Re: Ethical Hacking Training

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 01/19/04

  • Next message: Meritt James: "Re: Ethical Hacking Training"
    Date: Mon, 19 Jan 2004 13:05:10 -0500 (EST)
    To: Jimi Thompson <jimit@myrealbox.com>, "Teicher,  Mark (Mark)" <teicher@avaya.com>
    
    

    I fully agree that to defend one *must* know how to attack. I too often hear some
    of my peers say how "such and such" attack is very script-kiddie-ish. My usual retort to
    that is "do you know how to do it?". Most network security people I know have no concept
    of how to use an exploit and invoke it, let alone code one. Sending someone on
    an "Ethical Hacking" course can fill most of these gaps in. As I have already stated,
    though, the student must come to one of these courses with a certain amount of knowledge
    beforehand or the money is wasted. Prerequisites for such courses must be clearly laid
    out in the course marketing imho.

    Cheers

    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------

    On Jan 18, Jimi Thompson <jimit@myrealbox.com> wrote:

    <SNIP>

    >Why not spend the time in researching how to correct security exploits
    >in enforcing secure coding standards and forcing vendors to clean up
    >their act and making their products work more efficiently and securely.
    >
    >
    </SNIP>

    Precisely how do you think that the aforementioned "security exploits"
    are discovered?

    My experience has been that unless you know how to hack and how to look
    at your network from the outside like one of the bad guys, you
    aren't going to have much of an idea of what is vulnerable, what is
    poorly coded, and what does not work efficiently and securely.

    2 cents,

    Jimi
