The course will cover how to handle security incidents, demonstrate what tools attackers use and how they exploit systems.  I took this course in 2009 and I can’t say enough how good it is.  It’s one thing to read about how an exploit works.  It brings a whole new level of awareness when you actually run an exploit and start pulling data from the target system.

What was most valuable to me was the background on how to prepare, respond and recover from a security incident.  There is quite a bit of preparation that you need to take so that you are ready to conduct incident response in a way which will stand up in civil or criminal proceedings.  There are lots of pitfalls that you want to avoid so that you protect your employer and don’t get in trouble yourself.

Here are two key things you can use to “sell” this course to management.

1. You will learn how to handle an incident in a way that best protects your company, is thorough and preserves the company’s legal options.
2. You will see what exploits can do to a system, how they are used and what they look like.  Every exploit covered includes how to defend against them.

If you are in the Salt Lake City area and would like to read more about this course or sign up, use the link below.

Security 504: Hacker Techniques, Exploits & Incident Handling

Technorati Tags: incident handling, salt lake city, SANS, sec504, security training

First off, I took the examination for the SANS Incident Handler certification on Friday the 12th.  All the time put into preparation paid off and I passed with 96%!  It was extremely satisfying to pass this exam, since I have been spending the last several weeks studying for it.  On top of just earning the certification, my score was high enough that I can apply to become a SANS Mentor now too.  This is something that I think would be a lot of fun and I really want to do.  Time to start writing up my application and hoping for the best.

Last, I’ve started working on rewriting Reconnoiter to run as a Metasploit module.  I started on this late last week and have made some headway in the process.  Scrapping HTML and using the data in a script or program isn’t much fun.  The main problem I’ve run into is that Google really doesn’t want anyone doing this type of stuff.  While Yahoo! has provided a nice XML web service to aid in accessing data, Google appears to be going out of their way to make this difficult.  I’m actually a bit irritated by this since Google has taken great pains to convince everyone (with good reason on our part to do so) that we need to make it easy for Google to crawl our sites.  Just don’t expect them to return the favor.  Ah well.

Anyhow, I hope to have a rough module up and running by the end of this week.  Current plans are to have the ability to pull results from Google and Yahoo both.  You will be able specify an output directory to save username lists.  Plus, since this is in Metasploit, you can choose between the command line or a web interface to run the module.  That alone may be a real kicker for folks.

The Google query is going to be pretty buggy and a pain to maintain.  The Yahoo! query should be very solid since the script pulls from their XML web service.  The down side is that you will need an AppID to use the Yahoo! query.  So the decision is whether you want to be (relatively) anonymous but have iffy results or if you don’t mind losing some of that anominity for more accurate results.

Technorati Tags: GCIH, Incident Handler, Metasploit, Reconnoiter, SANS