Penetration Testing mailing list archives
Re: Ethical Hacking Training
From: "Hamish webhosting.net.nz" <koremeltdown () hotmail com>
Date: Tue, 20 Jan 2004 03:07:52 +0000
Greetings James, Gregory and the rest of the group,

Nothing against the (respected) posters, but I tend to disagree that "know your enemy" is a bad statement... In fact I believe it to be probably the best statement - know your job is only a small part of being a security expert. To give your client base a fighting edge against real hackers (and face it, not all of them out there are script kiddies, there are guys out there smarter than a lot of us) you must understand several things; these being:

* The mindset of a hacker (yes, there are several similarities most hackers & even script kiddies share)
* Changing trends & methods in how real hackers "hack"
* Different hacker groups, connections and specialist skills (most hacking clans will specialise in one particular type of service/os etc, and may even hack in unique steps or processes)
* We as security experts must attempt to our very best to be aware of security threats before they are "real threats" over the internet - that is where the real danger lies with a lot of intrusions as I am increasingly finding. This means that to retain a distinct advantage over hackers and competing companies it is advantageous to become "part of the underground" (how in-depth you delve is your business) and know exactly what your enemy is capable of - otherwise we are as good as al Qaeda is in the mountains, we are just waiting to be struck down.
As I realise that many here are a lot more experienced and knowledgeable members of this group than I am, feel free to comment/correct me on any of my statements :)
Kindest of regards,

Hamish Stanaway
-= KoRe WoRkS =- Internet Security / Absolute Web Hosting
Owner/Operator
Auckland, New Zealand
http://www.koreworks.com/
http://www.webhosting.net.nz/
http://www.buywebhosting.co.nz/
From: "Meritt James" <meritt_james () bah com>
To: "DeGennaro Gregory" <Gregory_DeGennaro () csaa com>
CC: "Teicher Mark (Mark)" <teicher () avaya com>, Rob Shein <shoten () starpower net>, "Andy Cuff [Talisker]" <lists () securitywizardry com>, pen-test () securityfocus com
Subject: Re: Ethical Hacking Training
Date: Mon, 19 Jan 2004 13:06:22 -0500
Organization: Booz Allen Hamilton

Here we go again. I believe that those skills necessary to build a building are different than those to demolish a building. There are construction engineers and there are demolition experts. Different things. And the skills to fix a car engine are not those necessary to vandalize one.

"Know your enemy" is nice, "know your job" is, in my opinion, better.

"DeGennaro, Gregory" wrote:
>
> Very good statement and you do need to know your enemy.
>
> Just because you're a police officer, soldier, or in our case, information security engineers, does not mean you or I really know our enemy and their full or potential capabilities.
>
> Ethical hacking gives us an overview or lets us peer into the cracker's world. Of course, the classes do not have the latest cracks unless they have a honey pot running and receiving such traffic. Nor does it make us crackers. It is only a look see and not cracker training.
>
> Ethical Hacking is really a coined term for the public and those who do not know the difference between hacker, wacker, and cracker. The public only knows or thinks they know what a hacker is. In reality, they have no clue that a hacker is good and the other two are not.
>
> Also, how do you propose a professional runs pen and vuln tests against their network to secure holes in their fortifications? There are good products on the market; however, not everyone can afford them, use them properly, or the software or device is not totally up to date or catches everything.
>
> Regards,
>
> Greg DeGennaro Jr., CCNP
> Security Analyst
>
> -----Original Message-----
> From: Teicher, Mark (Mark) [mailto:teicher () avaya com]
> Sent: Friday, January 16, 2004 7:10 PM
> To: Rob Shein; Andy Cuff [Talisker]; pen-test () securityfocus com
> Subject: RE: Ethical Hacking Training
>
> Talisker,
>
> I still have an issue with the term "Ethical hacking". It was a term born out of the Big Six when they were trying to build their security practices and leverage their existing client base. I still feel the term is somewhat of a slant on those who practice "holistic security" and actually attempt to help customers improve their network security posture instead of pointing out the "glaring" hole that those who practice "Ethical Hacking" like to do.
>
> I have worked in the past with those who preach and teach "Ethical Hacking". Many of those people have published books exploiting that exact theme.
>
> Why not spend the time in researching how to correct security exploits in enforcing secure coding standards and forcing vendors to clean up their act and making their products work more efficiently and securely.
>
> /mark

James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566