Friday, September 26, 2008

GIAC Certified Penetration Tester since yesterday

I'm not going to comment on details of the exam; I'll only say that I think the same thing happens as with the CEH and all the others:
1. Your own judgment has to be set aside during the exam.
2. If you haven't taken the course, you need current, hands-on field experience.
3. The reference material helps only minimally, because since it is only allowed in printed form, you lose more time searching. It's better to have a good notepad beside you and write down your analysis or reflections.
I won't be adding any more hacking certifications, unless someone offers me US$10,000 a month, with 14 salaries a year and additional benefits. In that case I might go for the ISECOM ones or the Mile2 ones.
It seems fair to thank SANS/GIAC and Cesar Farro (the exam proctor/supervisor) for having allowed me to take the exam free of charge (after the contest that SANS/GIAC organized for CEHs) and for having given me his time without charging me a sol/dollar/euro/etc. during the supervision of this exam, respectively.

Tuesday, September 23, 2008

A Personal One

I had resolved not to post personal things, but then it would stop being a blog.
Today the mother of my friend, compadre and colleague Gustavo Vallejo passed away.
The truth is, I'm posting because I don't remember having felt any other death like this one and Layka's. I know that for those who don't know me, equating the death of Tavo's mother with Layka's will sound like anything but something positive. Those who know me know that Layka was my first "daughter" and I had a very hard time when she left us.
But this sadness is not for Tavo's mother as such, whom I knew and admired, and whom it was impossible not to appreciate and hold in esteem because she was very, very likeable.
This sadness is for not having been able to be with Tavo at that moment, to be the support we all need no matter how much circumstances make us strong, to hug him and let him feel that we are with him, to hug him as he did with my Mafi during the earthquake of August 15, 2007, whom he didn't let go of until it was all over.
Before writing this, I remembered that Tavo was with me when Layka got sick, and until the end, on an all-nighter I would always like to forget and never will be able to.
Life goes on...

Wednesday, September 10, 2008

GIAC Incident Handler is not the same as an Ethical Hacker

Beyond who holds this GIAC/SANS certification or who sells incident handling courses as hacking courses, the formal word from Ed Skoudis, SANS instructor/consultant and author of courses 504 and 560, is:

What is the focus of SANS Security 560, and how does it differ from SANS Security 504?
SANS Security 560 deals with penetration testing and ethical hacking, in depth, covering numerous techniques for finding and exploiting flaws in a target environment using a consistent, high-quality testing regimen. SANS Security 504 focuses on incident handling, addressing practical methods for preparing for, detecting, and responding to computer attacks. In short, 560 covers penetration testing and ethical hacking, while 504 addresses incident handling.

Aren't the courses pretty much the same?
Not at all. 560 is very different from 504. We cover a variety of different tools in each class. Even when both classes cover the same topic or tool, they cover it from a completely different perspective. Take Metasploit and password attacks as examples. In 504, we talk about how these attacks work, emphasizing how to defend against them, and addressing how incident handlers can respond to their use. In 560, we get a lot deeper, talking about how to use each and every tool, with detailed, hands-on exercises that cover some of the features that incident handlers don't really need to know about but pen testers will likely use quite often. The idea is that incident handlers need to know what the attacks are from a broad perspective so that they can detect and respond to them in their environment. But, incident handlers don't need to know how to launch every one of the attacks we cover. Penetration testers, on the other hand, need to be able to use every tool we analyze, not just recognize its use against their environments. Thus, SANS 560 has triple the amount of hands-on exercises as 504, which itself includes numerous useful exercises tailored for incident handlers.

From a bottom-line perspective, 504 is more broad because incident handlers need to know about a lot of attack vectors that are typically not allowed for penetration testers by the rules of engagement. For example, incident handlers need to understand how to respond to bots and rootkits. But, the vast majority of penetration testers are prohibited from installing bots or rootkits on target machines. In the end, 560 is deeper, because penetration testers need hands-on experience with each tool, while 504 is more broad, because incident handlers need to focus on recognizing each tool's use in their environments.

Does 560 supersede 504 or supplant it?
No. 560 does not supersede 504. 504 is still a vital course, which we will continue to update and offer, supporting people in their careers as incident handlers. 560 is for penetration testers and ethical hackers.

I've already taken 504. Should I take 560 as a follow-on?
560 was designed as a perfect follow-on for people who have already taken 504 and are looking to get into more depth with tools used in professional penetration testing and ethical hacking. 560 is not recycled 504 material; it is an entirely new class with an entirely new set of slides and exercises.

I've taken neither 504 nor 560. Where should I start?
If you are more interested in incident handling, 504 is the course for you. If you need to develop your penetration testing skills, start with 560. Neither course is a pre-requisite for the other.

In case it wasn't clear: the course SANS Security 504: Hacker Techniques, Exploits, and Incident Handling is post-mortem, the attacker has already gotten in and you want to learn how to deal with him/her and keep them from getting in again. Course 560, Network Penetration Testing and Ethical Hacking, is for learning the techniques and getting to know the tools used by the most common attackers.

We'll have to wait for one of the local GIAC/SANS certificate holders to take on the challenge or take the course so that it can be taught here.

I'll take the opportunity in this post to give a local statistic: there are now 4 CEHs in our beloved Peru:
1. Ricardo Berrospi (SBS).
2. Eduardo Delgado (Deloitte).
3. Cesar Cuadra (Freelance, associated with Open-Sec).
4. WCuestas (Open-Sec).

Anyone else?