
Free Professional Pen Testing Security Workshop

  • 06-06-2006 1:26pm
    #1
    Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭


    Date: Thursday, June 22, 2006
    Time: 6:00 pm to 8:30 pm
    Location:
    The Morrison Hotel
    Ormond Quay, Dublin 1
    Cost: FREE
    Registration: Required
    Email: neil.sisson@newhorizonsireland.com

    Penetration Testing (Ethical Hacking):
    This workshop will introduce attendees to new hacking techniques and methods used to break into networks. Attendees will learn how the focus of security has changed in recent years and will see how penetration testing (Ethical Hacking) can make a huge difference in your security program.

    Attendees will see live and simulated demonstrations of attacks on computer systems.

    Seeing the ease with which these attacks are carried out will demonstrate the problems faced by information security personnel every day. Upper level management also needs to be aware of such techniques used by hackers.

    Attendees will also have an opportunity to fully test Core Impact's $25000 Professional Penetration Testing Software.
    http://www.coresecurity.com/products/index.php

    Attendees must be at least 21 years of age. Seating is limited

    Workshop Overview
    1. Zombies
    2. Profiling Hackers?
    3. Attacker Landscape.
    4. Pen Testing Methodology
    5. General Pen Testing Tools
    6. Vulnerability Life Cycle
    7. Exploit TimeLine
    8. Core Impact Hands On Lab.


Comments

  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Sounds good.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    Sounds good.

    What's not good about free! :D

    FYI: Of the forty seats available yesterday morning, there are now only 4 left.

    If you want to go you need to mail me (with name, company, job title and contact number) asap.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    If this is the evening class that's held during the CPTS courses, then I can highly recommend it.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Shad0r wrote:
    Attendees will learn how the focus of security has changed in recent years
    Has it? Care to enlighten us?

    I think the focus has changed because security people have had to become risk managers who can communicate and sell security to the business, but I'm not quite expecting this to be your answer.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    hmmm wrote:
    Has it? Care to enlighten us?

    Nope. But I'm only one of the people organising the event, not a security expert. I wouldn't pretend to be able to speak at anywhere approaching the level of the Mile2 guys who will be speaking at the seminar.

    The evening is free to attend so if you are interested in becoming enlightened as to your question then please by all means send me a mail and I will register you.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    ANNOUNCEMENT:
    Due to phenomenal demand we have had to change the venue from our training centre here in town to the Morrison Hotel.

    This will allow us to increase capacity substantially, so once again there are lots of seats available.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Sorry but where is the Morrison Hotel? Not from Dublin. I could google but I don't want to end up in the wrong place


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    Sorry but where is the Morrison Hotel? Not from Dublin. I could google but I don't want to end up in the wrong place

    It's on Ormond Quay, which is the Liffey quay on the northside of the city that runs between the Italian Quarter/Millennium Bridge and Capel St.

    http://www.morrisonhotel.ie/


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Thanks, looking forward to it.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Shad0r wrote:
    Nope. But I'm only one of the people organising the event, not a security expert. I wouldn't pretend to be able to speak at anywhere approaching the level of the Mile2 guys who will be speaking at the seminar.
    As a matter of interest, who is speaking?


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    Mail0red.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    WizZard wrote:
    As a matter of interest, who is speaking?

    Wayne Burke will be giving the seminar. He is the Chief Information Officer for Mile2.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    I might go so. He's an excellent speaker


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    I'd love to go but not being near Dublin sucks. This sounds really good though.


  • Registered Users, Registered Users 2 Posts: 44 aerocell


    If you want to go you need to mail me (with name, company, job title and contact number) asap.

    OK does that mean that you must be actually working in the security area to go? or can anyone? I am studying Programming.
    Please let me know asap.
    Thanks


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    aerocell wrote:
    OK does that mean that you must be actually working in the security area to go? or can anyone? I am studying Programming.
    Please let me know asap.
    Thanks

    No, you don't need to be working in the security industry. Send me an email and substitute company details for your course details. Substitute job title for the year of your course.


  • Registered Users, Registered Users 2 Posts: 2,860 ✭✭✭tech


    what was the speech like


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    tech wrote:
    what was the speech like

    Hang on, I'll start up the DeLorean...


  • Registered Users, Registered Users 2 Posts: 2,860 ✭✭✭tech


    ooops sorry can someone record it for me so since it hasn't been on yet :D get it on a podcast!


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    tech wrote:
    ooops sorry can someone record it for me so since it hasn't been on yet :D get it on a podcast!

    :rollears:

    Do I need to mention (cause I sorta thought it went without saying) that recording and podcasting the seminar would be very bold...the illegal type of bold I'd imagine.

    The seminar is only for people who could be ar$ed getting off their asses and coming in to be there.


  • Registered Users, Registered Users 2 Posts: 2,860 ✭✭✭tech


    that's all very well but due to my location and work commits I won't be able to travel


  • Closed Accounts Posts: 5 niT


    it would be really great if $company_holding_seminar would record the event and release it to the relevant podcast sites (like the forensic security podcast) so that it raised awareness within professionals in the field and generated good press so that a second event would be far more popular, thereby generating more revenue for said $company_holding_seminar.

    :D

    just a thought


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Sent off a mail. Places still available ?

    Gav


  • Registered Users, Registered Users 2 Posts: 2,518 ✭✭✭Hecate


    Gahh..why do I always hear about these things at the last minute?! :)

    Mail sent ;)


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    links people links!! :) Which "forensic security podcast" do you speak of?


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    links ???

    Odeo: Security Now!

    Odeo: PaulDotCom Security Weekly


    Odeo: The Security Catalyst


    one or two of these are smoking something funny at times so take with salt and do some research.

    there's probably more too


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    Registration for the event is officially closed!

    There are currently 110 people registered so make sure to get there early to get a good seat!!

    The event kicks off at 6pm sharp, please do not be late.

    The event is completely fully booked, so please do not turn up expecting to get in if you are not registered. If you have not registered and received a reply informing you that you are registered then I'm sorry but you will have to wait until the next time we do this.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    First of all thanks to all who attended and apologies for the technical difficulties. Wayne's primary laptop (an alienware machine) gave up the fight while he was setting up in the Morrison and unfortunately then the laptop he had to use wasn't configured properly. It's a good thing that he always travels with three of them!
    bedlam wrote:
    This was a real disappointment (disregarding the technical difficulties). It was not much more than a sales pitch to convince management to send people on the training. Lots of people in suits furiously scribbling down notes like "170,000 zombied hosts!" "use WPA not WEP" and so on.

    Just because someone wears a suit doesn't mean that they are management. Wayne spoke about all the points I put in my first post here:
    1. Zombies
    2. Profiling Hackers?
    3. Attacker Landscape.
    4. Pen Testing Methodology
    5. General Pen Testing Tools
    6. Vulnerability Life Cycle
    7. Exploit TimeLine
    8. Core Impact Hands On Lab

    except the last one. And that's actually my fault. I should have taken that part out of there when we had to increase the venue size. I apologise for forgetting about it.
    The original post referenced these two together, however the New Horizons person who did the intro said in passing that they should not be confused (PT > EH), any chance this was due to the fact they offer the CPTS and not the CEH?

    Did it ever occur to you that New Horizons chose to give the CPTS course rather than the CEH? If the CEH was a better cert than CPTS we would be delivering that and not the CPTS. There isn't enough room in the Irish market to deliver both at the moment, but even if there was, we wouldn't deliver the CEH, because the CPTS IS a better cert from a "future employability" point of view.

    FYI: Mile2 are a New Horizons global training partner. They are also the largest organisation in the world for delivering the CEH.
    April 26 2005 - Today an EC-Council Authorized Training Center contacted Mile2 to request information about CPTS & CPTE. In addition to training they have a professional services practice that offers Pen Testing. The caller said he had an employee sitting next to him who teaches CEH, and that this instructor stated that "there is hacking, and there is pen-testing". When asked if he believes that CEH is adequate for pen testing, he responded "No". Further, he said if they receive a request for pen testing services, they can't even send their CEH instructor because "it is not pen testing" and that they "have to use a different methodology".

    If you are genuinely interested in the differences between the two certs you can read more here: http://www.mile2.com/CEH_vs_CPTS.html
    Of the "new hacking techniques" we got to see an nmap scan, an attempt at a dcom exploit, a look at the cain and abel interface (couldn't run that on a public network) and Metasploit VNC server injection.

    The purpose of the seminar was to demonstrate how easy it is nowadays with a little knowledge to penetrate supposedly secure systems. Aside from the technical difficulties that he had I think Wayne did a great job.

    Stay tuned for a link to another seminar Wayne did a while back somewhere else, where he didn't have technical problems...


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    In fairness, when a company offers an event like this I would expect it to be a marketing exercise. By way of an analogy, the Metro and Herald free-sheets aren't being given away out of the goodness of their hearts - it's a business. Just because the papers are full of ads doesn't mean that the news has any less value. Similarly, the information at this event was valuable even if the purpose was to highlight the vulnerability of software in order to boost sales.

    The difficulties that Wayne encountered were unfortunate but he did his best with what he had.

    Although much of the content was old-hat to quite a few people in the room, I did find it interesting to see a remote shell being gained with little more than a few mouse clicks.

    Overall, I thought it was worthwhile to attend. Well done, guys.

    Regards,

    Liam


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    I've seen videos of worse of defcon Demos :D

    All and all it was well worth the trip. I agree it was a marketing exercise but not everyone in the room had seen those toys before.

    I did come expecting a little more advanced a discussion but talking nop slides and Snort rules would have cleared the room :)
    Then again you could demo for two days and still only touch the surface.

    As for the technical difficulty it happens to everyone even Bill G got a blue screen while demoing (still think it's funny)

    Have to admit I was disappointed at not seeing core as I doubt I'll ever get the chance to see it in action.

    Thumbs up and a thanks to Wayne.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    I was quite impressed, I haven't seen any of the tools in use before, just read a lot about them, so to see them in action was good.

    Many Thanks to New Horizons and Wayne.


  • Closed Accounts Posts: 64 ✭✭wind00ze


    I'm still a bit unsure on how well recognized the CPTS is.
    Basically I'm wondering is it worth the 2500 euros to do the course.
    I'm sure you learn a lot doing the course, but it's still a lot of money.


  • Closed Accounts Posts: 191 ✭✭vinks


    it was a mild disappointment for me, but i guess the session was an introductory one with a specific market in mind.

    i would have been more interested in seeing how one would manage several hundred machines in a coherent and secure manner (rolling out updates, maintaining authentication systems and the such with common practices)

    the session felt very windows centric, but don't most systems store their data on unix backends these days if they want to be competitive and to be able to scale up?


  • Registered Users, Registered Users 2 Posts: 5,335 ✭✭✭Cake Fiend


    This was pretty much as I expected, and I'd support something like this again. It's easy to slag off the lack of technical demonstration etc, but bear in mind that the security pros in the room were outnumbered by the suits and vaguely-interested lesser nerds. You can't expect low-level discussion at a seminar like that (unfortunately, we weren't really shown whether the full course would be different or not...)

    I can't say I learnt anything new personally (and tbh, I was a bit unsure about taking a course from someone who didn't know how to restart windows explorer :p), but at least people are going to the effort to spread the word to the corporate-types about the importance in security. I was surprised to see how much interest there was from the corporate sector, I expected to see more 'got root?' tshirts and 2600 caps etc :)

    2500 is a lot of money for an individual, but it's nothing to a business for which knowledgeable security staff is important. If I were to think about paying for the course myself though, I'd need to know a lot more about it! Bear in mind though, many certification exams can be taken without doing the official course beforehand, I wonder if the CPTS is one? It would work out a lot cheaper to study on your own and just pay for the exam.


  • Registered Users, Registered Users 2 Posts: 44 aerocell


    There were a few interesting points which were brought up, I did learn one or two new things, so I suppose it wasn't a waste of time for me anyhow.
    The fact that it was free was also a bonus.
    Was kinda disappointed with all the automated tools, would have liked to have seen compiling from a shell or the likes.
    But all in all it wasn't a wasted evening.
    Looking forward to the link of the seminar that he did previously without the technical difficulties.
    Just my two cents.


  • Registered Users, Registered Users 2 Posts: 1,750 ✭✭✭romperstomper


    Nothing is a waste of time if you learn even one new thing IMO
    One disappointment for me is that I went to the course pondering whether we should invest time and money in the course and I'm afraid I left without knowing how in-depth the workshop would be, so if it was a sales pitch it failed in that regard. However as a wakeup call on the vulnerability of systems and the speed at which exploits were released it certainly succeeded and I would be interested in attending future seminars.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    wind00ze wrote:
    I'm still a bit unsure on how well recognized the CPTS is.
    Basically I'm wondering is it worth the 2500 euros to do the course.
    I'm sure you learn a lot doing the course, but it's still a lot of money.

    This type of certification (i.e. a security one) seems to be a fairly new concept to Ireland but this cert is fast becoming an industry standard. I heard for example the other day that if you have Security+, CPTS and CPTE that the American Army will give you a job that pays around $150k p.a.

    Personally I'd be as quick to take a job offer from Satan as I would from the American military, not to mention that that is hearsay (albeit from a reliable source) but still it does make you wonder what the private sector payscale is for this kind of work, with all the certificates.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Shad0r wrote:
    This type of certification (i.e. a security one) seems to be a fairly new concept to Ireland but this cert is fast becoming an industry standard. I heard for example the other day that if you have Security+, CPTS and CPTE that the American Army will give you a job that pays around $150k p.a.

    Personally I'd be as quick to take a job offer from Satan as I would from the American military, not to mention that that is hearsay (albeit from a reliable source) but still it does make you wonder what the private sector payscale is for this kind of work, with all the certificates.


    I work for Satan, she's a good employer. :)


    Quick question, has anyone received that e-mail/voucher/video link?



    Seriously I couldn't find CPTS in Irish jobs but I could find pen testing positions/security admin

    CPTS:
    http://www.irishjobs.ie/showresults.aspx?IsProvince=1&MatchPerc=40&Ranking=&Roles=&Recruiter=Both&Category=3&Location=0&KEYWORDS=CPTS&I7.x=18&I7.y=10

    pen-test:
    http://www.irishjobs.ie/showresults.aspx?IsProvince=1&MatchPerc=40&Ranking=&Roles=&Recruiter=Both&Category=3&Location=0&KEYWORDS=penetration+testing&I7.x=0&I7.y=0


    http://www.irishjobs.ie/JobDesc.asp?ID=2206504&MID=1797
    http://www.irishjobs.ie/JobDesc.asp?ID=2206394&MID=1797
    http://www.irishjobs.ie/JobDesc.asp?ID=2204016&MID=824 (ECDL Required ??):eek::confused::eek:


    Salary scale makes it look attractive but ... needs further investigation


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Those 3 irishjobs.ie links are I believe the same job.

    Knowing who we are talking about, I'd expect they'd be less interested in CEH/CPTS/any other makey uppey penetration testing certs and more interested in MCSE/CCNA/CISSP/CISA/years experience in IT/audit experience/how presentable you will be in front of management.


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    I had a quick look at Monster.ie earlier and there were loads of Information Security jobs coming in at the 45k - 60k mark.

    Also with regard to the CPTS cert, if they weren't familiar with it, you could always ask them if they would like you to prove that their network had security concerns and that you are the right man/woman to fix them! :)


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    Sh!t, forgot to say about that email/voucher/video link, they haven't gone out yet...well, actually a mail has been sent afaik, but the video link hasn't been released to New Horizons yet.

    The winner of a Free seat at the next CPTS course is due to be picked tomorrow to the best of my knowledge.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Shad0r wrote:
    Also with regard to the CPTS cert, if they weren't familiar with it, you could always ask them if they would like you to prove that their network had security concerns and that you are the right man/woman to fix them! :)
    Good idea! If I was interviewing people for a security job, I'd definitely allow random candidates to have a go at hacking my network. Sure, why don't I see whether they have the skills to cope with a disaster recovery situation by setting fire to my server room.


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Sure, why don't I see whether they have the skills to cope with a disaster recovery situation by setting fire to my server room.

    Excellent :)


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    hmmm wrote:
    Sure, why don't I see whether they have the skills to cope with a disaster recovery situation by setting fire to my server room.

    rofl yeah that's the spirit. What could possibly go wrong!?


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    Will something like this be happening again?


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Also what happened to the Video link we were meant to receive?


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Also what happened to the Video link we were meant to receive?


    Thought it was just me and the spam filter again. Did receive a phone call and course info. Ne to the video


  • Registered Users, Registered Users 2 Posts: 1,167 ✭✭✭Shad0r


    Sorry guys, the powers that be decided to give the video to us on CD instead of online. :rolleyes:

    I'm compiling a list of interested people to post it out to atm, so if you want me to send you a CD, then email me your name and address to neil.sisson[_(a t)_]newhorizons.com


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Thanks Neil.

    Appreciate the effort.


  • Registered Users, Registered Users 2 Posts: 37,316 ✭✭✭✭the_syco


    hmmm wrote:
    Good idea! If I was interviewing people for a security job, I'd definitely allow random candidates to have a go at hacking my network.
    Or, tell them of a problem which you know exists, as an off-hand example.

