Security Advancements at the Monastery » Forensics (http://blog.securitymonks.com): information about developments at the Monastery. Feed generated Fri, 03 Sep 2010 05:41:44 +0000.

Learning By Doing: Challenges, Data Sets, and Practice Sites
http://blog.securitymonks.com/2009/08/23/learning-by-doing-hacker-challenges-and-practice-sites/
Sun, 23 Aug 2009 15:30:18 +0000, John Gerber

Security training is very important for any organization. When developing a training program, do not forget about the security staff. I am all for sending people to SANS and other companies’ security courses, but once your people come back, how will they practice what they have learned? Hopefully, every day at work does not involve tracking inventive hackers through your network. Hands-on work is the best way to develop security skills and stay sharp. This is where security challenges, practice sites, and examining attack data can be fun and of great benefit. They all provide an opportunity to test your knowledge, along with the security tools you use for discovering vulnerabilities and defending your organization.

Challenges

Jonathan Ham and Sherri Davidoff of the SANS Internet Storm Center (ISC), and Raul Siles of InGuardians, have recently created two security challenges that are still open. Sherri, co-author with Jonathan of the SANS Network Forensics course, has posted “Network Forensics Puzzle Contest!” (8-14-2009). The most elegant solution wins a free SANS OnDemand class (worth up to $3,500, depending on the course). Raul wrote a new hacking challenge for the Ethical Hacker Network site, titled “Prison Break – Breaking, Entering & Decoding” (7-27-2009). Three winners will be selected: the best technical answer, the most creative answer (that is also technically correct), and a random drawing. Winners receive signed copies of Ed Skoudis’s book, “Counter Hack Reloaded.”

Ed Skoudis, of Counter Hack Reloaded fame and of various SANS hacking and penetration testing courses (see Ed in Virginia Beach teaching “Network Penetration Testing: Planning, Scoping, and Recon,” August 30 through September 4), hosts the monthly challenges created and managed by the fine folks at InGuardians. The great thing about the past challenges is that you can work the problems and check your solutions immediately. Check out Ed’s Counter Hack Reloaded site for a few additional, older challenges.

UPDATE: For a challenge in the forensics realm, check out the series of posts by Dave Hull (trustedsignal) on the SANS Forensics Blog. The series discusses the FAT file system. Dave provided the following description: “I’ve provided a copy of the disk image used during the series and have ended almost every post with a challenge question and have been giving away a forensics-related title from the Syngress Publishing group. We’ve had a great time and the series is in the archives for anyone who wants to check it out.” Dave is working on a series on NTFS, which he expects to start posting in the next few weeks. The series is very informative and a great hands-on way to learn.
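As an added example (my own code, not part of Dave’s series or his disk image), here is a small Python parser for the two FAT structures any hands-on walkthrough starts from: the BIOS Parameter Block in the boot sector, from which the data-area layout and the FAT type are derived, and a 32-byte 8.3 directory entry, including the deleted form where the first name byte has been overwritten with 0xE5. The boot sector and directory entries it parses are constructed inline; the volume geometry (a 16 MB FAT16 volume, 4 sectors per cluster, a README.TXT entry at cluster 5) is an assumption chosen for the demonstration.

```python
import struct

ATTRIBUTES = {0x01: "READ_ONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x08: "VOLUME_ID", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def parse_bpb(sector: bytes) -> dict:
    """Decode the BIOS Parameter Block and derive the volume layout."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    (bps, spc, reserved, nfats, root_entries,
     total16, _media, spf16) = struct.unpack_from("<HBHBHHBH", sector, 11)
    total32 = struct.unpack_from("<I", sector, 32)[0]
    spf32 = struct.unpack_from("<I", sector, 36)[0]     # only meaningful on FAT32
    total_sectors = total16 or total32
    sectors_per_fat = spf16 or spf32
    # Root directory sectors: zero on FAT32, where the root is a cluster chain.
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_data_sector = reserved + nfats * sectors_per_fat + root_dir_sectors
    cluster_count = (total_sectors - first_data_sector) // spc
    # The FAT type is decided by the cluster count, not by any label string.
    fat_type = ("FAT12" if cluster_count < 4085 else
                "FAT16" if cluster_count < 65525 else "FAT32")
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": nfats,
            "sectors_per_fat": sectors_per_fat, "root_entries": root_entries,
            "total_sectors": total_sectors, "first_data_sector": first_data_sector,
            "cluster_count": cluster_count, "fat_type": fat_type}


def cluster_to_offset(bpb: dict, cluster: int) -> int:
    """Byte offset of a data cluster; data cluster numbering starts at 2."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    sector = (cluster - 2) * bpb["sectors_per_cluster"] + bpb["first_data_sector"]
    return sector * bpb["bytes_per_sector"]


def _fat_datetime(date: int, time: int) -> str:
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def parse_dir_entry(raw: bytes) -> dict:
    """Decode a 32-byte 8.3 directory entry, including deleted ones."""
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    if raw[0] == 0x00:
        return {"free": True}
    attr = raw[11]
    if attr == 0x0F:                      # long-name fragment, not an 8.3 entry
        return {"lfn": True}
    deleted = raw[0] == 0xE5              # first byte is overwritten on delete
    base = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    hi, wrt_time, wrt_date, lo, size = struct.unpack_from("<HHHHI", raw, 20)
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "attributes": [n for bit, n in ATTRIBUTES.items() if attr & bit],
            "first_cluster": (hi << 16) | lo, "size": size,
            "modified": _fat_datetime(wrt_date, wrt_time)}


# Constructed sample data (assumed values, not from any real image): a 16 MB
# FAT16 volume and a README.TXT entry at cluster 5, plus its deleted twin.
SAMPLE_BOOT_SECTOR = bytearray(512)
SAMPLE_BOOT_SECTOR[0:11] = b"\xEB\x3C\x90MSWIN4.1"   # jump + OEM name
struct.pack_into("<HBHBHHBH", SAMPLE_BOOT_SECTOR, 11,
                 512, 4, 1, 2, 512, 32768, 0xF8, 32)
# fields: bytes/sector, sectors/cluster, reserved, FATs, root entries,
#         total sectors (16-bit), media byte, sectors per FAT (16-bit)
SAMPLE_BOOT_SECTOR[510:512] = b"\x55\xAA"
SAMPLE_BOOT_SECTOR = bytes(SAMPLE_BOOT_SECTOR)


def _entry(first_byte: int) -> bytes:
    wrt_date = ((2009 - 1980) << 9) | (8 << 5) | 23          # 2009-08-23
    wrt_time = (15 << 11) | (30 << 5) | (18 // 2)            # 15:30:18
    return (bytes([first_byte]) + b"EADME  TXT" +
            struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, 0, 0, 0, 0,
                        wrt_time, wrt_date, 5, 1234))


SAMPLE_DIR_ENTRY = _entry(ord("R"))
SAMPLE_DELETED_ENTRY = _entry(0xE5)

if __name__ == "__main__":
    bpb = parse_bpb(SAMPLE_BOOT_SECTOR)
    for entry in (parse_dir_entry(SAMPLE_DIR_ENTRY), parse_dir_entry(SAMPLE_DELETED_ENTRY)):
        print(bpb["fat_type"], entry, "data at byte", cluster_to_offset(bpb, entry["first_cluster"]))
```

Two points worth noticing when you run it against a real image: the deleted entry keeps its first cluster, size and timestamps, so its content is still addressable through cluster_to_offset until the clusters are reused, and the FAT type comes from the cluster count rather than from the “FAT16” string that may or may not be present in the boot sector.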

Data Sets

Greg Conti, author of Security Data Visualization, co-authored the paper “Toward Instrumenting Network Warfare Competitions to Generate Labeled Datasets,” written for the CSET ’09 Workshop on Cyber Security Experimentation and Test. The authors demonstrate how network warfare competitions can be instrumented to generate modern labeled data sets, and they have made available the archived packet captures and log files from the 2009 Inter-Service Academy Cyber Defense Competition. The annual competition pits the service academies, including West Point, against an actual National Security Agency Red Team. There is a great deal to be learned by examining this data. A blog has been set up to discuss it. The authors hope to do a few more data captures of network warfare games, as well as captures of red-on-blue events at the US Military Academy at West Point.

There are a few additional sites where you can obtain packet captures. JJC, of the “Security – The Global Perspective” blog, manages the OpenPacket.org site, whose mission is to “provide quality network traffic traces to researchers, analysts, and other members of the digital security community.” The pcapr site, powered by Mu Dynamics, calls itself a “social nOtworking site”; go there to learn about networks and protocols from packet captures.

UPDATE: The folks at pcapr wrote in to point out that they have just made available the “Collaborative Network Forensics” area, where they “took the recently published ITOC dataset and the CCTF captures from the Shmoo group, indexed them for real-time browsing and contextual search/extract.” As they point out, “with over 15.0 GBytes and 26.3 million packets, this now represents the largest collection of indexed pcaps online.” Really nice.

The VizSEC site maintains links to various repositories of data sets. The NetworkMiner project on SourceForge keeps a list of links to publicly available PCAP files. The Wireshark site also has a few links and sample PCAP files.
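Before pointing a tool at the ITOC, OpenPacket.org or Wireshark sample captures, it helps to know what is actually in a pcap file. The following is an added example (my own, not code from any of the sites above): a dependency-free Python reader for the classic libpcap format (not pcapng) in which these traces are typically distributed, decoding the Ethernet, IPv4 and TCP headers into a per-direction flow table. The capture it parses is constructed inline, a SYN, SYN/ACK and an HTTP GET between the assumed addresses 10.0.0.5 and 192.168.1.10, so nothing here reflects real data from the collections discussed.

```python
import struct

# TCP flag bits, listed in the order of the flags byte
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def read_pcap(data: bytes) -> list:
    """Return (timestamp, frame) records from a classic libpcap file.
    Stops at a truncated trailing record instead of misparsing it."""
    magic = data[:4]
    if magic == b"\xD4\xC3\xB2\xA1":        # little-endian writer
        endian = "<"
    elif magic == b"\xA1\xB2\xC3\xD4":      # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError(f"only Ethernet (linktype 1) is decoded, got {linktype}")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        if len(frame) < incl_len:
            break
        records.append((ts_sec + ts_usec / 1e6, frame))
        offset += 16 + incl_len
    return records


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP headers into the fields an analyst
    pivots on; other frames come back with just their EtherType/protocol."""
    eth_type = struct.unpack_from("!H", frame, 12)[0]
    info = {"eth_type": eth_type}
    if eth_type != 0x0800:
        return info
    ip = 14                                  # IPv4 header follows the 14-byte Ethernet header
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, ip + 2)[0]
    info.update(src=".".join(map(str, frame[ip + 12: ip + 16])),
                dst=".".join(map(str, frame[ip + 16: ip + 20])),
                proto=frame[ip + 9])
    if info["proto"] == 6:
        l4 = ip + ihl
        sport, dport = struct.unpack_from("!HH", frame, l4)
        data_off = (frame[l4 + 12] >> 4) * 4
        info.update(sport=sport, dport=dport,
                    flags=[n for n, bit in TCP_FLAGS if frame[l4 + 13] & bit],
                    payload=frame[l4 + data_off: ip + total_len])
    return info


def summarize_flows(pcap: bytes) -> dict:
    """Unidirectional flow table keyed by (src, sport, dst, dport)."""
    flows = {}
    for _ts, frame in read_pcap(pcap):
        p = parse_frame(frame)
        if "sport" not in p:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flow = flows.setdefault(key, {"packets": 0, "bytes": 0, "flags": set()})
        flow["packets"] += 1
        flow["bytes"] += len(p["payload"])
        flow["flags"].update(p["flags"])
    return flows


# --- constructed test capture (assumed addresses, not real traffic) ---------
def _tcp_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with zero checksums: input for the parser only."""
    def ip4(addr):
        return bytes(int(o) for o in addr.split("."))
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234,
                     0x4000, 64, 6, 0, ip4(src), ip4(dst))
    return eth + ip + tcp + payload


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1250000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", "192.168.1.10", 44321, 80, 0x02),      # SYN
    _tcp_frame("192.168.1.10", "10.0.0.5", 80, 44321, 0x12),      # SYN/ACK
    _tcp_frame("10.0.0.5", "192.168.1.10", 44321, 80, 0x18,       # PSH/ACK + request
               b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"),
])

if __name__ == "__main__":
    for key, flow in summarize_flows(SAMPLE_PCAP).items():
        print(key, flow)
```

Replace SAMPLE_PCAP with the bytes of a downloaded trace to get the same flow table for it. The reader deliberately stops at a record whose body is shorter than its declared length, which is what the tail of an interrupted capture looks like; a tool that keeps going there will happily decode garbage as packets.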

Practicing

Practice can be done by installing software, by using disk images, or by going to practice sites and training grounds. Installing the software creates a vulnerable site, so do it only on a local machine inside your LAN that is used solely for testing. For ISO images, set the VM’s network adapter to NAT or host-only so that the guest’s IP address is reachable only from the host OS, and not bridged onto your LAN; take a clean snapshot before you begin so the machine can be reverted once it has been compromised. If you go to a site, take caution and remember that the site itself could be hostile. In other words, be properly paranoid.

Software

In my post “WebGoat, Lua, and ModSecurity verses Password Guessing,” I go through the steps of setting up WebGoat. WebGoat is a deliberately insecure J2EE web application maintained by OWASP, intended to teach a structured approach to testing and exploiting vulnerabilities during an application security assessment. It is written in Java and installs on any platform with a Java virtual machine. The YGN Ethical Hacker Group has made available a series of videos walking through WebGoat v5.2. There are currently over 30 lessons.

Damn Vulnerable Web App (DVWA) is a lightweight, easy-to-use PHP/MySQL web application full of vulnerabilities to exploit. Ryan Dewhurst, the developer of DVWA, has recorded a video showing the installation process.

If you prefer PHP scripts, Mutillidae is a set of scripts that implements the OWASP Top 10 vulnerabilities. Adrian Crenshaw has posted the presentation he gave to the Louisville chapter of OWASP about the Mutillidae project, titled “OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF).”

(Video: “Owasp Louisville 2nd Meeting,” by Adrian Crenshaw, on Vimeo.)

ISO Disk Images

On the ISO disk image side, there are a few interesting options. The BadStore demo helps in understanding web application vulnerabilities and shows how to reduce exposure.

For a full-scale, lesson-based environment, there is the Linux-based distribution Damn Vulnerable Linux (DVL). Mayank Sharma writes in the article “Securing Linux by breaking it with Damn Vulnerable Linux”:

“Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.”

“The one thing that sets DVL apart the most,” Josh Sweeney says, “is the focus on buffer overflows and disassembly.” Disassembly, he says, is often talked about in conjunction with buffer overflows and reverse engineering. “Disassembling is when someone breaks down a program into the assembly language for further analysis. By doing this, users can analyze code at a very low level and look for security issues. There have been many excellent papers on the subject over the years, but these generally don’t come with learning tools in a self-contained, easy-to-use environment.”

Thomas Wilhelm is the author of “Professional Penetration Testing: Creating and Operating a Formal Hacking Lab” and the creator of both the Hackerdemia project and the De-ICE.net Pentest LiveCDs project. Hackerdemia is a LiveCD containing several vulnerabilities, including unpatched software, misconfigured services, default passwords, and a few other surprises. Paul Asadoorian posted “Scanning Vulnerable Linux Distributions With Nessus,” in which he walks through using Nessus to determine the vulnerabilities within Hackerdemia. The De-ICE.net Pentest LiveCDs are disk images of fully functioning servers. The Security Aegis site has an interview with Thomas in which he discusses these projects, along with the Heorot.net pentest video training and his recently published book.

One more Linux VM intentionally configured with exploitable services is pWnOS. It was created by Brady Bloxham, a.k.a. bond00, who has recorded a nice introduction video.

The Web Application Attack and Audit Framework (w3af) project has created a VMware image, called Moth, which contains a set of vulnerable web applications and scripts. The w3af core and its plugins are written entirely in Python, with more than 130 plugins checking for SQL injection, cross-site scripting (XSS), local and remote file inclusion, and so on. What is really interesting about Moth is that it lets you test web application scanners and learn how web application firewalls work, because the vulnerable applications and scripts can be reached directly, through mod_security, and through PHP-IDS.

On the system side, LAMPSecurity has been creating a series of capture-the-flag exercises, each built around a full Linux virtual machine that is vulnerable to remote root compromise through a number of vulnerabilities. The most recent exercise is Capture the Flag 6, released 7/17/2009. The documentation takes you through the steps of the exercise.

Training Ground

The Mighty Seek Podcast did a Hands On Series and set up the NTO Hackme test site, which accompanies the podcasts so you can try out what is discussed. Dan Kuykendall did two episodes: “Episode #01 – SQL Injection Part 1 [Intro]” and “Episode #02 – Cross Site Scripting (XSS) Part 1 [Intro].”
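The two flaws those episodes introduce, and that DVWA and Mutillidae above let you practice against, can be seen in miniature in the following added example. It is my own code, not from NTO, DVWA or Mutillidae, and it uses Python’s built-in sqlite3 module with two assumed accounts (admin and alice) so the injection can be exercised offline. It puts a login query built by string concatenation next to its parameterized form, and a comment renderer that reflects input raw next to one that HTML-escapes it, then runs the classic payloads against each pair.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with two constructed accounts (assumed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    # The bug: user input is spliced into SQL syntax, so a quote in the
    # name ends the string literal and the rest of the input becomes SQL.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, name: str, password: str) -> list:
    # The fix: placeholders keep the input as data; the driver never lets
    # it change the statement's structure.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def render_comment_vulnerable(text: str) -> str:
    # Reflected XSS: whatever the user typed becomes markup in the page.
    return "<p>" + text + "</p>"


def render_comment_safe(text: str) -> str:
    # Output encoding for the HTML body context; quote=True also covers
    # the case where the value lands inside an attribute.
    return "<p>" + html.escape(text, quote=True) + "</p>"


def demo() -> dict:
    """Run the classic payloads against both versions of each function."""
    conn = make_db()
    bypass = "admin' -- "                # comments out the password check
    tautology = "' OR '1'='1"            # makes the WHERE clause always true
    xss = "<script>alert(document.cookie)</script>"
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, "wrong"),
        "parameterized_bypass": login_parameterized(conn, bypass, "wrong"),
        "vulnerable_tautology": sorted(login_vulnerable(conn, tautology, tautology)),
        "parameterized_tautology": login_parameterized(conn, tautology, tautology),
        "vulnerable_xss": render_comment_vulnerable(xss),
        "safe_xss": render_comment_safe(xss),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable login returns admin for the comment payload and every user for the tautology, while the parameterized version returns nothing for either. One caveat when comparing this with the PHP/MySQL targets: the sqlite3 module executes a single statement per execute() call, so stacked-query payloads raise an error here rather than running a second statement; whether they work against DVWA or Mutillidae depends on the database API those applications use.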

Hack This Site (HTS) is a website for testing and expanding one’s hacking skills. You will need to register with the site to access the hacker challenges. There are various lessons and missions. User cwade12c has posted several video tutorials covering the missions; “Hack This Site – Basic 1 Tutorial” gives a feel for the simplest of the challenges.

HellBound Hackers (HBH) is another site offering a large collection of challenges, articles, forums, and so on. The LifeofaHacker site has published challenge tutorials and walkthrough guides for both Hack This Site (HTS) and HBH.

Enigma Group is similar to HTS and HBH in terms of tutorials, articles, and hacker challenges. It also has some educational and humorous short tutorial videos.

The Bright Shadows site offers challenges on JavaScript, cryptography, cracking, steganography, Flash, Java, various programming exploits, and more. Registration is required. Members vote on each challenge’s difficulty, creativity, educational value, and presentation.

Smash The Stack (StS) Wargaming Network has a progression of challenges in which each level depends on completing the previous one. The challenges are *nix based. To get started, you ssh into one of the wargame servers on port 2224 with the password “level1”, at which point a message tells you how to proceed. Where the password for the next level is hidden differs from game to game. Questions can be asked in their forums. OverTheWire offers similar wargame challenges.

A Few Final Thoughts

The above list represents a few sources I have experience with. Duncan Alderson, on his site Webantix, has done a great job of listing war games and hacking simulators in his post “War Games: Current and past hacking simulators and challenges.” The New Order site also has a much more comprehensive list.

Just remember, it is good to be paranoid. Even HTS, with a user base of over 1,300,000, can still have problems with disgruntled current and former employees. We are talking about very skilled, intelligent, and disgruntled people. In the last major attack, root-level access to the website was gained and HTS was taken down for months.

It is a dangerous world. That is exactly why skilled ethical hackers are needed. One of my college professors would always say, “Repetition is the key to learning.” He repeated it so many times that I finally learned that lesson. The above links provide a challenging way to practice and learn. Give them a try and have some fun.

GIAC Certified Forensics Analyst (GCFA)
http://blog.securitymonks.com/2007/08/19/giac-certified-forensics-analyst-gcfa/
Sun, 19 Aug 2007 22:22:14 +0000, John Gerber

“Because your own strength is unequal to the task, do not assume that it is beyond the powers of man; but if anything is within the powers and province of man, believe that it is within your own compass also.” — Marcus Aurelius

Passing the certification exam for System Forensics, Investigation & Response (Sec-508) and becoming a GIAC Certified Forensics Analyst (GCFA) might not have been what Marcus Aurelius had in mind. Still, I am very glad to have the certification exam over with. To get things straight in my head, I have to study for an exam. I can go through a class and basically understand most of what is discussed, but until I sit down to study, I do not truly put the parts together. When I studied for the exam, I did not limit myself to SANS material. It is about learning the topic, not just passing the exam.

I want to point out a few additional references. I am not claiming they will help you with the certification exam. The truth is, they might hurt; it is easy to become a bit overwhelmed. If your goal is to pass the certification exam, stick to the SANS material. But if you want to learn forensics a little better, these additional sources might help.

For a good discussion of file system forensics, I recommend Brian Carrier’s book, “File System Forensic Analysis.” While there are tools that will do a lot of the file system forensic work for you, I really enjoyed reminding myself of the very structures that we are analyzing. If you want a book more focused on Windows, there is Harlan Carvey’s “Windows Forensic Analysis.” The SANS forensics class is already full of information; still, the course would benefit from incorporating some of Harlan’s material. Finally, one of my favorite books, by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose, is “Real Digital Forensics: Computer Security and Incident Response.” It provides a great hands-on approach to learning forensics on both UNIX and Windows.

For enjoyable podcast listening, I recommend CyberSpeak. The podcast is done by Ovie Carroll and Bret Padres, who describe their show as “Two Former Federal Agents Talk About Computer Forensics, Network Security and Computer Crime.” If you need to keep up on news and forensic topics, there are a few blogs that might interest you. There is Computer Forensics and Incident Response, written by a gentleman who identifies himself as Bill; I am afraid I can provide no additional details, besides the fact that it is a good blog. Bob Krantz and Jeff Fehrman maintain the EDD Blog Online, which provides “An insiders look into the ever evolving landscape of legal discovery to include but not limited to computer forensics, electronic discovery, email archiving, online review and proactive management.” Forensic Focus provides computer forensics news, information, and community forums. Finally, there is Forensic Incident Response by hogfly, who describes the blog as “created to support some of the work I’m doing and to contribute to the forensic community. I’ll be blogging about the science of forensics, incident response, methodologies, relating real world investigations to digital ones and some other tidbits.”

Studying for an exam like the GCFA helps me put together pieces of computer knowledge that I have long since forgotten. I am not that old. At least I don’t think so. Senility has not set in. Or, if it has, I am too far gone to realize it. Still, I have been doing something with computers since I was twelve. For those Technorama fans, I would have to say my first computer was really a book. No, not an iBook. I learned to program from a book. My interest in computers started before I had access to a computer. Our grammar school was running an experimental program in which students could get out of regular class for an afternoon once a week. We could choose to attend a course in literature or in robotics. Most girls, and the smart boys who figured it was not a bad idea to go where the girls went, chose the literature class. I chose robotics. Looking back, this program was probably just a way for the school to get more money from the state. While it was an interesting idea, it was not as if we had access to a robot or even a computer. The literature class did have access to books, though.

One day the instructor told us our homework was to write a BASIC program. She had not spent any time during the class teaching us how to program. I don’t think she really expected much from us, probably just a begin, print, end kind of program. Well, during that time my mom was bringing in some extra income by watching kids. The father of a family whose child we watched did some programming as part of his job. He heard about my assignment and volunteered to help me. The poor man did not know what he was getting himself into. Thanks to his extreme patience, by the end of the day we had a program. And it did take all day, because I had to keep going over it to get it straight in my mind. By the time I left, I knew that program. The course spent an hour or so the next week talking about programming, and that was it. Still, it introduced me to a way of thinking that I wanted to learn. I started buying books and learning how to program.

This was a time when computers were not in every classroom. I was in 8th grade, which was part of the grammar school. It was not until 9th grade, when we moved to the high school, that we had access to a computer room. Even then, the programming classes were supposed to be limited to upperclassmen. Fortunately, fate stepped in and, because of a scheduling conflict, I got into the programming class. Well, fate and supportive parents. The high school computer room had Commodore PETs. A year or two later, the PETs were replaced by the Apple II. Also, right before I started high school, my dad purchased an IBM XT for our home. His company allowed employees to purchase these computers with no-interest loans. The computer cost about as much as a decent car. It was a major investment on my dad’s part. Like I said, it helps to have supportive parents who value education.

Before any of this, I spent a year learning how to program from programming books. Once I got into high school, I was in the lab every day after school making use of the computers. I gave back to the high school with such great programs as the dating program, which was used for many years at the high school for fund raising around Valentine’s Day. Of course, there was also the scouting program, which analyzed the playing strategies of the opponent’s football team; I developed that for the coaches. I just want to make it clear that I did not have any kind of gambling program going on, though it could have been used for that purpose. Considering these were the times of computers with less than 64 KB of memory and 10 MB hard drives, the programs were pretty decent.

I was listening to Security Wire Weekly, where they interviewed David Foote of Foote Partners on his latest research on the value of IT security job skills and certifications. The bottom line is that David found the security management certifications lead to higher salary increases than the technically focused certifications. This is not surprising, but I would argue it can be misleading. The CISSP is not more valuable than a SANS GIAC certification; it is aimed at a different target group. A manager who demonstrates a broad base of security knowledge will do better than the pool of managers without such skill. A technical person who becomes certified is being compared to other technical people.

Put another way, there are managers who may have a vision of what to do but really do not know how it might actually get done. On the other end of the spectrum, you have good technical people who are so focused on their area that they can’t see beyond their world to the requirements of the company as a whole. Most people don’t have the ability to switch perspectives or bridge the gap between these camps. A person who demonstrates both an enterprise-focused, high-level view and the ability to get into the weeds is a very valuable asset to a company.

No matter what you do, I think Marcus would agree that the key is to continuously learn and strive to understand. That twelve-year-old has come a long way in his understanding of computers.

Risks and Rewards
http://blog.securitymonks.com/2007/05/27/risks-and-rewards/
Mon, 28 May 2007 02:26:07 +0000, John Gerber

“Far better is it to dare mighty things, to win glorious triumphs even though checkered by failure than to take rank with those poor spirits who neither enjoy much nor suffer much because they live in the grey twilight that knows neither victory nor defeat.” — Theodore Roosevelt

(Image: A tribute to the old Gopher protocol)

I am, and will always be, an O’Reilly Media, Inc. fan. The Camel Book for Perl 4 was my introduction to Perl. I was working as a graduate student in my university’s Research Services department. We were receiving professors’ vitae, putting them into RTF format, and looking for a way to parse through them. The ultimate goal was to automate the matching of their work against research grants. This was back before the web, in the time of Gopher. I took home the Perl 4 book that Friday, and by Monday morning I had a program to parse the RTFs.

One of the things I think about frequently as I listen to folks talk about security is that many people forget that information technology exists to help us do something. Security’s job is to figure out how to allow the task to be done while minimizing risk. If implementing security only results in a company being unable to advance, security has failed the company. It is like the old analogy of security being the brakes on the corporate car. To quote Ron Woerner of the Security Catalyst:

Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.

Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.

In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, told security executives during a lunchtime presentation that “many people blog from work and mobile platforms and that’s very bad.” He went on to categorize blogs as one of the bad guys’ tools. Alan Shimel, chief strategy officer for StillSecure, addresses Don’s statement in his blog post “Don Ulsch, keep the FUD to yourself.” Don’s job is to see emerging threats, and he makes the point that blogs represent a possible source of data leakage. This is a case where risk needs to be weighed against reward; that is Alan’s point. I listen to the “StillSecure, After All These Years” podcast and I read Alan’s blog. I am aware of his company StillSecure, and I have respect for the people he works with. I think Alan has demonstrated how useful the latest technology can be if you do not allow risk to stop your company from using it. Sure, you want to minimize risk, but it is about balance. You cannot allow the mere existence of risk to stop you from doing your business efficiently.

For this reason, I feel that one of the most important qualities in a security professional is the ability to keep up with the latest technologies. We need to know the tools our organizations will be using in order to understand the risks involved. I am thankful to O’Reilly for helping me do my best to stay up on developments in IT. I read the O’Reilly Radar blog daily. I listen to the Distributing the Future podcast. Finally, I am a subscriber to Safari Books Online. When Tim O’Reilly speaks, I listen.

I have a confession, and I hope Tim does not feel I am stepping out on him. Occasionally, I will check out what books the Pragmatic Programmers, LLC might have. A while back, I bought the online version of the book by Dave Thomas and David Heinemeier Hansson, “Agile Web Development with Rails, Second Edition.” I found the web site to be very professional and well done, which is what you want to see in a publisher that sells books on web development. They have continued to provide free updates to the book. Considering the changing nature of agile web development, I have been very appreciative of that.

I also recently purchased the electronic version of Harlan Carvey’s book, “Windows Forensic Analysis DVD Toolkit.” It is a great book. Syngress’ site is not as slick as the Pragmatic Programmers site; I purchased from Syngress only because Harlan has produced such a great book. If you want to get a feel for Harlan’s technical and writing capability, check out his blog, Windows Incident Response.

Right now, I am sitting at work finishing up the printing of some documents. While it might be nice to have documents in PDF format for searching and for carrying around on a USB stick, I like to read hardcopy. While printing, I also have my MP3 player. I was listening to podcasts until I figured I would post a blog entry while waiting for my documents to finish printing. My phone and MP3 player are capable of making voice recordings, which I occasionally use to record notes to myself. I don’t think Don would approve. The question is how much safer the company would be, versus how much less productive I would be, if these technologies were eliminated.

Here are a few other documents I am printing:

What a way to spend Sunday.

Meditations
http://blog.securitymonks.com/2007/04/29/additional-reading/
Sun, 29 Apr 2007 20:49:42 +0000, John Gerber

“She is too fond of books, and it has turned her brain.” — Louisa May Alcott

(Image: Monk Reading)

I wanted to post a few more references. Hopefully, I will even find time to read these documents. I have referenced various NIST SP documents many times in this blog. On Friday, NIST published a guide to its information security documents, which they describe as follows:

In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents (.pdf). In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.

The Information Systems Audit and Control Association (ISACA) has released several documents to its members. For the general public, these documents will be released in May. They include:

This week I paid membership dues to get access to the members-only areas of the Open Compliance & Ethics Group (OCEG) site. OCEG has been working with Compliance Week on the Governance, Risk and Compliance (GRC) Illustrated series. OCEG also produces the Foundation “Red Book,” which “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.” M. E. Kabay of Network World did a nice write-up on the Red Book’s approach to risk management in his article “OCEG Red Book on risk management.” A final OCEG document I want to review is the “Benchmarking Survey Comprehensive Summary Report.”

Finally, in my last post, titled “Forensic Resources,” I listed a few other things I will be investigating in the computer forensics arena. Of course, I will also be preparing for and taking the GIAC Certified Forensics Analyst (GCFA) certification exam for my SANS Security 508 course, System Forensics, Investigation & Response.

Many times I feel like Lloyd Bridges in the movie Airplane!: “Looks like I picked the wrong week to quit smoking.” While I do not smoke, nor do any of the other things Lloyd’s character chose the wrong week to give up, I did decide to give up hard-core caffeine. I went from Pepsi’s Mountain Dew Code Red to basic green tea. According to Wikipedia’s Caffeine entry, green tea has about half the caffeine of Code Red. That scales me back far enough that I no longer get caffeine-withdrawal headaches. Maybe one day I will figure out how to get all my work done while getting relatively normal amounts of sleep. One can always dream. Such is the life of a security monk.

Forensic Resources
http://blog.securitymonks.com/2007/04/29/forensic-resources/
Sun, 29 Apr 2007 19:20:38 +0000, John Gerber

“Doubt comes in at the window when inquiry is denied at the door.” — Benjamin Jowett

(Image: Sherlock)

I wanted to post a few more references in the area of forensics. There is a new book coming out, “Windows Forensic Analysis,” written by Harlan Carvey, who is also a member of the Security Catalyst Community Forums. Syngress has made chapter three of Harlan’s book, Windows Memory Analysis, available.

If you are unfamiliar with the Security Catalyst site, Michael Santarcangelo runs and maintains the forums. To quote the blog overview:

Get engaged and prepare to be entertained as expert on security and the protection of information and professional speaker Michael Santarcangelo (and friends) takes a refreshingly direct but entertaining (and easy to follow) look at the important issues in how we think about and protect our information assets.

It is a site I recommend to security professionals. Michael is really trying to build a community and provide insightful and timely information relating to security.

There are many great books out there. One book that has been out for a while, which I highly recommend, was written by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose. The title is "Real Digital Forensics." Richard does an excellent job with the TaoSecurity blog. The blog is "dedicated to FreeBSD, network security monitoring, incident response, and network forensics."

Bret Padres and Ovie Carroll, two former federal agents, "talk about computer forensics, network security and computer crime" on their podcast, Cyberspeak. The April 22, 2007 episode has an interview with Jesse Kornblum, Principal Computer Forensic Engineer, ManTech International. They discuss Forensicswiki.org. The Forensicswiki.org site is "a Wiki, operated under a Creative Commons license, devoted to information about digital forensics." Translation: it is open to everyone. On the show, Jesse mentions the site Forensicwiki.com, which is a closed site where membership requests are vetted. To quote the site, "membership is intended for forensic/security professionals, law enforcement and the legal profession."

Another site that might be of interest is Computerforensicsworld.com. That site is also a “free and open peer to peer medium for digital and computer forensics professionals and students.” There is also the Forensicfocus.com site. In the July 2006 newsletter, Forensicfocus provided many additional forensic links. One forensic list that they missed was the Appleforensics list. That mailing list is open only to government email addresses.

The NIST Special Publication site does maintain a few documents that might be of interest. There is Draft Special Publication 800-101, Guidelines on Cell Phone Forensics. There is also SP 800-86, “Guide to Integrating Forensic Techniques into Incident Response,” which was published August 2006. Back in November 2004, NIST published SP 800-72, “Guidelines on PDA Forensics.”

If you need a podcast to serve as an introduction to forensics, I recommend Richard Nolan and Stephanie Losi's podcast from April 17, 2007, titled Computer Forensics for Business Leaders: A Primer. To quote the description of the show, "In this podcast, Richard Nolan, who leads CERT's computer forensics efforts, shares what business leaders need to know and provides pointers to resources that can increase organizational preparedness."

Finally, for training, I would point you to SANS SECURITY 508 course, System Forensics, Investigation & Response.

Investigations
http://blog.securitymonks.com/2007/04/22/investigations/
Mon, 23 Apr 2007 04:58:19 +0000, John Gerber

Perhaps when a man has special knowledge and special powers like my own, it rather encourages him to seek a complex explanation when a simpler one is at hand.
Sherlock Holmes (written by Sir Arthur Conan Doyle), The Adventure of the Abbey Grange

No, I have not been abducted. No need to call in Gustav and Otto Amlingmeyer (better known as Old Red and Big Red, respectively). Sorry for my long absence from writing. I have several blog posts started. Unfortunately, I began referencing so many different sources that the posts became more like research papers. Being tight on time, I have not gotten around to finishing them. Shoot, I have not gotten around to sleep.

I am going to try something different. I will make every attempt to write more frequently, just on less in-depth topics. The original purpose of this blog was to post interesting topics I came across. By the way, I have updated, over on the right, the "Recent Podcast" area. If you have not listened to these specific podcasts, I do highly recommend them. They cover some very interesting topics. For tonight, let me just address what I have been doing recently.

I attended a SANS course System Forensics, Investigation & Response. I’ll follow this up with taking the certification to become a GIAC Certified Forensics Analyst (GCFA). I took the course by volunteering at SANS. It is a great program if your company is a little tight on training funds. Let me quote SANS description of the program:

If you are selected to facilitate for a SANS conference, you will pay a nominal fee of $500 and earn the remainder of your tuition in exchange for facilitator services you provide onsite. This fee includes attendance to the entire track the facilitator is selected to monitor, all course materials, and admission to evening sessions.

To be honest, I prefer volunteering over just attending. You get to interact more with the instructors, students, and the folks who work for SANS. Do not get me wrong, there is work involved. Volunteering for SANS just makes me feel more plugged in to the course and I get more out of it.

I have been asked if it is possible to take the certification exams without taking the course. I volunteer occasionally for SANS; I do not work for them. That is my disclaimer. Still, looking through their site, this is what I have found. If you know the subject matter very well, you can take the exam without taking the course. It is called a GIAC Challenge.

I don't recommend it unless you are truly an expert on the subject matter. SANS exams are open book. The problem is that the exam questions will be based on the material in the course. Now, at the conferences I have attended, SANS has allowed students to purchase copies of any of the courses held at the conference. Those course books could be very helpful in passing the exam.

When studying for the SANS exam, I recommend people make a good outline of the course material. That outline will help a person find the material they do not remember from the course. You can count on there being some specific questions on more obscure material than you will ever be able to memorize.

The GIAC Challenge does include two practice exams. The practice exams are very valuable. They will help one figure out the pace of the exam and will point out areas where further studying is needed. SANS does allow you to purchase the exams separately.

I would point out that the course material is only part of the value of attending a SANS course. I find the interactions with the instructors and students just as valuable as what might be in the course material. If you can make it work, I would try volunteering with SANS before doing the GIAC Challenge.
