Saturday, December 22, 2012

Passing the SANS SEC504: Hacker Techniques, Exploits & Incident Handling Exam

A few months back I attended the SANS class “SEC504: Hacker Techniques, Exploits & Incident Handling”, and I must say, it was awesome. The course goes into detail on the techniques and exploits hackers use in today’s threat landscape and the ways incident handlers can prevent, detect and eradicate threats. The cost of the training and the exam was expensive, but it was worth every dollar to spend 6 days with like-minded professionals all hacking the day away. Leaving the course I felt a renewed confidence in my skills and had learned a few new tools that I wasn’t familiar with before; then I began studying for the exam.

Let me preface this by saying, exams and certifications don’t make you a better security pro, all they do is show others that you have the knowledge to pass the certification. In many cases this means that people have diluted both the exam and the certification by dumping for the test and just end up collecting credentials without knowledge or experience. This hurts both the people that have worked very hard to pass the exam and the cheater themselves by falsifying their knowledge. Anyway, I digress.

Now having said this I’m not going to give away any questions or topics that are on the exam, that would defeat the purpose of this blog post, but I do want to give a few helpful hints regarding studying for the exam. During our class our instructor gave us a heads up on a few ways to prepare for the test and I have a few that helped me tremendously as well.

First, lets lay down the rules of the exam and what to expect:

·      The exam is completely open book. Yeah, I know, easy, right? Not. The proctor looked at me weird when I told her it was an open-book test and made me prove to her that it was. This is your first tip: bring your confirmation proving that it's open book. She then went on to say that open-book tests are normally much harder, and this time she was right. You’re allowed to bring in arms full of books to the exam that you feel will help you in your attempt. If you’ve taken the course you’ve been given adequate material to pass the exam and don’t need additional material, unless you want it; you have what’s needed to assist you with the exam. If you didn’t take the course I would highly recommend reading Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses by Ed Skoudis. Not only is this book awesome and fits right into the course material, but Ed Skoudis founded this course and teaches it. So pick it up if you’re not able to attend the training; it will surely help with the exam and your knowledge in general. There aren't “right out of the book” answers, but material that will jog your memory. If you don't know the coursework the books will be useless.

·      For the exam you get 4 hours to complete 150 questions. That might seem like a lot of time, but when you’re flipping through books for a question you’re unsure of, the time flies by quickly. You also get a 15-minute break that stops the clock so you can stretch and clear your mind. I highly suggest you use it when you hit question 75 to give your brain a break.

·      The exam is also multiple choice, but that doesn’t always make it easier; many times I found it more difficult to pick only one answer.

·      During the test you’ll have the score displayed every 15 questions as a meter of how you’re doing. This can be either very reassuring if you’re doing well, or a way to set you into a panic if you’re not cutting the mustard. The passing grade for the exam is a 72, so knowing where you stand during the exam can be a double-edged sword.

Now for the studying tips:

·      If you’ve attended the course or you’re self-studying I would highly recommend poring over the material before taking the exam. Prepare yourself with the materials you have, otherwise you’ll be in for a long test.

·      Tab your books with sticky notes so that you’ll be able to quickly find topics as they come up. This is one of the most important areas of preparation for the exam, and I can’t emphasize it enough. If you’re unable to answer a question without research you need to quickly find where the topic might be in your books. Having sticky notes lined up on the side of each book is a quick way to do this, especially if you’re using five (or more) books.

·      Read through all your material and keep notes. You’re also allowed to bring in notes to the exam that you’ve written or printed out. Find areas that you might be weak in and make notes that will help jog your memory. I used the course books and kept a spreadsheet of all the tools mentioned, the book they were in and the page within that book, so I could quickly turn to the right page if there were specifics about a tool I wanted to verify during the exam.

·      If you’ve taken the course you’ll get a few things on your SANS account that I wasn’t aware of until I logged into the site. Within my account I was given two practice tests that were similar to the experience of the actual test (just with different questions) and mp3s of the same course by Ed Skoudis. I can’t tell you how valuable those mp3s were; after reading the books again, I listened to the mp3s by Ed on my way to work, at lunch, etc. to prepare for the exam. I read a review about Ed Skoudis’s teaching and it went like this: “Ed is able to harness the English language like a weapon,” and I couldn’t agree more. He’s a wonderful teacher and really helped me grasp many topics. Also, if you're not going to use the practice exams you're able to "give them away" to someone else for their studies.

So that being said, please try to take a SANS course if you’re able to; they’re terrific. SEC504: Hacker Techniques, Exploits & Incident Handling in particular was a great learning experience that will help me professionally for years to come.


Happy Holidays with Gratitude from Breezy Point

I know this blog is dedicated to information security, but there are things in life that take precedence over cyber security. Living in New York I saw firsthand the devastation that was left by Hurricane Sandy. This storm might seem like a distant memory for some, especially if you weren't in its path, but the effects are still lingering for many along the coast of New York and New Jersey. This video shows what many are still going through during this Christmas season. Please pray for them and their families. The video is a collage taken from Breezy Point by one of its residents whom we volunteered with during this tragedy.

Tuesday, December 11, 2012

The Rise and Rule of Android

I've reviewed mobile security many times on this blog before, but the explosion of the Android OS still amazes me. Take a look at this image regarding the rise and dominance of the Android juggernaut from


Tuesday, December 4, 2012

Enhancing Your Security at the Edge: Part 2 of 2

In our last article we looked at how to harden your perimeter with traditional firewalls and routers. In part 2 we will continue this examination of enhancing security at the edge, but higher up the stack via an application or layer 7 approach. Just as with traditional firewalls and routers, when it comes to the application layer we need to maximize the benefits available to us with solutions, without adding too much complexity to our security operations.

The systems in place that can assist with monitoring and securing your systems from application layer attacks are Next Generation Firewalls (NGFW), Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). Here are just a few more “bumps in the road” that I’ve seen when it comes to these devices:
  • Monitoring traffic at the application layer needs much love. You can’t just turn on a system like these and assume that you’ll be catching every bit of malicious traffic that comes past your interface. We’ll dig deeper into this later on, but each one of these systems needs to be tuned in order to work for your organization. Not all filters or signatures are going to be turned on by default and knowing what’s behind these security devices is going to be key (AKA Understand your network).
  • Even with tuning in place you’ll still get false positives, albeit fewer, but false positives nonetheless. Management and others involved need to understand that this isn’t a silver bullet and that, when properly tuned, it will assist with blocking malicious traffic. But the potential for false positives will always be there. What needs to be shown is the risk of a potential false positive versus the risk of a security breach.
  • These devices are always going to be in-line with your network and because of this will also be a concern as a single point of failure if not configured properly. Making sure that the systems that are in place to protect your business don’t bring it down should be a priority. Having performance issues due to the signature load they’re scanning for, or not having load balancing or clustering on them, isn’t an option when they’re in such a delicate part of your network.
You can read the rest of the article here:

Saturday, December 1, 2012

Enhancing Your Security at the Edge: Part 1 of 2

I think many of us can agree that the network perimeter as we’ve known it is no longer. In this two-part blog series we won’t spend time on the reasons for this (There are many and you can listen to my podcast on the Disappearing Network Perimeter to hear about these), but we will review a few methods to harden your perimeter from attack and include ways to manage and reduce the complexity of your network in the meantime.

When it comes to your network edge, the first devices to examine are your routers and firewalls. These devices are most commonly found in the network and are also most commonly an area of weakness. Here are just a few “bumps in the road” that I’ve seen when it comes to these devices:
  • I’ve seen many networks that have old versions of software running on their perimeter devices, mainly because the network admins are comfortable with the version they’re running, or they don’t want to risk the downtime or issues of upgrading to a more stable and secure version. Outdated software gives attackers an opening to exploit. You could have the best policies in place to filter traffic at the edge, but if your devices aren’t up-to-date with the latest OS, you’re giving the bad guys an easy way in.
  • Not having the appropriate access control on these devices is another common oversight. Who has the ability to make changes to these systems? Should these personnel be able to make them at any time? Even though access control is more of an internal issue, it’s still needed to protect your perimeter from attack.
  • Don’t forget about your firewall rulesets and router ACLs! Firewalls and routers are designed to ALLOW traffic through them. I know we often think of them the other way around, especially with firewalls, but these are in place to forward traffic back into your network. While a big part of their job is to block traffic, they’re ultimately in place to ALLOW traffic into your network. Ultimately, just because a ruleset is locked down to certain ports, doesn’t make your network secure. This is where IPS/NGFW technology comes into place, but we’ll get to that in the next article.
You can read the rest of my article at
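The two posts above make one combined point: a ruleset locked down to a few ports (Part 1) still forwards whatever rides inside those connections, and the layer-7 device that is supposed to catch it (Part 2) has to be tuned to the assets behind it and still needs a documented exception process for false positives. The following Python model is an added example, not code from the original articles or from any product they mention. The ruleset, the three signatures, the asset classes ("static", "php") and the sample request lines are all constructed for the demonstration.

```python
"""Port-based edge filtering versus layer-7 inspection (added illustration).

Constructed example, not code from the original article. It models two of
the article's points: a ruleset locked to 80/443 still forwards whatever
rides inside those connections, and a layer-7 device must be tuned to the
assets behind it and will still need exceptions for false positives.
Rule values, signatures and request strings are all made up for the demo.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed layer-3/4 ruleset: (protocol, destination port, action); first match wins.
EDGE_RULES = [
    ("tcp", 80, "allow"),
    ("tcp", 443, "allow"),
    ("any", "any", "deny"),
]


def packet_filter(proto, dport, rules=EDGE_RULES):
    """Verdict of a traditional port-based filter; it never looks at the payload."""
    for rule_proto, rule_port, action in rules:
        if rule_proto in ("any", proto) and rule_port in ("any", dport):
            return action
    return "deny"  # implicit deny if nothing matched


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    applies_to: set  # asset classes the signature is relevant to; {"any"} means always


# Constructed layer-7 signatures. The php-wrapper one only matters if PHP is deployed.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./"), {"any"}),
    Signature("reflected-script", re.compile(r"<script", re.I), {"any"}),
    Signature("php-wrapper", re.compile(r"php://", re.I), {"php"}),
]


@dataclass
class Layer7Policy:
    """Tuning state of the inspecting device: what it protects and what it has been told to ignore."""
    protected_assets: set                            # e.g. {"static"} or {"php"}
    exceptions: dict = field(default_factory=dict)   # signature name -> set of exempt paths

    def active_signatures(self):
        """Enable only signatures relevant to the assets behind the device ('understand your network')."""
        relevant = self.protected_assets | {"any"}
        return [s for s in SIGNATURES if s.applies_to & relevant]

    def inspect(self, request_line):
        """Return (verdict, matched signature names) for one 'METHOD /path?query' string."""
        _method, target = request_line.split(" ", 1)
        path = target.split("?", 1)[0]
        decoded = unquote(target)  # match on the decoded form so URL encoding does not hide a pattern
        hits = []
        for sig in self.active_signatures():
            exempt = path in self.exceptions.get(sig.name, set())
            if sig.pattern.search(decoded) and not exempt:
                hits.append(sig.name)
        return ("block" if hits else "allow", hits)


def edge_verdict(request_line, policy, proto="tcp", dport=80):
    """Chain the two layers: the port filter decides first, then the inspector sees the request."""
    if packet_filter(proto, dport) != "allow":
        return "deny-l4"
    verdict, _hits = policy.inspect(request_line)
    return verdict


# Constructed sample traffic, all on tcp/80, so the port filter allows every one of them.
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /files?name=..%2F..%2Fsecret.txt",   # traversal attempt hidden by URL encoding
    "GET /docs/search?q=%3Cscript%3E",         # legitimate doc search that trips a broad signature
    "GET /download?src=php://input",           # only meaningful against a PHP back end
]


def run_demo():
    """Verdicts for an untuned device and for one tuned to a static site with a documented exception."""
    untuned = Layer7Policy(protected_assets={"php"})
    tuned = Layer7Policy(protected_assets={"static"},
                         exceptions={"reflected-script": {"/docs/search"}})
    return {
        req: (packet_filter("tcp", 80), edge_verdict(req, untuned), edge_verdict(req, tuned))
        for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, (l4, before, after) in run_demo().items():
        print(f"{req:42} port-filter={l4:5} untuned={before:5} tuned={after}")
```

Running it shows the port filter saying "allow" for every request, which is the Part 1 point: the ruleset is doing its job and still tells you nothing about what is inside the connection. The `tuned` policy shows the two Part 2 decisions a practitioner actually has to make: disabling a signature class that does not apply to what sits behind the device, and recording a per-path exception for a request that is legitimate but matches a broad pattern, rather than switching the signature off globally.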