Open source software security

InfoSec Institute Ethical Hacking Day 4 & 5

I've just finished InfoSec Institute's Ethical Hacking class (http://www.infosecinstitute.com/courses/ethical_hacking_training.html). The last two days were so hectic that I didn't even get a chance to blog about them as I would have liked. Day four went from 8:30 until 6:30, after which we took the CPT (Certified Penetration Tester) exam, so we weren't done until about 8. The EC-Council Certified Ethical Hacker (CEH) exam was scheduled for day 5 at 10 AM, so we all left the class exhausted, but I went back to my room to study some more. The content of day four was intense, covering topics from web application attacks (SQL injection, cross-site scripting, etc.) to sniffers, deep target penetration, and wireless security.

Day four was a killer. It lasted a long time and covered a lot of great topics. I was actually extremely nervous about the CPT exam, as I've already passed the CEPT (Certified Expert Penetration Tester) and would have been pretty embarrassed if, as a certified "expert" penetration tester, I couldn't pass the standard penetration tester exam. Luckily all went well and I scored very high. The CPT, like the CEPT, is a great exam because it includes a multiple choice part (in this case 50 questions) as well as a take-home practical. You get 60 days to turn in the take-home practical, which is distributed via CD upon successful completion of the CPT exam. The practical contains two VMware images of machines. The practical involves breaking into both machines and stealing the root password for each. The idea is to break into the first machine, then leverage that access to break into the second machine. I looked at the first machine but haven't had much time to play with it. Other students in the class report it isn't vulnerable to any Metasploit payload, which is good. Knowing that the CEPT practical involves compromising a machine by writing custom shellcode, I'm assuming this practical will be somewhat easier. The format of the practical is perfect though. In order to complete the practical, students must actually demonstrate the skills they've been taught over the tenure of the training. I'm a big fan of this style of testing since it requires independent thought and analysis as well as application of ideas learned during the training.

Day five was the dreaded CEH exam. This exam was brutal, if for no other reason than it was 250 questions, each of which takes half a minute or so to answer, even at a fast pace. This ensures a minimum of two hours working on the exam, which is a long time to answer multiple choice questions. The day began with a review led by our instructor, Jeremy Martin, that (re)covered a lot of the basic grounds. The scope of information covered by the CEH is staggering. You had to know everything from types of physical locks, to wireless security, to types of encryption, to packet traces, offensive scanning, viruses, tools, Linux command line, and a host of other topics. There were very few questions on the exam where as soon as I started reading them I knew the answer. The test was just exhausting, especially after such an intense week.

In retrospect I learned quite a few lessons about the class and the exams that I figured I would write up to share:

  • Study each night after the classes; this will help you keep up with the material so you don't fall behind and have a huge load of reading at the end of the week.
  • A solid background in operating systems and networking will really help you in the class. If you're already familiar with the OSI model, how IP works, Linux and Windows you're at a great advantage.
  • Do as many of the labs as you can! The labs aren't required but they drive home the lessons that you learn during the week. Also, don't speed through the labs just to get them done - really take the time to understand them. Don't be afraid to ask questions.
  • Pay attention during class. It's very tempting to surf the internet when you have a laptop in front of you and you've been listening to the instructor for several hours already. Sometimes I found it was helpful just to turn off the laptop and use a paper and pen to take notes - this helped me concentrate and I used my notes as a study guide at the end of the week.
  • Take the exams when they're scheduled. I saw a lot of students put off the exams until the weekend or a later date. It's better to take the exam while the knowledge is fresh in your mind - even if you don't feel entirely prepared. Delaying the exam seemed a little like easing into cold water - it only prolongs the pain.
  • Try to focus on the class and not the exam. Passing the exam is obviously stressful, but if you begin to focus on the exam and lose focus on the class you'll miss important material. The class is designed to prepare you not just for the exam, but for the field. The exam only lasts a few hours; your job in security should ideally last a lot longer. The lessons you learn in class can apply not only to the exam, but also to the much broader timeframe of your profession. Try to retain perspective, especially towards the end of the week.

Some non-academic lessons I learned that may apply to other types of training like this, but definitely helped me:

  • Go into the class excited - your initial mindset and mental approach will severely color your experience. If you're psyched to take the class and learn the material you'll have a much easier time than if you're having a bad week, under a lot of outside pressure, or feel forced into the class. In those circumstances I'd recommend rescheduling the class rather than trying to force it. Your attitude will definitely affect your absorption and success.
  • Bring a USB thumb drive - having a way to move material from class to your own laptop, or even between students in the class is great (and should almost be required). I forgot to bring one so skipped out during lunch one day and ran across the street to a store to buy one.
  • Bring earplugs - this will help you get critical sleep during nights staying at a busy hotel.
  • Go out to eat once in the week. Living on the food provided in the class will prevent you from starving but it won't necessarily satisfy you.
  • Exercise daily if you can. Even getting out to take a walk will help you focus and digest the lessons you're learning during the class.
  • Realize that you're going to be spending your evenings studying and reading - don't make plans to visit friends and family in the area or have other commitments. These classes are intense and you'll need the down time in the evenings to review and investigate areas of the class that you might not completely grasp.
  • Pace yourself. Realize that the end of the week will be intense and you'll be running on low batteries. Plan for this by attempting to front load some stuff towards the beginning of the week (for instance reading through exam prep material).

Overall I found the InfoSec Institute Ethical Hacking class to be an excellent course and I'm excited about taking another class from them. Jeremy Martin did a great job at presenting the material and the labs were top notch. I've taken a couple of classes from other training organizations and I have to say that the InfoSec Institute labs are a lot better in terms of being interesting, utilizing realistic environments, and teaching very topical skills. The CPT exam is a great test, not only because the questions are topical, up-to-date, and well written, but also because the practical is such a great gauge of student skill. While the CEH is a more widely known exam and its scope is much broader, some of the questions were pretty esoteric or outdated. I'd recommend the class to all who are interested in the field as a great, hands-on, and challenging way to expand your knowledge of computer security.