The “Compliance Equals Security” Trap

by Dan Strom on December 20, 2011

I was recently engaged to help remediate some exposures found during the preparation for PCI DSS compliance reporting. The organization had run an external vulnerability scan with Nessus so that they could find exposures and fix them before the “official” scan was run.

Several vulnerabilities were found that would have caused the organization to fail their external vulnerability scan. Many of the vulnerabilities were due to an open port on the server. Several cross-site scripting vulnerabilities were found. Sample code from one of the installed applications was publicly accessible.

As we were working through these issues, a common theme came up.

How do we fix Issue X so that we pass the scan?

Now think about that a minute… Approaching the vulnerabilities with this attitude is kind of like fixing a flat tire with Fix-A-Flat. It may work, but you should still have the tire looked at by a professional.

Here’s a specific example from the vulnerability scan. Port 8080 was publicly available on the web server. Several vulnerabilities were found on 8080. It was suggested that we just block 8080 at the firewall. Sure, that would work to keep the problems from being found in the external vulnerability scan. But is that the right fix? No.

The right fix was to harden the server: shut down any unneeded services, block any unneeded ports at the firewall, uninstall the sample code from the server, institute change control on servers and firewalls, and ……
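As an added illustration of the difference between hiding a finding and fixing it (this is not code from the original post), here is a small Python check that parses listening-socket output in the style of `ss -ltn` and, against an assumed per-host policy, reports which listeners should be stopped or rebound rather than merely blocked at the firewall. The ss sample, the policy tables and every port other than 8080 are constructed for the example.

```python
import re

# Constructed sample of `ss -ltn` output for a web server like the one in the post.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       100     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Assumed policy for this host: what may be exposed, and how.
PUBLIC = {80: "http", 443: "https"}      # intended for the Internet
MANAGEMENT = {22: "ssh"}                 # allowed, but source-restricted at the firewall
LOOPBACK_ONLY = {3306: "mysql"}          # must never bind to a routable interface
WILDCARD = {"0.0.0.0", "[::]", "*"}

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)

def parse_listeners(ss_text):
    """Return (bind_address, port) for every listening TCP socket in ss output."""
    return [(addr, int(port)) for addr, port in LISTEN_RE.findall(ss_text)]

def review_listeners(listeners):
    """Map each listening port to the action the policy calls for.

    The point of the check: a port the scanner found is fixed at its source.
    Blocking it at the firewall only hides it from the external scan.
    """
    actions = {}
    for addr, port in listeners:
        exposed = addr in WILDCARD
        if port in PUBLIC:
            actions[port] = "keep: required public service"
        elif port in MANAGEMENT:
            actions[port] = "keep: restrict source addresses at the firewall"
        elif port in LOOPBACK_ONLY:
            actions[port] = ("keep: loopback-bound" if not exposed
                             else "rebind to 127.0.0.1; it is exposed")
        elif exposed:
            actions[port] = "stop or uninstall the service, then confirm the firewall"
        else:
            actions[port] = "review: unknown local-only listener"
    return actions

def findings(ss_text):
    """Only the ports whose action is something other than 'keep'."""
    acts = review_listeners(parse_listeners(ss_text))
    return {p: a for p, a in acts.items() if not a.startswith("keep")}

if __name__ == "__main__":
    for port, action in sorted(findings(SAMPLE_SS).items()):
        print(f"{port}: {action}")
```

On the sample, only 8080 comes back as a finding, and its action is to remove the service rather than to filter the port.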

My final recommendation? Take steps to think beyond compliance requirements. Checkboxes and automated scans are helpful, but nothing replaces good analysis and testing. Meeting compliance requirements is a good starting point, but don’t omit really knowing the risks your organization faces.

- Dan


Reflections on NS2011 – Part 3

by Dan Strom on October 10, 2011

In addition to taking the GSE lab exam at Network Security 2011, I also enrolled to take the Web Application Penetration Testing and Ethical Hacking course. It was a 6-day course taught by Kevin Johnson. Some portions were taught by Justin Searle. They are both great instructors.

My overall impression of the 6 days of this course is very positive. Kevin is an engaging instructor, who uses real-world examples to drive home important points. Like the rest of us, he sometimes veers off on tangents. I found these tangents entertaining!

What’s the most significant thing I learned from taking this course? First off, I came away with an awareness of some of the things that I still do not know. Second, I have a much better understanding of what good practice is when developing a web application. Third, I now know enough to be dangerous with testing, and I need to actually start using what I’ve learned.

Ok, so that was 3 things that I learned!

Here is a brief overview of what the course covered:

  • The course starts at the beginning with a review of some basic web application and penetration testing concepts.
  • The next day walks through gathering information about the organization and application (recon and mapping).
  • The third day covers discovering vulnerabilities and weaknesses in the application (server-side discovery).
  • Day 4 addresses vulnerabilities and weaknesses in the client-side piece of the application.
  • Day 5 is where exploitation of the previously discovered vulnerabilities is taught.
  • Finally, Day 6 is the culmination of the learning with a Capture The Flag exercise. This was done in an isolated network environment where we had to discover and exploit vulnerabilities in some common web applications. The goal was to find certain specific pieces of information – the “Flags”.

I highly recommend this course for anyone needing a better understanding of web applications and how to find vulnerabilities in them. Much of the class is spent learning how to use automated tools such as proxies, scripting, and injection/cross-site attacks. It is very hands-on.

Beyond just the technical aspects of the course, there are always people who enhance the learning. I found the folks sitting around me to be valuable contributors to my learning. Asking questions and working together to find answers is very beneficial. Thanks Kevin, Tim, Justin, Brian, Patrick, Craig, Richard and others.

Go to the conference. Take the class. You will enjoy it.

- Dan


Reflections on NS2011 – Part 2

by Dan Strom on October 7, 2011

Taking the GSE

One of the primary reasons that I went to Las Vegas for NS2011 was to take the GIAC GSE hands-on lab exam. A huge motivation for me is that I hold several certifications, all of which need to be re-certified every 4 years. Holding the GSE would mean only having to re-certify one.

As of the time of writing this entry, I do not know whether I passed or not. If not, then I am hoping to be in Orlando in spring of 2012 to do a re-take.

Earning the GSE requires both a written exam and a hands-on lab exam. I passed the written exam in late summer. That qualified me to sit for the lab exam.

———–

There were 11 of us who took the lab exam. It was quite a mix of folks. My brother and I both sat for the exam. Most of us were from the U.S., but there was also representation from Egypt, Australia and New Zealand. I really believe the most enjoyable part was getting to know some of the other test-takers.

I really cannot share much about the lab exam itself. We were required to agree not to share details. The GIAC GSE webpage does give a pretty decent high-level listing of what you need to know and be able to practice.

How did I feel about the exam? It was tough. I choked on some things that should have been very simple. My time management was terrible. The most difficult part was not knowing exactly what we would be expected to demonstrate.

Yep. I’ll do it again if I didn’t pass. It’s worth the work of preparation and the stress of taking the exam.

- Dan


Reflections on NS2011 – part 1

by Dan Strom on September 27, 2011

The Travel and Town

I had the opportunity to attend SANS Network Security 2011 in Las Vegas from September 17-25. I attempted the GSE Lab exam the first two days, and then attended SEC542: Web Application Penetration Testing and Ethical Hacking.

The flight to LV was pretty uneventful. As we flew across the western plains, these circles were plentiful across the ground. These are not crop circles from aliens, but rather from irrigation pivots. This area has been suffering from drought, but irrigation helps as an equalizer. When we flew across Arizona, we could see the Grand Canyon out the window. Here is a picture of some irrigation circles…

 

Irrigation Circles

 

This was the first time that I had actually stayed in Las Vegas. I’ve driven through before, but never felt a need to stay. After being there for several days, there is no strong desire to make this a regular visit.

The conference was being held at Caesar’s Palace, but by the time I called to make a room reservation, there were no rooms available for the first two nights. So, I stayed across the street at Bally’s. Just like most hotels in Las Vegas, a casino is a part of the experience. No, I didn’t lose any money in the slot machines!

 

IMG 0017

 

The cost of food at the hotel/casino restaurants was more than I really wanted to spend and generally of a style different from what I care for. So, if I was not going to starve, I needed to find someplace else to eat. Using a great variety of apps on my iPhone, I searched and finally found what I was looking for (quite like U2, I suppose) down the street.

The walk down The Strip after dark is an experience. It was packed with people! Some were down-and-out. Others were trying to give the impression of a High-Roller. Most had adequate clothing on. Others looked like they were in a “Who Can Dress The Sluttiest” contest. Some were speaking English. Many were not. Most times the sidewalk was packed shoulder-to-shoulder with people.

I took the time to walk around Caesar’s Palace where NS2011 was being held. It is an opulent place. Here’s a picture of the sports betting area…

 

IMG 0018

 

One end of Caesar’s Palace featured the Forum Shops. It is basically an up-scale shopping mall. As you would expect, there is a Roman theme to everything. This fountain was in the middle of an intersection…

 

IMG 0019

When it came time to make the journey home, I was ready. There is a bus that shuttles visitors between the hotel/casino and the airport. The pickup time at the hotel was about 2 1/2 hours before my scheduled departure time so it seemed there would be plenty of time to make the flight.

So, you can imagine my surprise when we arrived at the airport and came upon one of the longest lines I have ever seen… I was even more surprised at how fast the line moved!

In the end, the trip back was uneventful. As John Denver said many years ago, “It’s good to be back home again. Sometimes this old house feels like a long lost friend.”

 

Check back in a couple of days for Part 2.

- Dan Strom

 


What I’ve Been Reading – Sept 4, 2011

by Dan Strom on September 4, 2011

Some days are more interesting than others.

Monday, August 29, 2011

Interestingly, I found nothing of real interest on the Internet today! Let’s see if Tuesday is any better…

Tuesday, August 30, 2011

More research on global warming. I doubt Al Gore supports it. – Sun Causes Climate Change Shock

According to Al Gore, climate change skeptics are racist. That’s an interesting leap of logic. – Perry Vs. Gore

Wednesday, August 31, 2011

Leaders should be willing to communicate, even when it is not required. This looks like a lesson that Cook has learned from Jobs. – Like Steve Jobs, Apple CEO Tim Cook Also Responds to His Email

APOD – Roll Cloud Over Wisconsin – We had one of these pass through Manhattan a year ago. My youngest son took a picture of it. View it here.

Determining the root cause can be difficult. Read this – How to perform a root cause analysis?

Thursday, September 1, 2011

This looks like Keynesian economics to me – Non Sequitur for 9/1/11

The best quote from this article, “The way children are grouped, which now occurs by their “date of manufacture,” no longer makes sense.” – Schools need help in raising today’s children, says education advocate

Pretty cool pictures of lightning here

Small businesses have a problem. They often have no money to implement appropriate security controls. They should read this tweet from Russell Eubanks

Friday, September 2, 2011

I’ve always wondered about the Magic Eraser. Now I know… – How do magic erasers get rid of stains?
