cissp CISSP training Certified Information Systems Security Professional: OSSTMM


CEH V7 More details
Posted by boss on Wednesday, 09 February 2011 @ 23:13:17 EST (13922 reads)
Topic OSSTMM

Anonymous writes "

NOTE FROM CLEMENT:

This week was a busy week with two webcasts presented by the EC-Council giving us more details about the new CEH Version 7. Below you have a summary of what is new and coming from the new version.

The first thing you will note as you walk into the classroom is the smaller size of the package. There used to be 67 modules, which was completely insane. It meant 365 slides per day if you wanted to teach everything over a 5-day period. Now the number has been shrunk to only 19 modules overall. It is now possible to deliver the whole package in 5 days. No more cluttering and useless tools taking hundreds of pages in the courseware.

Reserve your seat at:

http://secureninja.com/course/23/CEH-v7-Certified-Ethical-Hacker/

 

Overview

Secure Ninja's CEH v7 (Certified Ethical Hacker) training and certification boot camp in Washington, DC will immerse the students into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essentials of security systems. Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking their own networks, no real network is harmed. Students then learn how intruders escalate privileges and what steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5-day class they will have hands-on understanding and experience in Ethical Hacking. This course prepares the student for the EC-Council Certified Ethical Hacker exam 312-50.

The exam number will not change but there will be an exam specifically marked for CEH V7 within the VUE and Prometric testing centers.

Topics Covered 

 1. Introduction to Ethical Hacking
 2. Footprinting and Reconnaissance
 3. Scanning Networks
 4. Enumeration
 5. System Hacking
 6. Trojans and Backdoors
 7. Viruses and Worms
 8. Sniffers
 9. Social Engineering
10. Denial of Service
11. Session Hijacking
12. Hacking Webservers
13. Hacking Web Applications
14. SQL Injection
15. Hacking Wireless Networks
16. Evading IDS, Firewalls and Honeypots
17. Buffer Overflows
18. Cryptography
19. Penetration Testing

Who can benefit from such a class:

  • Security Officers 
  • Auditors 
  • Network Administrators  
  • Firewall Administrators   
  • Security Professionals
  • Anyone who is concerned about the integrity of the network infrastructure 
  • I would recommend even Managers get out of their office to learn about the offensive side

Prerequisites

  • Strong knowledge of TCP/IP
  • Information systems and security background
  • Minimum of 12 months of experience in networking
    technologies

Required Exams

CEH training at Secure Ninja will properly prepare you for the following exams:

  • 312-50 – Ethical Hacking / Countermeasures (CEH)
  • 312-99 – Certified Network Defense Architect (CNDA)

Courseware

Official Certified Ethical Hacker v7 Review Guide

Course Length

40 hours

DoD Directive 8570.1-M - CEH v7 meets Government and DoD agencies compliance with Federal Information Security Management Act (FISMA) and DoD Directive 8570.1-M. It is approved for CND Analyst, CND Infrastructure Support, CND Incident Reporter, and CND Auditor. One single class that meets 4 different levels.

CEH 6.1 VS CEH V7- Big Difference!

This version is the version that has cost EC-Council the most money so far to produce. They really invested in lots of experts, lots of time, professional graphic designers, psychometricians, and the community as well for input.

This is not just another version where they added 15 more modules.  It is the contrary; the package was submitted to a diet to come out with a top shape package.  It is a completely new and updated package. EC-Council mentions terms such as concise, focused, skills, knowledge, supporting elements, and more.  

In the CEH 6.1 version the language was about tools; this time it is about knowledge and skills and what is needed to be a true Security Tester. All of the slides were revised and they got rid of slides with lots of text and replaced those slides with amazing graphics that talk by themselves. They say a picture is worth 1000 words and this is true in this case.

The instructor will be the one responsible to explain and there is no need to write all the instructor can say on the slide.  The professional graphics are really great looking and you can see there was some thinking behind it. The graphic support is so great the instructor will have very little drawing to do on the board.

KEY UPGRADES

  • UPDATED TO LATEST OPERATING SYSTEMS: The next thing that is really exciting is the fact that everything is updated to the latest version of operating systems with the latest patches and hotfixes. The student machines, the instructor machine, the target range, they are all updated to the latest version. No more hacking of an old Windows 2000 box. Only the latest.
  • SLIDE SHOW GETS AN A+: The slide show had a major cleanup on the tool side. Some modules used to have dozens of tools presented; this has changed, and the new layout will showcase only a few tools and only the most relevant tool for the task being done.
  • KILLER LAB MANUAL: The lab manual has been completely redone and a new format is being used. It has a really nice layout with a great flow.
  • COLOR MY WORLD COURSEWARE: As mentioned in my previous message the courseware will be in color, you heard right, no more black and white and bad shades of the gray scale. The courseware will really come to life with vibrant graphics in color. It is nice to see important items and points stand out with a different color. This is really a step forward. I still cannot believe that a large vendor is willing to spend more money to get color in their courseware.

Revolutionary Product

EC-Council releases the most advanced ethical hacking program in the world. This much anticipated version was designed by hackers and security researchers. CEH v7 is a revolutionary training program that combines class metrics, advanced lab environment, cutting edge hacking techniques and excellent presentation materials. EC-Council has spent several years in developing this version.
 
The Certified Ethical Hacker courseware has undergone tremendous improvement from its predecessor. We have invested 4 times the regular investment in the research and development since the last release, and have given CEHv7 a complete makeover.
 
The new version is a breakaway from earlier releases with more emphasis on techniques and methodologies, which attackers may use to carry out possible attacks against system/networks that are updated and maintained.
 
A picture speaks a thousand words and we at EC-Council have enforced the saying by practicing it. The instructor slides and student manuals in CEHv7 have it all. The new version empowers the instructor with flawless flow and outstanding diagrammatic representation of the hacking techniques, which makes it easier to teach and enables students to understand the concepts better.

CEHv7 provides a comprehensive ethical hacking and network security-training program to meet the standards of highly skilled security professionals. Hundreds of SMEs and authors have contributed towards the content presented in the CEHv7 courseware.  Latest tools and exploits uncovered from the underground community are featured in the new package. Our researchers have invested thousands of man hours researching the latest trends and uncovering the covert techniques used by the underground community.
 
In addition to the makeover, CEHv7 includes two additional bundles: a Monster Hacking Tool Repository, codenamed Frankenstein, and a subscription based Virtual Lab Environment codenamed iLabs.

Frankenstein
 
Frankenstein is the Hacker version of the Apple Store. It provides users with ease in searching, downloading and installing the latest hacking and penetration testing tools. By using Frankenstein Version 1.0, users can check the release date of the tool, category under which it is published, probable size of the tool, name of the publisher/author, the website details and technical requirements for the tool to run. This will help all the Certified Members to keep themselves updated on tools released in the wild.
 
Key benefits:
•    Repository of categorized latest tools
•    User can download the tool in less time with comparison to manual search
•    Helps the user to synchronize & manage the tools from the server
•    Search specific tools from the available list of tools
•    The system provides a means to generate a HTML report of all the tools downloaded by the user
 
iLabs
 
The iLabs is a subscription based service that allows students to log on to a virtualized remote machine running Windows 2003 Server to perform various exercises featured in the CEHv7 Lab Guide. All you need is a web browser to connect and start experimenting. The virtual machine setup reduces the time and effort spent by instructors and partners prior to the classroom engagement. It is a hassle free service available 24x7 x number of days subscribed. Different subscription and pricing will be available. Even though it was not mentioned, I saw a BUY button on the interface, I will bet you that soon we will see commercial software being offered at a reduced price in there as well.
 
Benefits
 
•    Enables students to practice various hacking techniques in a real time and simulated environment
•    The course tools and programs are preloaded on the iLabs machine thereby saving productive time and effort
 
Key Features of CEH v7

•    Well organized DVD-ROM content; a repository of approximately 30GB of latest hacking and security tools and more than 1000 minutes of videos demonstrating hacking techniques.
•    Well organized content for a better understanding and learning experience
•    Concepts are well-illustrated to create self-explanatory slides.
•    Diagrammatic representation of concepts and attacks
•    Industry standard key tools are featured in detail and other tools are presented as a list for students to try
•    Exclusive section for countermeasures against different attacks with detailed explanation of how to implement these countermeasures in real time environment
•    The new version has complete section dedicated for penetration testing. It illustrates how to implement learned concepts to test network system security
•    A result oriented, descriptive and analytical lab manual; the labs showcased in the courseware are tested against latest Operating Systems with all the patches and hot fixes applied

SO THE OVERALL VIEW OF CEH V7 TRAINING FEATURES ARE:

Updated Content

CEH v7 contains updated content based on rapidly evolving security challenges and attack techniques.

Organized Content
The well-designed content enhances the learning experience and ensures better understanding of key concepts,
attack types and hacking methodologies.

Classroom Friendly
The well-structured slides create an interactive classroom environment

Rich in Illustration
The slides contain diagrams and illustrations to create better understanding of
hacking concepts and actual attack paths

New Hacks
CEH v7 provides insights on new hacking techniques, exploits, vulnerabilities, viruses, Trojan and organized
cybercrime.

Hacking Tools
CEH v7 showcases thousands of Hacking tools including password crackers, spyware, live Trojans and viruses.

Security Tools
CEH v7 offers a detailed description of industry-standard security tools and technologies.

Countermeasures
CEH v7 has an exclusive section, which provides detailed explanation of countermeasures to be adopted against
different types of attacks.

Visual Appeal
Eye-catching graphics complement the content and enhance the learning experience.

Penetration Testing
CEH v7 has an exclusive section for Penetration Testing. The section demonstrates how to conduct
network pen testing using proven methodologies.

Lab Setup
Lab setup environment includes 5 virtual machines to test different attack scenarios. Lab
setup manual is accompanied with videos to facilitate learning.

DVD-ROM Content
CEH v7 also provides DVDs with a repository of around 15 GB of latest hacking tools, exploits, viruses, Trojans
and security tools.

Expert Instructors
The course is taught by expert instructors and world renowned network security professionals and engineers.

Frankenstein System
CEH v7 comes with state of the art hacking tools repository system. Using the system, students would be able to
download the current and latest hacking tools available on the Internet. You will never be left with outdated tools.

ILabs
Students will be able to access online cloud based ILabs virtual Lab environment. The entire ILabs systems can be
accessed by using a web browser.

Live Hacking
Students will be able to attack live hacking web applications provided by EC-Council. Students will have realistic
attack experience.

Web Applications
CEH v7 focuses heavily on evolving security threats involving web applications such as SQL
Injections, Cross-site Scripting, Xpath attacks, web services vulnerabilities.

Mobile Phones
Detailed coverage on mobile application threats such as Android, I-Pods, I-Pads
and tablet computers.

Lab exercises
The lab exercises covered in CEH v7 are contributed by leading experts in the security industry. The labs focus on real
and practical examples close to an enterprise network environment

Exams
CEH v7 exams follow ANSI compliance and the exam items are created and vetted by the leading psychometricians
in the industry

Career Track & Roles

  • Network Administrator
  • Systems Administrator
  • Systems Engineer
  • Systems Architect
  • Network Security Specialist

Follow On Courses

  • ECSA
  • Wireless Security
  • Computer Forensics

What is a Certified Ethical Hacker?  

The Ethical Hacker is a security specialist who conducts in-depth tests to penetrate networks and computer systems
on behalf of an organization. The objective is to facilitate organizations in ascertaining the vulnerabilities and
security flaws before their exploitation by hackers. Ethical hackers mimic the approach adopted by hackers with
minimum disruption in services. The extent of the tests depends on the contract between the ethical hacker and the
organization.

The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor neutral perspective. The Certified Ethical Hacker certification enhances the skill sets of security administrators,
network administrators, security auditors and other IT professionals. Certified Ethical hackers are skilled in
identifying the threat vectors in the IT infrastructure and use their expertise in strengthening the defenses against
security threats. 

About Secure Ninja  

Secure Ninja Training is the DC Area's #1 Expert IT Training Center. We are conveniently located in beautiful Historic Old Town Alexandria, VA enhancing your training experience and featuring:

  • Metro Accessibility - Short walk from Metro Blue/Yellow Line (leave the car behind)
  • 4 minute Drive to Ronald Reagan Washington National Airport
  • Available Parking
  • World class restaurants and shops at your footsteps
  • Closest Expert IT & IT Security Training Center to Fort Belvoir, Bolling AFB, Fort Myer, Department of Homeland Security, US Department of Navy, US Coast Guard, Fort McNair, Washington Navy Yard and the Pentagon

 Why Choose Secure Ninja for your Washington DC Expert IT Training?  

  • Superior Expert Instructors
  • Highest Industry Pass Rates
  • Small Class - No classroom overcrowding means more attention to you
  • Choose from Day, Evening & Weekend Classroom-Based or Live Online Classes to meet your busy schedule
  • Accelerated Boot Camps Save You Time And Money
  • Personal 1-1 Mentoring
  • Easy Financing/ Payment Plans Available!
  • Veterans Benefits & GI Bill Approved – Welcome Military
  • WIA (Workforce Investment Act) Approved
  • Paid Internships & Job Referrals!
  • Meet Your DoD 8570-1 Certification Needs. Get Compliant!
  • Secure Ninja is the ONLY Testing Center that offers ALL 5 industry standard test vendors in the DC / Baltimore Metropolitan Area. (Prometric, VUE, Kryterion-Online, Certiport and Impact-Testing)
  • Lowest Prices! We are locally based keeping our overhead low so we can pass the savings along to you
  • DC is our Home. Most training centers set up shop in hotels or rented centers. When you have a need, request or encounter a problem they are not there to answer. Our physical location in Alexandria is open 7 days a week and our staff is always there to help.


You can see the CEH V7 Marketing brochure at:

http://secureninja.com/uploads/Secure-Ninja-CEHv7-Complete.pdf

 

Reserve your seat at:

http://secureninja.com/course/23/CEH-v7-Certified-Ethical-Hacker/

"



No more of the same BAD security
Posted by boss on Tuesday, 18 January 2011 @ 23:36:21 EST (2258 reads)
Topic OSSTMM

cdupuis writes "

Hi,

I saw that HashDays posted my slides from the event.

"No More of the Same Bad Security: Why the OSSTMM 3 is Threatening Modern Security Practices"

It covers Patching, Defense in Width, OSSTMM 3, and Security Testing among other things. From the event blurb:

"Modern security has become just a dance-off between jargon and products. Enterprises are doing what they're being told by compliance requirements, books, and blogs and it's not working or it's not scaling. The problem is we are being taught to build defenses like consumers and it fails us again and again. Then most of us learn too late however that it's failed because the verification methods and security metrics provided are biased or indirect and therefore point out unmanageable and imaginary cause/effect relationships. That's why ISECOM took a different direction with the OSSTMM 3. This short seminar will explain how and why the OSSTMM 3 is nothing like security that you know. There's no Risk analysis, no threat analysis, no patching, and no security awareness yet it works efficiently and economically. The operational security metrics and trust metrics you will see in action are realistic and allow for immediate and accurate defensive changes in your tactics and overall strategy. The OSSTMM 3 will challenge what you think you know about security. Be prepared to be amazed."

Here's the slides:

https://www.hashdays.ch/assets/files/slides/herzog_no_more_of_the_same_bad_security.pdf

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

"



Making Security Suck Less
Posted by boss on Friday, 17 December 2010 @ 11:40:47 EST (1096 reads)
Topic OSSTMM

cdupuis writes "

Hi,

"Now not everything about the old security model is bad. Personally, I really like the Zen feel of it. It's like raking the fine, white, beach sand into those concentric lines and around rocks and dead fish and stuff. It's very Zen. Then as the tide rises, the wind blows, and Frisbees get badly thrown you have to do it all over again in a very Zen way like this: Install. Harden. Configure. Patch. Scan. Patch again. Update. Re-configure. Scan. Patch again. Uninstall. Re-install. Configure. And then you do it all over again! With so much Zen practice it's hard not to become a Master of the security repeat cycle. But you know what else is Zen? NOT doing that. It's less stressful to maintain an existing balance between operations, limitations, and controls than running around and putting out fires."

This is from my new article called "Making Security Suck Less", which you can read finished at:

https://www.infosecisland.com/blogview/10304-Making-Security-Suck-Less.html

There's some more, new articles reviewing the OSSTMM and the new security model at InfoSec Island here:

https://www.infosecisland.com/osstmm.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

"



NEW OSSTMM 3 AVAILABLE NOW -- GET YOUR COPY
Posted by boss on Tuesday, 14 December 2010 @ 21:24:55 EST (1653 reads)
Topic OSSTMM

cdupuis writes "

*NEW OSSTMM 3 AVAILABLE NOW*
A handbook version will be available soon.

DOWNLOAD:

OSSTMM 3

The Open Source Security Testing Methodology Manual 3.0 covering security testing, security analysis, operational security metrics, trust analysis, operational trust metrics, and the tactics required to define and build the best possible security over Physical, Data Network, Wireless, Telecommunications, and Human channels.

 

OSSTMM 3.2 Draft

The road to OSSTMM 4 has begun and Platinum and Gold members get exclusive access to the latest tests, updates, and graphics in this current, latest draft.
 

OSSTMM 3.1 Draft

The first Beta on the way to OSSTMM 4 provides updates, fixes, and changes in advance before being released and presented to the public.

"



The Möbius Defense, the end of Defense in Depth
Posted by boss on Thursday, 18 June 2009 @ 16:59:29 EDT (1585 reads)
Topic OSSTMM

cdupuis writes "

Hi,

Our new partner in the Netherlands, Lab106 (aka Outpost24), invited me out to present some of our research at the Amsterdam Black Hats event.

I focused the main presentation on Anti-Guerrilla Warfare tactics, why defense in depth doesn't work, and the new Möbius Defense along with graphics the NEW attack visualization technology we are now using.

The presentation is now available here but unfortunately there is no video of me giving the talk which might be more enlightening. However, I did do a radio/podcast interview with the company Madison Gurkha who runs the event there so as soon as that's available you can hear me defend it.

http://www.isecom.org/events/The_Mobius_Defense.pdf

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

"



OSSTMM V3.0 Introduction Video
Posted by boss on Thursday, 28 February 2008 @ 10:48:38 EST (6670 reads)
Topic OSSTMM

cdupuis writes " NOTE FROM CLEMENT: This is one video that you have to watch. Pete is presenting his latest version of the OSSTMM and as usual he's presenting a clear view of what people perceive security is but the truth is sometimes surprising. Do watch the video and I am sure you will learn a lot and it might even change the way you look at security in the future. Here is the announcement:

Hi,

A video walk-through and explanation of the new security testing methodology, OSSTMM 3, which I did recently has been created by Dreamlab (www.dreamlab.net).

The video covers a walk-through of the most important factors of OSSTMM 3 and a little bit about aluminum foil hats. So if you are interested in the new methodology, completely re-written and re-structured from the ground up, check out the video.

The full OSSTMM 3 will still be released publicly and for free as soon as we can get it out but all development has completed for this version and only editing of the document is left. We hope to make this the easiest and most beneficial OSSTMM to use for everyone. We want a manual professionals can use but also to give to their clients as something very readable and informative.

You can see the video and download the presentation, "The Vision of the OSSTMM" at:

http://www.dreamlab.net/news/review-osstmm-evening-talk-with-pete-herzog

Or the following links:

For all that missed out on the event Dreamlab provides you with the keynote slides and video as well as further downloadable information concerning the new RAV:

Stream



Also, ISECOM is looking for training partners and trainers.

Anyone interested in being a training partner should contact us because we have the next Train the Trainer class coming up March 31st - April 2nd in Barcelona where it's sunny and warm ;)

Trainers are taught the newest ISECOM research and even the terrible truth about security (you can see the video for details about that).

Let us know if you have any questions.

Sincerely,

-pete.
--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

"



The OSSTMM 2.2 has been released
Posted by boss on Monday, 18 December 2006 @ 22:49:56 EST (1745 reads)
Topic OSSTMM

Anonymous writes "NOTE FROM CLEMENT:
An unexpected gift came in from ISECOM: Version 2.2 of the OSSTMM has been released. This new version has been greatly expanded and is a prelude to Version 3.0 that is soon to be released

HERE IS THE ANNOUNCEMENT:

The OSSTMM 2.2 (Open Source Security Testing Methodology Manual) is the latest release for auditors, penetration testers, ethical hackers, and the like.

With OSSTMM 3.0 still in peer review and undergoing many edits for clarity, ISECOM decided to update the current 2.11 with the reviewed research to make immediate and necessary improvements to the current security testing standard.

The improvements are based on new research like Error Types committed during tests and Test Types which breaks down black box, white box, and gray box tests into 6 categories.

The biggest addition however is the security metrics which allow for a realistic calculation of security operations. The manual is also much cleaner to make it more presentable for those who like to present it to their executive management or even their customers.

Get your copy at: http://www.isecom.org/osstmm/ (look at the bottom of page)
"



Patching is Flawed
Posted by boss on Tuesday, 30 May 2006 @ 08:47:07 EDT (1819 reads)
Topic OSSTMM

NOTE FROM CLEMENT:

Here is an extract from the ISECOM mailing list (see info at bottom of this message). My friend Pete Herzog discusses the process of patching and some of the misconceptions attached to it. I invite you to read the great article from Mary Ann at the URL below as well. Patching is just another item in the recipe and not the ONE item that makes your system secure.

http://news.com.com/Oracle+exec+hits+out+at+patch+mentality/2100-7355_3-6077349.html?tag=nl

HERE ARE PETE'S COMMENTS:

Mary Ann is a person that I have crossed paths with a few times at 2 degrees of separation. We have talked on the phone once but I can't really remember much of the conversation. I just know she was interested in collaborating with ISECOM. Anyway, she had a talk regarding patching. You can read about it there. And yes, it's exactly what we've been saying for years. Patching does not work! It's something you do to enhance security not be security. Think of it like enhancing functionality or speed of a product. A patch should improve something but the underlying effectiveness of security should be there already. And if it works, don't fix it! This is another misconception that patches MUST be installed in a timely manner. Not true! There are many other controls that can be taken and should be taken above patching for the sake of confidentiality, availability, trust, and integrity (CATI). (Yes the joke is that we are better off if only we can assure the "CATIness" of a process.)

Since we can't expect the software we buy to be functionally secure from the get go, we need to address it as if it will never be. Once we do that, we can ignore patching altogether except when it provides enhancements that improve efficiency or save money.

-pete.

Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org




ISESTORM 2006 is just around the corner -- See you there
Posted by boss on Wednesday, 08 March 2006 @ 09:18:11 EST (1590 reads)
Topic OSSTMM

cdupuis writes "Hi,

Well, ISESTORM is just around the corner! April 1-8!

If you have time for sec training then this is the one to hit! It's a little different than what you're used to seeing because this is about applying the knowledge that these security certifications promote. Knowing how to apply knowledge is a sharp business weapon that nobody can take from you. ISESTORM is probably the best money you can spend on security training. It's OPSA, OPST, BS7799/ISO27001, and CISSP interwoven with industry speakers and other security regulations and methodologies like ISM3, HIPAA, SOX, and more.

See details at: http://www.isestorm.org

Other events:

I will be in London doing the keynote at the International Conference on Global e-Security, 20-22 April 2006. I will also most likely be joining our training partner, IRM PLC for a seminar thereafter. I'd be happy to see any of you while there so please talk to either organization about the details.

No word back yet from Linuxtag but I will hopefully be speaking there on the start of May on our new Open Trusted Computing project as part of the OpenTC consortium.

We are looking to host some Hacker Highschool seminars and meetings in the Oregon area as a preliminary. I'd like to know if there are any teachers interested in working out the details to get this going in their schools as a way of working together through the red tape. It's so important that students get science skills that foster creativity, critical thinking, skepticism, and attention to details not to mention learning to protect themselves online. That's why we want to work with some teachers to learn from them as to what works best to help you get this into the classrooms. If you know any Oregon teachers or can reach some please forward them this mail.

Sincerely,

-pete.

Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
http://www.isestorm.org

"



Beat the Feb 15th deadline - Register for ISESTORM now
Posted by boss on Monday, 30 January 2006 @ 13:27:11 EST (1777 reads)
Topic OSSTMM

cdupuis writes "Hi,

Anyone interested in the very unique and very powerful security training at ISESTORM will want to sign up before Feb. 15th. and enter to win either the Shon Harris CISSP® Solution - worth $1200US or the Shon Harris' CISSP® Video Seminar - worth $600US to enhance their learning from the event.

Shon has been great about donating these two solutions for us to give away. As you may know, Shon is an icon in the field of security and very well known for her CISSP preparation guides and training.

Regardless of which areas of security you are already certified in, the global application of knowledge from the CISSP CBK, BS 7799 / ISO 27001 Lead Auditor, and the OPSA/OPST level of knowledge from the OSSTMM within a small time footprint is a big opportunity that happens only once per year.

ISESTORM attendees are international and come from government, banking, defense, large corporations, independent consultants, and small business owners. They comprise many fields like auditors, analysts, developers, and CIOs. They are extremely happy with their attendance.

And most of all, you'll be taking part in the ISECOM experience!

http://www.isestorm.org

Register today or at least before the 15th! You will not regret it!

Sincerely,
-pete.
"



ISESTORM 2006 a must attend security conference
Posted by boss on Wednesday, 04 January 2006 @ 20:23:41 EST (1672 reads)
Topic OSSTMM

Anonymous writes "NOTE FROM CLEMENT:
Isestorm is a conference you do not want to miss. It is organized by ISECOM, the organization that maintains and produces the OSSTMM and other leading security efforts to help the community.

It is always a fantastic training event where you can get world class training while networking with other security professionals. I will be taking part again this year and will deliver the whole CISSP training. I sincerely hope to see you there. It is the best value you can get for your money and Barcelona is a great city to visit as well :-).

Do visit http://www.isecom.org/isestorm/ for all the details.

APRIL 1 TO 8, 2006 - BARCELONA

The third ISESTORM training will be held in Barcelona at La Salle-URL University. ISESTORM is the premium security training lab for ISECOM.

  • 6 days of global, concentrated, and thorough security training,
  • 3 industry certification exams plus preparation training for the CISSP,
    • OPSA
    • BS 7799/ ISO 27000 – Auditor
    • OPST
  • Industry-respected trainers and speakers with subject matter expertise to present practical knowledge and real-world experiences,
  • A perfect learning environment in a modern, spacious class room in the university's new building,
  • All-inclusive: breakfast, a healthy and complete lunch, and a full-day of in-between-meal snacks and beverages.
  • All attendees will receive a study package with various books and materials to complement the course.
  • Register before February 15th and enter the drawing where one lucky person will win The Shon Harris CISSP® Solution and the runner up will win the Shon Harris' CISSP® Video Seminar sponsored by Logical Security.

Within those 6 days you will work interactively among other professionals to learn and practice for the CISSP exam, the OPSA exam, and the BS 7799/ ISO 27000 – Auditor exam. You may even find time to enjoy the beautiful city of Barcelona, an international, cultural center point for Europe.

The CISSP exam is NOT offered at the conference; students can take the exam on their own at their preferred location.


"



New Methodology on Compromise Detection being developed
Posted by boss on Tuesday, 13 September 2005 @ 23:58:08 EDT (1795 reads)
Topic OSSTMM

Hi,


We have just begun a new project - the Open Methodology for Compromise Detection - and we're looking for volunteers to help.


Joanna Rutkowska will be managing the project which focuses on a methodology for uncovering malware and rootkits on Windows systems to set a standard both for those who need to investigate and clean systems as well as developers creating tools to assist or automate this process.

Check out more about the project and the outline at http://www.isecom.org/projects/omcd.shtml.

Then volunteers can contact us at omcd[at]isecom.org to get involved in addressing this.


Those interested in covering other OSes, let us know.


Sincerely,


-pete.

--

Pete Herzog - Managing Director - pete@isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org




The OSSTMM 3.0 FROM ISECOM
Posted by cdupuis on Saturday, 30 July 2005 @ 01:00:00 EDT (1961 reads)
Topic OSSTMM

Hi,

Well, the work has been going into 3.0 and I wanted to let you know the status with this mini-FAQ:

1. Why is the OSSTMM 3.0 taking so long?

In a word: research. Every little thing needs to be researched and verified. The introduction of the metrics to 3.0 meant a complete re-write of the manual. Now the metrics are stable and operational but for every change previously, it had ripple effects through the entire manual. Mix that in with multiple new legislations, technologies, and the improved techniques we improve in ISECOM labs and you have a LOT of work. We will change the submission and editing process for sure with the next version as this has been too much work for our team to maintain.

2. Will OSSTMM 3.0 be really that much better/different than the publicly available 2.1?

Yes. But a very big Yes. The metrics alone make a huge difference.

RAVs have been completely re-developed so they make sense and work correctly and without bias. The biggest improvements will mean consistent operations monitoring for compliance and gap analysis as well as the ability to pre-determine security changes with the introduction of new people, servers, services, to the scope for everything from making sure you're putting in the right security solution to justifying costs.

3. Why are current OPST and OPSA trainings labeled as OSSTMM 3.0?

We update the training materials and the trainers to be prepared for OSSTMM 3.0 as we make significant updates towards new releases. The 3.0 release has been fundamentally researched and verified for nearly a year and those fundamentals become course material and techniques. Regular re-trainings are held for trainers in Barcelona so, for example, attending the July 25th OPSA at Las Vegas at Blackhat or the Aug. 1st OPST in the UK will have the latest OSSTMM info available (3.0 RC 6). If you haven't had a chance to take either the OPST or OPSA, learning why and how a structured test methodology can improve your efficiency and effectiveness as a tester, analyst, and organization. See http://www.isecom.org/schedule.shtml for more info.

4. Where can I get more info on 3.0?

This list of course, the ISECOM Discussion list, either the OPST or OPSA classes and any of our OSSTMM trainers or by subscribing to the gold and silver teams. I hate to get all PBS on you people but it's resources that keep these projects like the OSSTMM going and the classes you take, the certifications, the subscriptions, all help to keep this an open, independent non-profit. We will remain open and never have our projects sponsored by government or commercial entities. Free public access to our projects and if you include the service# that's getting a lot for your money.

5. When will 3.0 be released?

I know we have estimated this wrong often but I am shooting for this month. You can help us get there.

Sincerely,

-pete.

Pete Herzog - Managing Director - pete@isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org

-------------------------------------------------------------------

ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.




OPSA training for the FBI and government folks
Posted by cdupuis on Tuesday, 05 July 2005 @ 21:45:40 EDT (1484 reads)
Topic OSSTMM

Hi,

The free OPSA training provided by Robert Lee and Jack Louis of Dyad to the FBI and other government folks went over huge- really well- and the attendees really dug it! It's the kind of thing where you learn things you didn't know you still haven't learned and better yet, it applies to your job and your life.

If you weren't one of the lucky 25 in attendance, and have a chance to go to Blackhat, you can catch the same class there:

http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-dyad.html

It's also another reason to go to Blackhat.

You may also be interested in taking the weekend primer which will also be quite enlightening for those who want a deeper knowledge impact (by the same guys):

http://www.blackhat.com/html/bh-usa-05/train-bh-usa-05-dyad-uh.html

Sincerely,

-pete.

Pete Herzog - Managing Director - pete@isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org




Free OPSA training for US Government employee
Posted by cdupuis on Wednesday, 22 June 2005 @ 13:09:56 EDT (1390 reads)
Topic OSSTMM

NOTE FROM CLEMENT:
This class was filled within a few hours of being announced. Hopefully this type of FREE event will repeat itself in the future.

Hi,

OPSA Training - Washington D.C., June 29-30 Hosted on site, so must be a government employee or contractor and must have security clearance to attend. And it's free.

In light of the problems that various U.S. Government departments are having with security, an OSSTMM Professional Security Analyst in-depth training class has been sponsored for government employees and contractors for next week. It is the same intensive OPSA held at Blackhat Las Vegas, held by the same training instructors, and just as heavy on the info.

It's an eye-opener for anyone working in the IT field. And it's free.
Registration ends this Friday. The OPSA exam will be offered at the end of the class for those who choose to take it (at standard price).

Seating is VERY limited. Please contact info'at'isecom.org for registration details.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete'at'isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.





All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or its maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.

