Tag Archives: security training

Review of the pentesting course at cybrary.it

Cybrary.it provides free online training courses in a number of fields, security among them. I have just been through the Penetration Testing and Ethical Hacking course and I thought I would write a few notes on it.

The course is taught by Leo Dreiger, who seems pretty knowledgeable. It includes 19 modules, some of which have more content than others. The sessions I most enjoyed were the whiteboard sessions, where Leo talks through the specific subject. He does this quite well and offers some good advice along the way.

As for the particular tool demonstrations, I do not find them as interesting, especially the ones that highlight vulnerabilities in Windows 2000 Advanced Server. I can understand the concept of demo environments, but Windows 2000 seems a bit too outdated to be of interest. Also, modules like Denial of Service seem to me a little out of scope. I would find it very odd if I were to perform a denial of service attack as part of a pentesting assignment. Knowing about denial of service is good, but running LOIC in a demo is perhaps not what I expected to find in a course about penetration testing.

There are two tools that to me are the bread and butter of penetration testing, those being Metasploit and SET. Neither of these tools is demonstrated in this course. They seem to be featured in other courses on Cybrary.it, but I found it a bit disappointing nevertheless.

I guess it really boils down to what you expect to see in any course. For me there were both pros and cons, but that is how it usually is with any form of training.

Overall though, the course is free, as are all courses on Cybrary.it, so I would still recommend that anyone visit their site and see for themselves. I think the idea behind Cybrary.it, providing free IT training, is great and benefits all. So, I will stick around and check out other courses, and I suggest you give it a try if you feel you need some training yourself.

How is your security awareness training?

You read about new threats every day. New malware is being discovered, new exploits are being developed and your security is constantly under attack. Sometimes it does seem futile, but there is one key factor to consider in whether you are going to stay safe or not. That key factor is your users, as they can be your best friend or your worst enemy from a security perspective.

As attacks become more and more advanced, your technical security solutions will not be able to keep up. Hackers are almost always at least one, and probably a few, steps ahead of you, no matter how hard you try to stay current. So, by showing your users how to stay safe, you can probably shift the outcome of the battle a bit. This is because a lot of the attacks today involve user interaction; they need the user to do something. Whether it is clicking a link or plugging in a USB stick they found in the parking lot, their action might make all the difference. If your users see a stranger lurking around, do they care or not? Do they care if a person tailgates? Do they know not to assume that all emails come with good intentions? Do they pick up that USB stick and plug it in or not? Do they act without thinking because they trust all that security technology that you, as the security administrator, have implemented? If they do, then you have missed something, namely training your users to remain vigilant.

It does not really matter what kind of company or organization you work for, security awareness training is important. The only problem is that most security awareness training I have witnessed is plain stupid and misleading, even trying to strike a bit of fear into users if they do something wrong. The last bit really annoyed me, as you need your users to trust you, not fear you. It is OK to do something wrong, but I want them to come forward with it. Then you have a chance to correct it; otherwise you are in the dark.

Security awareness training is something that I think should be taught live, not using e-learning where users simply read a slide and answer a question, then another slide and another question. It does not provide the kind of feedback that a live meeting with an ongoing discussion can provide. Also, when listening to and interacting with a person, one can really see users' reactions to different statements and discussed topics. Provide examples and perhaps demonstrate a hacking tool or two just to let them see how it is done in the real world. In my opinion, nothing beats a live show, and I think we can all agree that security awareness is very much needed, so why not aim to make security awareness training an awesome event. I know I intend to.