CSO Online | Sep 8, 2016

In the latest episode of Security Sessions, CSO Editor-in-Chief Joan Goodchild talks with Bill Rosenthal, CEO of Logical Operations, about the benefits of tiered security training for IT staff members, not just those with 'security' in their title.

InfoWorld Security

IT projects are most effective when they take into account people, processes, and technology. These three components should be addressed concurrently so the organization can get the maximum benefit from security initiatives when they are rolled out. Unfortunately, while companies tend to address the hardware/software and process aspects, many stop short of the trifecta, viewing employee awareness training as “nice to have” but not necessary.

Especially when budgets are tight, companies choose to educate staff informally if at all. This approach is rarely effective. Organizations often pay the price many times over when a lack of employee security awareness leads to incidents that require time and money to detect, assess, and mitigate.

The reality is that the human element has always been, and will always be, the most challenging aspect of security. Whether staff members intentionally skirt security measures that they feel inhibit productivity or inadvertently take actions that open the digital door to bad actors, people are the proverbial weak link. And cybercriminals know that it is much easier to defeat a person than it is to defeat technology.

Training: The key to winning the cybersecurity battle

In the face of escalating cyberattacks, every company should perform ongoing employee awareness training. To be effective, a program must:

  • Have clearly articulated goals
  • Use well-defined success metrics
  • Have executive support
  • Be developed from an in-depth understanding of employee roles

Internal IT or training staff can perform the training, or companies can utilize the expertise of security consulting services providers. There are some advantages to working with a third party who specializes in security. One is that they have access to the latest information on threats and countermeasures. Another is that doing so leaves internal resources free to focus on projects designed to deliver business outcomes. And finally, bringing in outside resources tends to underscore the importance of the material presented.

The objectives of an employee training program should include:

  • Educating staff on security policies and risks
  • Outlining behaviors that must be established or eliminated
  • Explaining the ramifications (to the company and employees) of failure to follow security protocols

The program should provide education commensurate with an employee’s responsibilities, and should be ongoing. “One and done” training provided when a new security system is first implemented is not effective long-term. Employee awareness training should be broken into segments of 10-15 minutes. This makes it easy to consume and more likely to hold an attendee’s interest. The goal is to keep them wanting more information and seeing security as an ongoing priority.

Following the completion of a new security program rollout and training, periodic social engineering penetration testing can help decision makers determine the efficacy of the training program.

Please hack me

One of the most telling measures of the need for employee training comes in the form of what are called “please hack me” tests. This type of social engineering penetration testing involves someone – typically the security consulting services provider – impersonating a bad actor and sending an email to staff members.

The email contains custom-built malware that is launched if the recipient clicks a link. Not only is a click recorded as a failure to follow security protocols, the malware can capture an image of the recipient’s desktop at that moment to help the company determine if certain conditions (personal web surfing, for example) make employees more susceptible to attacks. The malware can even activate the computer’s web camera to provide more context. All of the information gathered is included in a grading report provided to management.

Other types of tests to probe vulnerabilities can be conducted as well. USB flash drives containing custom malware can be sent to employees or simply left in common areas. Connecting them to a computer produces the same results as the email security test. And in the most personal form of testing, a phone call can be placed to an employee with the caller impersonating a company executive needing assistance in accessing sensitive information.

The results of this type of testing are very eye-opening for most companies. Prior to receiving their score, organizations often feel they have no data that cybercriminals would find valuable, and therefore they believe they are “secure through being obscure.” It only takes one “breach” in a testing scenario to dispel that notion, as they begin to consider what a bad actor could access as a result of their porous security perimeter.

The future of employee awareness security training and testing

There is a clear trend in business toward devoting more resources to security initiatives, and committing to employee education and testing. As a result, new forms of training are being developed to replace the old approach of simply making a slide deck available on the company intranet and asking employees to sign off that they have reviewed it.

Gamification is one recent addition to the security training toolkit. Bringing a competitive aspect to employee education has proven very successful. Companies are also emphasizing to their staff that the lessons learned on the job can help them do a better job of securing their personal information at home. New forms of “please hack me” tests are continually being devised.

Ultimately, companies that are willing to invest in security initiatives that consider people, processes, and technology stand the best chance of staying ahead of cybercriminals.

Help Net Security

Craig Williams, Mike Caudill & Kevin Timm, Cisco Systems

Register Now // july 24 - 27

USA 2010 Weekend Training Session //July 24-25

USA 2010 Weekday Training Session //July 26-27


When testing an intrusion prevention system (IPS), security engineers tend to evaluate speed, accuracy, and ease of use. Although speed and ease of use are important for a security device, customers are paying for protection; thus, the accuracy of the signature base is critical. Because evasion techniques are constantly evolving, it is imperative that IPS devices have the ability to detect both ordinary exploits and their obfuscated cousins.

This hands-on course will cover everything from older, well-understood evasion techniques to newer, cutting-edge ones. We will apply these techniques using penetration testing tools and public proof-of-concept exploit code. The purpose of this course is to learn to test any IPS, not to expose a flaw of a specific vendor. To that end, the actual IPS devices we are testing will not be identified.

Students will learn how to modify attacks to accurately evaluate the detection capability of a device. Emphasis will be placed on determining if a signature is specific to a vulnerability or exploit, as well as its resistance to additional layers of evasions. The course will also cover the intricacies of performance testing and the impact that a heavy load can have on an IPS. Newer technologies such as reputation will be discussed as they apply to detection.

By the end of the course, students will have detailed knowledge of evasion techniques and be able to properly gauge the performance of a device and avoid IPS testing pitfalls. The key factor in successful IPS testing is having properly trained, knowledgeable staff conducting the test. With the ever-present threat to network security, it is imperative to fully understand the level of protection that an IPS device provides and the level of insight required to maximize its capabilities.

Teaching methods:

Lecture, group exercises, and demos.

Student requirements (experience/expertise):

  • Basic IPS experience required with a major IPS platform (Cisco, TippingPoint, ISS, Sourcefire, Enterasys, etc.)
  • Basic shell scripting programming experience is recommended.
  • Basic familiarity with VMware products.
  • Basic regular expression familiarity.
  • Optional: While Ruby/Python/Perl experience is not a prerequisite, students with this background will probably be more comfortable with the material.

What to bring:

A laptop capable of running the VMware Infrastructure Client (i.e., Windows or a Windows VM) or RDP

What we provide:

  • Copy of slides
  • Remote access to 2 VMware Infrastructure servers (hosting attacker and victim VMs) set up on an inline IPS network
  • 3 switches (assuming 3 rows of tables, 1 switch per table)
  • Cisco IPS
  • 30 Ethernet cables
  • Traffic generator capable of DoSing an IPS


Craig Williams is a senior research engineer for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Craig specializes in exploit and malware analysis, reverse engineering, IPS signature design, vulnerability research, attack obfuscation and evasion, and network programming. Since joining Cisco in 2004, Craig has made significant contributions to the IPS signature team including a pending patent involving obfuscated traffic inspection. His current research involves malware, specifically improving the detection and mitigation of botnets.

Mike Caudill is a Program Manager and Incident Manager for Cisco Systems where he is part of the Cisco Security Research & Operations organization. Since joining Cisco in 1998, Mike has worked as an Incident Manager for the Cisco PSIRT where he responded, resolved, and disclosed security vulnerabilities in affected Cisco products. Mike has held leadership roles in both FIRST and ICASI, international organizations whose missions focus on vulnerability and security incident response in order to improve the state of security on the Internet. Mike has a relentless passion to protect customers and Internet users from vulnerabilities and attacks and today is helping to find new ways to detect, identify, mitigate, and respond to those attacks.

Kevin Timm is a security researcher at Cisco Systems where he is part of the Cisco Security Research & Operations organization. Kevin’s current work focuses on the automation of malware analysis using virtualization. Over the past decade, Kevin has authored several security-related white papers and articles and has presented at Cisco Networkers. Prior to joining Cisco in 2004, Kevin held senior roles in the Managed Security and Managed Hosting industries.

Ends Jul 23

Pricing tiers: $2000 / $2200 / $2400 / $2600 / $2900

Black Hat Announcements

Jared DeMott, Crucial Security / Harris Corporation

Register Now // july 24 - 27

USA 2010 Weekend Training Session // SOLD OUT

USA 2010 Weekday Training Session // SOLD OUT


There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: source code auditing, fuzzing, reverse engineering, and exploitation. All these skills and more are covered. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs. Web auditing is covered using WebGoat. Fuzzing is a topic book author DeMott knows well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You’ll enjoy exploiting everything from BSD local programs to Vista browsers using the latest techniques.

Reverse Engineering

Students focus on learning to reverse compiled software written in C and C++, though half-compiled code is mentioned as well. The IDA Pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, and RTTI reconstruction are covered. Students will also use IDA's more advanced features such as FLIRT/FLARE, scripting, and plug-in creation.

Source Code Auditing

Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components of each language. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using the most advanced tools. Spotting and fixing bugs is the focus.

Fuzzing

Fuzzing is a runtime method for weeding out bugs in software, with a growing footprint within security companies and research communities. Techniques from dumb file fuzzing all the way up to intelligent network protocol fuzzing will be covered. Students will write and use various fuzzers to find bugs.

Exploitation

Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach each common bug type including: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and more. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Student requirements:

  • College degree in a computer-related discipline or equivalent work experience
  • Programming (C/C++/asm) and security experience will help, but you will still get a lot out of the course if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You won’t walk away disappointed.
  • If desired, read "Introduction to Application Security":


By the end of this course, you will be able to: research and develop an exploit from scratch by auditing code or fuzzing an application, reverse engineering the issue, and developing an exploit for the vulnerability you discovered. This knowledge will help developers produce better code, and will help security researchers or malware analysts in their daily tasks.

What to bring:

  • Nearly all the work will be done in XP (you provide) and the BSD image (I provide)
      - Vista is not required but is referenced for the final exercise if you have it
      - If you have Vista/7, you’ll be OK for most of the exercises but will have additional pains
  • Cygwin (include: vim, make, gcc, perl, python, netcat, ruby, man pages, ndisasm, and whatever else you like)
  • VMware Workstation/Player for Windows or Fusion for the Mac
  • Visual Studio (Express is fine if you don’t have the full version)
  • WinDbg and Immunity Debugger
  • Used only for Day 1 homework: Firefox (optional plug-ins: Tamper Headers, Firebug, and Live HTTP Headers)

What you will get:

The following will be provided on Course DVD, and will be installed in class:

  • IDA Pro 5.x (I have the 5.5 demo for install on DVD, can also get from
  • Python (from the Sulley installer; pydbg works with 2.4 by default in this installer)
  • Keep at least 1.5 GB of free HD space to install the course materials and FreeBSD VM

Course Material:

The course material will be provided to you at class check-in on day 1, normally as a DVD or thumb drive that you keep along with any printed material. As soon as you receive the course material, extract and test the BSD image. There is a BSD survival guide in the AppSec_A-ZExploitation folder with the user and password (and more). All the material you need to do the BSD labs is already in the image, so you shouldn’t need to transfer any information to the image.

The course material is in 4 directories: SrcAudit, Fuzzing, Reversing, and Exploitation. In each directory you’ll find a wealth of knowledge from documents, tools, labs, and lectures. There’s so much that we won’t go over it all, but we leave further study as bonus material for the student. Harris-marked material cannot be directly reproduced or used for profit, but can be shared with internal co-workers within the organization that sponsored your seat in the course, if credit is noted.

There is a feedback form in the base directory that should be filled out on the final day if the conference does not provide a custom form for feedback. Any other comments can be sent directly to the instructor at [email protected]

Suggested textbooks:

  • Grey Hat Hacking: The Ethical Hacker's Handbook, 2nd Edition. Harris, Harper, Eagle, and Ness
  • Fuzzing for Software Security and Quality Assurance, by Takanen, DeMott, Miller
  • The Art of Software Security Assessment, by Mark Dowd, John McDonald, and Justin Schuh
  • The IDA Pro Book, by Chris Eagle


Jared DeMott is a Principal Security Researcher for the Crucial Security business area at Harris Corporation and PhD candidate at Michigan State University. Crucial provides state-of-the-art technical engineering and security services to the most elite branches of the Federal Government’s law enforcement and intelligence communities, engineering solutions to meet their demanding requirements. Mr. DeMott previously worked for the NSA and currently teaches computer security at university and professionally. He has spoken at security conferences such as Black Hat, Defcon, ToorCon, and Shakacon. This background provides an ideal blend of skills for teaching cutting edge security material, in a fun and instructive manner.

Ends Jul 23

Pricing tiers: $1800 / $2000 / $2200 / $2400 / $2700

Mati Aharoni & Chris Hadnagy, Offensive Security

Register Now // july 24 - 27


This is an intensive, hands-on security class by the creators of BackTrack, especially designed for delivery in Black Hat Trainings. "Pentesting with BackTrack" is designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques using the world-renowned BackTrack 4.

An experienced and seasoned team of security professionals will help you take your skills a few steps further. "Common" hacking techniques are revisited from a professional and practical approach for a better and more efficient pentest. The course is heavily laced with the "do it yourself" approach, and will expose you to the raw underlying mechanisms of the various attack vectors.

We keep our classes small to maximize each student's learning potential. This also gives the instructors the ability to spend more time with each student.

Are you up to the challenge? Are you ready to Try Harder?

Course Topics:

  • Advanced Information Gathering Techniques
  • Data Mining with Maltego
  • DIY ARP Spoofing
  • Fuzzing
  • Windows Buffer Overflows
  • Client Side Attacks
  • Metasploit Kung-Fu
  • Reverse Tunneling Techniques
  • Password Attacks
  • Web Application Attacks
  • Trojans and Various Windows Oddities

Lab Description

This course includes complex hands-on labs throughout the training. All students will be provided with pre-configured VMware machines for the duration of the course for a personal and in-depth learning experience.

Who should attend?

This is a highly technical course aimed at security professionals. People with entry level "hacking" security certifications in need of modern and practical real world penetration testing experience and insights should attend.

Student requirements:

  • Students need to be comfortable in Linux. We'll be using BackTrack during the whole course as our attacking platform. Navigating through directories, executing scripts and tools, and writing basic bash scripts are the basic skills expected from the student.
  • A solid understanding of TCP/IP and various network services (DNS, DHCP, etc)
  • Knowledge of a scripting language (Perl, Python, Ruby) is recommended, but not required.
  • A desire for moderate pain and suffering

What to bring:

Students are required to bring their own laptops with a minimum 1 GB RAM installed.

  • VMware Server or Workstation installed.
  • At least 60 GB HD free
  • Network Support - cables will be provided
  • DVDROM / USB 2.0 support

Course Length:

Four days. All course materials, custom BackTrack CD's, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered.


Mati Aharoni is the core developer of the BackTrack liveCD and an active member in remote‐… Mati is a seasoned security professional with over 10 years of experience as a professional penetration tester. Mati has uncovered several major security flaws and is actively involved in the offensive security arena. In addition, he is the lead trainer and developer of the internationally acclaimed security courses Offensive Security PWB, WiFu, and Cracking The Perimeter.

Chris Hadnagy, aka loganWHD, has been involved with computers and technology for over 13 years. Presently his focus is on the "human" aspect of technology, such as social engineering and physical security. Chris has spent time providing training on many topics and has had many articles published in local, national, and international magazines and online journals. Chris has been training this course with Mati for a few years and is the lead developer of the framework.

Ends Jul 23

Pricing tiers: $3600 / $3800 / $4000 / $4200 / $4500