SANS Instructors: Author Statements

SANS Instructors:
Ed Skoudis"Successful penetration testers don't just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in-depth, and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects." - Ed Skoudis

SEC504: Hacker Techniques, Exploits & Incident Handling

Ed Skoudis"My favorite part of teaching Hacker Techniques, Exploits, and Incident Handling is watching students when they finally get it. It's usually a two-stage process. First, students begin to realize how truly malicious some of these attacks are. Some students have a very visceral reaction, occasionally shouting out Oh, shoot! when they see what the bad guys are really up to. But if I stopped the process at that point, I'd be doing a disservice. The second stage is even more fun. Later in the class, students gradually realize that, even though the attacks are really nasty, they can prevent, detect, and respond to them. Using the knowledge they gain in this track, they know they'll be ready when a bad guy launches an attack against their systems. And being ready to thwart the bad guys is what its all about." - Ed Skoudis

SEC542: Web App Penetration Testing and Ethical Hacking

Kevin Johnson"Testing the security of Web applications is not as simple as just knowing what SQL injection and cross-site scripting mean. Successful testers understand that methodical, thorough testing is the best means of finding the vulnerabilities within the applications. This requires a deep understanding of how Web applications work and what attack vectors are available. This course provides that understanding by examining the various parts of a Web application penetration. When teaching the class, I especially enjoy the use of real-world exercises and the in-depth exploration of Web penetration testing." - Kevin Johnson

SEC560: Network Penetration Testing and Ethical Hacking

Ed Skoudis"Successful penetration testers don't just throw a bunch of hacks against an organization and regurgitate the output of their tools. Instead, they need to understand how these tools work in-depth, and conduct their test in a careful, professional manner. This course explains the inner workings of numerous tools and their use in effective network penetration testing and ethical hacking projects. When teaching the class, I particularly enjoy the numerous hands-on exercises culminated with a final pen-testing extravaganza lab." - Ed Skoudis

SEC561: Intense Hands-on Pen Testing Skill Development

Joshua Wright"In creating this course, we focused on getting as much practical, hands-on skill building into the classroom as possible. Each day begins with a short briefing on the technical topics students will work on throughout the day. Then, students build their skills analyzing real-world target systems in the classroom. When students walk out of the class, they'll have mastered over 100 new techniques for finding, exploiting, and then fixing security flaws. Just as aircraft pilots needs more "stick" time learning how to fly, this course provides penetration testers and other security professionals real-world hands-on experience they need to excel in their work." - Joshua Wright

SEC573: Python for Penetration Testers

Mark Baggett"Today basic scripting skills are essential to professionals in all aspects of information security. Understanding how to develop your own applications means you can automate tasks and do more, with fewer resources, in less time. As penetration testers, knowing how to use canned information security tools is a basic skill that you must have. Knowing how to build your own tools when the tools someone else wrote fail is what seperates the great penetration testers from the good. This course is designed for security professionals who have some basic scripting skills and want to learn how to apply them to the field of penetration testing. The course will cover the essential skills that are needed to develop applications that interact with networks, websites, databases, and file systems so you can take your career to the next level. We will cover these essential skills as we build practical applications that you can immediately put into use in your penetration tests." - Mark Baggett

SEC760: Advanced Exploit Development for Penetration Testers

Stephen Sims"As a perpetual student of information security, I am excited to offer this course on advanced Exploit Writing for Penetration Testers. Exploit development is a hot topic as of late and will continue to grow moving forward. With all of the modern exploit mitigation controls offered by operating systems such as Windows 7 and 8, the number of experts with the skills to produce working exploits is highly limited. More and more companies are hiring to fill experts with the ability to aid in a Secure-SDLC process, perform threat modeling, determine if vulnerabilities are exploitable, and perform security research. This course was written to help you get into these highly sought after positions and to teach you cutting edge tricks to thoroughly evaluate a target, providing you with the skills to improve your exploit development. Contact me at stephen@deadlisting.com if you have any questions about the course!"- Stephen Sims

SEC580: Metasploit Kung Fu for Enterprise Pen Testing

John StrandEd Skoudis"Metasploit is the most popular free exploitation tool available today. It is in widespread use by penetration testers, vulnerability assessment personnel, and auditors. However, most of its users rely on only about 10 percent of its functionality, not realizing the immensely useful, but often poorly understood, features that Metasploit offers. This course will enable students to master the 10 percent they currently rely on (applying it in a more comprehensive and safe manner), while unlocking the other 90 percent of features they can then apply to make their tests more effective. By attending the course, they will learn how to make a free tool achieve the power of many much more costly commercial tools." - Ed Skoudis & John Strand

SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses

Joshua Wright

"It's been amazing to watch the progression of wireless technology over the past several years. WiFi has grown in maturity and offers strong authentication and encryption options to protect networks, and many organizations have migrated to this technology. At the same time, attackers are becoming more sophisticated, and we've seen significant system breaches netting millions of payment cards that start with a wireless exploit. This pattern has me very concerned, as many organizations, even after deploying WPA2 and related technology, remain vulnerable to a number of attacks that expose their systems and internal networks.

"With the tremendous success of WiFi, other wireless protocols have also emerged to satisfy the needs of longer-distance wireless systems (WiMAX), lightweight embedded device connectivity (ZigBee and IEEE 802.15.4), and specialty interference-resilient connectivity (Bluetooth and DECT). Today, it's not enough to be a WiFi expert; you also need to be able to evaluate the threat of other standards-based and proprietary wireless technologies as well.

"In putting this class together, I wanted to help organizations recognize the multi-faceted wireless threat landscape and evaluate their exposure through ethical hacking techniques. Moreover, I wanted my students to learn critical security analysis skills so that, while we focus on evaluating wireless systems, the vulnerabilities and attacks we leverage to exploit these systems can be applied to future technologies as well. In this manner, the skills you build in this class remain valuable for today's wireless technology, tomorrow's technology advancements, and for other complex systems you have to evaluate in the future as well." - Joshua Wright

SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking

Stephen Sims "As a perpetual student of information security, I am excited to offer this course on advanced penetration testing. Often, when conducting an in-depth penetration test, we are faced with situations that require unique or complex solutions to successfully pull off an attack, mimicking the activities of increasingly sophisticated real-world attackers. Without the skills to do so, you may miss a major vulnerability or not properly assess its business impact. Target system personnel are relying on you to tell them whether or not an environment is secured. Attackers are almost always one step ahead and are relying on our nature to become complacent with controls we work so hard to deploy. This course was written to keep you from making mistakes others have made, teach you cutting edge tricks to thoroughly evaluate a target, and provide you with the skills to jump into exploit development. Contact me at stephen@deadlisting.com if you have any questions about the course!" - Stephen Sims