Hacking By Numbers: PCI Edition is a new addition to the HBN series. This is a practical, technical course aimed at beginner penetration testers, that teaches method-based hacker thinking, skills and techniques, specifically focusing on the approach and priorities for penetration testing required by the PCI DSS standard.
Overview
The PCI Data Security Standard (DSS) has had a huge impact on the information security industry. One effect that it has had is to make annual penetration testing mandatory in some segments, and thereby spawn a whole new class of off-the-shelf penetration testers.
SensePost has a wealth of experience performing penetration tests and teaching people how to conduct security assessments. SensePost has also undergone PCI QSA training and certification, as well as the PCI ASV certification process, and has conducted assessments and penetration tests for organizations aiming to comply with the PCI DSS.
This experience has given SensePost the insight needed to teach assessors the technical aspects of penetration testing for the purpose of PCI certification. The training is set within the confines of the approach and priorities of the PCI DSS standard.
The HBN PCI Edition course will initially cover the pertinent theory about the PCI DSS itself and where and how penetration testing fits in. This will set the context for the introduction to penetration testing.
At SensePost we believe that hacking is a way of thinking, and that this way of thinking can be taught. Combined with the correct tools and technical trade-craft, hacking becomes a predictable science. The next phase of the training focuses on teaching this technical, method-based approach to hacking into networks and systems over the Internet.
Finally, students will spend some time on understanding the critical difference between a 'compliant' penetration test and a 'real-world' attack, focused on the actual compromise of cardholder information.
Students are provided with fully-configured laptop computers that are used, stage by stage, to complete the different technical exercises.
The course runs for two days during which the SensePost trainers will walk you, step-by-step, through understanding the role of different types of penetration testing in the overall PCI compliance process. We'll start by identifying the target systems, teach you how to breach the target perimeter, and demonstrate how to extend these attacks in order to completely compromise the Internet-facing or internal systems protecting cardholder data.
Prerequisites
SensePost will provide fully configured laptop computers as well as CDs with all of the tools and materials used in the course. Students need to ensure they have the necessary level of skill.
No hacking experience is required for this course, but a solid technical grounding is an absolute must. Students are expected to have a solid practical grasp of computer operating systems, networks, web-based applications and databases.
Students without the requisite level of skill are encouraged to attend SensePost's HBN Cadet Edition, which can be taken back-to-back with PCI Edition.
Context
This course is specifically aimed at assisting beginner penetration testers in understanding how to assess networks and systems according to the requirements and priorities of the PCI DSS. Please note that there is approximately a 60%-70% overlap in content with SensePost's HBN Bootcamp course.
Who should attend?
Information security officers, system and network administrators, security consultants, QSAs, card services risk managers and other nice people will all benefit from the valuable insights provided by this class.
Course Length
Two days
Haroon Meer is currently SensePost's director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke camels.
Charl van der Walt is a founding member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years' experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.
Pricing
Super Early (ends Mar 15): $2300
Early (ends May 1): $2400
Regular: $2600
Late: $2800
Onsite: $3100
Black Hat USA 2009
July 25-30
Caesars Palace
Las Vegas, NV
Training July 25-28
Briefings July 29-30