Cornicen Vol 1-1


The SANS Technology Institute Newsletter

Transcript of Cornicen Vol 1-1

Page 1: Cornicen Vol 1-1

THE STI CORNICEN
Volume I / Issue I • December 2014

Welcome to the inaugural edition of The STI Cornicen! Why “Cornicen?” In the Roman military every element of the military played a key part in the overall effectiveness of the military endeavor. The Cornicen was the soldier who was responsible for signaling the rest of the legion using a horn. A Roman General recognized the important role of clear communication for his men to reach their objective. In a similar way this periodical will seek to act as a communication tool for the SANS Technology Institute. Not only will it provide a mechanism to communicate happenings within the college, but it will also seek to provide useful information, reviews, interviews and an open communication forum between the faculty, staff and student body. Welcome!

Upcoming STI Dates

December 13: CDI Graduation
December 15/16: Live NetWars Event
December 25: Cornicen Forum Deadline
December 31: MSISE/M 5000 submission deadline for early January grading
January 15: MSISE/M 5000 submission deadline for late January grading
January 25: Cornicen Forum Deadline

Allow me to take a few minutes to introduce our first edition of The STI Cornicen. I’ve always believed that communication in all of its civil forms, including and especially criticism, is absolutely integral to the success of any endeavor. This is especially true when the activities require the collaborative efforts of ever-larger groups of people who are as geographically dispersed as the students, faculty, and staff of the SANS Technology Institute. Without frequent and informative communications, students engaged in what is largely a self-driven, “at a distance” learning process may feel disconnected or even isolated.

This monthly newsletter is just one of several tools we’ll be using to improve communications by and between students, faculty, and staff. In future issues, we’ll describe some of the other mechanisms we’re putting in place to facilitate communications and community, including the hiring of a primary Student Manager to serve as your primary point of contact. We’ll also be including some potentially useful content just for you. Please send us any other suggestions you may have! - David Hoelzer, Editor

Do You Python?

Mark Baggett, one of SANS’ Certified Instructors, is also an STI Graduate! You may have seen or heard him speaking about Python from time to time. In fact, if you’re an MSISE candidate or pursuing a Penetration Testing Certificate, you may find the Kung-Fu that he teaches to be extraordinarily practical!

Especially for people who enter the information security profession from non-technical backgrounds, programming of any kind can seem to be a daunting proposition. Much of the trepidation, however, can be quickly overcome by learning just a few of the basics. While there are various types of scripting taught in other courses within the curriculum (Bash, Batch, PowerShell, etc.), Python really is an excellent language to consider learning for penetration testers. Not only are many open source reconnaissance and attack tools written in this language, but many directly support Python as a part of an official “extensions” or “plugins” architecture. (Burp Suite, for example)

One of the best ways to combat the myth that programming (or more specifically, scripting) is hard is to have a problem that you need to solve and to be determined to write a script to do it. The reason that most people run into trouble is that they, instead, try to pick up a book on a language (Python, for example) and try to read it to learn how to use the language. This is much the same as picking up a dictionary and reading it in an effort to learn how to speak a language. Anyone who has spent time learning languages will tell you that the best way to learn a

Page 2: Cornicen Vol 1-1

spoken language is to learn a few words and phrases and then go and try to speak the language! You may get things wrong, people may laugh, but that’s fine!

The same is true when trying to master a computer language. Don’t worry about being fluent. Learn enough words to get you started and then start tinkering! Don’t worry, the computer will absolutely let you know if you’re not speaking the language correctly!

If you’ve never written a script before, take a minute and key in the following short script into a file on a Linux or Mac computer. Of course, you could use Windows too, but that would require you to go and download Python and get it installed... Way too much work for something so short, right? Before you run the script below, look it over and see if you can puzzle out what the script will do:

Hopefully you can already see the point of our “Spoken Languages” illustration. Even though you likely don’t know what half of the commands actually do, you are likely able to figure out that this will connect to a specified host on a specified port and attempt to grab the banner from that host! Let’s give it a try and see what happens with some sample systems. First, port 80:

Instantly we retrieve the exact server and build of the remote web server (in addition to discovering that the port is open)! Of course, we could do this in other ways (Netcat, NMap, etc.), but by creating a simple script of our own we can begin to build all kinds of other intelligence into our script.

From Cellos to Rootkits... An interview with Sally Vandeven

Each month a staff writer interviews one of our current or past students in an effort to both provide useful perspective for other students and useful feedback for faculty. It’s our hope that this also serves to introduce you to some of your fellow students along the way!

This month we sat down (virtually) with Sally Vandeven. In addition to being an accomplished Cellist and a faculty member at Washtenaw Community College, Sally is soon to be one of the newest MSISE graduates.

STI: So, Sally, please tell us a little bit about yourself. How did you find STI and what did you expect to be the benefits of a Master’s degree from the SANS Technology Institute?

Sally: Several years back I was working happily as a data security analyst. My boss offered to send me to a training class of my choice. Based on a colleague’s recommendation I attended my first SANS course and loved the content and hands-on approach.

When I heard about the STI program I got pretty excited because I enjoy being a student and all that comes with it like research, assignments and exams. I got a late start in the field of security so I felt that the MSISE degree would accelerate the “catch up” process for me. It definitely helped me get up to speed faster, but at the same time it taught me how much there still is to learn. In my opinion, that is what makes security both challenging and interesting; attempting to stay current and the effort it requires.

I also hoped that the STI program would help me expand my network of security professionals beyond our little group of four at work. In that regard, it was wildly successful. I have made many, many contacts and appreciate the benefits of networking, collaboration and information sharing.

STI: What was it that made you feel that an accredited credential would bring value for you?

Sally: The program was seeking accreditation but was not yet accredited when I was accepted. Honestly, I was not concerned with that. My primary motivation for enrolling was to learn as much as I could and I knew that my expenses would not be reimbursed by my employer, regardless of accreditation status. I believed in the quality of SANS instruction

Page 3: Cornicen Vol 1-1

For example, imagine that there is a new flaw involving SSH. Using our existing code we can easily target port 22 as follows:

Rather than printing out the banner, how hard would it be for us to examine that banner and see if it contains “OpenSSH_6.6.1p1”? How difficult would it be to create a byte payload based on a CVE or BugTraq notice and send it to the SSH server to see if we’re vulnerable? Even better, how hard would it be to add just a handful of lines to this very script that would allow us to scan our entire network to see if we have any hosts currently exposed to this vulnerability?
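The script printed in the newsletter did not survive in this transcript. As an added example (not Mark Baggett's script or SANS course code), here is one way to grab a banner and flag hosts in your own inventory whose banner contains the version string named above. The names `grab_banner`, `audit` and `start_fake_service` are hypothetical, and the two loopback listeners and their banners are constructed so the example runs offline.

```python
import socket
import threading

def grab_banner(host, port, timeout=3.0, probe=None):
    """Return the first data the service sends (stripped text), or None."""
    # SSH servers speak first. HTTP servers wait for a request, so for
    # port 80 pass a probe such as b"HEAD / HTTP/1.0\r\n\r\n".
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if probe:
                sock.sendall(probe)
            data = sock.recv(1024)  # one read is enough for a short banner
    except OSError:  # refused, unreachable or timed out
        return None
    return data.decode("ascii", errors="replace").strip() or None

def audit(targets, needle):
    """Map each (host, port) to (banner, flagged); flagged = needle in banner."""
    results = {}
    for host, port in targets:
        banner = grab_banner(host, port)
        results[(host, port)] = (banner, banner is not None and needle in banner)
    return results

def start_fake_service(banner):
    """Constructed stand-in for a real host: loopback listener sending `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed banners; on a real network this list is your own host inventory.
    targets = [
        ("127.0.0.1", start_fake_service(b"SSH-2.0-OpenSSH_6.6.1p1\r\n")),
        ("127.0.0.1", start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")),
    ]
    for (host, port), (banner, flagged) in audit(targets, "OpenSSH_6.6.1p1").items():
        print(f"{host}:{port} {banner!r} {'REVIEW' if flagged else 'ok'}")
```

A banner match is a lead for follow-up rather than proof of exposure, since banners can be edited and distributions backport fixes without changing the version string.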

Obviously, there’s no way that we can teach you how to write a script in just a handful of words in a newsletter. Mark’s class, however, can and will teach you to do all of these things and more. While the class is really designed to focus on Novice through Intermediate Python people, don’t worry that you’ll be bored if you already have the basics down. One of the most outstanding features of the class is an amazing interactive workshop/competition/challenge known as “PyWars” that will really put even experienced Python coders to the test!

and that is what mattered most to me so I forged ahead.

STI: I know that you’re someone who looks for opportunities to learn stuff; I think you actually sought out additional learning experiences at SANS/STI beyond what was required for your degree, is that right?

Sally: Yes, I took a few extra SANS courses in areas that I felt I needed to improve. I looked for volunteer opportunities within SANS to do technical reviews of course and lab materials. I have had the opportunity to act as a TA a couple of times and have truly valued the experience. Outside of SANS I have looked for opportunities to present security topics to local groups because IMHO one of the best ways to learn a topic is to teach it.

STI: What sorts of “extra-curricular” learning activities really stand out for you and how did they enrich your experience?

Sally: Shortly after starting the STI program, I began teaching an introductory computer security course at our local community college. Teaching students about TCP/IP and being prepared to answer ALL their questions about the protocols and common attacks was incredibly helpful with preparation for the GSE exam (the capstone exam for the MSISE program -Ed.). In the process of creating labs for the students I was gaining an even greater in-depth knowledge of the concepts.

STI: Finally, we’re really interested to hear how your view of Infosec in general, any specific disciplines that you plan to operate in or your own role and goals have been clarified or changed as a result of your experience at STI. Any thoughts?

Sally: Over the past couple of years it has become very apparent to me that computer security has become an incredibly broad field. I don’t think it is possible for one person to be a true expert in all areas of security. So in order to provide comprehensive security in an organization, the specialized security practitioners will have to work together to be successful. This means communication – a skill at which we geeks do not always excel. The importance of collaboration cannot be overstated. I believe it is essential to invest the time and money to cross-train and to share ideas and threat intel within an organization and ideally across organizations in order to make any progress in our fight against the attackers.

Information Security Training in New Orleans, Louisiana

SANS is looking forward to an exciting kickoff of 2015 with SANS Security East 2015 in the "Big Easy" in January. Start the year off right by choosing from outstanding, cutting-edge courses presented by our top-rated instructors. Now is the time to improve your information security skills and laissez les bons temps rouler!

The site of SANS Security East 2015, January 16 - 21, 2015, is the Hilton New Orleans Riverside, located at the base of Canal and Poydras Streets, four blocks away from the French Quarter.

Page 4: Cornicen Vol 1-1

STI is very proud to announce that there were 23 new Master’s Candidates admitted to the school since September! Please join us in welcoming them to our ranks!

Glenn Aydel - Automation Security Engineer
Francois Begin - Senior Security Consultant
Wesley Earnest - IT Compliance Officer
Alexander Fry - VP Software Security Assurance
Kenton Groombridge - Systems/Network Engineer
Ronald Hamann - Consultant
Thomas Heffron - Security Analyst
Blaine Hein - Senior Systems Engineer
Jim Hendrick - Sr. IT Security Project Manager
Michael Horkan - Project Engineer
William Knaffl - Information Security Engineer
David Martin - Law Enforcement Officer
Marsha Miller - Cyber Systems Engineer
Patrick Neise - Penetration Tester
Jason Popp - Information Security Group Manager
Stephen Reese - Information Security Engineer
Muzamil Riffat - IT Audit Manager
Gabriel Sanchez - IT Supervisor
Jason Simsay - Principal Security Engineer
Babu Srinivas - Information Security & DR Manager
Austin Taylor - Computer Scientist
Kevin Varpness - Government
Stefan Winkel - Principal Security Program Manager

SANS Technology Institute Staff

Academics

Alan Paller - President
Dr. Toby Gouker - Chief Academic Officer
Dr. Eric Cole - MSISE Program Director
Dr. James Vorhees - MSISM Program Director
Stephen Northcutt - Academic Advising
Dr. Johannes Ullrich - Dean of Research
David Hoelzer - Dean of Faculty

Operations

Shelley Moore - Enrollment Management / Communications
Jeff Lesch - Student Manager / Assistant Registrar
Matthew Scott - Veteran’s Activities / Quality
Diane Sardi - Registrar
William Lockhart - Executive Director