What to bring:
Basic networking knowledge is required and a familiarization with database concepts would be beneficial. Experience or knowledge of specific database solutions is desirable, though not essential in order to complete the course satisfactorily.
Participants are requested to bring their own laptops installed with a either Microsoft® Windows® 2000 or Windows XP, fully patched.
This class provides an VMware attack image for students to use - although VMware workstation is *not* required, students are urged to have at least 512MB of RAM for best performances
Databases contain your company’s most sensitive information that you don’t want falling into the wrong hands…
Computer networks are built to support business functionality and beyond communication the result of business is data. The data important to your business is your company’s digital assetsit needs organiziation, maintainenance and above all protection from malicious attackers. The modern corporate enterprise contains database solutions used to take care of data such as client credit card numbers, customer names and addresseseven the entire employee pay roll. Ensuring that this data can’t get into the hands of unauthorized employees, your competitors or punk kids trading card numbers on IRC means that you need to recognize and secure it from this threat. The evolution of security training has shown us that the most effective way to learn about security is by learning from the people that know how to attack your systems. By understanding the threat from the attacker’s perspective, you can develop effective assessment methodologies and ultimately secure what really matters from ever increasing threats.
NGSSoftware (http://www.ngssoftware.com) is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants, database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks. By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.
Who should take this course:
Internal security teams, database administrators and security consultants concerned with the insecurity of database systems, the exposure they have to network and data compromises, and assessment techniques used to close security holes.
In addition to course / delegate introduction and safety brief requirements, the course is split into 10 sections over a two days period:
- Fundamental database concepts
- Popular industry database solutions
- Database integration into business solutions
- Building a database assessment toolkit
- Database enumeration: unauthenticated
- Database enumeration: authenticated
- Identifying database vulnerabilities
- Exploiting flaws to gain control
- Developing your assessment methodology
- Database assessment flag challenge
Upon completing this course, delegates should be able to understand:
- The fundamental concepts behind database systems
- Key components within a database deployment
- The integration of databases into business solutions
- The process of thorough database assessment, including tools and methodologies
- Techniques used by hackers to exploit database flaws and vulnerabilities
- Practical assessment / attack vector considerations, through hands-on experience
Advanced Database Security Assessment has been jammed full of assessment techniques from world-renowned database experts! NGS's own researchers David Litchfield, Chris Anley, John Heasman and Bill Grindlay have joined the course authors to provide content for this BlackHat training session. These four database experts are soon to release an authoritative text: The Database Hackers Handbook and have collaborated once again to ensure the NGS Black Hat training is the best security tuition available. SQL Injection and database security guru Chris Anley has personally developed lab exercises to further push the boundaries of database security training... Seats are limited so don't miss out!
(UK CHECK Team Leader) Senior Security Consultant, NGS Software
Kev is a Senior Consultant for NGSSoftware, responsible for conducting penetration testing and security assessments of customer networks across many different operating environments. Providing consultancy advice for a wide selection of high profile clients has ensured detailed exposure, and assessment of database and network architectures common place within the world’s financial and technology industries. His specialist knowledge combined with hands-on consultancy experience of backend database systems and network infrastructure has lead to him being invited to design, author and present a comprehensive list of training courses for NGS.
Before joining NGS, Kev worked as a Network Vulnerability Analyst for the British Ministry of Defence, securing Military IT infrastructures and providing advice to protect government digital assets. During this time he developed in-house network security training programs that are still in use today, for the education of personnel and to raise the overall level of awareness for network security practices.
(UK CHECK Team Leader), Principal Consultant, NGS Software
Marcus Pinto is a Principal Consultant for NGS Software. Marcus originally studied mathematical modeling and holds an MPhys in Experimental and Theoretical Physics from Cambridge University. Current and prior working experience has lead to over 5 years’ experience in a variety of customer architectures, largely centered around web applications and 2-tier information systems. This experience has been gained in diverse areas such as British National Critical Infrastructure, high street banks and large software houses, many of whom have the most demanding security requirements of any company. The role at NGS has included research projects into specific products, including Sybase ASA Anywhere, and has lead to a hands-on background in penetrating and securing most of the large database systems found on networks in differing real-world environments.
Prior to NGS, Marcus worked as a security advisor for a 30-man team responsible for assessing and securing Military networks for the British Ministry of Defence. This included running an internal training program and assessing personnel within the team, as well as an overall responsibility for providing knowledge transfer. Ultimately, team members were passed through a penetration “assault course” to ensure team members had reached the necessary ability to lead assessments on Government networks.