Black Hat USA 2007 Briefings and Training
Caesars Palace, Las Vegas • July 28-29 (Weekend) & July 30-31 (Weekday)

Databases contain your company’s most sensitive information that you don’t want falling into the wrong hands…

Overview:
Computer networks are built to support business functionality and beyond communication the result of business is data. The data important to your business is your company’s digital assets—it needs organiziation, maintainenance and above all protection from malicious attackers. The modern corporate enterprise contains database solutions used to take care of data such as client credit card numbers, customer names and addresses—even the entire employee pay roll. Ensuring that this data can’t get into the hands of unauthorized employees, your competitors or punk kids trading card numbers on IRC means that you need to recognize and secure it from this threat. The evolution of security training has shown us that the most effective way to learn about security is by learning from the people that know how to attack your systems. By understanding the threat from the attacker’s perspective, you can develop effective assessment methodologies and ultimately secure what really matters from ever increasing threats.

NGSSoftware (http://www.ngssoftware.com) is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants, database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks.  By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.

Who should take this course:
Internal security teams, database administrators and security consultants concerned with the insecurity of database systems, the exposure they have to network and data compromises, and assessment techniques used to close security holes. 

In addition to course / delegate introduction and safety brief requirements, the course is split into 10 sections over a two days period:

• Fundamental database concepts
• Popular industry database solutions
• Database integration into business solutions
• Building a database assessment toolkit
• Database enumeration: unauthenticated
• Database enumeration: authenticated
• Identifying database vulnerabilities
• Exploiting flaws to gain control
• Developing your assessment methodology
• Database assessment flag challenge

Upon completing this course, delegates should be able to understand:

• The fundamental concepts behind database systems
• Key components within a database deployment
• The integration of databases into business solutions
• The process of thorough database assessment, including tools and methodologies
• Techniques used by hackers to exploit database flaws and vulnerabilities
• Practical assessment / attack vector considerations, through hands-on experience

Advanced Database Security Assessment has been jammed full of assessment techniques from world-renowned database experts! NGS's own researchers David Litchfield, Chris Anley, John Heasman and Bill Grindlay have joined the course authors to provide content for this BlackHat training session. These four database experts are soon to release an authoritative text: The Database Hackers Handbook and have collaborated once again to ensure the NGS Black Hat training is the best security tuition available. SQL Injection and database security guru Chris Anley has personally developed lab exercises to further push the boundaries of database security training... Seats are limited so don't miss out!

Kev Dunn
(UK CHECK Team Leader) Senior Security Consultant, NGSSoftware

Kev is a Senior Consultant for NGSSoftware, responsible for conducting penetration testing and security assessments of customer networks across many different operating environments. Providing consultancy advice for a wide selection of high profile clients has ensured detailed exposure, and assessment of database and network architectures common place within the world’s financial and technology industries. His specialist knowledge combined with hands-on consultancy experience of backend database systems and network infrastructure has lead to him being invited to design, author and present a comprehensive list of training courses for NGS.

Before joining NGS, Kev worked as a Network Vulnerability Analyst for the British Ministry of Defence, securing Military IT infrastructures and providing advice to protect government digital assets. During this time he developed in-house network security training programs that are still in use today, for the education of personnel and to raise the overall level of awareness for network security practices.