|| Date: 18-12-09 || Back to index ||
|| Tag: write-up ||

SANS SEC575 Review

I've recently had the pleasure to attend SANS SEC575 course on mobile security.

Contenders

The only contender I know of for this sort of training is MASPT. I have not dabbled into it but a couple of reviews I read did not speak too horribly of it.

Overview

SANS SEC575 is a zero-to-hero course on mobile security. There isn't really a good way to put "mobile security" as it's own category, so the course basically gives a deep-dive to the following categories under the perspective of mobile security:

Structure & Take-Aways

The good thing about this structure is that there is something for everyone. We had a couple of folks in the class that were mobile developers for a big mobile company in South East Asia. Their take from the course wasn't too much in regards to wireless technologies, but they did get a tremendous help in proper secure coding standards when they started reversing the lab mobile apps.

My work revolves mostly around reversing mobile malware and penetration testing mobile devices, which made my take of the course the biggest, I believe. It's been around two months since I finished the course and I can say that I've applied more parts of the course than expected.

Prerequisites

The official course page will tell you that SEC560 (SANS flagship pentesting course) and SEC504 (SANS intro course) are prerequisites to this class. I've worked as a Software Engineer most of my career, which also included some mobile development on both major platforms, so I did have a leg-up in the class. Most of the other folks, however, either had pentesting experience or zero knowledge at all and they did score amazingly-well in the CTF.

I think this course really does not assume any prerequisite knowledge. Also, the lab environment, which I'll talk about in depth in a bit, does not assume too much previous knowledge. That being said, ANY security course or book you'll ever read would at least require the following, just to keep up with the speed of the class with minimal headaches:

Worst case scenario: All the lab walkthroughs are provided at the beginning of the class in written form and the labs themselves are uploaded on a shared Google Drive folder, so you can do them again at the end of the course.

Instructor

I had the pleasure to be taught by a Mr. Christopher Crowly (@CCrowMontance). It's hard to give justice to how professional the class was conducted and mentored. Mr. Crowly was presenting the topics as if they were personal anecdotes while following a very strict curriculum, the complicated subjects most practioners dread regarding wireless protocols and reversing binaries were straigtened-out with practical real-life examples, and no question was left unanswered. I truly admire Mr. Crowley for his professionalism and seniority. It is inspiring to see a truly passionate individual.

The course material was actually written by a Mr. Joshua Wright (@joswr1ght). Mr. Wright is well-known for authoring SEC575 course and "Hacking Wireless Exposed". I think Mr. Wright did a good job in categorizing a complicated topic such as Mobile Security, which involves many facets of security, into a cohesive structure that can be taught and labeled easily.

Lab Environment

The labs were hosted on a private network in the hotel room where the class took place. The students can either connect through wired or wireless connections. The labs did glitch a couple of times but the experience was tolerable.

My only criticism here is that some of the labs could only be run through that private network and could not be reproduced when I was studying for the GMOB exam after the course has ended. In the contrary, SANS FOR610 had all the labs in a virtualized environment that could be run with VMWare Workstation (or VirtualBox). For the record, I only recall 3-4 labs that had this issue, where the rest were provided at the shared Google Drive directory.

Another criticism was that there were no labs regarding iOS application reversing or penetration testing since that would require a jailbroken iOS device and a MacOS machine for every student. There were quite a bit of practical examples and useful snippets of the iOS pentesting tools in the classes and there were even multiple jailbroken iOS devices provided by Mr. Crowley for students to use. However, I would've appreciated it if there were some MacOS instances (maybe using OSX-KVM or maccos-virtualbox-vm) running in the private network. I do have to mention here that my criticism could be ill-placed since Mr. Crowley did mention that they explored possibilities of setting up a MacOS instance and it was not easy.

Course Content

I'll provide some bullet-points to how each day was structured

Day 1: Device Architectures

Day 2: Application Analysis

Day 3: Reverse Engineering

Day 4 & 5: Penetration Testing & Wireless Technologies

Day 6: Capture The Flag (CTF)

Basically, a series of time-constrained labs where each team (4-5 students) competes to solve as many challenges as possible.

Conclusion & GMOB

Overall I was very pleased with the course content of SEC 575. I definitely am better equipped to handle mobile device deployments and evaluate the security of the applications than I was going into the class. SANS also deserves some credit for being the only people with a good course dedicated to the topic. I'm very grateful to have taken this course and I truly appreciate the time and effort that Mr. Crowley and Mr. Wright have put into this course. You can recognize quality work when you see it.

As for GMOB, I recently took the GMOB examination and received my certification with a score of 92%. Yay! ΓΈ/