“What really is the point of trying to teach anything to anybody?” This question seemed to provoke a murmur of sympathetic approval from up and down the table. Richard continued, “What I mean is that if you really want to understand something, the best way is to try and explain it to someone else. That forces you to sort it out in your mind. And the more slow and dim-witted your pupil, the more you have to break things down into more and more simple ideas. And that’s really the essence of programming. By the time you’ve sorted out a complicated idea into little steps that even a stupid machine can deal with, you’ve learned something about it yourself.”
– Douglas Adams
I just passed my GIAC Certified Incident Handler (GCIH) exam.
Thanks for that intro, Ed Skoudis. It is the new year; a proper time to reflect on the past and think about the future. Now that I can take a moment to breathe, I have been doing just that. Follow me as we take the wayback machine to my early experience with SANS certification.
When SANS first began their certification program, they offered those of us in the course (SEC-504: Hacker Techniques, Exploits and Incident Handling) the opportunity to take the certification exam for free, provided we could stay on the last day of class. I will tell you, it was the hardest SANS exam I ever took. Anyone who has ever attended a SANS track knows that you get a great deal of information in those six days. I remember attending a course prior to SEC-504, taught by Eric Cole. Ed sat next to me. At that time, I did not know who Ed was. Prior to class, he seemed like a nice guy. What struck me was how obsessed he was with the time the instructor was spending on various slides. He was beginning to freak me out a bit. Later I was to learn that Ed and Eric taught that same course, and would help each other out with the pace and timing of the material.
At the end of the SEC-504 course, I was pretty much fried. SANS did not tell us about the exam nor make the offer until the final day. There was only the lunch break to prepare. I would rather take a closed-book exam that I had time to prepare for than an open-book exam with no preparation. While I did pass, I did not do so with flying colors. My work at that time was focused on Unix and I struggled with the Windows questions. Back then, the courses required a practical. Fortunately for me, Code Red hit the scene and swept through computers across the nation, including a few at my site. With knowledge from SANS, my organization had begun an incident response team. My paper dealt with how we handled the incident. The paper was well received, I passed my certification, and I was allowed to volunteer as a grader for GCIH papers. For those thinking, “Great, you got to volunteer to do more work,” well, grading is a great way to continue to learn.
I always liked the idea of a practical, but I totally understood when the requirement was dropped. The amount of grief those papers caused was amazing. The specifications were all stated up front, but people would change font size, increase margins, etc. to meet minimum page requirements. Basically, the kind of stuff which, I’ll confess, I did in grammar school. Folks would plagiarize to an amazingly obvious degree. Every way to cheat, people did. When SANS would call them on it, these folks would argue and cause all sorts of grief. It was truly amazing for people who were supposed to be security professionals. I never understood why those folks took the certification, other than their company requiring it of them.
After I first became certified as a GIAC Certified Incident Handler, management had me meet a couple of the top brass who were visiting the site. They told these gentlemen about how I had just been certified. The gentlemen asked me, “So you like to hack?” I explained how, in order to defend against attacks, one needs to know the methods that will be deployed in circumventing the site’s defenses. They listened, nodding their heads, and then asked me, “So when you and your friends get together, do you all hack together?” Sigh. As they walked away, I heard one of the men say, “That guy is a real hacker.” Maybe it was the can of Mountain Dew I was drinking that gave him that impression. More likely, for some folks, when they hear the word “hack” certain images take root in their heads.
Time passed, my assignment changed along with work responsibilities, and I was under new management that was not as supportive of security training. I allowed my security certifications (GCIH and GCUX) to expire. Instead I focused on obtaining certifications in ITIL and COBIT. As a side note, the material from ISACA is actually very interesting and I regularly pull information down from their site. For example, ISACA just released an interesting document, “COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1.” The IT Skeptic has done some very humorous postings, “ITIL is the hitchhiker’s guide, COBIT is the encyclopaedia” and “itSMF and ISACA: like chalk and cheese.” Any time someone can work the Hitchhiker’s Guide into a post, they are going to get points with me. Now back to our regular programming. The point of all this is that while it is good to be technically proficient, at some point you need to interact with people in other areas of the business. Being able to talk their language becomes of paramount importance. The concerns of your CEO are not that much different from those of the CSO. The major difference is, if the CSO cannot communicate with the CEO, it is the CSO who loses out and ends up not getting the funding, support, etc. to do his job effectively.
The bottom line is that for a while I did not pursue SANS training. About fifteen months ago, I decided I wanted to focus back on security training. While I might disagree with my management’s priorities, it was time to accept that my management was not going to change their way of business. So, I had to take action on what I knew was right for my own professional growth. Fortunately, SANS offers the volunteer program. Through it I have been able to pursue training on my own dime. I focused on training that would help track the threats an organization has to deal with. I started by taking AUD-507: Auditing Networks, Perimeters & Systems. The idea being that at the front end, an organization needs to implement and continuously audit a site’s network, perimeters, and systems. A year ago tomorrow, I passed the exam and became certified as a GIAC Systems Network Auditor (GSNA). I then moved on to dealing with what needs to be done when an attacker manages to penetrate a site and gets access to systems. I took the SEC-508: System Forensics, Investigation & Response course. About five months ago, I took the exam and became a GIAC Certified Forensics Analyst (GCFA). Finally, I came back and took SEC-504: Hacker Techniques, Exploits and Incident Handling. I saw this course as completing the arc.
For folks thinking about taking SEC-504: Hacker Techniques, Exploits and Incident Handling, I wanted to point out Ed’s and Tom Liston’s book, “Counter Hack Reloaded, 2nd edition.” You don’t need it for the class; the SANS course material will cover the topics. Still, the book does deal with much of the information that will be discussed in class. It is a good way to come prepared. Plus, how many times do you get to be taught by one of the authors? Take advantage of it. And as an added bonus, the book is fun to read. I know it sounds like an odd statement, but Tom and Ed have done a great job with the book.
I also wanted to point out that Ed Skoudis will be teaching a new track, “SEC 560: Network Penetration Testing and Ethical Hacking.” This will lead to a GCEH certification. There are not many details right now, but the course looks very interesting.
Passing the exam has left me in a strange mood. I feel I have come full circle. Dan Fogelberg’s “Full Circle” keeps playing in the background. For those unfamiliar with the song, here are a few words:
Funny how the circle turns around
First you’re up and then you’re down again
Though the circle takes what it may give
Each time around it makes it live again
As the circle turns around, SANS changes the certification exam once more to being proctored. Again I agree with SANS. It is good that SANS will be meeting the ISO 17024 standard. A small organization that you may have heard of, the Department of Defense (DoD), is really pushing its personnel and contractors to obtain information assurance (IA) certifications through organizations that are ISO 17024 registered. The DoD Directive 8570.1, “provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance functions in assigned duty positions. It also provides guidance on reporting metrics.”
I find myself wondering, what is my next objective? I simply do not know. DoD offers great opportunities and they are attempting to address cyber security threats. Currently, here are the DoD Approved Baseline Certifications:
| IAT Level I | IAT Level II | IAT Level III |
|---|---|---|
| A+, Network+, SSCP | GSEC, Security+, SCNP, SSCP | CISA, CISSP®, GSE, SCNA |

| IAM Level I | IAM Level II | IAM Level III |
|---|---|---|
| GISF, GSLC, Security+ | GSLC, CISM, CISSP® | GSLC, CISM, CISSP® |
IAT stands for Information Assurance Technical, while IAM stands for Information Assurance Management. SANS provides the following tables aligning SANS courses with “DoD Approved Certifications”:
| Technical Level | Certification Name | SANS Course # |
|---|---|---|
| IAT Level II | Security+ | SEC401 (CompTIA Approved) |
| IAT Level II | GSEC – GIAC Security Essentials Certification | SEC401 |
| IAT Level III | CISSP® – Certified Info. Systems Security Professional | MGT414 |
| IAT Level III | CISA – Certified Information Systems Auditor | AUD423 |
| IAT Level III | GSE – GIAC Security Expert | SEC401 (GSEC), SEC503 (GCIA) & SEC504 (GCIH) |

| Management Level | Certification Name | SANS Course # |
|---|---|---|
| IAM Level I | Security+ | SEC401 (CompTIA Approved) |
| IAM Level I | GSLC – GIAC Security Leadership Certificate | MGT512 |
| IAM Level I | GISF – GIAC Information Security Fundamentals | SEC309 |
| IAM Level II | GSLC – GIAC Security Leadership Certificate | MGT512 |
| IAM Level II | CISSP® – Certified Info. Systems Security Professional | MGT414 |
| IAM Level III | GSLC – GIAC Security Leadership Certificate | MGT512 |
| IAM Level III | CISSP® – Certified Info. Systems Security Professional | MGT414 |
I never pursued a GIAC Security Essentials Certification (GSEC). SEC-401: SANS Security Essentials Bootcamp is a very important class covering all areas of security. The course covers a huge amount of material; a very broad coverage of the security field. Still, if you have been working in security for years, you have probably been exposed to much of the material. Taking SEC-401 seems a bit like going back for an undergraduate degree when you have already obtained a master’s degree.
When I was pursuing my master’s degree, I switched schools after the director of the graduate division where I worked was let go for misappropriation of funds. It was interesting helping the New Jersey Attorney General investigators try to pull information from the computer systems. In the end, I ended up with a low opinion of the school. I transferred to the University of Utah computer science department and changed my area of focus from artificial intelligence to computer graphics. Between my undergraduate and graduate course work, I ended up taking operating system design three times. It is not fun repeating material.
With limited time and budget, most folks prefer to take the more focused SANS courses. The GIAC Security Expert (GSE) takes things to the other extreme. There are very few people who are certified GSEs, and not many folks pursue the certification each year. To quote from the GIAC site:
Before a person can attempt the GSE, they must successfully complete three GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two. In addition, you must demonstrate a minimum level of performance and undergo a personal interview to qualify. We recommend that your average score on previous GIAC certifications be at least 85% or higher before even attempting the GSE.
Becoming a GSE entails a lot of work. Unfortunately, if you work on the technical side, GSEC and GSE are the only two DoD-recognized SANS certifications. When considering the DoD Approved Baseline Certifications chart, the CISSP certification holds key positions on both the technical and managerial side. Many would conclude that pursuing CISSP certification would be of highest benefit. For filling requirements with DoD, I would agree. When it comes to preparing you to carry out deep technical security operations, I think there are better training options. That is not to slam anyone who is a certified information systems security professional. Like the GSEC, it takes a great deal of work covering such a broad amount of information. My point is that the amount of work to obtain the certifications within DoD 8570 is not even. Maybe that is just the nature of trying to standardize. I do understand DoD 8570 is just a baseline, but it is more than that. It is a requirement. The work required compared to the knowledge obtained while pursuing certifications favors certain certifications. Hopefully, SANS can get better representation now that they are going to be compliant with the ISO 17024 standard.
In the meantime, I am going to spend some time relaxing and hoping that as this circle turns, “each time around there’s something new again.” Maybe I can finally read some of those books on my bookshelf. On a personal note, my thoughts and prayers go out to the family and fans of Dan Fogelberg, whose battle with cancer ended on December 16. His positive influence on so many lives is incalculable. He will be missed.