I am including a video of Dr. Eric Cole, SANS instructor, developer of the course material, and President of Secure Anchor, providing a course description.

While I tend to prefer more technically focused courses, DoD directive 8570.1M convinced me that becoming a CISSP would be useful. Below is a chart showing the certification requirements for 8570.1M.

SANS offers information on SANS courses that align with the 8570 Baseline and with CND & IASAE. If it sounds like I favor SANS a bit, I do. Over the past few years, I have had to work with a very limited security training budget. SANS has offered options allowing me to pick up certification while keeping costs low. I really appreciate that. Plus, SANS instructors are well trained and of the highest caliber. If you are on a budget, two low cost options are available:

• The SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange they can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).
• The Community of Interest in Network Security (COINS) program. If you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

I decided to take the SANS GISP exam first because SANS makes it so much easier to schedule the exam when compared to (ISC)2. The closest CISSP exam was over a 4.5 hour drive away from where I am currently residing. SANS allowed me to take the proctored at a local test center. Unlike the CISSP, SANS exams provide immediate results. For those not familiar with SANS certifications exams, they are given electronically. As you answer the questions, you are told whether you answered correctly.

A word of warning: The GISP is a 5 hours exam. Initially, the local test center stated they were only setup for maximum 3 hour exams. The test center was trying to avoid having to monitor the test takers over lunch. The good news is that SANS can resolve this problem, but you will have to ask them to do so.

Ted Demopoulos, over at SecurITyCerts.org, did one of the better posts, “CISSP versus SANS GISP Certification.” Unlike many writers on this subject, Ted was one of the few who had taken and passed both exams. Otherwise, I encountered people who had taken only one exam and tended to discuss how that exam was superior.

I will hold off offering an opinion as to how the exams compare until after I pass the CISSP. Since I plan on doing DoD work, the fact that the CISSP fulfills the certification requirements for half of the DoD categories makes the certification choice pretty obvious. In the future, SANS may be better represented under DoD directive 8570.1. Generally speaking, security professionals will be aware of SANS and will respect the GIAC certification. People in business and IT, but outside of security, are more likely to know about the CISSP. You will likely find yourself in a position where you need to impress both groups. If you have the option, consider taking both exams.

Please note that if you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

Being very interested, I contacted Steve Peterson, director of mentor programs. Steve explained that COINS is a fairly new program at SANS. To quote Steve:

The goal of COINS is to work with local security organizations to strengthen the security community by offering SANS discounts to chapter members and free content to chapter meetings. COINS typically will run an event at our conferences as well. If you attend a conference, keep an eye out for the COINS event.

I used the COINS program to signed up for the SANS® +S™ Training Program for the CISSP® Certification Exam (Management 414). While I tend to prefer more technically focused courses, the DoD directive 8570 convinced me that having the Certified Information Systems Security Professional (CISSP) certification would be useful. To quote the 8570 FAQ:

DoD Directive 8570.1 provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Information Assurance (IA) workforce. The policy requires Information Assurance technicians, managers, and members of IA specialties to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.

Agencies covered by 8570 include:

• Office of the Secretary of Defense
• Military Departments
• Chairman of the Joint Chiefs of Staff
• Combatant Commands
• Office of the Inspector General of the DoD
• Defense Agencies
• DoD Field Activities
• All other organizational entities in the DoD

Any full or part time military service member, contractor, or local nationals with privileged access to a DoD information system performing information assurance functions — regardless of job or occupational series is affected by 8570. For fiscal year 2008, the goal was to fill a total of 70 percent of the Information Assurance positions with certified personnel.

The tables below describe the DoD Approved Baseline Certifications, according to DoD 8570.01-M. This includes requirements for Information Assurance Technical (IAT), IA Management (IAM), IA System Architect and Engineers (IASAE), and Computer Network Defense-Service Providers (CND-SP). All must be be fully trained and certified to baseline requirements to perform their IA duties.

IAT workforce members consists of anyone with privileged information system access performing IA functions. IAT Level certifications are cumulative. Higher level certifications qualify for lower level requirements. Certifications listed in Level II or III cells can be used to qualify for Level I. However, Level I certifications cannot be used for Level II or III unless the certification is also listed in the Level II or III cell.

IAM personnel are responsible for secure implementation and operation of a DoD information system (IS). IAMs perform IS security management functions for DoD operational systems. Management certifications corresponding to the position level do not cascade down. Each position requires the individual to meet one of the specific certifications associated with that Management Level. An IAM I must obtain one of certifications shown in the IAM I box, such as the GISF. The IAM I should not take the CISSP unless already qualified in one of the certifications listed in the IAM I box (e.g., GISF).

The CND-SP personnel are members of “Accredited” CND-SP teams performing the functions listed.

IASAE personnel perform system design functions, such as requirements gathering.

In the above table, I put CISSP in bold, along with a few other certifications I currently possess, as an example of how a few certifications can help cover requirements for many of the DoD Information Assurance positions. With the CISSP certification, IAT Level I, II and II are covered along with IASAE I and II. It is easy enough to pick up one of the IAM Level I certification, depending on that you are managing, and the CISSP will cover you for IAM Level II and III.

Now if you are not directly affected by 8570, why should you care? There are a large number of military service member, contractor, and local nationals with privileged access to DoD information systems. These folks are performing information assurance functions and DoD 8570 will eventually require them to have various security certifications. At some point, there is a good chance that these certified individuals are going to be competing with you for a job. Management often does not know how to tell the difference between candidates. Obtaining these certifications will help level the playing field so you can get past human resources, obtain management approval, and have the opportunity to impress the security folks. Of course, obtaining training and taking certification exams can get expensive. Thankfully there are programs like the SANS Work Study and COINS program providing great options for those with financially disadvantaged training budgets.

The Center for Education and Research in Information Assurance and Security (CERIAS)

CERIAS provides a very informative area for finding information on security. The information can ranges from purely technical issues (e.g., intrusion detection, network security, etc) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them. The research available on the site is centered on eight subject areas:

• Risk Management, Policies, and Laws
• Trusted Social and Human Interactions
• Security Awareness, Education, and Training
• Assurable Software and Architectures
• Enclave and Network Security
• Incident Detection, Response, and Investigation
• Identification, Authentication, and Privacy
• Cryptology and Rights Management

The site offers news, blogs, papers, and podcasts. Of particular interest to me are the podcasts, because mostly they are vidcasts. Here are a few recent postings:

• “What are CSO’s thinking about? Top information security initiatives for 2008 and beyond …” by Anand Singh, Target Corporation
• “Electronic Voting: Danger and Opportunity” by Edward W. Felten
• “Tor: Anonymous communications for government agencies, corporations, journalists… and you” by Paul Syverson & Roger Dingledine
• “Security in a Changing World” by Eric Cole
• “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations” by Ventkat Venkatakrishnan
• “Wireless Router Insecurity: The Next Crimeware Epidemic” by Steve Myers
• “Security, Soft Boundaries, and oh-so-subtle Strategies:How to Play Chess While the Board is Disappearing” by Richard Thieme

The research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus, all being made available for free. CERIAS offers a great opportunity to keep well informed on all security subject areas.

CERT Coordination Center (CERT/CC)

Off the CERT site, you can find the most up-to-date material on security issues. Like CERIAS, information is available in whatever form you prefer (documents, podcasts, video, research tools). In short, it is a fantastic source for security information. I wanted to draw particular attention to the CERT Virtual Training Environment (VTE). It is a resource for information assurance and incident response and computer forensic training. The site contains over 500 hours of material. Some of the VTE material requires membership or affiliates to certain organizations. Still, there is a great deal of video content available for free. VTE “blends classroom instruction with self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through the Internet“. Here are a few of the most recent publicly available courses:

• FAA 2008 IT/ISS Conference presentation slides
• IPv4-IPv6 Comparison
• IPv6 Addresses
• Vulnerability Remediation
• Vulnerability Assessment Reporting
• Best Practices for VA Tools
• Vulnerability Assessment Best Practices
• Errors During Vulnerability Analysis
• Vulnerability Analysis
• Vulnerability Assessment Methodology
• Vulnerability Assessment Basics
• DEMO: Hack Calculations

I cannot help by point out that CERT also provides some great podcasts in the areas of governing for enterprise security, measuring security, privacy, risk management and resilience, security education and training, threat, trends and lessons learned, and tips from the trenches: areas of practice. I have posted links off this site on a few of these top notch security podcasts.

The Academy

Andrew Hay, a Canadian security professional and co-author of the upcoming book OSSEC Host-Based Intrusion Detection Guide, recommended I check out the Academy. I am glad he did. Registration is required to view the videos. The site brings together videos from various security sources, such as TippingPoint, SANS, IronPort, OSSEC, Cisco, Insecure, Tenable, Nokia, and FortiNet. The Academy current videos cover the following security subjects:

• Anti-Spam – contributions by IronPort
• Content Filtering – contributions by FortiGate
• DLP – contributions by McAfee DLP
• Firewall – contributions by CheckPoint, Cisco PIX & ASA, Nokia, FortiGate
• IDS/IPS – TippingPoint, OSSEC
• Network Access Control (NAC) – Insecure
• SANS Institute
• VA/Pen Testing – contributions by Nessus, Nmap
• Wireless – FortiGate

Key contributors are Peter Giannoulis, Adam Winnington, Andrew Hay, and Jason Ingram. SANS is sponsoring the site. The academy does request that “if you have an idea for a video please forward it to us or simply make the video yourself and send it through. Contact peter@theacademy.ca for a list of guidelines to follow when creating your contribution. If you believe you have something to say please send in an article submission for posting on the website. Any security related topic will do.” The site has some talented security professionals and a great security organization backing it. To quote Andrew, “The Academy is a user driven community and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field.”

Google and the Rest of the Web

Of course, I should point out that SecurityMonks does have a presentation area where slides and videos done by experts in the field are posted. On the LifeHacker site, Wendy Boswell has done a posting “Technophilia: Get a free college education online” in case you are interested in subject matters other than IT security. For each his own, though I can see taking a break now and then. In which case, the University of California, Berkeley has posted a few their classes on Google Video. There are plenty more from various universities. To access, simply type “lecture genre:educational” into the video search box. Google has several genres, if you have a specific interest.

To return to the more geeky side of life, if you are interested in lectures given at the Googleplex, Google have made those available. There are TechTalks, designed to “disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts.” Authors@Google is a “speaker series where thought-provoking, Zeitgeist-making, trend-setting authors come to the Googleplex to read from their works and share their thoughts.” You can view those videos on Google Video, or YouTube Talks@Google area. Finally, there are also miscellaneous videos that include marketing videos, recruiting videos, lectures, and more.

To return to the genres of educational security, type into the video search box: “genre:EDUCATIONAL IT security.”

Google, to help folks learn how to use Google Code, has posted some courses under “Google Code for Educators.” There are a few security video lectures:

• “Introduction to Web Security” by Neil Daswani
• “How to Break Web Software” by Mike Andrews
• “What Every Engineer Needs to Know About Security and Where to Learn It” by Neil Daswani

Of course there are many more fine sites. SecurityDistro, started by Spyro contains a tutorial section that has some very good material. Of course there is the SANS Webcasts archive area. I just came across the “Learn Security Online” site that offers free and paid membership levels. Even TechVidSite has video presentations on security topics, if you can navigate through the site. A search on “IT” and “Security”, for example returned over 7k matches, while “metasploit” returned 25. The above information and links are meant only as a starting place. I hope I have managed to stay true to Einstein and provided the conditions in which we may all learn a little more about the world of information security.

I just passed my GIAC Certified Incident Handler (GCIH) exam.

Thanks for that intro Ed Skoudis. It is the new year; a proper time to reflect on the past and think about the future. Now that I can take a moment to breath, I have been been doing just that. Follow me as we take the wayback machine to my early experience with SANS certification.

When SANS first began their certification program, they offered those of us in the course (SEC-504: Hacker Techniques, Exploits and Incident Handling) the opportunity to take the certification exam for free, provided we could stay on the last day of class. I will tell you, it was the hardest SANS exam I ever took. Anyone who has ever attended a SANS track knows that you get a great deal of information in those six days. I remember attending a course prior to SEC-504, taught by Eric Cole. Ed sat next to me. At that time, I did not know who Ed was. Prior to class, he seemed like a nice guy. What struck me was how obsessed he was with the time the instructor was spending on various slides. He was beginning to freak me out a bit. Later I was to learn that Ed and Eric, taught that same course, and would help each other out with the pace and timing of the material.

At the end of the SEC-504 course, I was pretty much fried. SANS did not tell us about the exam nor make the offer until the final day. There was only the lunch break to prepare. I would rather take a close book exam that I had time to prepare for then an open book exam with no preparation. While I did pass, I did not do so with flying colors. My work at that time was focused on Unix and I struggled with the Windows questions. Back then, the courses required a practical. Fortunately for me, Code Red hit the scene and swept through computers across the nation, including a few at my site. With knowledge from SANS, my organization had begun an incident response team. My paper dealt with how we handled the incident. The paper was well received, I passed my certification, and I was allowed to volunteer as a grader for GCIH papers. For those thinking, “Great, you got to volunteer to do more work.” Well, grading is a great way to continue to learn.

I always liked the idea of a practical, but I totally understood when the requirement was dropped. The amount of grief those papers caused was amazing. The specifications were all stated up front, but people would change font size, increase margins, etc. to make minimal page size requirements. Basically, the kind of stuff which, I’ll confess, I did in grammar school. Folks would plagiarize to an amazingly obvious degree. Every way to cheat, people did. When SANS would call them on it, these folks would argue and cause all sorts of grief. It was truly amazing for people who were suppose to be security professionals. I never understood why those folks took the certification outside of the company requiring it of them.

After I first became certified as a GIAC Certified Incident Handler, management had me meet a couple of the top brass that was visiting the site. They told these gentleman about how I had just been certified. The gentlemen asked me, “So you like to hack?” I explained how in order to defend against attacks, one need to know the methods that will be deployed in circumventing the site’s defenses. They listened, nodding their heads, and then asked me, “So when you and your friends get together, do you all hack together?” Sigh. As they walked away, I heard one of the men say, “That guy is a real hacker.” Maybe it was the can of Mountain Dew I was drinking that gave him that impression. More likely, for some folks when they hear the word “hack” certain images take root in their heads.

Time passed, my assignment changed along with work responsibilities, and I was under new management that was not as supportive of security training. I allowed my security certifications (GCIH and GCUX) to expire. Instead I focused on obtaining certifications in ITIL and COBIT. As a side note, the material from ISACA is actually very interesting and I regularly pull information down from their site. For example, ISACA just released an interesting document, “COBIT Mapping: Mapping of NIST SP800-53 Rev 1 With COBIT 4.1.” The IT Skeptic has done some very humorous posting, “ITIL is the hitchhiker’s guide, COBIT is the encyclopaedia” and “itSMF and ISACA: like chalk and cheese.” Any time someone can work the Hitchhiker’s Guide into a post, they are going to get points with me. Now back to our regular programming. The point of all this is, that while it is good to be technically proficient, at some point you need to interact with people in others areas of the business. Being able to talk their language becomes of paramount importance. Concerns of your CEO are not that much different than those of the CSO. The major difference is, if the CSO cannot communicate with the CEO, it is the CSO who loses out and ends up not get the funding, support, etc. to do his job effectively.

The bottom line is that for awhile I did not pursue SANS training. About fifteen months ago, I decided I wanted to focus back on security training. While I might disagree with the priority my management, it was time to accept my management was not going to change their way of business. So, I had to take action on what I knew was right for my own professional growth. Fortunately, SANS offers the volunteer program. Through it I have been able to pursue training on my own dime. I focused on training that would help track the threats an organization has to deal with. I started by taking, AUD-507: Auditing Networks, Perimeters & Systems. The idea being that at the front end, an organization needs to implement and continuously audit a site’s network, perimeters, and systems. A year ago tomorrow, I passed the exam and became certified as a GIAC Systems Network Auditor (GSNA). I then moved onto dealing with what needs to be done when an attacker manages to penetrates a site and get access to systems. I took the SEC-508: System Forensics, Investigation & Response course. About five months ago, I took the exam and became a GIAC Certified Forensics Analyst (GCFA). Finally, I came back and took SEC-504: Hacker Techniques, Exploits and Incident Handling. I saw this course completing the arc.

For folks thinking about taking the SEC-504: Hacker Techniques, Exploits and Incident Handling, I wanted to point out Ed’s and Tom Liston’s Book, “Counter Hack Reloaded, 2nd edition.” You don’t need it for the class. SANS course material will cover the topics. Still, the book does deal with much of the information that will be discussed in class. It is a good way to come prepared. Plus, how many times do you get to be taught by one of the authors? Take advantage of it. And as an added bonus, the book is fun to read. I know it sounds like an odd statement, but Tom and Ed have done a great job with the book.

I also wanted to point out the Ed Skoudis will be teaching a new track “SEC 560: Network Penetration Testing and Ethical Hacking.” This will lead to a GCEH certification. There are not many details right now, but the course looks very interesting.

Passing the exam has left me in a strange mood. I feel I have made a complete circle. Dan Fogelberg’s “Full Circle” keeps playing in the background. For those unfamiliar with the song, here are a few words:

Funny how the circle turns around
First you’re up and then you’re down again
Though the circle takes what it may give
Each time around it makes it live again

As the circle turns around, SANS changes the certification exam once more to being proctored. Again I agree with SANS. It is good that SANS will be meeting the ISO 17024 standard. A small organization that you may have heard of, the Department of Defense (DoD), is really pushing its personnel and contractors to obtain information assurance (IA) certifications through organizations that are ISO 17024 registered. The DoD Directive 8570.1, “provides guidance and procedures for the training, certification, and management of the DoD workforce conducting Information Assurance functions in assigned duty positions. It also provides guidance on reporting metrics.”

I find myself wondering, what is my next objective? I simply do not know. DoD offers great opportunities and they are attempting to addressing cyber security threats. Currently, here are the DoD Approved Baseline Certifications:

IAT stands for Information Assurance Technical while IAM stands for Information Assurance Management. SANS provides the following table aligning SANS courses with “DoD Approved Certifications:

I never pursued a GIAC Security Essentials Certification (GSEC). SEC-401: SANS Security Essentials Bootcamp is a very important class covering all areas of security. The course covers a huge amount of material; a very broad coverage of the security field. Still, if you have been working in security for years, you probably have been exposed to much of the material. Taking SEC-401, seems a bit like going back for an undergraduate degree when you have already obtained a master’s degree.

When I was pursuing my master’s degree. I switched schools after the directors of the graduate division where I worked was let go for misappropriation of funds. It was interesting helping the New Jersey Attorney General investigators try and pull information from the computer systems. In the end, I ended up with a low opinion of the school. I transfered to the University of Utah computer science department, changed my area of focus from artificial intelligence to computer graphics. Between my undergraduate and graduate course work, I ended up taking operating system design three times. It is not fun repeating material.

With limited time and budget, most folks prefer to take the more focused SANS courses. The GIAC Security Expert (GSE), takes things to the other extreme. There are very few people who are certified GSEs. Not too many folks pursue the certification each year. To quote from the GIAC site:

Before a person can attempt the GSE, they must successfully complete three GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two. In addition, you must demonstrate a minimum level of performance and undergo a personal interview to qualify. We recommend that your average score on previous GIAC certifications at least 85% or higher, before even attempting the GSE

Becoming a GSE entails alot of work. Unfortunately, if you work on the technical side, GSEC and GSE are the only two DoD recognized SANS certifications. When considering the DoD Approved Baseline Certifications chart, the CISSP certification holds key positions on both the technical and managerial side. Many would conclude pursuing CISSP certification would be of highest benefit. For filling requirements with DoD, I would agree. When it comes to preparing you to carrying out deep technical security operations, I think there are better training options. That is not to slam anyone who is a certified information systems security professional. Like the GSEC, it takes a great deal of work covering such a broad amount of information. My point is that the amount of work to obtain certifications withing DoD 8570 are not even. Maybe that is just the nature on trying to standardize. I do understand DoD 8570 is just a baseline, but it is more than that. It is a requirement. The work required compared to the knowledge obtained while pursuing certifications favor certain certifications. Hopefully, SANS can get better representation now that they are going to be compliant with the ISO 17024 standard.

In the mean time, I am going to spend some time relaxing and and hoping that as this circle turns, “each time around there’s something new again.” Maybe I can finally read some of those books on my bookshelf. On a personal note, my thoughts and prayers go out to the family and fans of Dan Fogelberg, who’s battle with cancer ended on December 16. His positive influence on so many lives is incalculable. He will be missed.

I am not going to do any predictions. No Tarot card reading today. I have been busy traveling. I went up to Virginia Beach where I volunteered as a SANS room monitor for Hacker Techniques, Exploits & Incident Handling. I took the course several years ago when SANS was first introducing the certification program. While I did become certified, I let the certification expire a few years back. I figured enough had changed, and/or I had forgotten enough to make taking the course again worth while.

It was a very valuable class. Ed Skoudis is an interesting instructor. He is very good. There is no denying he knows his material. He is very precise with his instruction. The first time I met Ed was just before taking the course several years ago. We were both in Eric Cole’s course and Ed sat next to me. I was not aware that Ed was an instructor nor did I realize that he was friends with Eric. I thought he was a regular student. During Eric’s lecture, Ed kept keeping track of how many minutes Eric spent on each slide. I thought Ed was some obsessive compulsive individual as he muttered, “He needs to speed up if before the break he hopes to get to slide …”

It turns out Eric and Ed were covering each other courses, and Ed was very familiar with the timing and material. Eric and Ed teaching styles are very different. With Ed, he knows how long each slide should be and where he needs to be at any point of the class. He’ll make statements concerning the exercises that, “This should take about 6 minutes.” I always found the use of “about” with an exact number like “6 minutes” or “14 minutes” fascinating. Ed’s class is a fast paced, well practiced, and an exact executed course. Eric, on the other hand, likes to present based on the audience. If the audience members seem confused, he will spend more time on the topic. If they seemed bored, he will pick up the pace and cover the material more rapidly. Both are fantastic instructors. They just have different styles.

Thanks to the magic of podcasting, you can listen to both men without any costs. At the end of August, Gary McGraw interviewed Eric on Show 017 of the Silver Bullet podcast. It was a very entertaining podcast. Gary and Eric discuss demonstrating security ROI, the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. Also at the end of August, PaulDotCom had an interview with Ed on Episode 80. Ed, Tom Liston, and Matthew Carpenter from Intelguardians talk about VM Escaping and the research that they have been doing on this topic. You might also want to check out their paper in IEEE Security & Privacy magazine titled “Hiding Virtualization from Attackers and Malware.”

The course was very interesting and got me thinking about trying to prepare some lunch presentations on application security vulnerabilities. If time allows me to develop these topics, I’ll post them to this blog.

Driving up and back to Virginia Beach, plus the daily commute, provided me about 26 hours to listen to some very interesting podcasts. I’ll post links shortly to a few of the podcasts I particularly enjoyed.

During the training, I was talking to one of the students about links that provided a good source for security information. A fellow volunteer came up, provided some of his favorite links, and then thought of having a bird’s of a feather meeting. It got me thinking about my own site. I have always intended my site to be about providing links to additional resources. For example, adding the links to this post took me longer then writing the blog. I realize that some folks might not quite understand how to navigate and pull information from this site. I’ll write up a page, with graphics, pointing out areas of interest on this site. I hope it will help folks find links to additional information.

This fool has returned from his journey with many ideas and topics to blog on. While time is not always my ally, I will post as I am able.

Passing the certification exam for System Forensics, Investigation & Response (Sec-508) and becoming a GIAC Certified Forensics Analyst (GCFA) might not have been what Marcus Aurelius had in mind. Still, I am very glad to have the certification exam over with. To get things straight in my head, I have to study for an exam. I can go through class, and basically understand most of what is discussed. Until I sit down to study, I do not truly put the parts together. When I studied for the exam, I did not limit myself to SANS material. It is about learning the topic, not just passing the exam.

I want to point out a few additional references. I am not claiming they will help you with the certification exam. The truth is, they might hurt. It is easy to become a bit overwhelmed. If your goal is to pass the certification exam, stick to the SANS material. But, if you want to learn forensics a little better, these addition sources might be help.

For a good discussion of file system forensics, I recommend Brian Carrier’s book, “File System Forensic Analysis.” While there are tools that will do alot of the file system forensic work for you, I really enjoyed reminding myself of the very structures that we are analyzing. If you want a book more focus on Windows, Harlan Carvey’s book, “Windows Forensic Analysis.” The SANS forensic class is already full of information. Still, the course would benefit by incorporating some of Harlan’s material. Finally, one of my favorite books by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose is “Real Digital Forensics: Computer Security and Incident Response.” It provides a great hands on approach for both UNIX and Windows to learning forensics.

For enjoyable podcast listening, I recommend CyberSpeak. The podcast is done by Ovie Carroll and Bret Padres and they describe their show as, “Two Former Federal Agents Talk About Computer Forensics, Network Security and Computer Crime.” If you need to keep up on news and forensic topics, there are a few blogs that might interest you. There is the Computer Forensics and Incident Response, written a gentleman who identifies himself as Bill. I am afraid I can provide no additional details, besides the fact that it is a good blog. Bob Krantz and Jeff Fehrman maintain the EDD Blog Online which provides, “An insiders look into the ever evolving landscape of legal discovery to include but not limited to computer forensics, electronic discovery, email archiving, online review and proactive management.” Forensic Focus provides computer forensics news, information, and community forums. Finally, there is the Forensic Incident Response by hogfly who describes the blog as, “created to support some of the work I’m doing and to contribute to the forensic community. I’ll be blogging about the science of forensics, incident response, methodologies, relating real world investigations to digital ones and some other tidbits.”

Studying for an exam like the GCFA, helps me to put together pieces of computer knowledge that I have long since forgotten. I am not that old. At least I don’t think so. Senility has not set in. Or, if it has, I am too far gone to realize it. Still, I have been doing something with computers since I was twelve. For those Technorama fans, my first computer I would have to say was really a book. No, not an iBook. I learned to program through the use of a book. My interest in computers started before I had access to a computer. Our grammar school was doing an experimental program where students were able to get out of regular class for an afternoon once a week. We could choose to attend a course in literature or robotics. Most girls and the smart boys, who figured it was not a bad idea to go where the girls went, choose the literature class. I chose the robotics. Looking back, this program was probably just a way for the school to get more money from the state. While it was an interesting idea, it was not like we had access to a robot or even a computer. The literature class did have access to books though.

One day the instructor told us our homework was to write a BASIC program. She had not spent anytime during the class teaching us how to program. I don’t think she really expected much from us. Probably just a begin, print, end kind of program. Well, during that time my mom was bringing in some extra income by watching kids. The father of a family who’s child we watched did some programming as part of his job. He heard about my assignment and volunteered to help me. The poor man did not know what he was getting himself into. Thanks to his extreme patients, by the end of the day we had a program. And it did take all day because I had to keep going over it to get it straight in my mind. By the time I left, I knew that program. Well, the course spent an hour or so the next week talking about programming, and that was it for the course. Still, it introduced me to a way of thinking that I wanted to learn. I started buying books and learning how to program.

This was a time when computers were not in every classroom. I was in 8th grade, which was part of the grammar school. It was not until 9th grade, when we switched to attending the high school, that we would have access to a computer room. Even then, the programming classes were suppose to be limited to the upperclassmen. Fortunately, fate stepped in and because of a scheduling conflict, I got into the programming class. Well, fate and supportive parents. The high school computer room had Commodore PETs. Later, in a year or two, the PETs would be replaced by the Apple II. Also, right before I attended high school, my dad purchased for our home an IBM XT. His company allowed their employees to purchase these computer with no interest loans. The computer cost about as much as a decent car. It was a major investment on my dad’s part. Like I said, it helps to have supportive parents who value education.

Before any of this, I spent a year learning how to program using programming books. Once I got into high school, I was in the lab everyday after school making use of the computers. I gave back to the high school with such great programs as the dating program. Now that program was used for many years at the high school for fund raising around Valentine’s day. Of course, there was the scouting program which analyze the playing strategies of the opponent’s football team. I developed that for the coaches. I just wanted to make it clear that I did not have any kind of gambling programs going on, though it could have been used for that purpose. Considering these were the times of computers with less than 64k memory and 10M hard drives, the programs were pretty decent.

I was listening to Security Wire Weekly where they interviewed David Foote of Foote Partners on his latest research on the value of IT security job skills and certifications. The bottom line is that David found the security management exams lead to higher salary increased than the technical focused certifications. This is not surprising, but I would argue it can be misleading. The CISSP is not more valuable than a SANS GIAC certification. It is a different target group. A manager that demonstrates a broad base knowledge of security will do better than the pool of managers without such skill. A technical person who becomes certified is being compared to other technical people.

Put another way, there are managers who may have a vision of what to do but really do not know how it might actually get done. On the other end of the spectrum you have good technical people who are so focused in their area that they can’t see beyond their world to the requirements of the company as a whole. Most people don’t have the ability to switch perspectives or bridge the gap between these camps. A person who demonstrates both an enterprise focused / high level view coupled with the ability to get into the weeds, is a very valuable asset to a company.

No matter what you do, I think Marcus would agree that the key is to continuously learn and strive to understand. That twelve year has come a long way in his understanding of computers.

Last week I spent Monday driving through a few states. It was an eight hour drive. When possible, I prefer driving over flying. While it may take longer, I use the time to listen to podcasts. Since I had taken the SANS System Forensics, Investigation & Response course (SEC 508), I had access to their lectures in MP3 format. The lecture on Computer Investigative Law for Forensic Analysts was prepared and taught by Richard P. Salgado. I had taken the course at a Community SANS event, close to where my brother lives. Yes, I was trying to keep my expenses down, and my brother and his family were kind enough to put me up for the week. While the course was well taught, knowledge of the legal issues of forensics was not the instructors strong point. This was reflected by the fact that the students hated that day. If only they had Richard P. Salgado. He did an amazing job.

Why am I mentioning this on a blog posting on intrusion detection systems (IDS)? The law has an ever increasing role in IT. This is especially true in the area of forensics, incident response, and intrusion detection/prevention. Before you setup any IDS system, make sure you are authorized and legally clear to do so.

With that disclaimer out of the way, I spent the weekend beginning to develop a network monitoring system. Sure, for years I have worked with Snort, but I am doing something different. For those unfamiliar with Snort, to quote their site:

Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

It is a great product. Along with Snort, I have used the Basic Analysis and Security Engine (BASE), which is based on the Analysis Console for Intrusion Databases (ACID) project. BASE provides a web front-end to query and analyze the alerts coming from a SNORT IDS system. If you are pulling down software, I also suggest checking out Sguil.

Richard Bejtlich recently posted on his blog, TaoSecurity, an entry titled “DHS Einstein Demonstrates Value of Session Data.” Richard makes the statement, in relation to collecting session data:

This is just the sort of project I’d like to roll out at my new job, possibly combining Argus with ArgusEye, or maybe just Sguil without Snort.

An intriguing project. This weekend was about setting up an IDS system using Bro. To understand the importance of Bro, you need to first review the different styles of intrusion detection.

• Signature Based – looks for specific, known attacks.
  • Pros: good attack libraries, easy to understand results.
  • Cons: unable to detect new attacks or even just variants.
• Anomaly Detection – build/infer a profile of “normal use” and flag deviations.
  • Pros: potentially detects wide rand of attacks, including previously unknown types of attacks.
  • Cons: can be “trained” to accept attacks as normal, and potentially misses a wide rand of attacks including known attacks.
• Activity Based – inspect traffic and construct “events,” look for patterns of activity that deviate from a site policy.
  • Pros: potentially detects wide range of attacks (including novel), framework can accommodate signatures and anomalies.
  • Cons: policies/specification require significant development and maintenance and harder to construct attack libraries

Snort is a signature based IDS. Bro is an activity based IDS, though it does include a signature engine for matching specific patterns in packet streams. Bro is compatible with Snort. somewhat. With Bro analysis, signature matches generate events which are amenable to high level policy script processing rather than direct alerts. Other difference include that Snort is user friendly and Bro is a beast to learn. Worse still, there are no good guides for Bro. Sure, you can subscribe to the mailing list and there is a Bro Wiki. Geek00l has done some very good postings:

• Regex – Magic for NetSe[x|c]Anal(yst)?
• Bro-IDS: Enable Full Content Data Logging
• Time Machine – Payload Centric
• Bro-IDS v1.2
• Bro-IDS – Signature Matching
• FreeBSD – IDS Sensor Tweaking
• Bro-IDS – The learning process
• Multipurposes post :]
• Bro-IDS – Be Loved
• Bro-IDS – Installation Experience

Geek00l convinced Richard Bejtlich take a second look at Bro, and Richard posted:

• Bro Basics Follow-Up
• Bro Basics

That will get you started.

My interest in Bro comes from the fact that a design goal of Bro was to handle high speed, large volume monitoring. Snort, on a security appliance, can handle such traffic. Force10 released such a box, the P10, which can handle up to 1000 signatures. I have worked with the open source version of Snort on high volume networks, and it has not been pleasant. While the P10 might work well, I am interested in different capabilities.

Bro offers an interesting solution to handling monitoring on 10G traffic. If you are working with FreeBSD, there are ways to tune the kernel. While I have previously run into problems with Bro, my past problems were more likely due to trying to work under the Apple environment. Supported 10G Ethernet cards drivers had not yet been developed. Fortunately, that appears to have changed. I’ll post more as I make progress.

I wanted to post a few more references. Hopefully, I will even find time to read these documents. I have referenced many times in this blog various NIST SP documents. On Friday, they published a guide to NIST information security documents. They describe the document as follows:

In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents (.pdf). In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.

Information Systems Audit and Control Association (ISACA) has released to its members several documents. For the general public, these documents will be released in May. These document include:

• COBIT 4.1 — To get a quick overview of how COBIT 4.1 differs from 4.0, please see the page titled, “How COBIT 4.1 Changed From 4.0.”
• IT Governance Implementation Guide: Using COBIT and VAL IT, 2nd Edition — I really have not done much with VAL IT. For now, it will be interesting to have as a reference.
• COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition — The guide covers, “control practices provide control approaches consisting of practices that are necessary and sufficient for achieving COBIT control objectives.”
• IT Assurance Guide: Using COBIT — This guide, “provides detailed guidance on how COBIT can be used to support a variety of assurance activities, such as planning, scoping and assessing risks and how an assurance review can be performed for each of the 34 COBIT processes.”
• COBIT Security Baseline, 2nd Edition — This is the guide that I was most interest in. Unfortunately, it will not be available until May 14th. The guide, “helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework.”

This week I paid membership dues to get access to areas on the Open Compliance & Ethics Group (OCEG) site. OCEG has been working with Compliance Week on the Governance, Risk and Compliance (GRC) Illustrated series. OCEG also produces the Foundation “Red Book” which “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.” M. E. Kabay from Network World did a nice writeup on the Red Book’s approach to risk management in his article, “OCEG Red Book on risk management.” A final document from OCEG that I want to review is the “Benchmarking Survey Comprehensive Summary Report.”

Finally, in my last post title, “Forensic Resources,” I listed a few other things I will be investigating in the computer forensic arena. Of course, I will also preparing and taking my SANS Security 508 course, System Forensics, Investigation & Response GIAC Certified Forensics Analyst (GCFA) certification exam.

Many times, I feel like the Lloyd Bridges from the movie Airplane. “Looks like I picked the wrong week to quit smoking.” While I might not smoke, nor any of the other things Lloyd’s character choose the wrong week to give up, I did decide to give up hard core caffeine. I went from Pepsi Mountain Dew Code Red to basic green tea. According to Wikipedia’s Caffeine entry, green tea has about half the caffeine of Code Red. That scales me back far enough that I no longer have caffeine headache withdrawals. Maybe one day I will figure out how to get all my work done while getting relatively normal amounts of sleep. One can always dream. Such is the life of a security monk.

No, I have not been abducted. No need to call in Gustav and Otto Amlingmeyer (better known as Old Red and Big Red, respectively). Sorry for my long absence from writing. I have several blogs started. Unfortunately, I began referencing so many different sources, the blogs became more research papers. Being tight on time, I have not got around to finishing them. Shoot, I have not gotten around to sleep.

I am going to try something different. I will make every attempt to write more frequently, just on less in-depth topics. The original purpose of this blog was to post interesting topics I came across. By the way, I have updated, over on the right, the “Recent Podcast” area. If you have not listened to these specific podcast, I do highly recommend them. They cover some very interesting topics. For tonight, let me just address what I have been doing recently.

I attended a SANS course System Forensics, Investigation & Response. I’ll follow this up with taking the certification to become a GIAC Certified Forensics Analyst (GCFA). I took the course by volunteering at SANS. It is a great program if your company is a little tight on training funds. Let me quote SANS description of the program:

If you are selected to facilitate for a SANS conference, you will pay a nominal fee of $500 and earn the remainder of your tuition in exchange for facilitator services you provide onsite. This fee includes attendance to the entire track the facilitator is selected to monitor, all course materials, and admission to evening sessions.

To be honest, I prefer volunteering over just attending. You get to interact more with the instructors, students, and the folks who work for SANS. Do not get me wrong, there is work involved. Volunteering for SANS just makes me feel more plugged in to the course and I get more out of it.

I have been asked if it is possible to take the certification exams without taking the course. I volunteer occasionally for SANS, I do not work for them. That is my disclaimer. Still, looking through their site, this is what I have found. If you know the subject mater very well, you can take the exam without taking the course. It is called a GIAC Challenge.

I don’t recommend it unless you are truly an expert on the subject matter. SANS exams are open book. The problem is that the the exam questions will be based on the material in the course. Now, at the conferences I have attended, SANS has allowed students to purchase copies of any of the courses held at the conference. Those course books could be very helpful in passing the exam.

When studying for the SANS exam, I recommend people make a good outline of the course material. That outline will helps a person find the material they do not remember from the course. You can count on there being some specific questions on more obscure material than you will ever be able to memorize.

The GIAC Challenge does include two practice exams. The practice exams are very valuable. They will help one figure out the pace of the exam and will point out areas where further studying is needed. SANS does allow you to purchase the exams separately.

I would point out that the course material is only part of the value of attending a SANS course. I find the interactions with the instructors and students just as valuable as what might be in the course material. If you can make it work, I would try volunteering with SANS before doing the GIAC Challenge.

From the National Institute of Standards and Technology:

• Guide to Integrating Forensic Techniques into Incident Response
• Guide to Secure Web Services (DRAFT)
• Guide to Intrusion Detection and Prevention (IDP) Systems (DRAFT)
• Guide for Developing Performance Metrics for Information Security
• Recommended Security Controls for Federal Information Systems

From ISACA:

• COBIT Mapping: Mapping of ITIL with COBIT 4.0
• COBIT Mapping: Mapping of PRINCE2 with COBIT 4.0
• COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
• IT Control Objectives for Sarbanes-Oxley

Concerning Securing Mac OS X:

• A Corsaire White Paper: Securing Mac OS X
• Mac OS X Server Security Configuration for Version 10.4 or Later
• CIS Mac OS X Tiger Level I Security Benchmark
• NSA Apple Mac OS X v10.3.x “Panther” Security Configuration Guide
• SANS SCORE: Mac OS X Checklist 1.0
• SANS CIS Benchmark Tool
• Bastille Linux Mac OS X Beta
• DISA Mac OS X Security Technical Implementation Guide

Concerning Web Application Security:

• OWASP Testing Guide 2007 V2
• A Guide to Building Secure Web Applications and Web Services
  

Just for Fun:

• The Pragmatic CSO
• Optaros: Open Source Catalogue 2007 U.S. Version 1.1

It sure would be nice to retreat to a monastery and spend a few days just reading this material. A quote from Doug Larson sums it up nicely, “For disappearing acts, it’s hard to beat what happens to the eight hours supposedly left after eight of sleep and eight of work.”