Comments on: Getting Information Security Training Right http://episteme.ca/2008/12/17/getting-information-security-training-right/ Sat, 04 Feb 2012 10:41:30 +0000 hourly 1 http://wordpress.org/?v= By: Interesting Information Security Bits for 12/18/2008 at Infosec Ramblings http://episteme.ca/2008/12/17/getting-information-security-training-right/comment-page-1/#comment-1800 Interesting Information Security Bits for 12/18/2008 at Infosec Ramblings Thu, 18 Dec 2008 23:25:38 +0000 http://episteme.ca/?p=568#comment-1800 [...] is getting involved it what appears to be a great new effort in training for penetration testers. Getting Information Security Training Right | Episteme Tags: ( training pentesting [...] [...] is getting involved it what appears to be a great new effort in training for penetration testers. Getting Information Security Training Right | Episteme Tags: ( training pentesting [...]

]]> By: Andre Gironda http://episteme.ca/2008/12/17/getting-information-security-training-right/comment-page-1/#comment-1799 Andre Gironda Thu, 18 Dec 2008 23:06:01 +0000 http://episteme.ca/?p=568#comment-1799 Is this going to integrate the OWASP OPCP (Open Q/A)? Is it going to integrate the OSSTMM 3.0 concepts? I'm not just talking about the STAR, but the whole "auditing the auditors" or "assessing the assessors" concepts? How about provide a meaningful certification such as a PE (Professional Engineering) accredidation that would indicate that an individual could be sued by an organization for reducing operational security (or exposing/causing undue risk or damage)? Just "updating" training is 2004 tactics. Is this going to integrate the OWASP OPCP (Open Q/A)?

Is it going to integrate the OSSTMM 3.0 concepts? I’m not just talking about the STAR, but the whole “auditing the auditors” or “assessing the assessors” concepts?

How about provide a meaningful certification such as a PE (Professional Engineering) accredidation that would indicate that an individual could be sued by an organization for reducing operational security (or exposing/causing undue risk or damage)?

Just “updating” training is 2004 tactics.

]]> By: Curt Wilson http://episteme.ca/2008/12/17/getting-information-security-training-right/comment-page-1/#comment-1796 Curt Wilson Thu, 18 Dec 2008 04:19:55 +0000 http://episteme.ca/?p=568#comment-1796 After I wrote my response, I realized that I am blurring "security researcher" and "penetration tester" roles a bit. I see overlap between them, but I suppose it's not really fair to mash these together. Security research feeds penetration testing though, and it's mighty interesting. eot. After I wrote my response, I realized that I am blurring “security researcher” and “penetration tester” roles a bit. I see overlap between them, but I suppose it’s not really fair to mash these together. Security research feeds penetration testing though, and it’s mighty interesting. eot.

]]> By: Curt Wilson http://episteme.ca/2008/12/17/getting-information-security-training-right/comment-page-1/#comment-1795 Curt Wilson Thu, 18 Dec 2008 04:14:46 +0000 http://episteme.ca/?p=568#comment-1795 I have also seen what you describe - a misrepresentation of dated techniques as being cutting-edge, state of the art, etc. A reliance upon the sexiness of "hacking" and a continued re-hash of obsolete, or nearly obsolete techniques. I think these techniques and older OS's have value in getting a person introduced to the subject matter, but the material should move past that into what's current. This might be tricky for a trainer however as some techniques, especially deep system level techniques such a heap overflows, are not intuitive and require training. How to keep the quality of training high while still leaving the door open to enough clients to make it worthwhile? And do you mean training whereby people learn the guts of the issues, or another tool-centric pentesting type of cert, or perhaps some new fresh approach? I've not taken the CEH, but I've taken "advanced ethical hacking" and obtained the CEPT cert, which they tout highly. I suggest that the CEPT is an (mostly) an introduction to the hands-on aspects of memory corruption bugs and their exploitation techniques plus some other hands-on tools and basic RE. But to say that one "knows pentesting backward and forwards" is a bit of a stretch; why don't these organizations just express the truth about these training programs? Not every training program needs to be super-l33t or "advanced" but it seems common to prefix any security training with "advanced" especially at the Black Hat trainings. It's all relative, but some of what I've seen so far does NOT keep you up to date, except perhaps some SANS courses that require you to refresh the cert after a few years. I've not had the fortune to take an endless amount of training, so my perspective is somewhat limited, but your article seems relevant. Thanks I have also seen what you describe – a misrepresentation of dated techniques as being cutting-edge, state of the art, etc. A reliance upon the sexiness of “hacking” and a continued re-hash of obsolete, or nearly obsolete techniques. I think these techniques and older OS’s have value in getting a person introduced to the subject matter, but the material should move past that into what’s current. This might be tricky for a trainer however as some techniques, especially deep system level techniques such a heap overflows, are not intuitive and require training. How to keep the quality of training high while still leaving the door open to enough clients to make it worthwhile? And do you mean training whereby people learn the guts of the issues, or another tool-centric pentesting type of cert, or perhaps some new fresh approach? I’ve not taken the CEH, but I’ve taken “advanced ethical hacking” and obtained the CEPT cert, which they tout highly. I suggest that the CEPT is an (mostly) an introduction to the hands-on aspects of memory corruption bugs and their exploitation techniques plus some other hands-on tools and basic RE. But to say that one “knows pentesting backward and forwards” is a bit of a stretch; why don’t these organizations just express the truth about these training programs? Not every training program needs to be super-l33t or “advanced” but it seems common to prefix any security training with “advanced” especially at the Black Hat trainings. It’s all relative, but some of what I’ve seen so far does NOT keep you up to date, except perhaps some SANS courses that require you to refresh the cert after a few years. I’ve not had the fortune to take an endless amount of training, so my perspective is somewhat limited, but your article seems relevant. Thanks

]]> By: Tom Lakey http://episteme.ca/2008/12/17/getting-information-security-training-right/comment-page-1/#comment-1794 Tom Lakey Wed, 17 Dec 2008 23:43:00 +0000 http://episteme.ca/?p=568#comment-1794 So what differntiates this training from other training on the market? Is it just CEH with current tools? I have been looking for good training but have heard less than positive comments about CEH training. Other than SANS GIAC certifications, I have not found a good alternative which helps me as a hiring manager differentiate between those who can and those who can pass a test. So what differntiates this training from other training on the market? Is it just CEH with current tools? I have been looking for good training but have heard less than positive comments about CEH training. Other than SANS GIAC certifications, I have not found a good alternative which helps me as a hiring manager differentiate between those who can and those who can pass a test.

]]>