Penetration Testing mailing list archives
Re: Mile2 Training (Certifications)
From: Pete Herzog <lists () isecom org>
Date: Sun, 22 Jul 2007 11:24:49 +0200
Hi Ken,
Sorry for the delay. I'm in the middle of research so I mostly avoid the distractions of e-mail until the weekend and play catch-up.
I'm working with universities across the country and I think the faculty buy into this idea. The best programs are trying to find experiential learning opportunities. The academics know that even at the masters level, there's a huge gap between theory and practice. At the same time, the basic understanding of vulnerabilities such as buffer overflows is not adequately addressed on the academic or the pragmatic side.
ISECOM has projects in place to help universities get the right stuff into students' heads. Unfortunately, now only European colleges and universities are using it. Too much politics I guess to get a smart program in place when the garbage stuff has more glamor. As it stands now, many schools are purely businesses competing for resources and delivering to the students what they want and that's rarely the right foundation. Too many schools are a great metric for the hottest trends 6 years ago.
Buffer overflows make virtually all of our systems untrustworthy and most IT management still don't understand this basic issue.
Actually, anywhere there is an interaction with a program you have potential trouble, whether it be injection, overflow, DoS, or integrity compromises. Buffer overflows are so basic and so 6 years ago that any CompSci class not teaching programmers how to avoid them is really doing a disservice to computer science.
The big problem we see is the amount of spoon-feeding students expect in a course. They don't want teachers, they want actors, who can entertain them through an enjoyable syllabus showing them canned exploits against canned server configurations (many of which just don't exist anymore like that). But that does not make students able to expand their knowledge themselves to keep up with trends. It does not make them self-sufficient. Do we really need more zombies?
On the issue of certification: if we test for the right knowledge base, like how does 802.1X authenticate, how are digital certificates safeguarded on typical PCs, or how do buffer overflows work, and then use this knowledge for better pen-testing, we would have a safer world.
It's a start but in every subject matter there are those who can "read and repeat" and those who can "understand and do". The latter are needed for fast-moving science fields. If you want to be a vacuum tube engineer then it's okay today to just have knowledge. But if you go into any of the rapidly changing sciences, you're going to be unable to do the job. This is also the problem with all these knowledge-based certifications out there with "Bodies of Knowledge" that focus on book content published yearly.
How do we engage new members of the profession and of these forums to help take up the cause of education? I get tired of reading of the security failures - we need to promote and showcase the successes, which are always based on strong human competencies. The trade journals need to sell protective technologies, so they amplify the failures - which we all know are rampant. But the good guys do win, most of the time, so maybe by profiling the good guys who are winning, we'll draw more attention to how they got to where they are, how they trained, how they stay current, etc. You were actually starting down this road in your posting.
We can't without fixing the system. People naturally gravitate to what they find most interesting, which is generally not the foundation. An architect needs to calculate the strength of a foundation and the location of the pillars but it's usually not why they want to be an architect. Security classes need to have that core which you then do with the cooler stuff. That's what we did in making the OPST and OPSA.
What you'll find is that most of the people doing their jobs as professionals, with a plan and change control, are the ones who are generally not originally security people. Their experience is in I.T., whether it be routing, network administration, or some other part of computer science. Now people say, I want to be in security, and jump into it at the college level without really having a strong background in all the things they are securing. You see it on this list when people ask questions that show they have no clue how DNS works or how a service daemon works. There is a huge gap between what they know and what they do. Any moron can fire a gun but only someone with the right training can hit the middle of the target consistently.
In any case, I offer my strongest support for your efforts. We just need a lot more focus on human capital in the security space!
Thanks! But let me say, students and recent grads out there right now who are interested in security: PLEASE get a good foundation in security like with the OPST or OPSA, both professional security certifications that focus on walking the walk. Tools are interesting now, I know, it's a phase we all go through, but REALLY know what those tools are doing and how they work first! The only way you can do that is by learning what you need to do to have security and controls before you learn which tools are for which problems. Otherwise you'll be medicating symptoms instead of treating the disease.
Sincerely, -pete.