Penetration Testing mailing list archives
RE: Ethical Hacking Training
From: "S. Thomas" <sangthomas () rediffmail com>
Date: Tue, 20 Jan 2004 10:15:42 +0530
Hello list, May I share my views on this topic? I came into this area about a year or two back. Needless to say, I was a "newbie" in every sense. I would rate my knowledge of computer security from management point of view where policies, best practices are the usual norm. "Hackers" or "hacking" is still something that the management feels is something to watch out for, but have little idea as to what it is. When I started out, this list was one of the learning grounds from where I got references to books like TCP/IP illustrated, Pete's OSSTMM model, Eric Cole's counter hack, Hacking exposed series etc. I have spent most of my waking hours reading and learning from all kinds of sources - be it Aleph's paper on buffer overflow, phrack magazine, defcon presentations or sites where people offer "zero day" exploits for stolen credit cards. The bottom line is this - you cannot transfer all this knowledge in a limited number of days under whatever course you name it - 'ethical hacking', 'security test course', 'hacking' etc because knowledge needs time for assimilation, to be built upon and most importantly to be applied. However, it CAN initiate someone's interest in the subject and increase awareness. Often security is an after thought in organizations and would it really hurt if someone goes back from training and tells the organization "Hey, I did not know these kind of threats existed. Why don't we reassess our situation?" I'm not referring to the really big organizations that can spend on security products and talented manpower. Knowledge is not proprietary, but it does have value. It's an attractive market for those offering these kinds of courses. What we need to work on is to ensure that there is a minimum standard in these offerings, so that somebody is not misguided. It does not pay to say who has trained whom. However, it makes sense to say that a course complies with some standard that assures the student that he will be getting quality. My 2 cents, S Thomas "Your attitude determines your action. Your action determines your accomplishment." -----Original Message----- From: Don Parker [mailto:dparker () rigelksecurity com] Sent: Monday, January 19, 2004 11:50 PM To: Pete Herzog; Don Parker; Andy Cuff [Talisker]; Rob Shein; pen-test () securityfocus com Subject: RE: Ethical Hacking Training The biggest thing I find is that people have unrealistic expectations. Bottom line is that it takes a lot of time to learn all the various topics that constitute what the average hacker knows. I encounter this mindset all the time with the people I have trained. They wonder why after 4 or 5 days they are not at the same level I am at. Quite simply put because for every day I have taught them I have spent a full year studying and learning. A good example of this is SANS actually. They do a better job then most at teaching imho. The problem is though that over the course of 6 days you are learning an incredible amount of information. Then you have 6 months to certify if you so choose. My thoughts on this prove me correct. Look at the amount of track attendee's vice certified people. To sum up gaining knowledge is no easy task, and simply put takes time. Cheers ------------------------------------------- Don Parker, GCIA Intrusion Detection Specialist Rigel Kent Security & Advisory Services Inc www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319 -------------------------------------------- On Jan 19, "Pete Herzog" <pete () isecom org> wrote: Hi, As a person who has begun to provide training on security testing and analysis, this is tough spot for me as well. The truth is the public buys hacking classes. That's all there is to it. And the more flashy and exploity and thrilling the better because that's what the people buy. But as people want more and more in their 5 days and they want to see hacking exploits, you can expect the money will continue to flow to the hucksters who solicit their wares the best. Funny thing though is that this is happening with almost every facet of security. Training is no different. I really have no plans to take our trainings down that road. But it's a fight every time with people who think ISECOM should be mainstream. Sincerely, -pete. Pete Herzog, Managing Director Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: Ethical Hacking Training, (continued)
- RE: Ethical Hacking Training Pete Herzog (Jan 19)
- Re: Ethical Hacking Training Mike Hoskins (Jan 20)
- RE: Ethical Hacking Training Teicher, Mark (Mark) (Jan 19)
- RE: Ethical Hacking Training DeGennaro, Gregory (Jan 19)
- Re: Ethical Hacking Training Meritt James (Jan 19)
- Re: Ethical Hacking Training Stormwalker (Jan 20)
- RE: Ethical Hacking Training Kurt (Jan 20)
- Re: Ethical Hacking Training Meritt James (Jan 19)
- Re: Ethical Hacking Training Don Parker (Jan 19)
- Re: Ethical Hacking Training Kevin Johnson (Jan 20)
- RE: Ethical Hacking Training Don Parker (Jan 19)
- RE: Ethical Hacking Training S. Thomas (Jan 20)
- RE: Ethical Hacking Training DeGennaro, Gregory (Jan 20)
- Re: Ethical Hacking Training Hamish webhosting.net.nz (Jan 20)
- Ethical Hacking Training Daryl Davis (Jan 20)
- Re: Ethical Hacking Training Jeff Shawgo (Jan 20)
- Re: Ethical Hacking Training Chris Kirschke (Jan 20)
- RE: Ethical Hacking Training Kohlenberg, Toby (Jan 20)
- RE: Ethical Hacking Training Don Parker (Jan 20)