Penetration Testing mailing list archives

RE: Ethical Hacking Training


From: "S. Thomas" <sangthomas () rediffmail com>
Date: Tue, 20 Jan 2004 10:15:42 +0530

Hello list,

May I share my views on this topic? I came into this area about a year
or two back. Needless to say, I was a "newbie" in every sense. I would
rate my knowledge of computer security as being from a management point
of view, where policies and best practices are the usual norm. "Hackers"
or "hacking" is still something that management feels it should watch
out for, but has little idea as to what it is.

When I started out, this list was one of the learning grounds from where
I got references to books like TCP/IP Illustrated, Pete's OSSTMM model,
Eric Cole's Counter Hack, the Hacking Exposed series, etc.

I have spent most of my waking hours reading and learning from all kinds
of sources - be it Aleph's paper on buffer overflows, Phrack magazine,
Defcon presentations or sites where people offer "zero day" exploits for
stolen credit cards.

The bottom line is this - you cannot transfer all this knowledge in a
limited number of days under whatever name you give the course - 'ethical
hacking', 'security test course', 'hacking', etc. - because knowledge
needs time for assimilation, to be built upon and, most importantly, to
be applied.

However, it CAN initiate someone's interest in the subject and increase
awareness. Often security is an afterthought in organizations, and would
it really hurt if someone came back from training and told the
organization, "Hey, I did not know these kinds of threats existed. Why
don't we reassess our situation?" I'm not referring to the really big
organizations that can spend on security products and talented manpower.

Knowledge is not proprietary, but it does have value. It's an attractive
market for those offering these kinds of courses. What we need to work
on is to ensure that there is a minimum standard in these offerings, so
that somebody is not misguided. It does not pay to say who has trained
whom. However, it makes sense to say that a course complies with some
standard that assures the student that he will be getting quality.

My 2 cents,
S Thomas


"Your attitude determines your action. Your action determines your
accomplishment."

-----Original Message-----
From: Don Parker [mailto:dparker () rigelksecurity com] 
Sent: Monday, January 19, 2004 11:50 PM
To: Pete Herzog; Don Parker; Andy Cuff [Talisker]; Rob Shein;
pen-test () securityfocus com
Subject: RE: Ethical Hacking Training

The biggest thing I find is that people have unrealistic expectations.
Bottom line is that it takes a lot of time to learn all the various
topics that constitute what the average hacker knows. I encounter this
mindset all the time with the people I have trained. They wonder why,
after 4 or 5 days, they are not at the same level I am at. Quite simply
put, because for every day I have taught them I have spent a full year
studying and learning.

A good example of this is SANS actually. They do a better job than most
at teaching, imho. The problem is though that over the course of 6 days
you are learning an incredible amount of information. Then you have 6
months to certify if you so choose. My thoughts on this prove me correct.
Look at the number of track attendees vice certified people. To sum up,
gaining knowledge is no easy task, and simply put, takes time.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 19, "Pete Herzog" <pete () isecom org> wrote:

Hi,

As a person who has begun to provide training on security testing and
analysis, this is a tough spot for me as well.

The truth is the public buys hacking classes. That's all there is to it.
And the more flashy and exploity and thrilling the better, because that's
what the people buy.

But as people want more and more in their 5 days and they want to see
hacking exploits, you can expect the money will continue to flow to the
hucksters who solicit their wares the best. Funny thing though is that
this is happening with almost every facet of security. Training is no
different.

I really have no plans to take our trainings down that road.  But it's a
fight every time with people who think ISECOM should be mainstream.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org





