Penetration Testing mailing list archives

Re: Mile2 Training (Certifications)


From: Pete Herzog <lists () isecom org>
Date: Sun, 22 Jul 2007 11:24:49 +0200

Hi Ken,

Sorry for the delay. I'm in the middle of research so I mostly avoid the distractions of e-mail until the weekend and play catch-up.

> I'm working with universities across the country and I think the faculty buy
> into this idea. The best programs are trying to find experiential learning
> opportunities. The academics know that even at the masters level, there's a
> huge gap between theory and practice. At the same time, the basic
> understanding of vulnerabilities such as buffer overflows is not adequately
> addressed on the academic or the pragmatic side.

ISECOM has projects in place to help universities get the right stuff into students' heads. Unfortunately, right now only European colleges and universities are using it. Too much politics I guess to get a smart program in place when the garbage stuff has more glamor. As it stands now, many schools are purely businesses competing for resources and delivering to the students what they want, and that's rarely the right foundation. Too many schools are a great metric for the hottest trends of 6 years ago.


> Buffer overflows make virtually all of our systems untrustworthy and most IT
> management still don't understand this basic issue.

Actually, anywhere there is an interaction with a program you have potential trouble, whether it be injection, overflow, DoS, or integrity compromises. Buffer overflows are so basic and so 6 years ago that any CompSci class not teaching programmers how to avoid them is really doing a disservice to computer science.

The big problem we see is the amount of spoon-feeding students expect in a course. They don't want teachers, they want actors, who can entertain them through an enjoyable syllabus showing them canned exploits against canned server configurations (many of which just don't exist like that anymore). But that does not make students able to expand their knowledge themselves to keep up with trends. It does not make them self-sufficient. Do we really need more zombies?


> On the issue of certification - if we test for the right knowledge-base,
> like how does 802.1x authenticate, how are digital certificates safeguarded
> on typical PCs or how do buffer overflows work and then use this knowledge
> for better pen-testing, we would have a safer world.

It's a start but in every subject matter there are those who can "read and repeat" and those who can "understand and do". The latter are needed for fast-moving science fields. If you want to be a vacuum tube engineer then it's okay today to just have knowledge. But if you go into any of the rapidly changing sciences, you're going to be unable to do the job. This is also the problem with all these knowledge-based certifications out there with "Bodies of Knowledge" that focus on book content published yearly.


> How do we engage new members of the profession and of these forums to help
> take up the cause of education? I get tired of reading of the security
> failures - we need to promote and showcase the successes, which are always

We can't without fixing the system. People naturally gravitate to what they find most interesting which is generally not the foundation. An architect needs to calculate the strength of a foundation and the location of the pillars but it's usually not why they want to be an architect. Security classes need to have that core which you then do with the cooler stuff. That's what we did in making the OPST and OPSA.


> based on strong human competencies. The trade journals need to sell
> protective technologies, so they amplify the failures - which we all know
> are rampant. But the good guys do win, most of the time, so maybe by
> profiling the good guys who are winning, we'll draw more attention to how
> they got to where they are, how they trained, how they stay current, etc.
> You were actually starting down this road in your posting.

What you'll find is that most of the people doing their jobs as professionals, with a plan and change control, are the ones who are generally not originally security people. Their experience is in I.T., whether it be routing, network administration, or some other part of computer science. Now people say, "I want to be in security," and jump into it at the college level without really having a strong background in all the things they are securing. You see it on this list when people ask questions that show they have no clue how DNS works or how a service daemon works. There is a huge gap between what they know and what they do. Any moron can fire a gun, but only someone with the right training can hit the middle of the target consistently.

> In any case, I offer my strongest support for your efforts. We just need a
> lot more focus on human capital in the security space!

Thanks! But let me say, students and recent grads out there right now who are interested in security: PLEASE get a good foundation in security like with the OPST or OPSA, both professional security certifications that focus on walking the walk. Tools are interesting now, I know, it's a phase we all go through, but REALLY know what those tools are doing and how they work first! The only way you can do that is by learning what you need to do to have security and controls before you learn which tools are for which problems. Otherwise you'll be medicating symptoms instead of treating the disease.

Sincerely,
-pete.
