What Training is Missing?

Both Richard Bejtlich and Harlan Carvey have expressed their concerns with the recent SANS NewsBites issue in which the new Certified Malware Removal Expert certification is announced:

Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software? We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills and knowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.

I understand their concerns with this certification, but their comments did make me think of something: “If we don’t need training on this topic, what topics do we need training on?”

So these are my questions to you, the security community:

  • What security-related topics have not been covered in formal training yet but you feel should be?
  • What topics require revised or better content?
  • How would these topics be best presented? (i.e. self-paced training, instructor-led online training, instructor-led classroom training, etc.)

I would appreciate all of your comments and suggestions. If you do not wish to post your comments or suggestions to the blog, then please feel free to email me directly at andrewsmhay@gmail.com. Perhaps we can even work together on getting these topics into some formal training.

7 comments

  1. Catfive says:

    Instructing users on how to use some spam filtering, including Bayes-style filters, is not something easily found, or easily deployed. Making some of it "secretary friendly" is what is needed, not IT ready. If the secretary understands, everyone will understand.

  2. Fd 5times says:

    I have yet to see a serious analysis of the economics of the "security" business. There's a lot of fluff out there, and a treatise on how the money affects net security decisions would help tremendously with clearing it away. "Secrets and Lies", as well as "The Cathedral and the Bazaar", are good places to start…

  3. Gr@ve_Rose says:

    Advanced "cracking" techniques. It's easy as 3.14 to create some shellcode and an eggdrop on a box you're already on but I'd like to see how to do this over the network. Show some good VPN-based attacks (not just brute-force or [D]DoS) and the theory behind them. Dynamic route poisoning, perhaps some Layer Two attacks, inter-protocol stack attacks (that was fun to say) and other "bad guy" things that involve more than just n/v/a/Map and Metasploit. ^_^

  4. LonerVamp says:

    Ouch, I didn't see the security question, clicked Submit, and it wiped out my text, told me to hit Back, and there was no Back button to hit (browser was greyed out since I hadn't moved anywhere). Just FYI for ya. 🙂

    What I wanted to post was a second for Fd's comment that selling security to business is still difficult. It tends to take some client/investor pressure or a major incident to prompt any caring. Then again, maybe this is not something that can be easily taught…

    My own suggestion would be more training for desktop persons on why security is important. Desktop security is often overlooked internally and dealt with on a sweeping enterprise-wide basis, but too often I've seen desktop support too quick to acquiesce to customers by providing horribly insecure solutions or actions. They want to please the customer, and as long as their performance is measured by that, that's what they do. Perhaps this is then a management issue, but I also think there are plenty of desktop support guys and gals who know their little niche and stick to just that, without really branching out into more secure means to do things. Even the little things like sticking a note to a laptop with the password on it happen more often than they don't, imo.

  5. Peter Giannoulis says:

    What security-related topics have not been covered in formal training yet but you feel should be?
    – If you look deep enough there is formal training for everything. The problem is with the overall popularity of the subjects in which some people need training. For example, worms, viruses, etc., are always killing us, so organizations write courses on them. Why? It's profitable. It's the same thing with regard to new security technology. A vendor releases a product and coins it IPS. Now we have over 100 IPS vendors. Some good, some bad.

    What topics require revised or better content?
    – The obvious answer is going to be the topics in which we cannot find good formal training. Until the popularity of the topic grows the content is typically not very good. This is not always the case, but I believe good courseware is developed when hundreds of professionals are involved. This usually doesn't happen until it becomes popular.

    How would these topics be best presented? (i.e. self-paced training, instructor-led online training, instructor-led classroom training, etc.)
    – Different ways. This question is kind of irrelevant to the subject, as everybody learns differently. For example, I like the self-paced route. I really don't like instructors trying to teach me. I can't learn this way. However, most people need instructors.

  6. As I posted on Harlan's blog, there is already a SANS training and GIAC cert for malware analysis. Why not simply expand upon it instead of creating yet another cert? I like the comment someone had about creating a "Malware Prevention Expert" cert. That seems like a much more useful exercise than trying to clean a machine. If you are a big corporate customer, you re-image the machine to a clean build and go about your business.

    What topics do I see that need more focus?
    – VOIP security
    – data extrusion detection and prevention
    – analysis of memory for incident response
    – the analysis would be an exercise of triage and preventing collateral damage, not removing malware 😉

  7. Good day to all,

    This is a very interesting topic.

    As it was mentioned above, there is definitely a need for very specialized training, or training that does not reach the masses yet. In popular domains of expertise there is plenty of training that exists and that is available.

    If we really wish to have an impact on the level of education within the masses we do need to make training more accessible to the average Joe who might not have 3 to 4K to spend on a full week of training.

    However, a business model based on something that you are giving out for free is really tough at best. Such a model attracts people who do not wish to pay for training resources and as such is not very scalable.

    We do need to have the training available in different formats to cater to people who have different learning abilities. Myself, I cannot learn from CBT that presents you 25 words at a time. I prefer live training or video training as it moves faster and allows me to get to the point. There are other people, as mentioned above, who swear only by CBT and that works for them. There is a real need for the different types of training.

    I have tried over the past few years to offer free resources on my http://www.cccure.org web site, but it is tough to do this as a side project. I usually spend 10 to 15 hours a week on it and sometimes a lot more.

    I certainly welcome any new project where education will benefit.

    Best regards to all,

    Clement
    Security Evangelist
    cdupuis@cccure.org
