inside the man

Wednesday, December 14, 2005

SANS Hacker Techniques report - day 1

There are roughly 40 hardened computer geeks in the class. Each has his or her (there are two women in the class) laptop and the corresponding web of power, USB, and other cables. The students are a varied lot from the US and Canada, ranging from techies from start-up infosec firms, to university security techs, to consultants such as myself.

I took a seat in the back row at a long table with four other occupants - two RCMP cyber-cops to my left and two Cisco pre-sales guys on my right. I should note that there are one or two disruptive influences in the class as well. These one or two, whom I will not identify, have an irritating tendency to monopolize class time. Not by asking too many questions as you might expect, but by offering up their half-informed opinion on every topic of discussion. I suppose they are trying to assert their self-perceived position of alpha geek.

Day one, Monday, focused entirely on incident response and was essentially the preparation session for the corresponding GIAC certification exam. The course material was a thorough overview of SANS recommended incident handling practices.

This was good, solid material that everyone in the class needs, even if they were a little anxious to get their hands on some tools by the end of the day. Unfortunately, there was no effort to include any Canadian law in the discussions of computer crime law, rules of evidence, privacy legislation and so on. For the price of the course, SANS should be able to put together a few slides of Canadian material. (SANS - I am available to write course material on a contract basis.)

Here are a couple of entertaining anecdotes from the class:
  • "I don't think that it is morally right to ask users to remember 14-character passwords" - anonymous student
  • I asked the RCMP officer beside me if they use keystroke loggers. He responded in a serious tone, "I cannot answer that question," and regarded me with a deadpan glare. Then he broke into a smile, "Just kidding. Of course we do!"


Summary
  • Day: Day 1
  • Topics: Incident handling
  • Tools: none
  • Overall value: 3 out of 5
  • Coolness: 1 out of 5


Update: I was mistaken. Individuals wishing to challenge the GIAC GCIH certification must master the entire six days of course material, not just the first day.


About Me

Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.
