I took a seat in the back row at a long table with four other occupants - two RCMP cyber-cops to my left and two Cisco pre-sales guys on my right. I should note that there are one or two disruptive influences in the class as well. These one or two, whom I will not identify, have an irritating tendency to monopolize class time. Not by asking too many questions as you might expect, but by offering up their half-informed opinion on every topic of discussion. I suppose they are trying to assert their self-perceived position of alpha geek.
Day one, Monday, focused entirely on incident response and was essentially the preparation session for the corresponding GIAC certification exam. The course material was a thorough overview of SANS recommended incident handling practices.
This was good solid material that everyone in the class needs, even if they were a little anxious to get their hands on some tools by the end of the day. Unfortunately, there was no effort to include any Canadian law in the discussions of computer crime law, rules of evidence, privacy legislation and so on. For the price of the course, SANS should be able to put together a few slides of Canadian material. (SANS - I am available to write course material on a contract basis.)
Here are a couple of entertaining anecdotes from the class:
- "I don't think that it is morally right to ask users to remember 14-character passwords" - anonymous student
- I asked the RCMP officer beside me if they use keystroke loggers. He responded in a serious tone, "I cannot answer that question," and regarded me with a deadpan glare. Then he broke into a smile: "Just kidding. Of course we do!"
- Day: Day 1
- Topics: Incident handling
- Tools: none
- Overall value: 3 out of 5
- Coolness: 1 out of 5
Update: I was mistaken. Individuals wishing to challenge the GIAC GCIH certification must master the entire six days of course material, not just the first day.