Community SANS Event in Dublin

Bob McCardle has made me aware of these upcoming community SANS events to be held in Dublin this coming September.  Bob and Owen are both very well regarded for their expertise and I highly recommend attending any, or both, of these courses. 

Bob also kindly offered a discount code for those of you wishing to attend.  Contact me on brian dot honan at bhconsulting dot ie and I will pass the code along to you.

The two upcoming coureses are;

  •  20-25 September for SEC504: Hacker Techniques, Exploits & Incident Handling
  • 27 September – 2 October for SEC542: Web App Penetration Testing and Ethical Hacking.

SEC504: Hacker Techniques, Exploits & Incident Handling

20-25 September

Instructor: Robert McArdle

Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This challenging course is particularly well suited to individuals who lead or are a part of an incident handling team. Furthermore, general security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

SEC542: Web App Penetration Testing & Ethical Hacking

27 September – 2 October

Instructor: Owen Connolly

In this intermediate to advanced level class, you will learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from an experienced instructor you will learn the four-step process for Web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today.

For more details and to register please visit:

About the Community SANS EMEA Program –

The Community SANS format in EMEA (Europe, Middle East and Africa Region) offers the most popular SANS courses in your local community and in your local language. The classroom setting is small with fewer than 25 students. The instructors are pulled from the best of the local mentor program or qualified security experts who have passed SANS rigorous screening process. The course material is delivered over consecutive days, and the course content is the same as ones provided at a larger training event. In addition to the excellent courseware, not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with colleagues in your community that you meet at the training.

The Value of Security Certifications

graduationWithin the information security community one of the most debated topics is that of security certifications.  I previously blogged about certifications and gave my own views.   The mailing list of the Irish OWASP Chapter also had a recent discussion centred around the topic.   Many asked the question what value is a certification and which ones should I get?  What about CPEs and do they really add any value?

Richard Nealon, a well respected member of the Irish infosec community who has been involved as a volunteer with (ISC)2 in various roles over the past 10 years and was to be honoured with the COSAC award in 2003, gave one of the most insightful contributions to this debate that I have read in a long time.  I talked to Richard and he has agreed to allow me to publish his thoughts here,

As a former member of (ISC)2 Board of Directors, and active volunteer, you’ll not be surprised to find that I have stong opinions on the topic.
You might be surprised though, to find that they’re not too far from all of the points raised so far.

First point: There are three types of certification available in the market at the moment: 

  1.  Technical certification – SANS, Vendor related (Microsoft, Cisco, Symantec, etc), EC Technical Hacker, etc
  2.  Generic certifications – ISC2, ISACA 
  3. Academic certifications – MSc, Dip in Forensics, etc. 

Each of these have their merits & demerits, but I think that we have to look at the area of certification (and what it offers each of us) holistically rather than focusing on one particular cert.

Which one of these types is best?  To use the great SOx answer – “It depends”
It depends greatly on what your chosen/planned career path is, the security of your job, your expectations for the future…..

I’d argue that any certification doesn’t prove competence in any manner. It only goes to show that an individual has been successful in achieving a certain score at a point in time.

Nevertheless, in so many cases, recruiting employers will list a specific certification (or range of certs) to set a baseline and discourage what they consider to be the timewasters (those going for the job despite having no experience). In most cases, for security management roles, CISSP or CISA (CISM is the more appropriate ISACA cert but simply isn’t as well known) are used as that baseline. That’s just the way it is – (ISC)2 has been around over 20 years with a membership of about 60k and ISACA even longer. The reason that these specific baselines are used, is only because there’s nothing better on offer that’s as well known in the marketplace.

Now – let me come back to an important point in the last paragraph. You’ll notice that I mentioned “for security management roles”.  The baseline certs being looked for should be much different if the organisation is recruiting a DBA, Firewall admin, RACF support…. but unfortunately they nearly always use one-size-fits-all (primarily because they don’t really understand what “security do”).

I was speaking with a chap last week who’s a graduate of the MSs programme in Information Security from Royal Holloway.  The job he was interviewing for was to independently review and report on a PKI implementation.  Despite having implemented and managed a large PKI environment in the past, and having the MSc, the employer rejected his tender because he didn’t meet their certification criteria (i.e. didn’t currently hold CISSP or CISA).

Bottom line:
If you’re looking to set your career as a security techie – go for, and maintain technical certifications If you’re looking to set your career in security management – get at least one of the generic certifications and maintain it.  If you want to educate yourself – go off and get an academic certification If you’re never going to have to interview again (internally or externally) – save your money and let your certifications lapse

Them’s the options!  Take your pick.

CPEs first – Many of my CPEs are maintained by attending the monthly e-symposia from (ISC)2 and ISACA.  I normally access them via the archive after a couple of months and get them done in one large traunch.  Between the two, I can claim about 60 CPE hours a year if I’m bothered (3 CPEs per symposia, by about 10 instances from each organisation per year).  Past that – every hour that you receive a vendor presentation or demo; every exam question that you write and submit; every time you read the newsletter and answer the Quiz; every hour that you volunteer your services on a committee or board; ….  There are so many ways to earn CPEs free of charge, that only require the time and effort from each of us.  First port of call for quick & easy (and free) CPEs

AMFs – so what do we get for our $65?  We get free seminars, we get reductions on a huge amount of vendor training, we get free e-symosia monthly, we get a quarterly newsletter, we get deliverables (e.g. recent awareness material submitted by members),  discounts off the academic journal, online fora, and a host of other “stuff”.   Have a look at .  Most of all, we get the advantage of putting CISSP after our name. This identifies us as professionals (this is what we do for a living), as distinct from amateurs. It doesn’t necessarily make us good professionals  – as MD doesn’t necessarily guarantee good doctors, but would you want an amateur treating you for a medical complaint?

In terms of competing certification bodies, some organisations certainly do provide more content than (ISC)2 – but they also charge significantly higher AMFs!
Pertinent question being: What offers best value for money?

On a personal note – I’m happy to pass back any constructive suggestions from the group to their exec management as to what (ISC)2 should be doing to make their offering more valuable to their members. Please don’t just tell me that they don’t offer enough content, opportunity, support…
Rather, outline exactly what you think that they’re currently missing e.g. local chapters, free seminars, technical guidelines, areas of the CBK that should be covered, new certs

I think you will agree Richard has made some vary good points.  So if you have any contructive suggestions for Richard please put them in the comments below and I will pass them on.

If you are looking for more information on what certification programmes are available then here is a list I compiled previously.  Finally it is interesting to note in today’s SANs NewsBites a survey conducted by the Foote Partners highlights there is a high demand for certified security professionals.  Interestingly enough it is the technical courses provided by SANS that are most in demand with the  GIAC Certified Incident Handler being the most sought after.

Community SANS Event Coming To Dublin

A Community SANS event in Dublin is scheduled for the 7th to the 15th of September at the Ballsbridge Court Hotel.   The event will have the following courses;

  • SEC504:  – Hacker Techniques, Exploits & Incident Handling and will be tutored by Robert McArdle
  • AUD521: –  Meeting the Minimum: PCI/DSS 1.2: Becoming and Staying Compliant and will be tutored by Owen Connolly. 

The Community SANS format offers the most popular SANS courses locally and the instructors are high-scoring GIAC certification holders pulled from the best of the local mentor program or security experts in the local community. 

The course material is delivered over a six-day period, and the course content is the same as ones provided at a larger training event.  Depending on the course, the instructor may add relative information such as local laws and regulations, and bring cases and examples with local flavor. Not only will you be able to use the skills that you learned as soon as you return to the office, but you will be able to continue to network with colleagues in your community that you meet at the training.

More details on the event are available here.

List of the TOP 25 Most Dangerous Programming Errors Released

Earlier today the List of the Top 25 Most Dangerouse Programming Errors was released.  The list was compiled by a number of different organisations and coordinated by the SANS Institute

Criminals are now moving from attacking the infrastructure layer and moving to finding ways into systems by means of bugs in the applications sitting on top of the infrastructure.   In light of this change in tactics it is very important that if you are responsible for developing applications that you ensure that your code does not contain any of these errors.  If you are not responsible for developing applications then make sure this list get to those who are and that they pay heed to it.

Upcoming SANS WhatWorks Event

SANS are running a WhatWorks in Penetration Testing & Ethical Hacking Summit on September 17th 2008 at the Le Meridien Piccadilly in London.  The summit is a one day indepth look at the latest techniques and best practises you should employ to run penetration tests against your networks.  So whether you are responsible for securing your own network or the networks of clients this is an excellent opportunity for you to enhance your knowledgebase.  YOu can register for the course here.