RE: Ethical Hacking Training

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 01/19/04

  • Next message: Rob Shein: "RE: Auditing / Logging"
    Date: Mon, 19 Jan 2004 13:19:38 -0500 (EST)
    To: "Pete Herzog" <pete@isecom.org>, "Don Parker" <dparker@rigelksecurity.com>, "Andy Cuff [Talisker]" <lists@securitywizardry.com>, "Rob Shein" <shoten@starpower.net>, <pen-test@securityfocus.com>
    
    

    The biggest thing I find is that people have unrealistic expectations. Bottom line is
    that it takes a lot of time to learn all the various topics that constitute what the
    average hacker knows. I encounter this mindset all the time with the people I have
    trained. They wonder why after 4 or 5 days they are not at the same level I am at. Quite
    simply put because for every day I have taught them I have spent a full year studying
    and learning.

    A good example of this is SANS actually. They do a better job than most at teaching
    imho. The problem is though that over the course of 6 days you are learning an
    incredible amount of information. Then you have 6 months to certify if you so choose. My
    thoughts on this prove me correct. Look at the amount of track attendees vice certified
    people. To sum up, gaining knowledge is no easy task, and simply put takes time.

    Cheers

    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------

    On Jan 19, "Pete Herzog" <pete@isecom.org> wrote:

    Hi,

    As a person who has begun to provide training on security testing and
    analysis, this is a tough spot for me as well.

    The truth is the public buys hacking classes. That's all there is to it.
    And the more flashy and exploity and thrilling the better because that's
    what the people buy.

    But as people want more and more in their 5 days and they want to see
    hacking exploits, you can expect the money will continue to flow to the
    hucksters who solicit their wares the best. Funny thing though is that this
    is happening with almost every facet of security. Training is no different.

    I really have no plans to take our trainings down that road. But it's a
    fight every time with people who think ISECOM should be mainstream.

    Sincerely,
    -pete.

    Pete Herzog, Managing Director
    Institute for Security and Open Methodologies
    www.isecom.org - www.osstmm.org
    www.hackerhighschool.org - www.isestorm.org

    > -----Original Message-----
    > From: Don Parker [mailto:dparker@rigelksecurity.com]
    > Sent: Saturday, January 17, 2004 00:57 AM
    > To: Andy Cuff [Talisker]; Rob Shein; pen-test@securityfocus.com
    > Subject: Re: Ethical Hacking Training
    >
    >
    > Evening gentlemen/ladies, this is one sore spot for me. These "Ethical
    > Hacking" courses and others along this vein. These vendors need to be
    > far more clear, as to exactly what a student will come away with, and
    > what they should have knowledge-wise prior to attending. I recently sent
    > some feedback to Information Security Magazine in regards to their
    > Technical Editor's take on one such course, (and the technical errors in
    > his column). The problem is that the security industry as a whole is
    > becoming one big money machine.
    >
    > These courses are giving people unrealistic expectations of what they
    > will know after one of these 1 week courses. Nothing wrong with trying
    > to make a dollar, but one should be honest as well in the process. It is
    > doing a great disservice to the industry as a whole to make people think
    > that they will be a "hacker" after a 1 week course. It should be clearly
    > stated that these courses are but an introduction into the world of the
    > true hacker. It will be up to the student to make of it what they will,
    > and then build upon it. Showing people what "Ethical Hacking" is all
    > about is a laudable goal. The thing is we must not forget our own ethics
    > along the way to doing so in pursuit of the almighty dollar.
    >
