SANS Local Mentor Program Update, Volume 1, Issue 5, April, 2005

From: The SANS Institute (lmpsans.org)
Date: Tue Apr 12 2005 - 21:26:45 CDT



****************************************************************************
Table of Contents:

Section 1: Featured SANSHOME on demand Webcast Courses

Section 2: Further discussion on GIAC certification changes

Section 3: Tales from a SANS Hacker Techniques local mentor led class

Section 4: Local Mentor Program Update offers assistance with HIPAA, SOX,
GLB and FISMA regulatory issues

Section 5: Jobs

****************************************************************************

Introduction:

The quiz question we asked last month turned out to be pretty easy.
FYI, we are now up to 7767 people with GIAC Certification. This month,
we offer an interesting and hopefully fun challenge, the SANS Haiku (see
below).

About SANS Local Mentor Program
***************************************************************************
SANS recognizes our community has varied requirements for the delivery
of our SANS courses. That is why, in addition to the SANS Conferences
we offer, such as SANS Rocky Mountain 2005 which runs from May 8 - 14,
2005, in Denver, http://www.sans.org/rockymnt2005 , we offer:

SANS Local Mentor Program, http://www.sans.org/local

SANSHOME, http://www.sans.org/athome

SANS Stay Sharp, http://www.sans.org/staysharp

SANS Self Study, http://www.sans.org/selfstudy

These four programs provide a great opportunity for those who are
seeking a flexible alternative to SANS' popular six-day conferences. No
packed airplanes, no living out of a suitcase for a week, no backlog of
emails and to-dos upon your return from a six-day conference.

The Local Mentor Program enables students to participate in SANS
training without the expense and inconvenience of travel or taking time
out of the workday, and with the advantage of a small classroom setting.

Students receive all the same course materials used at SANS conferences
and study at a more regular pace. As these SANS Local Mentor led
courses are all packed with technical information and hands-on
exercises, the additional time to digest this material is beneficial to
many students. We believe that the interaction with others and the
mentors, plus the 10 weekly sessions, give students the opportunity to
master the material and also make it a bit easier to pursue a GIAC
certification.

As one of our LMP students told us, "The interaction that LMP provides
is truly value added. Concepts that are fuzzy after reading the course
materials are clarified by the instructor. Real life experiences and
incidents encountered by other students are discussed." - Calliope
Carellos

READER CHALLENGE
As you may know, we have recently removed the Practical requirement from
the GIAC certification process. The Practical assignment was a written
paper of anywhere from 8 to 40 pages in length, depending on the
particular certification. There is a detailed discussion of this change
in Section 2, below.

The local mentor program is offering the following challenge in the
spirit of brevity, fun and depth. The first ten readers to submit a
Haiku devoted to a SANS Course or GIAC certification will each receive
a 10% discount off the regular tuition fee for the upcoming SANSHOME
course of your choice, from the list below. For those of you who don't
recall the format of a Haiku, here is a sample:

Security Risks
Incidents inside and out
How best to protect

****************************************************************************

Section 1: Featured SANSHOME Webcast Courses
****************************************************************************
SANSHOME upcoming Webcast courses

-->SANS Security Essentials starts (archived webcasts) April 18
http://www.sans.org/athome/details.php?id=855

-->SANS Intrusion Detection in Depth starts Tuesday, May 3
http://www.sans.org/athome/details.php?id=955

-->SANS(R) +S Training Program for the CISSP(R) Certification Exam
starts April 28 in Spanish
http://www.sans.org/athome/details.php?id=945
and June 22 in English
http://www.sans.org/athome/details.php?id=980

Note: For our market research purposes, if you are interested in taking
one of these courses, please send an email to lmpsans.org letting us
know what country you reside in.

And remember, the earlier you register, the more you save on your
tuition fees.

For a list of all available SANSHOME courses, please go to
http://www.sans.org/athome.

****************************************************************************

Section 2: Update on changes in GIAC Certification requirements
****************************************************************************
The local mentor program has received numerous emails and calls about
the new GIAC certification procedures which no longer require the
writing of a practical paper. We would like to take this opportunity
to shed some more light on this subject.

First, SANS has earned its reputation for having meaningful
certifications based on the trust put into our GIAC certifications by
all of you. This reputation has allowed SANS to differentiate itself
from all other training programs, and GIAC from all other certifications
in the information security field. No one at SANS will do anything to
jeopardize the hard-earned respect and reputation that we currently
enjoy. We understand that this reputation has been earned through your
trust and your confidence in The SANS Institute.

Second, as Stephen Northcutt stated in a message to the SANS Local
Mentors, the reason we made this change was to establish a more
objective set of criteria with which to measure each GIAC candidate.
Yes, there is a vacuum right now, as the new testing format is not yet
available. Clearly, like Nature, many of you are uncomfortable with
this vacuum. You can expect to hear more about this from SANS over the
next 10 days.

Third, as Lara Corcoran, deputy director of GIAC, points out, the GIAC
certifications are based on SANS training. The training is well
established as the best training in the information security community.
This is not hype; this is based on your feedback to us. Lara reminds
us that the practical was not at the core of the GIAC certifications.
The challenge to prove your knowledge and how to apply that knowledge
every day was at the heart of the GIAC certifications, and still is.

Fourth, based on your input, we have developed the GIAC Gold Standard,
which will be known as the premier benchmark in assuring that a
certified individual holds the appropriate level of knowledge and skills
necessary in key areas of information security.

GIAC Gold will distinguish itself from the existing 'GIAC Silver'
certification by requiring candidates to complete a technical paper.
After completing the exams necessary to pass the GIAC Silver
certification, students will have the option to pursue the GIAC Gold
Certification.

All GIAC certified professionals who previously completed a "practical
assignment" under the old GIAC regime will be transferred to the GIAC
Gold program. GIAC sent out a press release on Friday, April 8,
regarding these changes. Please send an email to lmpsans.org if you
would like a copy of this press release.

Your comments and questions on this issue are encouraged. Please send
them to lmpsans.org.

****************************************************************************

Section 3: Tales from a SANS Hacker Techniques, Exploits and Incident
Handling local mentor led class
****************************************************************************

Many students tell us that the knowledge they get from a SANS class can
be put into use at work the next day. How about putting it to work
during class?

In order to respect the privacy and security of the mentor and students,
we will not use any names or locations, but here is what happened during
a class that was hosted by the employer of a group of students:

"Whenever I run a local mentor session, I try and personalize it for the
students, so they can see how the concepts we discuss apply to their
real world jobs.

I was running a Security 504 LMP session at a large company in the
communications industry. One day when I walked into class, the students
said "We understand the course material for this week, but we're
currently being hit by a worm that the anti-virus companies haven't seen
before. Can you show us how to do the incident handling process on the
worm?"

Luckily, we had our mentor sessions on Saturdays, so there weren't a lot of
people in their office that day.

After finding a few infected machines, we started the incident handling
process. There wasn't a whole heck of a lot in the way of preparation, as
their information security department, like many others, was relatively
small. After performing some malware analysis, we identified the fact that
the worm opened up a backdoor on a high port. This allowed us to identify
infected machines relatively quickly; all we had to do was scan their
subnets and find machines with a specific port open.

The containment stage was actually pretty easy. After the worm infected a
system, it logged into an IRC server, and received instructions from the IRC
channel's topic. The solution we came up with was to set up an internal IRC
server, and redirect the worms to the internal IRC server. This had two
benefits: first, a security administrator could connect to the internal IRC
server and see a list of infected machines, and second, they could also
control the worm (via the channel topic) to prevent further spreading.

To clean up the infections (eradication), they had security personnel
respond to the infected systems, and manually remove the components of
the worm.

When I got to the mentor session that day it was 12 noon. By the time
all was said and done, we decided to call it a night at 11pm. The best
part of it was the students were able to see and apply the incident
handling process in a hands-on manner. As an added bonus we were able
to develop a methodology for their company for dealing with variants of
the worm."
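
The containment step in the account above (an internal IRC server that the redirected worms check in to, giving an inventory of infected machines and a defender-set topic) can be sketched as follows. This is an added example, not code from the newsletter or the mentor; the server name, port 6667 and the placeholder topic are assumptions, since the worm's channel and command syntax are not given.

```python
import socketserver
from dataclasses import dataclass, field

SERVER = "sinkhole.internal"   # assumed hostname of the internal IRC server
SAFE_TOPIC = "PLACEHOLDER"     # defender-chosen topic; the worm's syntax is not on the page

@dataclass
class Sinkhole:
    topic: str = SAFE_TOPIC
    infected: dict = field(default_factory=dict)   # source IP -> {"nick", "channels"}

    def handle(self, src_ip, line):
        """Record one IRC line from a client and return the reply lines to send."""
        parts = line.strip().split()
        if not parts:
            return []
        cmd, args = parts[0].upper(), parts[1:]
        host = self.infected.setdefault(src_ip, {"nick": "*", "channels": set()})
        if cmd == "NICK" and args:
            host["nick"] = args[0].lstrip(":")
        elif cmd == "USER":     # registration complete: send the welcome numeric
            return [f":{SERVER} 001 {host['nick']} :Welcome"]
        elif cmd == "PING":     # keep the client connected so it stays visible
            return [f":{SERVER} PONG {SERVER} {' '.join(args)}"]
        elif cmd == "JOIN" and args:
            replies = []
            for chan in args[0].split(","):
                host["channels"].add(chan)
                replies.append(f":{host['nick']}!u@{src_ip} JOIN {chan}")
                # 332 = RPL_TOPIC: every channel carries the defender's topic
                replies.append(f":{SERVER} 332 {host['nick']} {chan} :{self.topic}")
            return replies
        return []

    def report(self):
        """Infected-host inventory as (ip, nick, channels), sorted by IP string."""
        return sorted((ip, h["nick"], sorted(h["channels"])) for ip, h in self.infected.items())

SINK = Sinkhole()

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:   # one IRC message per CRLF-terminated line
            for reply in SINK.handle(self.client_address[0], raw.decode("latin-1")):
                self.wfile.write((reply + "\r\n").encode("latin-1"))
        print("inventory:", SINK.report())   # printed when a client disconnects

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 6667), Handler) as srv:
        srv.serve_forever()
```

Every source address that speaks to the listener lands in the inventory, which is the list handed to the responders doing manual cleanup.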

************************************************************************

Section 4: Help with HIPAA, SOX, FISMA and/or GLB issues
************************************************************************
One of the primary values of the Local Mentor led classes is that
students can come to class with questions about a compliance issue that
has presented itself and our SANS local mentor can help the student work
through the process of properly responding to the issue.

For those of you who don't have access to a local mentor yet, please
submit the details of your issue and your location to lmpsans.org. We
will connect you with a local mentor to give you some advice. This
offer is limited to the first 10 people who respond to this note. SANS
will sanitize the compliance issue and the proposed solution, and share
a short write-up on this exchange with the rest of this audience next
month.

************************************************************************

Section 5: Jobs
************************************************************************

We want to make sure you are aware of the GIAC job board on the newly
redesigned GIAC website, http://www.giac.org/jobs.

Highlighted opportunity: Director, Information Security, at TV Guide.
For details, please go to
http://www.gemstartvguide.com/careers/jobopps.asp?Loc=&Company=11&Job=
and then click on the position: 'Director, Information Security'.

************************************************************************
