EH-Net
May 24, 2013, 07:17:08 PM
Show Posts
Pages: 1 ... 4 5 [6] 7 8 ... 29
76  Ethical Hacking Discussions and Related Certifications / General Certification / Re: SANS Work-Study experience on: August 26, 2012, 09:38:32 PM
I achieved 3 of my GIAC certs this way and just got back today from doing the new SEC575 Mobile Pentest course in VA Beach (no cert available yet). I'd be happy to provide any feedback on the process. By the way, I'll be posting a course review of SEC575 shortly. It was a great course and I have some thoughts on it and future mobile pentesting courses I'd like to share but don't want to derail this thread.

As far as selection, SANS STI students always get first dibs, even if they don't need the course for graduation. While I am currently in STI, I just started so that did not impact the 4 times I've been selected to facilitate.

The next thing they look at is if you've facilitated before and what kind of reviews the instructor gave you. We have had some really bad facilitators that were not asked back a second time. It's hard work and SANS puts a lot of trust in the volunteers, so laziness, evidence of untrustworthiness or general douchebaggery are good ways to ensure you don't get asked to return. I've seen facilitators do really stupid things for minimal gain that jeopardize what I think is the best deal for training on the market today.

They typically don't like to pair up 2 newbies if they can help it, and for the larger classes will often pair a veteran with a first timer. If they could run with all veterans and have enough to fill the seats I'm sure they would, but that generally does not happen. For instance in VA Beach week 1, we had 2 veterans (myself and a guy who's done it 8 or so times) and 2 first timers. At big events like Orlando it seems more like 25% first timers. Typically veterans wind up in the newer, more popular courses and first timers wind up in courses the veterans have all taken, 401 being a good example of that. That's not always the case, but it is a common scenario.

They also look at things like if you are a community SANS instructor, a local mentor (SANS Mentor program), a GIAC cert holder, and several other areas. You can see what I mean when you fill out the application. A yes in most of those areas will certainly help your application but I'd suggest being honest there.

It's a ton of work at the big conferences; you will be working 14 to 16 hour days frequently. At smaller conferences you might have 1 or 2 12 to 14 hour days and the rest are closer to 10. I don't mind the work, and the value from meeting all the other facilitators and getting more facetime with the instructors is invaluable. It's a great networking opportunity in addition to being an amazing discount on training. A SEC560 course (Network Pentest) with GPEN certification attempt and 4 months of OnDemand would normally be over $5,000 but you are getting it for $850. That's insane. Personally, even if my employer wanted to pay the full amount I'd probably facilitate anyway. It's certainly a lot of fun. Good luck on your 401 course.

77  Ethical Hacking Discussions and Related Certifications / Other / Re: Spelling and Punctuation on: August 21, 2012, 11:57:00 PM
The person who prompted that post has been engaged in a flurry of activity lately. No commitment to quality whatsoever but apparently thinks spamming is the key to success here, or maybe he just wants some OffSec training. It sounds like he might have some decent things to say but he's coming across like an idiot because he isn't proofreading his posts, or at least appears not to be. I won't name him, but he has not posted in this thread yet. I'm sure most of you will be able to figure out who I'm talking about but he is not the only one and I don't want to single him out.

This is an issue prevalent with many of our members and it's disturbing to me because this career path is much more than a technical discipline. If you practice writing without attention to detail, that failure to properly communicate will manifest itself in anything you write. Written communication is the lasting and ultimate deliverable that is the manifestation of our work output. I personally think it's difficult to classify any hacking as ethical (other than hedonism, ethics can be somewhat relative, but that's a topic for another post) when the ultimate goal is not to communicate findings to a customer or impacted stakeholder.

I will also admit, had I not been so inebriated last night my filter would have engaged, but I'm glad it didn't. It needed to be said, and the several PMs I've received in the last 24 hours indicate that others feel the same. For the non-native English speakers, I applaud you for taking the time to learn a second (or third or fourth) language. I am not so cultured. This post is not directed at you. It's directed at anyone who makes a conscious decision to be lazy in their writing. As my grandfather used to say: "Anything worth doing is worth doing well."

78  Ethical Hacking Discussions and Related Certifications / Other / Spelling and Punctuation on: August 21, 2012, 12:26:45 AM
Seriously, use spell check. I get really frustrated trying to read what would be otherwise useful content. If you are going to take the time to write useful material for folks, use your fucking spell check and grammar check. Don't switch from passive to active voice. Don't switch from 1st to 3rd person. Don't switch from past to present tense. If you don't know how to write properly, pick up a copy of Strunk and White: http://www.amazon.com/The-Elements-Style-Fourth-Edition/dp/020530902X Otherwise you are going in my "moron" bin.

That being said, I'm sure I will have a typo somewhere in this post. Smiley

79  Ethical Hacking Discussions and Related Certifications / General Certification / Re: BCS ISEB Certificate in Information Security Management Principles (CISMP) on: August 14, 2012, 12:22:55 PM
I've seen a lot of auditors go for the ISO27001 Lead Auditor credential. Here's a UK-based training course:

http://www.itgovernance.co.uk/products/2753

80  Ethical Hacking Discussions and Related Certifications / Other / Re: Your Other Reading List! on: August 14, 2012, 09:31:59 AM
Currently reading Neal Stephenson's Cryptonomicon. It is dated (released 1999) but it is really good! http://www.amazon.com/Cryptonomicon-Neal-Stephenson/dp/0380973464

Next up is Railsea by China Mieville http://www.amazon.com/Railsea-China-Mieville/dp/0345524527

Then I'll probably re-read Shadow & Claw by Gene Wolfe http://www.amazon.com/Shadow-Claw-First-Half-Book/dp/0312890176 Gene is probably the most underrated but amazing sci-fi/fantasy author of our time. Seriously, check out anything he has written.

81  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 10, 2012, 10:23:49 AM
What I do is redirect all my tool output to text files and move those into an encrypted archive I retain with the report. We also require full packet capture with a filter set for anything in target scope + tester machine(s). It's more a training aid for IR purposes and IPS/SIEM tuning than anything else. So yes, we are retaining a lot of other data with the report, but the key is, not IN the report.

And yes cyber.spirit, we are telling a story. Usually the story the client wants us to tell as long as the data supports it.
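The evidence-retention workflow described in the post above, as an added example that is not part of the original post or the poster's own tooling: tool output is teed into a per-engagement evidence directory with a command-line and UTC-time header, the packet capture is restricted with a BPF filter built from the in-scope addresses plus the tester hosts, and the directory is hashed and sealed into an encrypted archive kept beside the report rather than pasted into it. Everything here is constructed: the scope ranges, tester address, interface name and directory names are placeholders, and the script assumes tcpdump, gpg and sha256sum are installed (the capture step needs root or CAP_NET_RAW).

```shell
#!/bin/sh
# Added example (not from the original post). Keeps verbatim tool output, a
# scope-limited full packet capture and a hashed, encrypted evidence archive
# next to the report; nothing from it goes into the report body.
# Addresses, interface and directory names below are constructed samples.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"

# build_bpf_filter "<scope hosts/CIDRs>" "<tester hosts>"
# Emits a BPF expression matching only traffic that involves an in-scope
# target or a tester machine. CIDRs become "net", single addresses "host",
# so out-of-scope traffic on the same interface never lands in the evidence.
build_bpf_filter() {
    bpf_expr=""
    for bpf_item in $1 $2; do
        case "$bpf_item" in
            */*) bpf_term="net $bpf_item" ;;
            *)   bpf_term="host $bpf_item" ;;
        esac
        if [ -z "$bpf_expr" ]; then
            bpf_expr="$bpf_term"
        else
            bpf_expr="$bpf_expr or $bpf_term"
        fi
    done
    printf '%s\n' "$bpf_expr"
}

# evidence_run <label> <command> [args...]
# Runs a tool, echoes its output to the terminal and keeps a verbatim copy
# (stdout+stderr, headed by the command line and UTC start time) in
# $EVIDENCE_DIR/<label>.txt. Returns the tool's own exit status.
evidence_run() {
    ev_label="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    ev_file="$EVIDENCE_DIR/$ev_label.txt"
    ev_status_file="$EVIDENCE_DIR/.$ev_label.status"
    printf '# cmd: %s\n# started: %s\n' "$*" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$ev_file"
    # A POSIX pipeline reports tee's status, not the tool's, so the tool's
    # status is written to a side file from inside the pipeline.
    { "$@" 2>&1 && ev_rc=0 || ev_rc=$?; echo "$ev_rc" > "$ev_status_file"; } \
        | tee -a "$ev_file"
    ev_status=$(cat "$ev_status_file")
    rm -f "$ev_status_file"
    return "$ev_status"
}

# start_capture <iface> <bpf expression>
# Full packet capture (snaplen 0) restricted to the scope filter, rotated
# every 500 MB. Needs root or CAP_NET_RAW; run it in the background.
start_capture() {
    mkdir -p "$EVIDENCE_DIR"
    tcpdump -i "$1" -s 0 -C 500 -w "$EVIDENCE_DIR/capture.pcap" "$2"
}

# seal_evidence <archive-basename>
# Writes a SHA-256 manifest of every evidence file, then packs the directory
# into a symmetrically encrypted tarball (AES-256; gpg prompts for the
# passphrase). Delete the plaintext only after verifying the archive opens.
seal_evidence() {
    (cd "$EVIDENCE_DIR" && find . -type f ! -name MANIFEST.sha256 \
        -exec sha256sum {} + | sort -k 2 > MANIFEST.sha256)
    tar -C "$EVIDENCE_DIR" -cf - . \
        | gpg --symmetric --cipher-algo AES256 -o "$1.tar.gpg"
}

# Usage (constructed engagement; capture step as root):
#   export EVIDENCE_DIR=./acme-2012-08
#   start_capture eth0 "$(build_bpf_filter "10.20.30.0/24" "192.0.2.10")" &
#   evidence_run nmap-top1000 nmap -sS -Pn --top-ports 1000 10.20.30.0/24
#   seal_evidence acme-2012-08-evidence
```

The filter keeps only traffic that touches a target or a tester box, which is exactly the scope statement the post describes; the manifest lets you later prove the archived output is what the tools actually produced, which is what makes it usable as an IR training aid or for IPS/SIEM tuning.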
82  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 10, 2012, 12:17:30 AM
Most of the time it's just not necessary. What does it add to the report? If anything, it shows laziness. There may be situations where you need a short snippet of output to help you tell your story but for the most part no it should not be in the report.
83  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 09, 2012, 01:05:30 PM
Pimping my own blog at http://sentinel24.com/blog/ where I just made a post on this topic. I plan on doing some more here as I am developing a separate wiki on pentest business issues (including scoping, reporting, insurance, customer relationships, quality management, etc.).

And jamie.R - yes it's the hardest and the most important. I've always heard that the report should take more time than the test itself. It's not just gathering data and writing a report, what the customer is really paying you for is analysis and interpretation of that data. As I've heard @mmurray say, they are paying you for your wisdom. (sorry if I butchered your quote Mike!  Wink)
84  Ethical Hacking Discussions and Related Certifications / Incident Response / Re: blog hacked. so , what to do? on: August 09, 2012, 09:43:41 AM
Hope you guys are visiting this site from an unimportant machine. If I wanted to target a bunch of security professionals this is exactly how I'd do it.

 Grin
85  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 08, 2012, 04:32:31 PM
Here is a short blog post from HackaServer that talks about writing a pentest report.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report-guideline/

They also have an example report of a pentest against Metasploitable.

http://blog.hackaserver.com/howto-complete-a-penetration-test-report/

Just checked out this sample report and it's an excellent example.... of what NOT to do. I don't have time to take the deep dive as I'm getting ready to hit the road, but an executive summary with technical terms is a poor executive summary. Nmap output and other tool output in the report is just bad. That stuff belongs in an appendix; far too much copy and paste here for my liking. I'll try to take the time to follow up on this with more explicit examples and recommendations in the next day or two, but this is NOT a good report.
86  Resources / Tutorials / Re: Tutorials on: August 08, 2012, 04:14:33 PM
No, I'm not referring to hacking specific examples. I just mean learning how to think and then applying those skills to breaking things. You have to walk before you can run. But then again, it won't be as popular because there's no shell at the end.
87  Resources / Tutorials / Re: Tutorials on: August 08, 2012, 11:26:55 AM
Videos on logic and deductive reasoning would be very useful. This is really what it comes down to, but it's hard to make people think outside the box. We naturally operate under a set of constraints, many times self-imposed and getting people to understand new ways of thinking is huge.
88  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 08, 2012, 11:17:50 AM
Jamie.r, this is something I've been working on for a while. One of the directions I'm starting to shift more in favor of is using a wiki as the collection point and then populating the report with data from the wiki. If you include the ability for team collaboration and a place to upload tool output, and then have a way to reference it within your reporting engine, that has substantial value.

I'd be happy to talk to you about some of the work I've done here if you think it might be helpful. Unfortunately my mechanisms currently are pretty ugly: generate an InfoPath form, copy and paste into Word, customize content and then convert to protected PDF. I know some consulting firms use custom spreadsheets for this and, believe it or not, get some pretty amazing results out of Excel. I'm moving in a similar direction as you but I think I'm going to implement it as a Rails app.

What I'd really love to see here is some good collaboration tools and proper version control for the report. Also need to consider the sensitivity of the data and storage/encryption needs and how you plan to purge or dispose of the data once no longer needed.

Also, if you have not looked at http://dradisframework.org/demo.html already I highly suggest you check it out. It may already meet most of your needs.
89  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: pen test documentation on: August 07, 2012, 01:04:42 PM
You will want to start off the report with an executive summary. Don't go too flashy. It should cover a brief overview of the scope and objective of the test, the summary of the vulnerable systems using like a heat map or something. Again, nothing too detailed. Then the outcome of the test. What were you able to do? Then you can move to the details as to how you accomplished the goals. The CIO types will want to be able to read the first 2-3 pages and understand how at risk they are. The technical guys like myself will want to know how you did it and how we prevent it from happening again.

I will agree with this, but the executive summary is the LAST part you write, even if it comes first. In a recent report writing course I took at BSidesLV with Mike Murray and Josh Sokoly it was recommended to make things a bit more granular, with a CEO executive summary on page 1, pages 2 and 3 targeted at technology executives like the CIO and CISO, then technical management and lastly the IT Ops guys actually fixing things. They actually suggested those heat maps on pages 2-3. They also suggested keeping the report as short as possible and expending a lot of effort in reducing the word count. Much of the data we find in reports, like scans and tool output, really belongs in an appendix or possibly an archive attachment external to the report.

Avoid technical terms on that first page and try to address things like meta-issues over specific vulnerabilities ("There does not appear to be a standard process for updating system files" vs. 5 pages of "server x was missing patch MS08-067"). Also try to identify impacts a CEO might care about like shareholder value, SEC reportable findings, findings that might carry compliance fines, brand damage, etc.

Also, on the topic of using templates for this, I've created InfoPath forms for my own report needs for common findings and recommendations, but you need to be really careful here because it's easy to get lazy. Make sure you take the time to document the specifics around the finding and determine if your canned recommendation makes sense within the context of the system environment in question. For instance, I might recommend AV on a Linux box that hosts a Samba share for Windows clients, but not on another Linux server that has iptables configured in such a way that only other Linux servers are communicating, has no access to the internet or any other client facing technologies.
90  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-August 2012 Free Giveaway Sponsor - Offensive Security on: August 06, 2012, 04:22:03 PM
Very nice prizes Don, once again. Smiley
© 2013 The Ethical Hacker Network