Hi all,

I've been thinking back over where I have come from in the past few years. No doubt I have learned a lot. And I can apply some of that knowledge. But I was thinking today, does IT Sec training really prepare us for the challenges we face?

I am a CEH. I am supposed to know the tools, techniques, and tactics that a hacker uses to compromise a network. A year ago I would have told you that I probably had a good idea about something like that. But I am thinking, in an age of Advanced Persistent Threats, with "cyberwar" on the horizon, how has my training prepared me for that?

I know that an attacker will try to hide their location before they perpetrate their attack. From just general knowledge I know of some of the techniques, like tor or tunneling. But none of my training mentioned this. Had I not tried tor for myself I would have no idea how it is used, its limitations, i've done a little research on how to tunnel traffic through tor, but I dont think I could use it effectively.

I know that attacks are often traced back to perpetrators, possibly across the world, through multiple computer systems or networks, but I dont know how. It goes on through all the phases of the hacking process i suppose, I know about trojans, maybe I can download one, run it through a program to change its signature (fuzzing right?) but this knowledge comes in piecemeal, over time.

Honestly, i guess im a little frustrated. I know there are a lot of people with a lot more knowledge, skills, and experience than me. How does one get to that level? How do you get to that place where you can sit there and right a report where you can say, "this is what happened, and this is how they did it, and this is how you can prevent it."?

Am I alone in this?

take it form a 12 hour old pen tester - you are not alone in this thought

I got told this morning that i am going to become an in-house pentester. right now i have no training, no experience, and at most i have played with a few hacking tools. I can tell you this though I agree with your post one hundred percent.


I don't know if this will help you or not but i am planning on looking at "both" sides of the attack. What i am thinking would be best to become one of the more "experienced" testers (please correct me if i am wrong on this) is to set up an actual server and then attack it using the various methods that you find posted on the web or learned in class. once you have performed the attack then look at the attack from the "Protectors" view and try to trace the attack back to the source. that way you get to see what logs are created and how the investigative process happens. once you understand how the attack was performed then you can concentrate on how to prevent it. once you feel you have a handle on attack type A then move onto attack B. If and when you get through a bunch of attacks you will start to see patterns and it will become easier to see what happened, thereby making the reports easier.

Like i said i am new to all of this and do not know squat but this is my plan and i guess i can only hope that it is the correct path.

Edit: listen to ajohnson he is probably wiser than I on this stuff.

You clearly know something because that's dead-on. You should read Tom's recent post (http://www.ethicalhacker.net/content/view/408/2/) and possibly check out his Hacking Dojo service as well. It's affordable for what you get, and it will help you get up to speed quickly, especially because of the pros that you can ask questions to.


Perhaps. As always, take it with a grain of salt



I disagree. I think by and large you're one of the better ones out there. I think we lose perspective when we do things like following dozens of people we really respect on Twitter. We put ourselves in a position where we get bombarded with high-level expertise, and after awhile, we feel inadequate.

However, that's not representative of the real world and sea of information security "professionals." A friend of mine recently did a security assessment for a relatively small financial institution, and their security guy hadn't even heard of SSH before. I have many similar stories from my own experience. I think if most of us stepped back and looked at everything in perspective, we'd probably find that we were better off than we realized.


This. Remember that a lot of people excel in this field because they find it entertaining and make it their hobby. If you put more importance and putting 40 hours into WoW or watching TV every week, there's no way you can be on the same level.


Maybe. I think a lot of that comes down to attitude and perspective, which you can change if you put the effort in. Most of us got into this field because we were drawn to the constant change and would get bored otherwise, yet we seem to view those changes as burdensome rather than interesting. It seems like whether you focus on offense or defense would dramatically affect your views as well. 

I don't think hacker training in general is giving us the wrong knowledge, but some training providers, are giving us most of the tools (knowledge) 14-16 year olds already have, where the higher level practical knowledge, is only found with a very few training providers currently.

There's many things, in Hacking, which you will learn a lot more about, if you study it yourself (and become dedicated too), even though it may take a long time, but learning from e.g., the guys at Corelan, Rapid7 (Metasploit developers) and perhaps OffSec about exploit development, web app sec from well, various random resources, intrusion detecting and preventing, from experienced people that blogs about their experiences, creating new custom rules that detects the latest malware, etc., as it's often hard to find the best resources to learn from, if you're completely new.

If we go back, just ~10 years, it was even harder, and if we go back even further, a lot harder because good information about hacking was almost like a dark art back then that was hard to obtain. (At least that's how I felt, when you don't know where to go, who the leading experts are, or at least, the good resources from where you can learn a lot from. If there was a single place where you could learn everything from, I would've studied that intensely.)

Today it's thankfully a lot easier, but becoming an expert, or close to, or for that sake the all-round pentester that knows everything, isn't easy, as there's so much information.

Some people are excellent exploit writers, but lack skills in web app sec. Some people in web app sec are just the opposite. (Because both areas, are huge, even though I've always thought of exploit development to be a lot harder than web app sec, which I always thought everyone knew, and that it was just the "basics", the starter level, apparently I was wrong, because I've recently seen more and more people needing to know the right path within area.)


Therefore, I'm happy to say that even I am fiddling with the idea of creating a good resource for practical knowledge about web app sec.


That's crazy, especially because you say, that you have many similar stories.

I remember that I once during an internship roughly 4 years ago, ran a few tools and didn't do much custom work during black-box pentests, I once discovered that most of a particular network used outdated VNC software (with known vulnerabilities like authentication bypasses). I wondered who was in charge of security? Turned out to be the sysadmin, that apparently didn't follow security issues with programs in particular, as there was plenty of other vulnerabilities there too. (All because of outdated software.)

I've never thought of it like this before, but that makes sense.  Thanks for that perspective.  Now to just keep this in mind everytime I'm on Twitter


Well I know I feel better about myself now lol


Sadly, this is my situation right now (outdated software) and it's due to a few factors: lack of infrastructure to manage software centrally, lack of funding to update said infrastructure, small IT team with too many things to do that often take precedence over updating software because "if it works, why update it?" *facepalm*

As much as I've griped about EC Council training, I personally think any training where you learn something/anything from is valuable to some degree. I guess if you can say, "I learned something" it's not a complete waste. Now whether or not learning that DES encryption uses 56 bits is worth $1000, well that's a matter for debate. What the CEH gave me was not the ability to pen test or hack but the broad knowledge of what's out there and to a small degree, how to defend against it. Because of CEH I can say that I know *of* SQL injection, XSS, buffer overflows, sniffing, etc. I would imagine that most of the entry level security courses would be the same. Now it's up to me to develop that high level knowledge into a true skill.

It seems to me that any training you recieve is obsolete the moment you've completed it. Like a new car, by the time you hang that certificate on the wall its value has already depreciated significantly. This field, like any other technological one, is constantly evolving and I think it falls upon the W/B/G Hat to keep up with the latest techniques.

Like you though, I've been feeling overwhelmed by what I don't know. I get this feeling that what separates the White Hat from the script kiddie is indepth knowledge of: SQL, Java, Javascript, Perl, Python, Backtrack, Metasploit, and the list goes on and on. I think ajohnson said it best, the guys that are true masters at this stuff live and breath it. While I'm playing a computer game (not WoW) or watching Big Bang Theory or Netflix movies, these guys are perusing the forums and security news, et al. I'm just not sure I'm ready to devote my life to this stuff, especially since it's not my profession but more of a hobby and something that might distinguish me during a layoff period.

A healthy balance is indeed highly recommended

The point I was making was simply that if you're motivations are money, job security, glamour, etc., you're going to have a very difficult time achieving as much as someone who has an innate passion for the material.

I think, like with all education, that training classes give you a step in the right direction.  They provide you with a good base so that you can decide how far you want to go.  InfoSec, like with InfoTech, is a very general area.  There are many paths to follow and it is up to you to decide which ones best fit your interests.  Then you need to continue building the skills.  The certification is much like a degree and without any experience to back it up, it is worth about as much as the paper it is printed on.  

Specialization is key to surviving in the business of IT and InfoSec but also being able to adapt to the changing landscapes is just as good.  Like right now being able to detect the presence of a targeted attack is a handy skill.  But in order to master such a skill you either need to buy really expensive log management solutions that send you alerts geared toward that type of activity or become a good log analyst and understand the different areas of IT to know when you see something that doesn't quite fit.  Then you need to follow the bread crumbs.  Eventually you will come across some suspicious files and that is where some level 1 malware analysis will be needed.

Knowing what I know now about IR, I would say that can certainly give you some good exposure to a number of other interesting skills involved with responding to incidents. But to be good at it, you really need a solid base of IT based skills to be good at the log analysis and incident response.

But we have all felt overwhelmed at one point in our careers and its natural to question you previous education.  There will always be entry level certs and more advanced counter-parts but both require dedication to continuing your education beyond the classroom.