Lessons learned while working in Information Security.
I just returned from SANS SEC501, my first formal Information Security training class in about fifteen years, held at their Network Security 2015 event in Las Vegas. This is a broad but “Advanced” overview class aimed at giving people familiarity with as many topics as possible in the time available. I was pleased with the course, with a few reservations, and I’m really glad I didn’t take one of the lower-level overview courses (SEC301 or SEC401) because this one was perfectly fine for someone at my level of background and experience. It could have been more challenging and technical, and that would have been even better. A few notes on my experience:
This isn’t just a complaint about being away from home and family for a week at a stretch. That’s manageable. The amount of time spent learning at these courses, however, is problematic. It wasn’t unusual for me to spend from 0830 to 2130 in the convention center, between the course itself and the evening lectures and tournament. After a week of this I was really ready for some natural light and fresh air. I know there’s a lot of material to cover, but it’s hard to keep sharp for that many hours at a time even with breaks.
There’s a huge amount of material to cover in an overview class, and a week just plain isn’t long enough to do it justice. So many topics were breezed through with just top-level bullet points. So many of the labs would have been more useful if we had to really dig into them and do some analysis rather than just copying and pasting into a terminal. Our instructor definitely enriched the course with humorous and enlightening anecdotes and suggestions, but had he just gone off the slides I would have felt cheated by the cursory treatment of the subject areas. (Of course, the discussions of virtualization and testing labs are going to result in some rather expensive purchases. C’est la vie.)
In addition to SEC501, I also signed up for NetWars DFIR because hey, why not, it’s free with the long-form training course. This turned out to be the most entertaining and educational part of the entire trip. I hadn’t touched a computer forensics tool in my life before the day of the tournament, but due to the convenient timing of the SEC501 topics, we did a quick overview of forensics tools the day the tournament started. Picture my surprise when I found myself on the leaderboard (10th place) after the first day. On the second day people jumped ahead super quickly (I won’t accuse them of working on the questions during the day, but it was pretty suspicious), but I still managed to come in 14th out of about 75 participants. I had no idea that digging information out of hard disks, memory, server logs, and network pcap data would be so much fun. This will be a career-influencing experience.
That’s it for my quick reflections. I may well have additional posts to write on the various topics discussed during the class. I would like to thank Paul Henry for leading a fun and educational intro to InfoSec. I look forward to future, more specialized and detailed classes.