Saturday, January 13, 2007

New SANS Cert

Do we need another SANS cert? I don't think it's so much about us...it's what SANS wants.

I was reading TaoSecurity this morning and ran across this link to the recent SANS newsletter...

Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software? We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills and knowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.

I looked at this and thought...hhmmm...why create a new certification for skillsets that admins should already have? After all, malware detection is really just an advanced form of troubleshooting...which all admins should be knowledgeable in, right? I mean, when you have trouble with your car, do you examine it (i.e., look at the gas gauge and determine you're out of gas) or do you just abandon your car on the side of the road and get a new one?

Of course, there is a school of thought that believes why should you certify someone to run "format c:\", then fdisk, then re-install the OS? Ugh. I don't know which is worse...thinking that "slash and burn" is an acceptable solution, or certifying something like this.

Thoughts?

5 comments:

John H. Sawyer said...

As I was digging through Google Reader catching up on my RSS feeds, I always leave my CF/IR blogs for last. Having already seen the mention on Richard's blog and now yours, I am pretty much of the same opinion...why does there need to be a cert for removing malware? It seems absurd to me.

There are so many areas that could use more research and training with possibly a certification that could lead to IT workers actually learning something useful. This is not one of those areas in my mind. SANS already has a short class and GIAC certification for analyzing malware so the removing malware cert seems like it would simply be an extension of the current cert.

Considering there was a recent interview with Stephen Northcutt where he mentions that his "single greatest failure" is that there is practically no training related to VOIP. Heck, then why not do a cert related to securing, auditing and pentesting VOIP networks. They just put it into the SANS Top 20 so seems like a good candidate. ;-)

http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1233013,00.html

Again. Why teach how to remove malware and make it an actual cert? Maybe my mom and other family members will take it so they won't call me to fix their spyware ridden machines.

-jhs

Anonymous said...

I think SANS goes the wrong way. They used to have highly accredited certifications as long as you had to complete a practical.

Now you can achieve a "silver certification" just by taking a multiple choice test - the reason is "to give more people the possibility to get certified"...

That's what Stephen Northcutt said, I would say it's to make more money. And for the very same reason they are inventing useless certifications.

Who believes that you can get a better job because you are certified in removing malware? Perhaps they should invent a "Certified Malware Prevention Specialist"....

Anonymous said...

Hmmm.... I wonder if it is ever cost-effective to attempt malware removal when one considers the time involved compared to re-installing?

I can't imagine it would be except for very high-end machines. A "Certified Malware Removal Expert" is bound to be expensive, not to mention what kind of insurance (s)he would have to carry....

H. Carvey said...

Hmmm.... I wonder if it is ever cost-effective to attempt malware removal when one considers the time involved compared to re-installing?

That's always a concern. Rebuilding a server includes not only reinstalling or Ghosting the original image, but updating it, as well as reloading data from backup. Of course, without a root cause analysis, or at least some form of investigation, how are you to know when the malware got on the system? You may simply be turning up an infected system all over again.

Another misconception about malware is that it always exploits an unpatched vulnerability. If you don't do something to determine the infection or intrusion vector, then you may patch the heck out of a system, but with a bad config setting on an app or a weak password, the system will be re-compromised all over again.

I can't imagine it would be except for very high-end machines. A "Certified Malware Removal Expert" is bound to be expensive, not to mention what kind of insurance (s)he would have to carry....

Insurance? Do any of the SANS certified folks carry insurance? Are they required to do so, as part of the cert? I haven't heard of this...I'm asking...

Anonymous said...

Of course, without a root cause analysis, or at least some form of investigation, how are you to know when the malware got on the system? You may simply be turning up an infected system all over again.

Right now this is part of SANS SEC 504 Incident Handling class... Not sure what the new cert would add to this?

Insurance? Do any of the SANS certified folks carry insurance? Are they required to do so, as part of the cert? I haven't heard of this...I'm asking...

They don't require it, but many of the consultants I communicate with through SANS channels carry their own insurance.