Comments on Windows Incident Response: New SANS Cert (feed updated 2024-03-19T07:46:20-05:00)

Anonymous, 2007-01-16T08:57:00-05:00:

<i>Of course, without a root cause analysis, or at least some form of investigation, how are you to know when the malware got on the system? You may simply be turning up an infected system all over again.</i>

Right now this is part of SANS SEC 504 Incident Handling class... Not sure what the new cert would add to this?

<i>Insurance? Do any of the SANS certified folks carry insurance? Are they required to do so, as part of the cert? I haven't heard of this...I'm asking...</i>

They don't require it, but many of the consultants I communicate with through SANS channels carry their own insurance.

H. Carvey, 2007-01-16T07:46:00-05:00:

<i>Hmmm.... I wonder if it is ever cost-effective to attempt malware removal when one considers the time involved compared to re-installing?</i>

That's always a concern. Rebuilding a server includes not only reinstalling or Ghosting the original image, but updating it, as well as reloading data from backup. Of course, without a root cause analysis, or at least some form of investigation, how are you to know <b>when</b> the malware got on the system? You may simply be turning up an infected system all over again.

Another misconception about malware is that it always exploits an unpatched vulnerability. If you don't do something to determine the infection or intrusion vector, then you may patch the heck out of a system, but with a bad config setting on an app or a weak password, the system will be re-compromised all over again.

<i>I can't imagine it would be except for very high-end machines. A "Certified Malware Removal Expert" is bound to be expensive, not to mention what kind of insurance (s)he would have to carry....</i>

Insurance? Do any of the SANS certified folks carry insurance? Are they required to do so, as part of the cert? I haven't heard of this...I'm asking...

Anonymous, 2007-01-16T07:31:00-05:00:

Hmmm.... I wonder if it is ever cost-effective to attempt malware removal when one considers the time involved compared to re-installing?

I can't imagine it would be except for very high-end machines. A "Certified Malware Removal Expert" is bound to be expensive, not to mention what kind of insurance (s)he would have to carry....

Anonymous, 2007-01-15T12:28:00-05:00:

I think SANS goes the wrong way. They used to have highly accredited certifications as long as you had to complete a practical.

Now you can achieve a "silver certification" just by taking a multiple choice test - the reason is "to give more people the possibility to get certified"...

That's what Stephen Northcutt said; I would say it's to make more money. And for the very same reason they are inventing useless certifications.

Who believes that you can get a better job because you are certified in removing malware? Perhaps they should invent a "Certified Malware Prevention Specialist"....

John H. Sawyer, 2007-01-13T23:23:00-05:00:

As I was digging through Google Reader catching up on my RSS feeds, I always leave my CF/IR blogs for last. Having already seen the mention on Richard's blog and now yours, I am pretty much of the same opinion...why does there need to be a cert for removing malware? It seems absurd to me.

There are so many areas that could use more research and training with possibly a certification that could lead to IT workers actually learning something useful. This is not one of those areas in my mind. SANS already has a short class and GIAC certification for analyzing malware so the removing malware cert seems like it would simply be an extension of the current cert.

Considering there was a recent interview with Stephen Northcutt where he mentions that his "single greatest failure" is that there is practically no training related to VOIP. Heck, then why not do a cert related to securing, auditing and pentesting VOIP networks. They just put it into the SANS Top 20 so seems like a good candidate. ;-)

http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1233013,00.html

Again. Why teach how to remove malware and make it an actual cert? Maybe my mom and other family members will take it so they won't call me to fix their spyware ridden machines.

-jhs