Security Laboratory

The Business Case for SANS Penetration Testing Course and Incident Handling Course

By Stephen Northcutt

This is a follow on to our discussion on how SANS new course, Security 560: Network Penetration Testing and Ethical Hacking, differs from other courses that, at first glance, appear to have the same objectives. This new course addresses in-depth methods used by professional penetration testers and ethical hackers to find and exploit flaws in a target environment. Additionally, SANS offers a course called SANS Security 504: Hacker Techniques, Exploits, and Incident Handling. Perhaps you are convinced you need one or the other course because of your duties in incident handling or penetration testing.

Perhaps your next step is building a business case for SEC560 as it relates to your vulnerability management programs. With corporate training and travel budgets being limited, workers in the trenches are often forced to build detailed business case justifications for travel and training. Perhaps a quick slide deck or well-crafted email doesn't cut it any more. Companies want a good ROI for sending us. There are three basic areas that need to be addressed in your business justification: people, process and technology. So let's get started.

People. Who do we select for training as a penetration tester? Clearly, someone with that job duty and/or the job duty of overseeing an outside pen test. We recommend that you always have someone shadowing an outside pen test group. Not everyone is appropriate for penetration testing training. This is very technical and very hands-on. It requires knowledge of more than one operating system and comfort with command lines. If we do not send the right person for penetration testing training, we do not get the anticipated benefits. Who do we select for training in hacker techniques and incident handling? This is also fairly technical, but there is a lot of process. Many organizations have sent the manager responsible for incident response as well as technical responders. The manager may not get all of the benefit of the training, and some of the technical material may be over his head, but he comes away with a solid understanding of the process and of what is possible. In all cases, just sending someone to training probably does not give the organization the full benefit. We do not retain everything we learn in a class. If we also fund the GIAC certification and give the student some time to study, we get far greater results: the student learns the material better. Take a minute to consider these quotations from actual GIAC certified students. SANS courses are well known for very complete notes, so study of the books is beneficial.

"The GIAC certification process forced me to dig deeper into the information that I was taught in class. As a result of this, I integrated this training into my practical skill set and improved my 'hands-on' skills." Dean Farrington, Information Security Engineer, Wells Fargo

"Being in the SANS class alone was extremely beneficial, but reviewing the course material afterwards and performing the labs at home as I prepared for my certification exam helped me learn the material even better. Additionally, it ensured that I retained the material longer and this process gave an opportunity for some of the more difficult topics to sink in." Matt Austin, Senior Security Consultant, Symantec

"Studying for the GIAC exam forced me to spend far more time reviewing details I probably wouldn't have reviewed if I was not attempting certification, and resulted in a far greater retention of the material, thereby making me a better InfoSec professional." Peter Leight, Universal, Orlando

We apologize for any sense of marketing, but your organization is making a sizable investment, and if you require your people to certify, you will increase the return on that investment. The price of the investment with certification is higher, but the result of the investment is improved. The GIAC certification for Incident Handling is the GCIH, and for Penetration Testing it is the GPEN.

Process. The organization has an existing process for Incident Handling. How mature is that process? Many organizations choose to send all of their technical response folks to SANS for incident response training. That way they have all been trained on the same model and basic approach. When they get back, it is good practice to schedule a brown bag lunch so they can show the other technical responders some of the new tips and techniques they have learned. Many other organizations have a less mature process for Incident Handling. Then, as part of the investment in Incident Response training, you would be wise to plan some time to improve your process. Also, if your organization has one team that is responsible for incident response and a completely separate team responsible for disaster recovery, you may want to rethink that. In general, the incident response team gets a lot more exercise, so their documentation and process stay up to date. You may want a number of your incident response personnel to also be on your disaster recovery team. A final note on incident handling. How many incidents have been managed in the past 12 months? If the answer is zero or one, your organization almost certainly has a very big problem: you have lost the ability to detect. You cannot respond to an incident until you detect an incident. You don't want to be like the Department of Homeland Security, which lost over 6 terabytes of sensitive data to the Chinese, or TJ Maxx, which was compromised for over a year, losing customer records the entire time. Protection is ideal, but detection is a must.

Your organization probably has an existing process for Penetration Testing as well. It may be that you have an outside group come and do a penetration test once a year. You may have even purchased a multi-event penetration test to save money. But are the testers any good? These days, you can sign up for a course like Certified Ethical Hacker where you look at tools all day long, pass a test, and you are a certified pen tester. But penetration testing is far more than a bunch of tools; it is a process, an approach. It is knowing which tool to use, when, and why. If you send someone to a high-end, rigorous course, they can evaluate the skill level of an outside group. Using an outside group may appeal to the auditors and has some value, but what about doing your own penetration tests internally? What is the benefit of that? One of the most important things to understand about an outside penetration test is that it is only good for the state your organization is in when the test is done. As soon as one thing changes, the test report has less value. Within a month or two, many changes have happened. Being able to test yourself as you roll out a new technology is a valuable capability.

Technology. The world of attack and defense is not static; both sides are trying new things all the time. Up-to-date training lets students continue to learn about the latest technology and bring that back to their organization. There are also tools that are kept up to date; any organization with a vulnerability management or penetration testing program should consider CORE Impact. The price is reasonable and it really helps establish a baseline for penetration testing. Does CORE take the place of training? Of course not. It is a great tool, but it is a tool; the person using the tool is far more effective if they are trained properly.

NOTE: There is a once-in-a-lifetime opportunity coming up to maximize your penetration testing knowledge. SANS has pulled the very best practitioners together for the SANS WhatWorks in Penetration Testing & Ethical Hacking Summit starting May 31, 2008, in Las Vegas.

Framework. Security works best when there is an overarching framework. For example, if you want to implement defense in depth, it will not just happen, and just buying more products from your vendor won't do it either; you need an architectural approach to implementing defense in depth. If you have an overarching framework for your security program, it is easier to balance how much investment your organization should make in incident response and penetration testing. If you do not do that, everything feels like a "one off" and executives are rightly concerned that money is being wasted. Frameworks include the NIST Special Publications and IAM, but the very best one is often referred to as "7799" and it is ISO 27002. While SANS has a "7799" class, here are two excellent resources to give you the structure of the 7799 framework: the BITS Kalculator and SANS' SCORE Checklist.

If you can't develop the security skills you need in-house, you have to either ignore the risk or outsource. Now that you have the basic buckets where you need to implement security, you may come to the conclusion that it is not feasible to resource everything. Sometimes, especially when specialist skills are involved such as log analysis, intrusion analysis, forensics, or even penetration testing, you may want to outsource the majority of the work and just have one or two people in your organization who are sufficiently expert to monitor that the work is being done as specified in the Service Level Agreement.