I watched an interesting episode of Nova with the family the other night. It detailed issues with cruise ships and their sinking and compared similarities between disasters such as the recent Italian ship in which the Captain hit a BIG rock, the Titanic, and the Oceanos. A large part of the comparisons dealt mainly with the ships and the Captains. However, part of the episode dealt with crew training.
In the aviation world, at least in the US, pilots are apparently required to take annual simulator training. Maritime crews and Captains are not. Neither are Network Security professionals. Wait. What's this about annual simulator training for nerds?
It's simple really...at least in my head; I admit that I may be foggy after having a Cinco de Mayo dinner with the family at Chili's. But I think it makes sense, at least some sort of annual event for all types of network security folks, not just DoD exercises or SANS training courses....or even the rush to submit CPEs for your CISSP at the end of the cycle. I may be putting the majority of us nerds into the same container as I am personally, but here are my points:
1. I am frequently moving from one project to the next. Although some may have solutions in the same domain (pun intended!) as others, there is no one-size-fits-all, at least I haven't found it yet. In the last 12 months, for example, I have had to work out solutions using: Flash, PHP, Perl, Python, Bash, batch, PowerShell, new exploits and old exploits, etc, etc. Have you not had to do the same? I'm certainly not complaining, although it can be frustrating in job interviews if you haven't touched Perl in 12 months and you get a specific question only to have the answer stuck on the tip of the tongue. :-(
2. What's old is new and what's new is old. While base methodologies and languages haven't changed a whole lot over the last decade, it's safe to say that solutions using said methodologies and languages, or some combination thereof, have certainly changed. Do you use the same type of (or even the exact same) script for some task you've been doing over the last decade? I'd venture the answer is no...or at least I think it should be. For example, what I used to like to do in Perl or batch/Bash scripts, I now like to do in PowerShell (and Perl and batch/Bash). Some GUI tools even catch my fancy every once in a while. :-)
3. Who's the bad guy? He's not the same one he was a decade ago. Probably not even the same he was a year ago (or it could be a she, to be fair!). Does the adversary (being he, she, or them) use the same tactics, techniques, and procedures...tools and methodologies as a year ago? Sure, beaconing will always be beaconing...but even this has changed over the years in terms of ports, protocols, services, encryption, data, etc, etc, etc.
4. Certification providers and requirerers (not sure that's a real word) have moved towards a demand for recertifying, annual training requirements, or a combination thereof. That's all fine and dandy and usually not that complex to satisfy. But, is it REALLY satisfying? If you took a SANS course last year just to learn something new and/or satisfy some CPE/CMU/C?? requirement, could you sit down today and perform even half of the tasks you learned? No...I don't think most people can unless that training was already a part of their job function or they found a way to incorporate it as such! Fact is, our training and our knowledge, in any field really, is perishable. If you don't use it, you WILL lose it and that's the cold hard fact of the matter.
I have at least 15 different and specific skills/languages/tools listed on my resume. I can even talk to all of them to some extent. However, there are a number of them that I need to use the manpage for to refresh myself because of the perishability of the skills (and sometimes because of the ever-so-slight differences between some scripting languages). I mention this not as a focal point of this post, but just as a way to maybe bring the point home a little bit more, that we computer security nerds live in a world that is as horizontal as it is vertical and our tools are as perishable as mayonnaise on the back porch on a hot summer day.
This brings me to the thought of "Annual Simulator Training" for computer security nerds. If we had, regardless of industry or threat, or better yet, tailored to industry and threat, an annual training on a simulator, wouldn't this in fact allow us time to re-learn, re-master, and re-visit the tools we don't get to use often enough, or in ways that are challenging enough? I am sure that one of the two people who read this blog has already thought "Doesn't the DoD or USCYBER already do an annual training/simulation event?" The answer would be yes. However, the number of players in the "big" simulation is not a realistic sampling of the network security nerds inside the DoD/USCYBER complex itself. Not to mention, it's training only for this finite number of participants.
There are options available now in terms of simulation environments for network protection, detection, response, analysis, etc. But they are targeted to specific customers (read: If you have enough cash or credit, you can have a simulation network that works 50% of the time...if you're lucky!!!). Furthermore, as with the Captains and crews of marine vessels, there is no one specific requirement for annual simulation training in our field. True, there are the requirements of CPEs/CMUs and the opportunities that some individuals get based solely on their employment location and/or provider. However, I would argue that the private sector is as important as the government and public sectors in terms of how we are equipped to protect and defend. And if the level of importance is the same across the board, at least to all US interests (private, public, and governmental), then the training exercises and environments should be further extended to support annual simulation training for all of us network defenders and penetration testers! Furthermore, if these training capabilities were extended, this would allow for federal support/mandate of an annual simulation training environment.
Now, before anyone shoots me for thinking that I want the federal government to be "all up in our business," let me say this: I don't want them in our business, I want them to better support our business. I think in doing so, we all benefit regardless of sector. Furthermore, it might help stop some of the harebrained, half-cocked, knee-jerk reactions that I see in terms of policy shifts and requirements development (why should baselines shift every time some CISO or some Colonel gets wind of some "new" threat?).
OK. I'm going to stop here and take a giant leap off of my soap box! Hope you enjoyed this episode (psychotic episode???) and stay tuned for a word from our sponsors. :-)