May 12, 2004
This is the fifth in a series where I am trying to pin down what the true effect of a given certification is. If you hold a GIAC or other information security certification and are willing to be interviewed by email, send a note to email@example.com
Stephen Northcutt - The SANS Institute
1. What attracted you to the Internet Security field?
A few years ago, while I was working as a desktop support technician, a co-worker locked me out of my own desktop via the standard "User Manager for Domains" application. This started a fun prank war between us and got me interested in finding ways to compromise his operating system and leave him wondering what hit him. From that point on, learning new attack patterns, and detecting and defending against them, became a lifelong quest of mine. In the process of running downloaded tools against test boxes, I started feeling that I needed to get more involved in the inner workings of the tools, the underlying operating systems they run on, the attacks, and the medium and methods they use. This got me passionate about the inner workings of protocols, TCP/IP, and the RFCs that helped design those protocols.
2. Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?
When I started researching security-related books and training facilities, I came across many certifications that leaned toward a certain application, an operating system, or a particular technology. For example, getting certified in the administration of a well-known hardware-based packet filtering firewall is great, and so is getting certified in a specific operating system, but getting certified with a vendor-neutral certification, along with training programs that teach the basis and concepts of the underlying security technologies, is what attracted me towards SANS training and the GIAC certification programs.
3. Many people are wondering if a Security Certification really makes a difference. Do you feel this has helped your career?
Security certifications are a great way to show potential employers, clients, and co-workers that you have what it takes to detect, defend, and test networks and hosts. The GIAC certification process is a grueling task that is not for the faint of heart. In order to get GIAC GSEC certified, I had to write a paper on the concept, usage, and detection of a commonly available ARP spoofing tool. The strict guidelines on writing the paper, along with the responsibility of sharing correct information with the security community, made me research the tool's workings in much more detail, thus expanding my personal understanding of the ARP protocol and its effect on any given TCP/IP network. To pass the GIAC GCIA certification, I went to a week-long SANS training that helped me learn incredible facts about intrusion detection, attack patterns, and signature analysis for a popular open source intrusion detection system. After coming back from the training, I once again had to decide on a topic for my paper that I felt comfortable with and that would help other analysts learn about a certain intrusion detection area. Only this time, the paper had to include three different network attacks and a detailed analysis of five days' worth of logs that were provided to me. During the preparation of this paper, I learned how to use data mining techniques for long-term network traffic analysis; I also learned how to analyze various forms of logs, thus improving my correlation skills. Of course, passing the paper was not the last step; I now had to prepare for two tests that encompassed three very thick books that I had learned from in the SANS training. I started studying for the tests and finally, after one month of reading every night after work, I passed both tests. I think it's because of the detailed process involved in getting GIAC certified that this certification is widely known and respected, and that is what attracted me towards it.
4. Does the GIAC certification help you respond to threats better, faster or more efficiently?
Not a day goes by that I don't use the skills learned through the SANS training and the GIAC certification process in my day-to-day responsibilities as an intrusion analyst. My training helped me fine-tune signatures on our sensors, recommend various placement scenarios for the sensors, detect known patterns, and research the not-so-common ones.
5. Do you feel these certifications have helped your company's overall direction and bottom line?
I believe that having GIAC certified professionals has tremendously benefited my company's bottom line. I work for a consulting company, and all of our clients have at one point or another inquired about having GIAC certified professionals working on their networks.
6. Did you take any additional Security Certifications or will you attempt the GSE Certification?
Now that I am a GIAC GCIA and GSEC certified security professional, the next training that I am planning on is SANS Track 4, "Hacker Techniques, Exploits and Incident Handling", which will prepare me for the GIAC Certified Incident Handler (GCIH) certification. This training will help me develop and be part of an incident handling team. None of our clients have an on-staff person with the skills required to handle the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. I will definitely take a shot at the GSE certification in the future.
7. What are your plans for personal development in the future? Where do you think you'll be two years... five years?
As far as personal development goes, I strongly believe that there is a need for more managed security providers in the southeast region of the US. Eventually I would like to start an operation that helps corporations defend their critical infrastructure by providing them an all-in-one security solution; this solution will include intrusion detection, prevention, multilayer authentication mechanisms, perimeter security, and much more. I am sure that this type of solution is what a lot of small and medium-sized companies are looking for, and I think I will be able to serve their needs.