Why Certify: Stephen Sims

Why Certify:

October 2, 2007

1. What attracted you to the Internet Security field?

Honestly, it all began as a teenager when I used to take computer-based games and open them with a hex editor to experiment. You could quickly max out something like your gold-carrying abilities in a role-playing game by changing a single hex value. *grin* This turned into an addiction to see how you can go about modifying code to get results other than the author intended. As games and software became more complex, it was always a challenge to discover ways around the controls put into place.

I then went to school for criminal justice and saw an opportunity to satisfy both my interest in crime and computers. I spent many years working as a network security engineer before making the full switch over to security. What attracted me was that it is always challenging, financially rewarding, and provides good job security.

2. Can you share how the decision was made for you to obtain GIAC Certifications and the value of such certification?

That decision was an easy one. I've always been an advocate of certifications primarily because of their ability to help you get the job you want. I hold the CISSP, CISA as well as other non-GIAC certifications, but the main reason I've been the most interested in GIAC certifications is due to the technical demonstration required to pass. With no pretention intended, I did not study for the CISSP or CISA and passed both on the first try. Not to say that they're not solid exams, but I've always preferred the more technical areas of Information Security. I tried the same practice of not preparing before GIAC exams and quickly felt the pain of that choice. After being stubborn and passing a couple of GIAC exams without the preparation I should have made, I realized the value of obtaining a higher score. I guess my overall answer is that I feel GIAC certifications require you to demonstrate a deeper understanding of specialized areas within Information Security than many others.

3. Many people are wondering if a Security Certification really makes a difference, do you feel this has helped your career?

It has definitely helped my career. If you do a search on a job posting website for Information Security positions, you will find a list of desired certifications on at least 50% of them. Certifications as a whole definitely show a company that you've taken that extra step to demonstrate your interest level and ability to learn and practice security.

4. Does the GIAC certification help you respond to threats better, faster or more efficiently?

The GIAC Certified Incident Handler (GCIH) certification definitely laid out a good foundation for me when I combined it with the SANS Hacking Techniques and Incident Handling course many years ago. I have used that foundation in many organizations I have worked for, molding it into a process or procedure specific to that company. One thing you learn when taking a course like that is how much you really don't know! This should serve as the inspiration to hit the books in order to keep up with such a dynamic field.

5. Do you feel these certifications have helped your company's overall direction and bottom line?

I feel that certifications give you a good sense of confidence and recognition within the company. This allows you to use your expertise to guide the company in the right direction. Again, obtaining certifications demonstrates your desire to keep up with the latest and greatest in Information Security. It is with that knowledge that you can try to remain proactive when dealing with threats as opposed to reactive. This most certainly guides your company in the right direction.

6. Did you take any additional Security Certifications or will you attempt the GSE Certification?

I actually hold the GSE certification. I took the exam in October, 2006 in Las Vegas. I have to say that being required to be in the testing center at 7:30 AM both days and not finishing before 9:00 PM is quite taxing! I knew that I was in for it when I signed up. When I passed the exam, it was definitely a great moment for me and a big accomplishment. The great thing about the GSE is that it requires that you have many of the desired traits a company values in a top-level security professional. I can't give away the details, but testing ranges from public speaking, technical labs, exams, essays and other assignments. Anyone who enjoys a good challenge and loves security should take this exam!

7. Are there any plans to require new hires to have or obtain Security Certifications as a condition for employment?

I am not directly involved in hiring in my current position. However, in the past I have always looked for certain certifications. Again, I go back to the fact that it allows me to easily see who makes that extra effort. Make no mistake, I definitely make sure that the candidate can back up everything on their resume, including the certification. It is just a quick way to help you select who you will interview. Very similar to a college degree. For some positions, I would get over fifty applications. You certainly cannot interview that many candidates, so you must look for ways to filter out the desired skill set.

8. What are your plans for personal development in the future? Where do you think you'll be two years... five years?

I always try and walk down multiple paths at the same time. On one side, I love management and working with executives as a consultant. On the other side, I love vulnerability research and sitting for days in front of a software debugger and disassembler. I have no idea where I'll be in several years, but I know I'll always be moving on to bigger and better things. I used to think, wow it will be great when I don't have to study anymore. The truth is that learning should be a part of your daily routine, especially with security!

9. What area of security interests you the most?

I have been spending a lot of time focusing on exploitation and security developments for the last couple of years. It is pretty amazing how far along Operating System (OS) security has become. When you think back to a few years ago, not many OSs had inherent controls in place to protect the system. There were many methods published on how it should be done and even step-by-step instructions, but very few implementations. What's my point you ask? We are at a point now where most OS developers have learned their lesson and are pretty good at adding these controls into place from the start. This takes us to a new phase in security.

The technical knowledge required to execute an attack such as a buffer overflow (BoF) on a "modern" OS requires much more skill. This is partially the reason why we see so many attacks now focusing on the application and not the OS. The gap between the vulnerability researchers who develop Proof of Concept (PoC) exploits and security engineers in general has widened. Almost every individual involved with security knows that a traditional BoF is the process of placing shellcode into a buffer lacking proper bounds checking and then simply overwriting a function or return pointer with the memory address of the shellcode. That's a great starting point, but I've found that when interviewing applicants for a specialized position, many of them do not understand what's happening under the hood and are unaware of the latest attack methods. Everyone should spend some time in the world of assembly with tools such as GDB, OllyDbg, IDA Pro, objdump and others!

There have been many controls put into place to try and stop an attack such as a BoF. All good ideas conceptually, but unfortunately containing elements that still allow fo a successful attack. Don't get me wrong, many of these added controls have frustrated Script Kiddies and others enough to move away from attacking the OS, hence my prior comment about moving to attacking the application. An attack such as SQL Injection is typically much easier to pull off and discover than a modern BoF or Format String attack. It is also much easier to circumvent perimeter controls such as firewalls and IDS'.

Some good examples of security controls added into the OS are non-executable memory stacks, Address Space Layout Randomization (ASLR), Process Environment Block (PEB) Randomization, stack canaries and many others. With those controls came attacks such as return-to-libc, Structured Exception Handling (SEH) attacks, methods on controlling heap-based pointers through a free() function, and many others. I don't have time here to dive into the world of circumventing these controls, but the point is how much more difficult it has become to successfully exploit a vulnerability. Take ASLR for example... Even if you find an application flaw which allows you to overflow a buffer, the memory address of your shellcode is always changing each time that address is accessed. Without being able to determine where in virtual memory your shellcode exists, it is nearly impossible to write a stable exploit.

Properly done, ASLR should fully protect this type of attack from occuring. The problem is that most implementations of ASLR include certain areas in memory addressing that are static such as the code segment for example. If there is an area of memory thats addressing remains static, you may be able to call up certain pointers that allow you to gain control of code execution. Various Linux distributions have been using ASLR for years. Windows has introduced ASLR with Vista, although it is not enabled by default as with many of the Linux distros. It would, however, be a fun experiment to enable it by default on Vista and see what happens! *grin*

Happy Studies!