The process goes to the movies, or Pentagon new information security certification



Presley Cannady
03-04-2010, 09:08 PM
An update first (http://www.washingtontimes.com/news/2010/mar/04/inside-the-ring-94616149/) (courtesy of the Washington Times):


The Pentagon has ordered all troops and officials involved in protecting computer networks from enemy hackers to undergo training in computer hacking themselves.

A Feb. 25 update to a directive on information security from the office of the assistant defense secretary for networks and information integration requires workers involved in what the Pentagon calls computer-network defense to be certified in understanding as many as 150 hacking techniques.

Here's how I'd read this. The guys tapped to head up this effort were snowed by their technical people and as a result are going to place human bodies in roles probably better served by an off-the-shelf 2u rack appliance per 100 target machines running some good vulnerability check software.

Hacking covers a wide range of disciplines and arts that do not lend themselves well to the certification process, if for no other reason than the underlying technical and psychological assumptions change so frequently that there's little if anything approaching useful general principle. A general course looks more like a full year of collegiate study--and is aimed at the professional computer scientist and engineer, not the work-a-day technician. That general course usually considers 2 years' minimum on-the-job information security experience as a must, and only places tools in the hands of people apt enough to explore the vast, unpredictable landscape of penetration testing and defense.

This is why security market vendors bundle training with their products. Train people to work very well with a very limited tool set--or better yet, replace them with appliances--and keep your over-educated, overpaid generalists on retainer exorbitant to paper over the cracks.

On the other hand, DoD is spot on if they're looking to build the IT equivalent to the TSA.

Wargames Mark
03-25-2010, 02:15 AM
...your over-educated, overpaid generalists on retainer exorbitant...

Boy-howdy. I feel this pain, though not in the IT security world.