The Victims of Cyber Security Training

Feb 2, 2017 10:00:00 AM |

Wesley McGrew

Social Share:

AdobeStock_726528.jpegIt’s harder than you think to identify good talent in cyber security. Whether you’re trying to fill full-time security positions within your organization, or partner with service providers and vendors that can identify vulnerabilities and help maintain resilience, there is an ocean of “get rich/smart quick” schemes that make things more difficult for you. They target up-and-coming information security professionals, and, in turn, leave you with less qualified staff and vendors.

Recent media attention aimed at cyber security has made it an attractive career path. In-your-face coverage of national security issues, businesses held hostage by ransomware, and large-scale breaches illustrate the importance and visibility of the field. The current critical talent shortage gives individuals hope that they will be able to find a job, if only they can quickly get up to speed.

There is a cottage industry of training programs that victimize these individuals. The desire to quickly “break into” glamorous penetration testing jobs with high salaries is exploited by these programs, which are designed to quickly separate ambitious potential hackers from their money. They’re priced affordably, and are either provided in quick “boot camp” formats, or as self-paced online material. Low overhead and minimalist pricing provide training providers with lucrative volume. I recently saw a class that advertised itself (in its title, no less) as a path to a six-figure salary in penetration testing, at a discounted price of $39.99.

As you can imagine, these ubiquitous training programs do not naturally output highly-skilled security professionals. The material often lacks structure and comprehensive coverage of the topic, especially in classes that purport to train penetration testers. This is due to the limited experience of the trainers and those involved in course development (both in teaching experience, and in the material that they are teaching), and the serious limitations of scope that a short class must face.

Plagiarism is rampant in information security training. Providers hold their material close to their chest, making it difficult to identify plagiarism with publicly-available information, but a look at a broad range of this material reveals a nasty truth: training programs are stealing from each other in their quest for maximal profit for minimal effort. The worst offenders take the material directly, while even more “adapt” (read: steal, while changing a few words) their hands-on exercises and examples from others’ books and original training material. It’s amazing how many courses and books I’ve seen that cover the details of exploiting the exact same WU-FTPD vulnerability (that, I might add, is now thirteen years old).

So, at the same time you’re dealing with a talent shortage, you’ll also be sorting through a group of individuals and vendors that look good on paper, but are relying on a very thin background to present themselves as being able to help you protect yourself against ever-increasingly-sophisticated threats. How do you separate the wheat from the chaff?

While there are highly-qualified information security professionals from non-traditional backgrounds, those individuals will not be propping themselves up with short training courses. When you’re in conversations with service providers and vendors, don’t let them settle their qualifications with a list of certifications. Four-year degrees in computer science/engineering, or the equivalent in experience, is far more valuable than passing a multiple-choice test at the end of a one-week course. Even that, by itself, isn’t enough to have real capability.

Ask about original research, presentations at conferences, and other activities outside of the classroom. Would you rather hire a penetration testing team that is limited to publicly-disclosed vulnerabilities, or a team that has experience in identifying new vulnerabilities that weren’t in their training manuals?

As cyber security becomes a higher-profile news item, and more businesses are victimized by attacks, the demand for qualified professionals will increase. Especially within the exciting field of offense-oriented services, there will be an ever-increasing number of training programs that fall short of providing value to individuals and, in turn, fall short of being a reliable indicator of talent.

If you are trying to fill security positions within your business, or evaluating vendors of security services, you run a very high risk of employing unqualified individuals and teams. Given the devastating impact of recent breaches, you can’t afford to make this mistake. Be very careful and thorough when you discuss candidates’ qualifications!

 

 For weekly insights into cybersecurity, please sign up here:

Subscribe to HORNE Cyber Blog

COMMENTS

THIS POST WAS WRITTEN BY Wesley McGrew

Wesley serves as the director of cyber operations for HORNE Cyber. Known for his work in offensive information security and cyber operations, Wesley specializes in penetration testing, network vulnerability analysis, exploit development, reverse engineering of malicious software and network traffic analysis.

Find me on: