I am putting together a semester-long, hands-on security training course for a local college. The college asking me for the program showed me a proposal they got from a professional IT training company for a 120-hour information security course. They are trying to figure out how to decide, so they sent me the competing proposal and, lo and behold, 92 out of 120 hours are about certifying people for Checkpoint firewalls and Microsoft ISA Server. Here is what I told the college:
This course focuses on two Checkpoint courses, CCSA and CCSE, which together account for 80 hours out of a total of 120. Then they spend another 12 hours on Microsoft ISA Server. The course only spends 8 hours on information security management and 8 hours on application security. From a marketing perspective, the course brochure looks slick. But not more than that.
Because of courses like this, companies have so many data breaches. After the course, the students will know a few buzzwords and how to click through the Checkpoint UI, but they won't understand anything about hacking software.
If you want to understand data security you have to get down into the dirt and roll up your sleeves instead of learning how to click through the Checkpoint user interface. Microsoft system administrators, in particular, need to understand security and how to think about threat response and mitigation, because their thought processes have been seriously weakened by the Microsoft monoculture. They need to think about network, data security and software security threats and how to tie it all together with a practical threat analysis and information security management approach. They can always train on Checkpoint afterwards.
This reminds me of what Paul Graham writes in his article "Beating the Averages":
The first thing I would do… was look at their job listings… I could tell which companies to worry about and which not to. The more of an IT flavor the job descriptions had, the less dangerous the company was. The safest kind were the ones that wanted Oracle experience. You never had to worry about those. You were also safe if they said they wanted C++ or Java developers. If they wanted Perl or Python programmers, that would be a bit frightening; that's starting to sound like a company where the technical side, at least, is run by real hackers. If I had ever seen a job posting looking for Lisp hackers, I would have been really worried.
So, if you are a real hacker, look for companies whose security administrators are certified for Microsoft ISA Server and you will have nothing to worry about. But if your target's security administrators are facile with Wireshark, Ratproxy, Fiddler and Metasploit, then you should be really worried.