Working in information security is an ongoing battle! That’s why we have to learn new things every day! But the opposite is also true. As somebody commented on Twitter recently: “Sometimes, it’s also good to forget things“. We also have to learn from our mistakes, and the information security landscape is full of bad stories to learn from! To sum up: we have to train ourselves all the time…
Self-learning is (almost) free. It only costs you spare time and requires access to a lab or documentation, but it can quickly reach its limits. How do you submit questions? How do you exchange useful tips & tricks? Real trainings add a social layer which helps you learn better and quicker. So how do you select the training which suits your requirements?
Aside from your preferences, there are different types of training that can be attended. I see three big areas for trainings:
- Vendor trainings
- Certification trainings
- Learning “by doing“
Vendor trainings are only useful when you need to be ready as fast as possible to go “to the front” (read: to customers) to massively deploy the vendor’s solutions. You’ll learn the basics, but don’t expect to go very deep. To go deeper, buy another training! Finally, to successfully complete the training, you’ll have to pass the certification exam, based on wonderful questions like:
To achieve the configuration of "A" when "B" is deployed in "C" mode, you use the command: a) cmd -C b) cmd -c c) cmd -s
I hate this kind of question! You need to know how things work, but how to apply them? RTFM! Usually, vendor trainings are mandatory for your company to remain a “certified partner” ($$$!) and are not difficult to attend.
Certification trainings are broader and don’t focus on products. Most of them are theoretical: procedures, frameworks and best practices will hold no secrets for you. Here again, after the training (often called a “boot camp“), you have to pass the certification exam and finally reach the holy grail, also called “CISSP“, “CISA“, “CISM“, “ITIL“, “CEH”, etc. While they are very useful to build the basics of information security, once you have them, they will mainly help you get put on the top of a stack of resumes and pretend to be an “infosec guy” (I insist on the verb “pretend“!)
Finally, the third type is learning “by doing” or “looking under the hood“. In my humble opinion, that’s the best way to learn: by practicing and going straight to the point! This last type of training is usually organized during security conferences. Alas, they are not free: good trainers are not easy to find, and traveling abroad might double the total cost (flight, hotel, …). So, why not take advantage of a good opportunity to attend top-notch trainings organized in the center of Europe, in a place not far from anywhere: Belgium! The BruCON security conference has announced the training schedule for its 4th edition:
- Metasploit for Penetration Testing by Georgia Weidman
- Cyberwar: using the techniques and tactics of APT’s in Penetration Tests by Joe McCray
- Corelan Live! by Peter Van Eeckhoutte
- Visual Analytics – Delivering Actionable Security Intelligence by Raffael Marty
- Hacking IPv6 Network by Fernando Gont
- Red Team Testing by Ian Amit and Chris Nickerson
- Assessing and Exploiting Web Applications with Samurai-WTF by Raul Siles
- Elite Web Application Defense by Eoin Keary and Jim Manico
This is an excellent opportunity to attend trainings given by people recognized as excellent trainers in the information security field! Registration has been open for a few days, and early-bird prices are available until the 31st of May 2012. Spread the word!