Archive for August, 2010

My Experiences with the GSLC Certification Exam

Last week I did something that I do not usually do any more: I took a certification exam, the exam for the SANS GIAC Security Leadership Certification (GSLC). I had to not only take this exam, but also obtain a high score to continue in my role as SANS instructor for this course. I’d like to share some of my impressions with you.

First, SANS offers the advantage of allowing certification candidates to schedule the date and location of the exams they must take. This is extremely advantageous to examinees, as it allows them to take an exam when they are ready to do so, though with a few constraints, too. For example, those who sign up for the GSLC exam when they enroll in the GSLC course have four months from the time they took the course to take the exam. I really do not like mass exams that must be taken only on certain dates and times and at limited locations, especially as I grow older. So I very much appreciated being allowed to schedule the exam on the date of my choice.

Categories: Network Security

Penetration Testing: Part 5

In this, the last blog entry in the current series on pen testing, I’d like you to consider with me how an organization that needs a pen test performed should choose a service provider. This decision is extremely important because not everyone who claims to be a proficient pen tester genuinely fits that bill. It is all too easy to hire an individual or consultancy whose testing is incompetent and/or incomplete. Additionally, not every service provider stays within the rules of engagement. Some get carried away, and in the process cause disruption and even damage.

Categories: Network Security

Penetration Testing: Part 4

Let’s assume that a penetration test has been performed, leaving an organization with a list of vulnerabilities that have been exploited and prioritized recommendations concerning mitigation options. The question now is what the results mean. At face value, the results serve no purpose other than being a basis for action. If three critical, five medium- and ten low-severity vulnerabilities have been exploited, an organization should start by patching the critical vulnerabilities, then, if resources permit, the medium-severity vulnerabilities, and if resources remain available, the low-severity ones.

Categories: Network Security