
About


EC-Council Hall of Fame is the place to honor outstanding members of the Information Security fraternity. They are selected based on their credentials as industry experts or academia that have contributed a noteworthy achievement to their country or the information security community.


At EC-Council’s Hall of Fame, these experts share their achievements, knowledge and experiences on security fundamentals, best practices and experience in the IT domain to provide you an honest opinion on various matters and on the latest trends of information security issues around the globe.


Steven Defino


Tell us about yourself…


I am currently based out of Salt Lake City, Utah but grew up in San Diego California. I travel out of state for my work and some of my work is done over the internet.

I have been in the IT field since the IBM 8088 clones first hit the market. I remember seeing little postage stamp sized “Dell” stickers on the same 25lb metal cases that everyone was using when the 286s were changing the business world.

The 1995-2000 “dotcom” era saw me doing some development and project management work. At that time, EC-Council was the only certification vendor that specialized in E-Commerce. Also, I loved the idea of it being vendor neutral. So, I decided to enter the training field and taught web development and network security, and did some field work that processed bits or images.

In mid-2008, I joined Intense School, the training division of Vigilar, which I am still attached to as a Senior Security Instructor and decorated CEI.


What kind of experience do you have in the Information Security Industry?


As part of the Intense School’s parent company Vigilar, I am often assigned to conduct external penetration tests. My primary focus however is on training; I have contributed to several courses and consulted on national rollouts in various training programs.


Can you tell us a little more about your classes?


Intense School averages a comfortable 12-16 students per C|EH class. If there are more students, a co-teach scenario is arranged to ensure that everyone gets help when needed. I have taught EC-Council’s C|EH, C|HFI, E|CSA/LPT, and ENSA, all of them from several versions ago up to the present, as well as management-level classes in Project Management, ITIL and CISSP. My work takes me all over the United States, which I find a great opportunity to sample local culinary delights and culture.


What is the background of your students?


One of the most satisfying aspects of teaching C|EH is the variety of students I meet. There really isn’t one prevailing majority other than having a common curiosity regarding information security. My students range from managers who attend the class to better understand how to direct their team to technical professionals who want to investigate new tools and techniques.


What is your honest opinion about the Certified Ethical Program C|EH?


It is a highly technical course that requires a spirit of curiosity. This is a class that is challenging and has intense expectations regarding student effort. The bottom line is about keeping an open mind and keeping the passion for learning and experimenting.


How do you think the certified community will benefit corporations or government institutions?


I recall a situation where a field technician was having so much difficulty solving a problem that an engineer had to be taken from the lab/training facility and flown across country to help. Fifteen minutes after arriving onsite, the engineer solved the problem and the repair was installed. The engineer asked the technician "Did you use the troubleshooting flowchart in your manual?" The technician replied "That thing never works. In the real world we ...." The engineer quickly interrupted and said "I am not here to question your experience, but if you had followed that fictional flow chart we created in our theoretical lab, I wouldn't be here now."

Preventing even one story like this from happening can pay for a training investment several times over. Some experiences don't result in wisdom and have the potential of becoming a dangerous habit. The goal of any certification program should be to give students a framework for knowing how to follow best practices and be resourceful enough to get the job done. These are not mutually exclusive ideas. C|EH, for example, allows us to show students safe and responsible ways to research potentially harmful activities so they can be more effectively detected and prevented. It takes a lot of creativity and improvisation at times, but there are also repeatable approaches that ensure the best results.

The topic of Information Security makes people nervous if they don't really understand much about it. I believe all industries and individuals recognize that it is critical to invest in improving security practices. They also want to know what is being taught and what sort of attitude our community is trying to foster. In addition to reasons I stated earlier, certifications establish a baseline that can be recognized and understood by decision makers. Being able to market the achievements of their staff in a way that is easily measured and clearly communicated is a powerful marketing tool that results in more business.

One of the unique properties of our training format is that we listen to our customers. We incorporate into our courses things that are asked for most from the highest levels of influence. The classroom is part of the real world, and we play a vital role in communicating the baselines that are needed in this industry and most companies recognize the importance of this.


How useful have your students found the course and what do they like the most about the program?


I often get feedback from students on how they were able to use tools in the kit to solve problems long after the class was over. There are so many tools out there; the problem lies in that people don’t know they exist, have the time to try them, or have confidence that they can figure out how to use them.

C|EH is most commonly understood, marketed and accepted as a security course, but it is also the unexpected benefits students receive that I feel express the intended spirit of what “hacking” is really about. Students might be skeptical or cautious at first glance, but months later they tell me they are still gaining from the experience.


How do you go about giving your students the “hands on” element of the program? How “hands on” will you rate the C|EH to be? Is it all theory?


It was designed to be over 80% hands-on, but as one of the few EC-Council Master Instructors globally, I always try to achieve 100% hands-on! But there is a written exam to pass and it is important to make sure the concepts behind the labs are well understood. I have created labs with a deliberate scope to replace as much “Death by PowerPoint” as possible with hands-on experience. The objective is to meet both requirements as best we can.

I do not believe in “capture the flag” or war game scenarios in a professional training course. While it can be a good experience, this is usually the case only for a few of the students. My approach is to give every student an environment that allows them to use the labs without noise and interference from others. Students work at different paces, have different goals in mind, and we have to be flexible about that without leaving anyone out.


What in your opinion is the most interesting element of the program?


On the first day of class I address the immediate concern students have when they open their kits and see five volumes and over 4000 pages plus the optional reading material in the DVDs. Unlike other classes that provide courseware that is tightly coupled with the presentation and somewhat useless outside of that environment, EC-Council has always sought to provide reference material that continues to be valuable long after the course has concluded.

The bottom line with this program is that we hope the work starts when the class is over. So I think it is important to teach students how to use the material more so than expecting them to memorize all of it in a short time.


In your opinion, what is the key difference between the C|EH program and the ECSA/LPT?


C|EH is about the attack behavior while ECSA/LPT is about formal and accepted methodologies that can be leveraged as a service.

In my C|EH classes I try to impart the skills of staging and experimentation. It is critical that an ethical hacker practice safely and effectively. We need to see how attacks work, but it is not a pentest or assessment course. Those are really separate processes and ECSA/LPT allows me to cover them.

In LPT I emphasize the approach a professional would take. Factors such as Rules of Engagement must be followed; in fact, blowing up a machine is expressly NOT the objective. It takes skill to convey that a weakness exists and how it can be exploited, without causing service interruptions or increased exposure to negative risk.

It is important to note an example of why both classes work so well together. There are times when false positives from an assessment tool will be challenged by clients and the tester must be able to stage that one exploit. There is not always a documented step-by-step lab that will show how to do it. A tester must be able to stage, experiment, and extrapolate how a tool could be used. That skill is learned in C|EH.

It might also be necessary to work outside the “alignment trap”, which is my term for when an organization relies solely on well understood commercial tools to measure exposures. For example: Snort for intrusion detection, Nessus for scanning, and Metasploit for testing will overlap and mostly prove each other, while a creative and informed attacker will avoid that track.

In short, it is best if a security team can see both approaches, both formal and informal.


Some people have tried to link the C|EH to other certifications. What in your opinion is the key feature of the C|EH that you have not seen in any other program?


I think this happens with many of their products, but one thing that rarely gets mentioned is EC-Council itself. Years ago I was a training manager in San Diego and was evaluating information security programs from other vendors that we could adopt. EC-Council was by far the best to work with. Since then I have been able to maintain an excellent relationship with them.


It is important from a training point of view to be able to work with a program vendor that provides the support we need to make sure our paying customers can be served completely.  EC-Council has always been willing to work with us in the field, accept our feedback, and continuously improve their programs to meet the expanding needs of the security training community.


The recent research by Foote Partners, an independent market research company comprised of former Gartner and META Group industry analysts that reports the industry's only comprehensive survey of pay for certified and non-certified IT skills, has listed EC-Council's Certified Ethical Hacker as the certification posting the second greatest gains for the highest pay increase in 2008, up 40%. What is your reaction to this development?


I think results like this are inevitable. I have believed in EC-Council’s approach since I taught my first class for them which I think was when we had CEHv3 (it's been awhile). They are just getting started. There is so much more work yet to be done.


What in your opinion are the Key Security Challenges in 2009?


Education will be the first item on any list of what to do in any coming year. Education at the organizational level is about building a strong culture, and strengthening and raising security awareness. Employees will have to be willing to expand beyond their comfort zone and increasingly express themselves in business terms.

I also think a more rational approach to security as opposed to FUD (Fear, Uncertainty, and Doubt) will be a part of this evolution. Part of security is understanding psychology. And this is also part of our education.



What is the single most serious threat every organization will face that needs to be tackled immediately?


Looting. I have to go way out there a bit on this question because I really feel the most immediate concern of most organizations is the current global economic climate.

However, when a disaster occurs, for instance the financial uncertainty of these times, there are always those that will take advantage of every opportunity to exploit weaknesses even as others attempt to rebuild. Security professionals will be facing some serious personal and ethical dilemmas in the coming months within some organizations. At the same time, external criminals are lying in wait to harvest disgruntled employees. Apathy and desperation would lead to security breaches.

Older exploits will make a return if a focus on security gives way to other priorities. There will be a wide variety of attackers at every level of skill and position. Social engineering on a global level will increase, as well as targeted attacks on individuals. We will see attacks coming from people with very diverse backgrounds, causing a range of vectors to expand.


What’s the difference between a risk and a vulnerability?


Risks are the actualization of events that can throw a plan off track. These events can have positive or negative outcomes. The objective of risk management is to keep a rational point of view regarding things that might happen outside of what is within our control or perceptive capability. We make active or passive risk-related choices in proportion to strategies and tactics that are most important to us.

Vulnerability is a weakness with some exposure to exploitation. In order to assess the risk level of a weakness, it will be necessary to conduct tests. Automated tools have an important place, but they only test what everybody is already looking for. It will require a resourceful and creative security professional to discover and prove the exposure of vulnerabilities that will present the greatest negative risk.


Are open-source projects more or less secure than proprietary ones?


The philosophies of open source vs. proprietary models can be argued from many angles. Innovation, economic models and intellectual property ethics are interesting debates in this area, but asking about security differences is bringing up a false argument.

There are some areas, such as cryptographic systems, that benefit from being open. Custom applications should be closed since they could reveal internal processes and other trade secrets. Software applications that are ubiquitous are about interoperability at the business level, so what we really need is for them to just work.

An attacker will target what he can or wants to. If it is my network, I don't care who wrote the code. I need to find the best way to protect my assets and enable services. If I had to pick, I would go with a fit-for-purpose mix of open and closed source materials.


Can you tell us your reaction to the old saying "Security by Obscurity"?


This is a practice we are often warned “won't fool a clever attacker”. The common wisdom then goes on to say that in order to avoid confusing a hapless admin we should not bother with this approach. This is collective social engineering at its best.

When someone sets up a Wi-Fi access point at their home, they absolutely should obscure its location by not using an obvious SSID, in addition to enabling encryption. Like any other countermeasure, obscurity is a layer, not a complete solution. There are times it makes sense and times it doesn't.


Any other comments?


This series of classes produces the best results in skills improvement of any courses I have taught or observed. I will highly recommend it to anyone in the security community!

© 2009 cehblog