Archive for August 2009

GIAC: Going for the Gold

“Step back, I’m certified.” I just passed the test for the GIAC Certified Forensic Analyst (GCFA). So I’m certified at the Silver level. I was happy to pass and happy to get the score I was shooting for.
The GIAC certifications now have a Silver and Gold level. Back when I first received my GCWN there was only the Gold level. The Silver level certification is what you receive when you pass the test. The Gold level is attained by additionally writing a practical (technical paper).
When this requirement was changed, Richard Bejtlich of TaoSecurity blogged: “Of course students will perform this assignment. Who would want to drop $3000-$4000+ and end up with a ‘Silver Certification?’”
I think time has proven that wrong. If I’d blogged about that back then I would have disagreed with him, concluding most people would stop at Silver. Silver gets GCFA on the resume. My experience shows that Human Resources and Hiring Managers do not understand certifications. They often don’t bother to verify that they were really earned. In addition to not verifying them, they don’t know what they mean. I’ve seen resume after resume claim MCSE. MCSE in what? Windows NT 4.0? This says to me that HR and Hiring Managers won’t know the difference between a GIAC Silver and a GIAC Gold unless I take the time to explain it to them. GIAC Gold won’t help get me through the HR resume filter. Once I make it to the Hiring Manager and future co-workers, the emphasis should be on skills, not credentials: can I actually do forensics?
It looks to me like the market agrees with me. Unless the SANS listing of certified professionals is horribly out of date, no one has obtained a Gold GCFA in about 9 months. People haven’t gone Gold regularly since the requirement was dropped.
I’m a sucker for resume bling, so most likely I’ll be dropping my $300 for the Gold attempt. Or maybe I should just spend that on a professional resume writer.

Loose Lips

I thought this was an interesting anecdote in today’s Washington Times Inside the Beltway column.
An observer who works near the White House comments on Obama staffers. Unaware that people might be listening in, they discuss forthcoming White House policy.
Rather than discreetly hiding their White House badge as Bush staffers did, it remains on display as a trophy. (Reminds me of this scene from Jake 2.0: http://www.youtube.com/watch?v=t-vh9vNLMRY#t=3m50s)
High security environments often have a policy of not displaying badges outside of work. Certainly talking business as you wait for your barista is a security risk.

SEP11 and MS09-035

The vulnerability scanner is finding a bunch of systems with %windir%\system32\atl71.dll version 7.10.5057.0 and the registry key HKLM\Software\Microsoft\VisualStudio\7.1. This indicates that the system may be vulnerable to MS09-035. The patched version of atl71.dll is 7.10.6101.0.
I also have some systems that don’t have that registry key but do have atl71.dll.
I decided to do some testing to determine how the file is getting on the computer. We haven’t rolled out Visual Studio .NET 2003, but clearly some application is putting it there.
On a clean load of XP SP3, no atl71.dll is present on the system. However, after installing Symantec Endpoint Protection 11, I find that I have atl71.dll. This test system does not have the registry key.
So it appears that Symantec is using Microsoft’s ATL library and distributing a vulnerable version of the DLL.
I couldn’t find anything about this at the Symantec forums or in the knowledge base. I may have to open a support ticket. I’m not sure I’m prepared for that kind of crap shoot today.

Symantec now has a knowledge base article available. See comments on this post.
Symantec reports they are not actually vulnerable. A future version of SEP will have an updated file to avoid the detection by the vulnerability scanner.
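As an added example (my own check, not the post author’s code and not anything from Symantec or Microsoft), here is a PowerShell script that reports the two indicators the scanner is keying on for a single workstation; the file path, registry key and version numbers are the ones named in the post.

```powershell
# Added example, not from the original post or from Symantec/Microsoft.
# Reports the two indicators the vulnerability scanner keyed on: the
# version of %windir%\system32\atl71.dll (7.10.6101.0 is the patched build)
# and the HKLM\Software\Microsoft\VisualStudio\7.1 registry key.
$PatchedVersion = [Version]'7.10.6101.0'
$DllPath        = Join-Path $env:windir 'system32\atl71.dll'
$VsKey          = 'HKLM:\Software\Microsoft\VisualStudio\7.1'

$dllPresent = Test-Path $DllPath
$keyPresent = Test-Path $VsKey
$dllVersion = $null
$outdated   = $false

if ($dllPresent) {
    # FileVersion is a string such as "7.10.6101.0"; strip any trailing
    # text and cast to [Version] so the comparison is numeric, not lexical.
    $raw        = (Get-Item $DllPath).VersionInfo.FileVersion
    $dllVersion = [Version]($raw -replace '[^0-9.].*$', '')
    $outdated   = $dllVersion -lt $PatchedVersion
}

# Classify the way the post does: old DLL plus the key is what the scanner
# flags as MS09-035; old DLL without the key is the pattern seen after
# installing SEP 11 on a clean XP SP3 box; no DLL means nothing to look at.
$finding = if (-not $dllPresent) {
               'atl71.dll not present'
           } elseif ($outdated -and $keyPresent) {
               'Old atl71.dll with VS 7.1 key: scanner will flag MS09-035'
           } elseif ($outdated) {
               'Old atl71.dll without VS 7.1 key: find which product shipped it (e.g. SEP 11)'
           } else {
               'atl71.dll at or above the patched version'
           }

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    DllVersion   = $dllVersion
    PatchedBuild = $PatchedVersion
    VsKeyPresent = $keyPresent
    Finding      = $finding
} | Format-List
```

Run it locally or through your remote execution tool of choice and collect the Finding field per host; it distinguishes the true MS09-035 pattern from the SEP 11 case that Symantec says is a false positive.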

Adobe Acrobat and Reader 9.1.3

Adobe Acrobat and Reader updates came out on July 31st as you no doubt already know. I believe I tweeted that but didn’t do a longer post.
I find myself wondering if Gartner or Forrester have done a survey of Foxit Reader adoption. Is that all security noise or is a significant number of companies making the switch? I find myself wondering what obscure processes would break if I moved the enterprise to Foxit Reader for security purposes.
Adobe has implemented security initiatives similar to Microsoft’s Secure Development Lifecycle. However, I kind of expect not to see the benefit of that for quite a while. It’s like when people expected XP SP2 to be the fully formed implementation of Microsoft’s security initiative. Some things you have to develop from the ground up; a service pack doesn’t do it. So when does Adobe Reader 10 come out?
Adobe continued their habit of issuing incremental updates. It’s nice to have smaller updates. As I recall 9.1.3 was about 1.5 MB and a full install of Reader might be 85 MB. Incrementals, however, create update issues. As Secunia writes, if you go to Adobe and install Reader, you get 9.1. After installation you can open Adobe Reader and you should be prompted to upgrade. In my experience with Acrobat, you might be prompted to reboot after each incremental update. Oh joy. Has anyone tried to slipstream the updates into 9.1?
The other fun part occurs with corrupt installations. I have some Reader 9 installs where Adobe Reader isn’t listed in Add/Remove Programs, so the update isn’t pushed by ConfigMgr. Then if I manually create the reg key the update will not apply; it says it isn’t needed. The only solution is to install 9.1 full and then you can patch. I suppose the good news is if the Reader 9 install is that munged maybe the user won’t be able to open the program.
So Adobe patching seems like a full time job lately, no?
Do you guys have a lot of Acrobat Standard and Professional installed in the enterprise? Does IT patch it, or is the onus on the user, since it’s not deployed on every system the way Reader is?