Do you guys want the review?

Hi guys, i'm writing a review of the QEH by Security University. The issue however is interesting, when SU gets mentioned, the threads dont seem to go anywhere. So do you guys want a review, should I post it here?

Find more posts tagged with

Comments

ChooseLife

Certainly, please do!

YuckTheFankees

Please do Sephstorm. Any review is helpful and interesting to me.

erpadmin

I would read it, if that helps.

Any good review is worth reading, IMO.

JDMurray

Although many threads may not see much posting activity, over the years they are still read by tens-of-thousands of people who never post or even join the TE membership.

YuckTheFankees

JDMurray wrote: »

Although many threads may not see much posting activity, over the years they are still read by tens-of-thousands of people who never post or even join the TE membership.

I never thought of it like that, good point.

onesaint

I think it would be a worthwhile read and would like to see it. Does SU have a poor reputation or something?

SephStorm

Quite the opposite actually. Everyone i've talked to who has taken them has given high reviews.

Warning, this is a long review, I am including an exec review in this post for those who dont want to read the whole thing.

QND Review

Hello all, this is my review of Security University and its Qualified Network Defender course. Security University is a security training company with its main product line being the Q/Information Security Professional (QISP) Program. What differentiates SU for me is its claim of hands on training, and its reviews from the community. Most of SU's students are government, This can be seen on the SU website, and indeed, I saw as much in my class. Before attending the class, I contacted one of the professionals listed on their site and spoke to him, he confirmed SU's high level of training and hands on methods. Now the QND is generally slotted as the last class in the QISP set of classes, combining experience received in the previous courses. However, in some cases if an individual has previous security knowledge/experience, it may be possible/advisable to take the QND when desired.

The Arrival-
Approximately a week prior to the course I received the pre-class material, in this case a set of questions mapping to the course objectives. This was my first preview of what was to come. I must admit myself surprised, these were not your standard questions. I had everything from definition of terms, to the proper was to write a firewall rule. Not just a collection of true false questions, we were occasionally asked to examine network diagrams and evaluate security practices or setups. I enjoyed it, though it did confirm the gaps in my knowledge I hoped to fill. I arrived at the QND location early and met the Course Instructor and the CEO of SU. A complementary breakfast and snacks were provided. Worth noting here is that SU recently moved locations, but this really did not affect our experience at all. The staff had obviously insured everything was in working condition prior to the class. The materials are provided, including a laptop and training booklet, lab guide, ect. Of note is that you are advised to bring a separate laptop and an external drive to copy the tools, and vm's that you have the opportunity to receive, including your own SIEM that you will build over the course of the week. While initially I considered just putting things on my laptop, I found myself very glad I brought a large external when I saw the size of some of the vm's.

Our course Instructor was H. Morrow Long from Yale University (I HAVE A YALE INSTRUCTOR!!!!) his bio can be found here (H. Morrow Long (Yale University) | EDUCAUSE) but basically he is the CIO for Yale, has worked with Carnegie Mellon University, Infragard, and teaches Computer Science.

So, the executive review, for those who don't want to read the wall of text: Good course. The course is part of a series and designed to be taken at the end. I would advise following that model. You aren't going to read 5 huge books like with some other companies. One book, one lab guide. Labs are good, do them, maybe more than once. Do all the exercises during the class. You won't necessarily learn new network defense techniques if you already know how security is implemented in today's networks. what you will learn is what we have, why, and that they can work if implemented. The feedback from the students, companies just dont want to do it. They are going to make you integrate ipods and iphones and androids into your network. They are not going to let you implement NAC. So this course will give you the knowledge and some experience, its up to you to put it into action.

Day 1-
Day 1 starts off early and is slotted to cover Policy Auditing. The course starts with what in my opinion is an explanation of the need for CND Talking about the continued existence and explosion of Malware in recent years, the rise of client side exploits as the initial point of intrusion into the network, risk management, C&A, and the mission for our week. We are tasked with using the information presented during the week to build a secure Network Defense Architecture. We move right into our first lab. Honestly, it was interesting, we attempted to build a quick network diagram with what we have learned so far, so mine included the required networks, numerous firewalls, vpn connections, IDS placement, ect. It doesnt immediately seem to mesh with the focus on policy that we have had, but it does make you think about how policy should be implemented in the planning process. Rather than simply rolling out devices and trying to secure the network afterwards, you can see the benefit, and the work involved with trying to plan first, and then work off your diagrams.

The second part of the day goes into vulnerability analysis. I enjoyed this portion as it is something that wasnt specifically covered as I would have liked in previous training I received. Our second lab included looking up several vulnerabilities, find the CVE, and then use the CVSS calculator to determine the impact rating, and how they would effect your organization.

Anyway, a good first day. Thanks for reading!

SephStorm

Day 2 revealed the weaknesses in this course. Surprisingly it seemed that the day dragged on forever. I suppose this is because this class in many ways recaps what should have been learned previously, and ties it together. The main focus of today was the Hacking Primer, a review of techniques used by the attackers. It covers the methodology used, as seen by SU (Not exactly as presented by say EC-Council) and some of the more used tools. We in one of our labs we performed open source recon on targets (It was nice to be lead in this rather than just given the resource. Also the instructor provided a few resources he likes to use.) We also used nmap to scan our internal subnet, and brought up vulnerable hosts to scan and perform attacks against. This where we first really had difficulties. I can understand using older OS's like Windows 2000 in a beginning EH class, not in this class. All of the students had been in an EH course, either the QEH or the CEH. We had difficulty bringing up that host, and moved onto a vulnerable WXP host, which we were going to use to demonstrate the MS03-026 vulnerability (I know, i am tired of it too, the instructor offered us some freedom on this, I tried to go out and download the code and run it manually against the target, while another student brought up Armitage and showed us how to use it, how to integrate the Nessus scan we had previously preformed. This section worked well in showing how the previous processes built on each other, i.e the ping scans, the version detection, vulnerability scans, then penetration.) But we did have some more issues getting the exploits to function correctly. While the instructor noted the unreliability of exploit code, we all know how easy it should be to run THAT exploit. After some trial and error we were able to get some exploits running through MSF, and of course ARM gave us 1 option (it seems it recognized that the PC wasnt vulnerable to all of the possible vulnerabilities, but missed at least 1 we were able to run. This lab seemed to take forever, however, this was not due to an issue with the class itself.

I used this time to ask questions, and gather resources that I can use in the future, but I wish that perhaps since the students had been through the basics, the labs for this course should be a little more advanced, perhaps some XXS, Web app attacks (even though I personally avoid them, i realize, and the instructor noted their prominence in the field today.) I will say that the labs can be quite useful. The Wireshark lab from day 1 showed us how to use a few tools to get different output from the same system (and uses different protocols to illicit different replies), and I found out from a student that SAINT is useful for scanning Unix networks, while other scanners may be better suited to windows or others. The day ended with a discussion about firewalls. I am looking forward to this section. We already started looking at some examples of router ACLs, and how they can be used to form a poor man's stateless firewall, and the pitfalls of doing so. At this point we were able to get some participation from the students with their experiences. We haven't gotten very far into this section, but I know we are going to have a few labs, and should get some hands on with an actual software based FW. I believe we will also look at other network boundary security devices ala IDS/IPS, ect.

With all that said, I will note some areas of improvement. The pre-class study material needs to be reviewed, and changes made. I wont say what specificly, but I will pass that on to the CEO. Also, I have heard that some of those issues are present within the exam. If that is the case, they will want to make those changes soon, before they increase their community presence.

EDIT: I spoke to the CEO, and she has her own opinions on this issue. While there are one or two answers in the pre-class material, she noted that it is an accepted practice, if not necessarily well liked technique of having answers that are similar or technically correct, but only one "best answer". I would say its a valid defense, but I have seen valid complaints about this style of testing. security is not static, there may be different interpretations of what is best.

The slides are for the most part pretty well written, (nowhere near as bad as ECC has been) but could use a little work. I have heard good things about the practical, but the exam itself, meh. And I think to be a rockstar training provider, they will need to resolve issues like that, hopefully before their competitors do. Quality is a small issue with a big impact.

SephStorm

Day 3
I didn't really write a full review of this day prior to posting this. I wanted to step back and look at the course from a different viewpoint. I'll say this. Honestly I had different expectations of the course. I honestly expected a class similar to the NetWars idea, where we would be first taught, then execute Network Defenses in a lab environment. I don't think this dream class exists yet. (SANS sounds like something that does this at night, not sure) Now I also want to say that as soon as I started thinking this class was loosing its appeal, we got a shock. I'll start from the beginning.

The day started off with a surprise. Sondra (the CEO, I didnt name her earlier) invited the team from ThreatGrid Security to come make a presentation. I'll call it what it was designed to be, a product presentation; though Sondra was by no means endorsing, or trying to sell us their product. I think they have a novel idea in their product, and everyone in our class was finding ways how it could be used in their organization. For me, I found the idea of having an malware intelligence database, that would be accessible by individuals needing access, who can say "okay, we know we got an alert that this file was downloaded, where can I look for signs of compromise, oh look! this could be Zeus! this is what it does, this is how I can remediate!" enticing.

But today is not the day for our Malware review. We started Perimeter Defense today, at first we went through the slides, which I honestly felt many were unnecessary. Again, we know what a firewall is, we know there are different kinds. Good info,m but we dont need to about the five kinds that are combined in today's solutions, just tell us about the end product and how it does what it does. Lets face it, why talk about a packet filter, then SPI, then ALG's ect. knowing that todays firewalls perform all of the functions? One good part of this was being able to do a lab involving fragroute, which I have heard of, but never seen, much less used. The lab unfortunately took some time because of some issues, I think we could have handled the lab differently ( i moved on to a new target, rather than the ones that weren't working. Honestly, Sondra and the Instructor stay late working on the course and such, but the labs are the golden egg for this company, they should be running through them every night before class to find bugs/workarounds. Not directly on the head of anyone at SU, just some feedback for implementation.)

Finally here came the big labs, I enjoyed what we were doing, we through up a router emulator and added ACL's (which I have never written before) and saw how traffic reached the machines before the filtering rules were added and after. We then switched the router out with a firewall and saw the differences. What I really liked was that we also pulled up wireshark while we were scanning or attacking, allowing us to see how the traffic might look like, a good skill perhaps for anyone who may have to look at the network traffic. At the end of the day we began talking about Web App vulnerabilities and included a lib involving Nikto (I see what all the fuss was about finally! I heard about it in the 504 class I think, but never used it)

Suggestions: Honestly, I want something different, the labs were great, suppressor to what kind of labs you may have seen in the past, but they are labs, not a fully immerse environment. Halfway through the week, heres what I would have made this course:

EDIT: I'll keep those ideas to myself for now

Maybe I can create my own course one day. Anyone want to go into business, I got some ideas

SephStorm

Day 4 was good. plenty of lab time. and the labs worked pretty well through. Sorry, im writing this on fumes right now, so forgive me if its not in depth. I think we did some Web Application Attacks using Nikto and implemented a WAF (prosense) to act as a proxy, and block some of the attacks. The really nice thing is that it was a multi step lab. We talked about IDP/IPS and learned a little bit about writing snort rules. We got a lot of good class interaction during this portion of the class. we also did a lab. We then moved into a review of Stuxnet as an advanced piece of Malware, leading to our discussion on Malware analysis. Discussions on rootkits, both historical and modern, detection, and how these kits work, much of it over my head. No malware lab per say, but the instructor did ask us to go to the HB Gary website so we could test their tools against infected vm's. Most of us didnt get to do this yet, because of the registration process, and the need to run the **** program in a 32bit vm, not a 64bit host.

good class today.

Day 5
Day 5 we finished up with Malware Analysis and SIEM. We didnt really get to do the MA lab, because of issues with HB Gary tools, (they require licensing for all or most of their evaluations, and we werent able to get them in time. In any case, we did that and went over SIEM's, again, more good conversation. We then moved into exam prep and the exam. What I can say about the exam? It showcased that the exam is meant to be taken after the other SU courses. While some of the info and ideas can be learned from the sectional reviews, there was obviously extra info covered in those classes. I remember one question that asked about a tool that was likely covered in the QEH, but not the Hacking Primer. I think that is a good thing, as long as the students take the class in order, or have good experience; There were some questions that required hex analysis skills I dont have, I scored low in that area. Very few technical issues with the exam, one question did not display the diagram we were supposed to use. There is one other issue with the exam I wont go into here. I passed, and am proud to be a new QND. One point I want to harp on, there is also a practical.

I wont give away specifics, but in our practical, we were given a network to design and secure. This method of testing is unique as I have seen, and I look forward to working on mine.

Thanks for reading, questions and comments are welcome.

onesaint

Great review, thanks for taking the time to write it. Sounds like your instructor was pretty awesome.

ChooseLife

Thank you for the detailed review!

I agree with JD, some of the TE reviews end up being prominent (and sometimes the only available) feedback on specific courses, training companies, etc.

ChooseLife

Briefly looked at the SU site and it's not clear... Is QND a certification or a course? Is there an exam? Can you take one without taking the other?

onesaint

ChooseLife wrote: »

Briefly looked at the SU site and it's not clear... Is QND a certification or a course? Is there an exam? Can you take one without taking the other?

QND is a cert and a course, Qualified Network Defender. I was doing some digging around the site, here is a roadmap:
http://www.securityuniversity.net/Assets/PDF/2011SUroadmap.pdf

SephStorm

Aye. The website is a little confusing, I submitted some suggestions to Sondra, and she liked them, but can't say when they may be implemented.

Each cert has its own course, QEH, QSA/PTL, QFE, QND in that order (suggested). If you complete the whole series, then you are a Q/ISP (Information Security Professional). Of course they have other training, Sec+, CISSP, CWNA, ect.

We had one guy in my class who earned his QISP, having been through the series.

ChooseLife

Sorry, still not clear. Does one have to take an exam after the course to get the certification, or is the certification achieved by attending the class? Can one get the certification without taking the course, e.g. by self-study? (like the Exam Challenge option for SANS GIAC).

SephStorm

We were awarded our certificate after passing the exam. It looks as though the individual certs are awarded after passing the exams, but in order to get the QISP you have to complete all the practicals. I'll get clarification.

"The Q/ISP Certification does not require you to complete Q/ISP hands-on classes - however to "validate" your security skills and use the "Qualified" symbol as your trust mark, you will be asked to complete the Q/PTL workshop, the Q/FE & Q/ND practical's that validate your tactical security skills."