SANS Boston 2010: Never Too Old to Learn

When a journalist writes about the same topic for a long time, he or she runs the risk of becoming jaded. You lose a certain fire in the belly and you don’t jump up and chase stories with the same zeal you had in the beginning. When I was night editor for a daily newspaper, I saw it all the time among the veteran police reporters.

I imagine information security practitioners face the same danger. When you’ve been running the same scans, working on the same machines and reading the same best-practice tips long enough, it’s not hard to start missing little things that can become a data breach later on.

That’s when frequent training can make all the difference.

[ Also see: Network Security: The Basics” ]

I decided to check out the annual SANS Boston training program. I’m always looking for tech-rich content to sharpen my knowledge. For security journalists, security conferences like Black Hat, RSA and many more are usually the place to get that broader perspective. But they’re also tasked with writing stories about the proceedings, which means learning new things can take a backseat to meeting a story quota. I’ve walked that tightrope many times over the years.

So it was refreshing to go to something like SANS Boston. There are no news stories to be had. These are six-day courses that take the student deep into the weeds. You start with the basics and work your way up.

I didn’t stick with one class for the entire time as most attendees do. I bounced from one class to the next to get a taste of everything that was going on. But I absorbed a lot of rich content along the way.

First, I sat in a course run by Dave Shackleford, an Atlanta-based security consultant and frequent SANS instructor. The course, “SANS Security Essentials Bootcamp Style,” focused hard on the language and underlying theory of computer security, the goal being to give students the chops to handle the constant fire drills that go with IT security management.

Next, I checked out the course run by SANS Institute President Stephen Northcutt called “SANS Security Leadership Essentials for Managers with Knowledge Compression.” This course also focused on network fundamentals, along with a fire hose full of content around applications, power, cooling and safety, architectural approaches to defense-in-depth techniques, cyber attacks, vulnerability assessment and management, security policies, contingency and continuity planning, awareness management, risk management analysis, incident handling, Web application security, offensive and defensive information warfare, and a management practicum. I spent most of my time there focusing on vulnerability management, and walked away with the material for a series of articles.

This morning, I checked out Jason Fossen’s class on securing Windows. I walked out of here with an armful of material for future articles as well. The students were eating it up. The focus was heavily on Windows 7, and with many IT shops making the uncomfortable transition from Windows XP to 7, interest was intense.

A lot of this stuff reinforced what I already know about information security from six-plus years of covering the subject. But I also got a deeper understanding of the mechanics of it all, which is going to come in handy going forward.

I think the other students felt the same way.

I chatted with some of the attendees during breaks and many are battle-hardened veterans of this industry. They’ve been getting their hands dirty for a long time. Yet they still soaked up a lot of new knowledge, and in our conversations it was clear they’re itching to get back to the office and put it to use.

I’m sure it’s not the same for everyone. I’ve been in journalism for 16 years and I long ago tired of all the typical classes on how to write a lead or talk to sources. That doesn’t mean I know it all. Far from it. I just haven’t heard anything new about how to approach these things.

But there’s always room for improvement, so I keep looking for good journalism workshops in hopes of finding some new enlightenment. Fortunately, I work for a company that encourages me to do so.

But there are many companies out there that are too short-sighted to get their employees some good training, whether the industry is media or security.

That’s very unfortunate.