[ISN] Security conferences versus practical knowledge

From: InfoSec News (alerts@private)
Date: Mon Jul 23 2007 - 22:08:07 PDT


http://www.theregister.co.uk/2007/07/19/security_conferences_practical_knowledge/

By Don Parker
SecurityFocus
19th July 2007 

Since computers became mainstream in the early to mid-nineties, a whole 
ecosystem has developed around them. The various parts of that ecosystem 
range from the companies who make computers to the software companies 
who program for them.

In between those two linchpins, though, are many other components which 
have now become a fixture on the landscape that we now know as the 
internet. For example, you have the computer certification industry, a 
myriad of computer magazines, a vast array of websites, and computer 
conferences, to name but a few parts of this very large pie.

One of the biggest parts of the computer industry as a whole is that of 
training. This training comes in many forms from a large variety of 
vendors. That training then in turn pretty much spawned the 
certification industry. Not long after that came the computer 
conference, be it a sysadmin-oriented one or a computer-security-themed 
one. While the training industry as a whole has evolved 
rather well to suit the needs of its clients, the computer conference
- specifically the computer security conference - has declined in 
relevance to the everyday sysadmin and network security practitioner.

Many would beg to differ with me on that last statement I am sure. Let 
me expand upon this before you render judgment. We go to training 
vendors who offer courseware on Cisco and Microsoft technologies, for 
example. By and large the course offerings are quite good, and just as 
importantly, relevant to the task at hand, i.e. maintaining your computer 
networks.

Today's computer security conferences no longer offer relevant or 
practical knowledge to the attendee. Be honest. How many recent computer 
security conferences did you come away from with several ideas to 
implement immediately on your networks? I would wager none. The same 
cannot be said of the training tracks now offered at most of these 
conferences. This training is offered by experts in the field and is 
quite good. Furthermore, it is one of the few places to find advanced 
courseware on such subjects as reverse engineering, to name but one.

There is an important point to be made before I go on further. I am in 
no way impugning the talent or skill of the people who present at 
today's computer security conferences. I myself have submitted talks 
only to not make the cut. Truth is, I don't feel too bad at losing out 
to the likes of those who ended up giving the talks. What my not making 
the cut drove home for me though was that there are precious few 
practical talks going on today at computer security conferences.

Throughout my time spent as a freelance writer and courseware 
developer/instructor I found that there is a very real demand for 
practical knowledge. This is why SANS still reigns supreme when it comes 
to computer security courses. One could argue that some of their 
courseware is dated, however, it is very much practical knowledge that 
one can implement immediately.


So why are the conferences still packed?

Well, with the arguments I have just made one would think that computer 
security conferences would be empty. The reality is that these 
conferences are pretty much always sold out or close to it.

Why is that, you ask? All IT managers have budgets, and that is no 
different for those IT managers in the employ of .gov .mil and other 
large government departments. What these managers must do is expend 
those dollars, and an excellent way of doing that is sending employees 
on a computer security conference. So what we now have is a company 
funded junket. Nothing wrong with that at all. I enjoy having a beer 
with friends that I meet at these conferences, and picking up some 
knowledge as much as the next guy. Problem is that even though I think I 
have a fairly well balanced skillset, a lot of the topics being offered 
are of no interest to me. This is due to the simple fact that they are 
not all that relevant to the network(s) that I work in.

Does this then mean it is a total waste of time to attend the cutting 
edge computer security conferences? Not at all. Just realise what it is 
that you are going to get out of it ahead of time. There are excellent 
speakers there with what is quite often cutting edge research. The 
question you need to ask yourself is whether or not you or your company 
will benefit from any of those talks. One of the best things to come out 
of these conferences is the training that is offered. That in itself is 
worth the attendance. It is not every day that you can receive training 
by some of the best minds in the business today.


Is there a solution?

Well, what we need to find is a happy middle ground. A conference that 
caters to the large mass of sysadmins and network security types who, 
while competent, still have not mastered their craft. After all, being 
the sysadmin in a large Microsoft Windows network is no easy task. There 
are a myriad of practical skills that one needs to attain, and ideally 
master. How many people can say that they reached a comfort point in the 
application and maintenance of Group Policy Objects (GPO)?

This and other like-minded topics would make for some great conference 
talks or mini-workshops. That kind of practical knowledge is something 
you can readily implement on your networks. The example of GPOs is but 
one small one. What it exemplifies though is that there is a definite 
gap in the market.

What is missing today on the network security conference front is 
practical knowledge. It is not everybody who can attend today's cutting 
edge security conferences and actually walk away having learned 
something. Were I asked by an employee to attend a conference 
today, I would have a few questions to ask. What is it that you are 
going to get out of it, and just how will it benefit our network? If the 
answers aren't there, you're not going. Practical knowledge is where it 
is at.

This article originally appeared in Security Focus.

Copyright 2007, SecurityFocus
