Certified Malware Removal Expert
I read the following in the latest SANS NewsBites (link will work shortly):
Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software? We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills and knowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.
This must be the easiest SANS certification of all! The safest way to remove malware is to reinstall from trusted original media (not backups which could be compromised). That doesn't even account for BIOS or other hardware rootkits, but hardly anyone cares about that problem yet.
Hopefully SANS will come to the same conclusion that Microsoft already did and drop this idea.
Comments
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
I think that you (and the people who have commented before me) are taking the short view of reacting to malware within an environment. There is a lot more to reacting to an infestation than just wiping the system and driving on. There must be a certain amount of incident response involved. You have to determine how the infestation occurred so that it does not happen to the same system again or to others within your environment. You have to determine if the system contained sensitive information or was connected to any that do. And in some cases it may be necessary to analyze the malware to determine what it was capable of doing. I just recently wrote about this very subject in my post titled When to Initiate Malware Incident Response.
Sure, the end result might be to wipe the system and drive on. But you cannot negate the need for these steps. That said, I am not certain that SANS needs another certification beyond the ones they already have that deal with malware analysis and incident response. But perhaps we should wait until they have a curriculum before we start making assumptions as to the necessity of the training.
Go forth and do good things,
Cutaway
If no root cause analysis (or even simple troubleshooting) is done, then what stops the malware from propagating, or getting in again? It's not always about patches, folks... sometimes it's weak or non-existent passwords. As you're sweeping through the infrastructure, merrily cleaning systems, those systems can easily be reinfected by active malware as you move on to the next one.
Training and knowledge are the key. Managers need to know how to manage incident response, and IR staff needs to have the skills to retrieve and analyze the necessary information from systems under their control. More importantly, they need to have the training and knowledge to (a) ensure that they have the right tools, and (b) ensure that they react the right way.
This time, I wish you had.
What security related topics have not been covered in formal training yet but you feel should be?
I've posted a series of questions, including the above, on my blog (http://www.andrewhay.ca/archives/67).
I'd appreciate any feedback as I'm curious what people are thinking.
I've tagged you on my blog for the "5 Things You Didn't Know About Me" Blog Tag Game.
The blog link that tagged you is: http://blogs.ittoolbox.com/wireless/networks/archives/tag-im-it-5-things-you-didnt-know-about-me-13929
Bea
I would have liked to play with some of the techniques in your book for the paper, but didn't have the time.
I loved the book, especially the detail on how to use the tools you mention in your book to their fullest.
I will eventually play with some of those techniques, down the road.
I looked into Sguil a bit, which is pretty cool. I'd never heard of Tcl/Tk before. Since then I've been working with some Tcl. =)
Bea
Any chance you could share your paper?
taosecurity [at] gmail [dot] com
Thank you.