IT Systems, Network, Security and Education
This was a fun little gig:
“[Fox Interviewer” Nikki is joined by Glenn Norman, a Security Consultant, Teacher and Project Manager for Hacker High School, to discuss the innovative teaching method to teach security awareness and how it came to be.”
Published on Jun 25, 2012
I’ve been trying for some seven years to get the University of New Mexico to let me start offering hard-core cyber-security (i.e. hacking) certification courses, without even a whiff of success until recently. The Marketing Department and Custom Training division surveyed our captive audience, which is pretty sizable: Sandia National Labs, Los Alamos National Labs, Kirtland Air Force Base and three other bases in the state; sizeable state, county and tribal entities; and mega-corps like Intel and HP.
We looked at their interest in ITIL, (ISC)2’s CISSP, ISACA’s CISA, Cisco’s CCNA-Security, GIAC’s GPEN, ISECOM’s OPST, EC-Council’s CEH, and Offensive Security’s OSCP.
One big factor that all clients considered was national and local demand for certified pros here in New Mexico. While many of the job sites aren’t completely forthcoming about how many jobs match a keyword, LinkedIn offers hard numbers for both global and state job openings that request or require particular certifications. LinkedIn reported:
8954 job listings that mention ITIL certification, 26 in New Mexico;
9,036 jobs mentioning the CISSP, 22 in New Mexico,
8,779 jobs mentioning the CISA, 4 in New Mexico,
11,416 job listings that mention the CCNA, 37 in New Mexico
395 jobs mentioning GPEN certification, 1 in New Mexico,
13 jobs mentioning the OPST certification, 0 in New Mexico,
3006 jobs mentioning the CEH, 2 in New Mexico, and
794 jobs mentioning the OSCP, 1 in New Mexico.
Of these, the last four could be called the “hackiest.” ISECOM’s OPST showed very weak numbers both global and locally, so despite some interesting aspects to its practice, none of our audience members showed the slightest interest. The GPEN showed more global-level strength, and attracted some attention from the national facilities, but needs to exist in the ecosystem of GIAC curricula. The OSCP is the truly hard-core hacker’s cert, with its 24-hour examination, but isn’t really “taught” at all; you have to hack and crack your way to a conclusion. It kind of cuts out the middle-man (teachers).
Mentioning the CEH started phones ringing immediately. UNM let me set up an InfoByte session to discuss all these certs and get a feel for what people would pay for. Which cert made ears perk up? The CEH.
I know quite a bit about the organizations and people that were in play in the creation of EC-Council. Despite the extremely tricky test, one individual’s “Run Away From the CEH” propaganda campaign (you can find the various renditions of the article in lots of places in the Internet) succeeded in spreading an early conception that EC-Council is a “diploma mill,” among other accusations. I’ve studied v8 and v9, and find the CEH has definitely matured as a certification, with an exam that is still quite tough, and more tightly focused on current issues and tools than ever.
So finally – finally! – I got the certification and UNM scheduled one section of a Certified Ethical Hacker class. Where I’ve had to struggle to find students to make some classes run, the CEH class made minimum enrollment (5 students) within hours of appearing in the online catalog. And certain entities are already asking about custom and on-site trainings, always a sign of a program with legs.
We’ll see how this first section goes. If interest persists or increases, my next campaign will be urging UNM to become an “official” EC-Council training center (and getting myself EC-Council instructor certified). While the word “official” carries some weight, when you self-study or get “unofficial” training you simply pay $100 extra above the $650 test registration fee.
I’ll have a lot to say about how I studied, what materials I used and my impressions (without details, of course) of the exam. For the moment I’m delighted to have found a pony that can run in this race. Updates will follow.
One of my curriculum development projects is the School for Hackers course, Hacking 101. I’ve released the Introduction
and Lesson 1
on the School for Hackers site.
You’re welcome to register to post comments there, and tell me what you think. Thanks –
UNM Continuing Education
Instructor: Glenn Norman
CompTIA A+ Complete Study Guide, Third Edition (Exams 220-901 and 220-902)
ISBN 978-1-119-13785-6
Understand the CompTIA A+ Exam Objectives
Collect and utilize sample exams and questions
Increase hands-on familiarity with Windows and Linux
Understand virtualization
Pass the 901 and 902 tests.
Introductions, experience and objectives
Texts, sample tests and sample questions
Assessment test
Chapter 1
Working With Components
Bus Details
Connectors
IRQs and Addresses
Utilities
Hands-on teardowns: workstations and processors
Chapters 2 and 3
IDE, SCSI, SAS
Power Supplies
Expansion busses
Exercises: Disk management tools; Open VMs
Chapters 4 and 5
Video standards and hardware
Custom configurations
Exercises: Hands-on video hardware; Linux and Windows command line
Chapters 6 and 7
The OSI model
TCP and UDP
Exercises: Command-line tools
Chapters 8 and 9
Wifi standards
Encryption and security
Laptop architecture
Exercises: laptop teardowns
Chapters 10 and 11
Mobile devices
Printing and Imaging
Mechanisms
Laser Printing and Charlie
Page Description Languages
Diagnostics
Exercises: Mapping to printer, configuration, test page
Chapter 12
Troubleshooting
Exercises: Installing PsTools
Chapters 13 and 14
OS Troubleshooting
Boot and Recovery
ASR and ERD
Tools and Consoles
The Registry
Boot Files
File Systems
Attributes
Exercise: Restore Points
Chapter 15, 16 and 17
Windows editions
Windows 7 administration
Windows Vista administration
Utilities
Remote Desktop/Remote Assistance/VNC
Advanced Startup and the Recovery Console
The Command Line
Exercise: Startup Script, Remote Connections
Chapter 18
Mac OS
Linux
Exercises: Command-line tools
Chapters 19 and 20
Security
Networking and services
Virtualization
Chapter 21
Mobile OSs
Chapters 22 and 23
Troubleshooting theory
Operations
Policy and Proceedure
Exercise: Practice Test
Here are the lessons I produced as a contributor and Project Manager of Hacker Highschool, 2012-2016, complete and uncut, with the names of all contributors intact.
These lessons are distributed under the Creative Commons 3.0 License. Parts of these lessons are Copyright 2016 Glenn Norman. For updated project information visit http://hackerhighschool.org.
HHS_en1_Being_a_Hacker.v2_GN_2015-09-28.pdf
HHS_en2_Commands.v2.GN_2015-01-06.pdf
HHS_en3_Beneath_the_Internet.v2.GN_2013-08-06a.pdf
HHS_en4_Playing_With_Daemons.v2_GN_2013-12-09.pdf
HHS_en5_System_Identification.v2.GN_2015-06-23.pdf
HHS_en6_Malware.v2_GN_2014-12-10.pdf
HHS_en7_Attack_Analysis.v2_GN_2014-12-22.pdf
HHS_en8_Forensics.v2.GN_2015-01-07.pdf
HHS_en9_Hacking_Email_GN_2014-12-24.pdf
HHS_en10_Web_Security_and_Privacy.v2.GN_2015-08-13.pdf
HHS_en11_Hacking_Passwords.v2_GN_2015-08-21.pdf
HHS_en12_Legalities-and-Ethics.v2_GN_2013-10-17.pdf
HHS_en13_Cloud_Computing.v2_GN_2013-10-25.pdf
HHS_en14_Databases.v2.GN_2012-08-22.pdf
HHS_en15_Doxing.v2_GN_2012-09-23.pdf
HHS_en16_Exploits_and_Vulnerabilities.v2.GN_2013-06-29.pdf
HHS_en17_Mobile_Devices.v2_GN_2015-05-12.pdf
HHS_en18_Physical_Security.v2_GN_2012-10-02.pdf
HHS_en19_Wireless_GN_2013-07-01.pdf
HHS_en20_Social_Engineering.v2.GN_2013-07-01.pdf
For the most part, I teach live classes. But I’ve used and reviewed many online school platforms (yes, including the obvious ones). Udemy and the like offer some excellent materials – and some not-so-exellent – but there are full-on universities online too, that offer real degrees, as well as the many certification organizations and trainers. This list isn’t an endorsement of any of these, but unless I see real value, providers don’t make this list.
Not primarily a training site, Cyber Degrees is a great resource for people looking for the right degree or certification to advance their careers. They offer school listings, descriptions of career paths and degrees and a ton of useful resources. If you’re considering online education, start right here and know the field before you spend a dime. Highly recommended.
It’s accredited, which is huge: these are real AS, BS and MBA degrees in Business Administration, Computer Science and Health Science. And it’s free.
During my time as Project Manager of Hacker Highschool (2012-2016) I had the opportunity to write articles for several security publications. This article, “Interactions, Trust, and Google Chrome”, appeared on January 14, 2016, and looked at the obvious and not-so-obvious trusts we give Google and interactions we allow with them.
I’m not a Google Hater; in fact I find their tools really useful in my consulting work. But I’m very cautious about sharing certain things, for instance my wifi network passwords. Check it out for a fuller discussion.
Article links:
https://www.veracode.com/blog/2016/01/interactions-trust-and-google-chrome
Perma.cc cache: https://perma.cc/KL36-8RZA
Author profile:
https://www.veracode.com/blog/author/glenn-norman
Perma.cc cache: https://perma.cc/F832-EMF4
Flash forward from my first conversations on LinkedIn with Pete Herzog in 2010 to February of 2015, and one of the most persistent topics about Hacker Highschool: Should we be doing what we were doing at all? Were we training evil little script-kiddies, or maybe al-Qaida?
That whole line of thinking leads straight back to the problem of definition: “hacker” means something very different to the public than it does to the hacking community itself. Yes, we were in fact trying to bring young people into the hacking community, but no, we were not leading anyone to a life of crime. Far from it. Examples of ominous consequences are sprinkled liberally through Hacker Highschool, and discussion of exactly how visible you are when you’re doing inquisitive things.
The Hechinger Report tackled exactly this issue in the article “Should we train more students to be hackers?” by Chris Berdik, who defines it brilliantly (see links below):
For many people, the word ‘hacker’ conjures up shadowy criminals unleashing malicious cyber attacks. Beyond the headlines, however, there’s a whole world of hacking that has nothing to do with criminality and everything to do with becoming inventive, autonomous and more secure members of a society immersed in technology. Broadly speaking, these young hackers fall into two groups — security hackers, who learn how computer networks can be attacked in order to better defend them, and hackathon hackers, who compete in all-night coding binges to invent new applications and re-engineer hardware.
Notice that there’s no major third group called “criminals.” One way or another, it’s all about the engineering, about figuring things out and making things work and keeping things running. There’s a definite mentality here, maybe similar to aspiring chessmaster mentality or violin virtuoso-in-training mentality.
Chris quotes me:
“It’s the hacker mentality,” and technology employers can’t get enough of it, says Glenn Norman, a network security consultant who teaches the subject at the University of New Mexico.
Norman also teaches security hacking to high school students at an after-school club in Albuquerque called Warehouse 508. He’s a co-developer of “Hacker High School,” a nine-lesson curriculum published by the Institute for Security and Open Methodologies (ISECOM), a nonprofit network security consultancy.
The whole reason I was into all of this was the grins I get when my students open a whole new set of digital eyes on the universe. But I could see, as my teaching career approached two decades, a long, steep decline in younger students. My security courses brought lots of mature network admins and developers, but fewer and fewer students under 30. Were high school students losing interest? Or were they, I began to suspect, being steered away? Consider:
As college hackathons proliferated, high school hackers started to filter into the competitions. Soon, they started high-school hackathons. One of the first was held in March, 2014, at Bergen County Academies High School in Hackensack, New Jersey. Jared Zoneraich, now a senior at the school, organized the all-night coding bash (hackBCA) along with other kids he’d met at college hackathons. Four hundred students showed up….
I think there’s plenty of interest, if the will can be found. I’ve worked on too many hiring committees in my consulting career seeking highly qualified and specialized people that I knew would eventually be hired on an H-1B visa. There’s a huge debate on both sides about whether there really is a STEM worker shortage, whether the US can or does generate as many tech workers as the enterprise needs, whether we really need to bring tens of thousands of tech workers from overseas when we have American workers training their own cheap replacements.
So I hooked up with, and then managed, Hacker Highschool, and promoted it locally and nationally. It was a time-sucker and I loved it. But it wasn’t sustainable for me.
Hacker High School’s founder, Pete Herzog, managing director at ISECOM, says that despite the curriculum’s popularity, it’s becoming too costly to support and update, and won’t survive much longer without corporate sponsorship.
How true.
http://hechingerreport.org/train-students-hackers/
Perma Link: https://perma.cc/95QB-TDFQ
I first started talking with Pete Herzog through LinkedIn in 2010. His pocket institute, ISECOM, had produced some really interesting material, including the Open Source Security Testing Methodology Manual (OSSTMM) and Hacker Highschool (HHS). Lots of his ideas were great, but wrapped in language that made them really difficult to understand. In my innocence I thought, “Hey, I can contribute by drastically improving the quality of the prose here.” Soon I was working on a lesson, and by 2012 Pete had asked me to take over as Project Manager of Hacker Highschool.
It was a fun, and hysterically busy, beginning. We charted out a whole series of lessons beyond the original 12 released in 2004, and enlisted what grew to become a cadre of contributors over 200 strong. There’s a trail of articles and updates by me, Pete and many others that chart that effort. It was a ton of fun, and I met a lot of great people, but it also consumed every bit of my free time for several years, and most important, didn’t make money.
Eventually we tried to improve the financial situation, but that’s a story for another post. (We weren’t successful.)
Anthony Freed, a cool open-source writer and commentator, penned the article “Hacker Highschool Revamps Lesson One on Being a Hacker” (November 29, 2012) at https://www.corero.com/blog/278-hacker-highschool-revamps-lesson-one-on-being-a-hacker.html (cache at https://webcache.googleusercontent.com/search?q=cache:ui9CjyGtt6wJ:https://www.corero.com/blog/278-hacker-highschool-revamps-lesson-one-on-being-a-hacker.html+&cd=1&hl=en&ct=clnk&gl=us, Perma link at https://perma.cc/5ZMN-SYE5 ):
Hey kids, wanna get your hack on? The developers of Hacker Highschool, a free cybersecurity awareness and education project, have just issued a newly revamped version of the organization’s first lesson plan titled Being a Hacker, and will soon be reissuing updated curricula for all 23 of the course’s tutorials.
Pete described it as “open, free”, which is not to be confused with Open Source (the 2004 version was copyrighted, and version 2 was released under a Creative Commons-attribs-no-derivs “license”):
“This open, free project is a relaunch of the lessons first published in 2004. Over 60 volunteers, led by me and managed by Glenn Norman have been working months to provide a total of 23 lessons. The first of which has been released today, ‘Lesson 1, Being a Hacker’. The final lesson is on Trolling,” Herzog said.
Ah, those optimistic early days. I wish we could have made HHS a viable ongoing enterprise, but there’s no money in “open and free.” There is, however, a viable business model for shared community education about hacking, and I’m working to develop that now (2017) at School for Hackers (S4H): https://schoolforhackers.com/. I’ll have a lot more to say about S4H in coming posts, but for now I’ll just say it’s NOT about teaching teens cyber-security awareness; it’s very much for adults.
Stay tuned.
If you’ve followed me for long, you’ll recognize that this site made a dramatic change recently. All the content is still here; it’s simply riding on a different platform, which I hope we’ll all find easier to work with. The old platform didn’t let me set up comments, but going forward most of my material will allow them from registered users.
So here at GNorman.org you’ll find my personal posts, discussions and class materials. Keep in mind that my “companion” site, https://schoolforhackers.com, will house our growing hacker community, with the understanding that we’re talking about “clever engineers,” not “criminal engineers.”
There will be plenty of material coming on both. Thanks for following, and don’t hesitate to drop me a line.
Glenn
* * *