Security Basics mailing list archives

RE: just starting as Traffic Analyst


From: "Flory, Jeffrey CTR USAF AETC 59 MDSS/SGSBIH" <Jeffrey.Flory () LACKLAND AF MIL>
Date: Mon, 29 Mar 2010 16:11:13 -0500

Not sure how long you have been working in the security field, but if it has not been that long you may want to 
re-think obtaining your CISSP; you might want to master the following first:

GCIA Certification Bulletin
The GIAC Intrusion Detection In-Depth (GCIA) was created to provide assurance that a certified individual holds the 
appropriate level of knowledge and skill necessary for anyone relied upon by an organization to perform intrusion 
detection using network and host-based techniques.

All GIAC certifications expire after a period of 4 years. In order to recertify, candidates must take the current 
version of the certification exam.

The practice tests are taken on-line and are designed to simulate the format of the actual GIAC exams with the same 
number of tests, multiple-choice questions and time-limits. The practice test questions are written by the same authors 
who write the questions for the actual GIAC exams and are representative of the types of questions you can expect to 
see. However, it is important to keep in mind that no exam questions are identical in content to practice exam 
questions. During the practice tests, each time you choose a wrong answer you will receive the correct answer along 
with an explanation that will help to reinforce the subject matter presented in the question. The practice tests also 
keep track of the number of questions you have answered correctly, incorrectly and how many questions you have 
remaining. You will only have one attempt at each practice test, but if you would like additional attempts they are 
available for purchase. If you do purchase a new practice test set, the on-line system will re-quiz you on those 
questions you had difficulty with, in addition to new questions.

Type: Certification
Target: Individuals responsible for network and host monitoring, traffic analysis, and intrusion detection

GIAC Certified Intrusion Analysts (GCIAs) have the knowledge, skills, and abilities to configure and monitor intrusion 
detection systems, and to read, interpret, and analyze network traffic and related log files.

Requirements: 1 proctored exam - 150 questions - 4-hour time limit - 67.3% (101 of 150 questions) minimum passing score
Renewal: Every 4 years
The topic areas for each exam part follow:

Exam Certification Objectives (Certification Objective / Outcome Statement)
Abnormal Stimulus Response
 The candidate will show a fundamental understanding of abnormal looking network traffic that results from specific 
hacking techniques.
 
Advanced Analysis with Tcpdump
 The candidate will demonstrate an understanding of how to determine specific attacks by analyzing network traffic with 
tcpdump.
 
Advanced Snort Concepts
 The candidate will demonstrate a fundamental understanding of advanced Snort concepts such as rule ordering, false 
negatives and positives.
 
Analyst Toolkit
 The candidate will demonstrate an understanding of the different tools that are available when analyzing intrusions.
 
Checksums
 The candidate will demonstrate a fundamental understanding of what checksums are and how they can be used to validate 
packets.
 
Correlating Traffic
 The candidate will show an understanding of the issues and solutions of data correlation.
 
Dissecting Datagrams
 The candidate will demonstrate a thorough understanding of how to dissect a datagram using tcpdump.
 
Domain Name System (DNS)
 The candidate will show a thorough understanding of how DNS works for both legitimate and malicious purposes.
 
Examining ICMP Fields
 The candidate will show a thorough understanding of normal and abnormal ICMP fields.
 
Examining IP Header Fields
 The candidate will show a thorough understanding of normal and abnormal IP header fields.
 
Examining Packet Crafting
 The candidate will demonstrate familiarity with how packets are crafted using different tools.
 
Examining Packet Headers with TCPDump
 The candidate will demonstrate a thorough understanding of how to analyze a packet header using tcpdump.
 
Examining TCP Fields
 The candidate will show a thorough understanding of normal and abnormal TCP fields.
 
Examining UDP Fields
 The candidate will show a thorough understanding of normal and abnormal UDP fields.
 
Firewalls and Intrusion Prevention
 The candidate will understand how firewall technology can be employed to improve intrusion detection/prevention.
 
ICMP Theory
 The candidate will understand the ICMP protocol, how ICMP can be used for mapping, and the concepts behind ICMP based 
attacks.
 
IDS Interoperability
 The candidate will show a fundamental understanding of the different types of interoperability models.
 
IDS Patterns
 The candidate will show a thorough understanding of in-the-wild detects including DoS attacks, network mapping, and 
coordinated attacks.
 
IDS Signatures & Response Time
 The candidate will show a fundamental understanding of the flow and process of detecting intrusions.
 
IDS/IPS Architecture Issues
 The candidate will show a thorough understanding of the specific technical related issues with regard to deploying 
IDS/IPS systems.
 
IDS/IPS Management Issues
 The candidate will show a thorough understanding of the management related issues with regard to deploying IDS/IPS 
systems.
 
Indications & Warnings
 The candidate will show an understanding of the importance of two indication and warning models.
 
Introduction to Snort
 The candidate will demonstrate a fundamental understanding of the installation of Snort as an Intrusion Detection 
System.
 
IP Routing
 The candidate will demonstrate an understanding of how packets are routed across IP networks.
 
IPv6
 The candidate will understand the key differences between IPv4 and IPv6 and methods for implementing IPv6 over IPv4 
networks.
 
Malicious Fragmentation
 The candidate will show an understanding of the concepts behind fragmentation-based attacks.
 
Manual & Automated Correlation
 The candidate will show an understanding of the importance of correlation in intrusion detection.
 
Microsoft Protocols
 The candidate will demonstrate an understanding of Microsoft's SMB/CIFS, RPC, and Active Directory protocols.
 
Network Mapping & Info Gathering
 The candidate will demonstrate a thorough understanding of the reconnaissance techniques that attackers use to gather 
information.
 
NIDS Evasion & Insertion
 The candidate will show a fundamental understanding of the evasion and insertion techniques hackers utilize to confuse 
NID systems.
 
Normal Fragmentation
 The candidate will demonstrate an understanding of how fragmentation works through theory and packet capture examples.
 
Normal Stimulus Response
 The candidate will show a fundamental understanding of everyday network traffic behavior and typical responses.
 
Snort Configuration
 The candidate will demonstrate an understanding of how to configure the Snort Intrusion Detection System.
 
Snort GUIs & Sensor Management
 The candidate will show familiarity with GUI tools that are available to manage a Snort implementation.
 
Snort Modes of Operation
 The candidate will show an understanding of the different methods of operation that Snort currently supports.
 
Snort Performance, Active Response & Tagging
 The candidate will demonstrate a fundamental understanding of Snort performance options, active response techniques 
and tagging.
 
Snort Rules
 The candidate will demonstrate familiarity with how to effectively configure Snort rules.
 
TCPIP Refresher & Beyond
 The candidate will demonstrate familiarity with tcpdump/windump, and have a thorough understanding of IP.
 
Traffic Analysis
 The candidate will be familiar with organizing multiple log formats for analysis, how to detect the source of an 
event, normal vs abnormal behavior, link analysis, periodic reports, and profiling.
 
Traffic Analysis with Tcpdump
 The candidate will demonstrate an understanding of how to analyze network traffic in relation to other traffic using 
tcpdump.
 
Writing Tcpdump Filters
 The candidate will demonstrate familiarity with the techniques that are involved when writing tcpdump filters.
 

Where to Get Help
Training is available from a variety of resources including on line, course attendance at a live conference, and self 
study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many 
professionals have the experience to meet the certification objectives identified.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at http://www.giac.org/grievance.php.

||SIGNED|| 
JEFFREY D. FLORY, Contractor 
Wing COMPUSEC Manager 
Information Assurance/Network Security Manager 
Comm:  210-292-6920  DSN:  554-6920
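A worked illustration of several of the objectives listed above (Dissecting Datagrams, Checksums, Examining IP Header Fields, Examining TCP Fields, Examining Packet Crafting). This is an added example, not code from the message above or from GIAC: it crafts a minimal IPv4/TCP packet with correct checksums, then dissects it the way an analyst would and flags the fields that look abnormal. The sample packets, addresses (RFC 5737 documentation range) and the list of checks are constructed for this example.

```python
"""Craft, dissect and sanity-check raw IPv4/TCP datagrams (added example;
sample packets are constructed here, not captured traffic)."""
import socket
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: ones'-complement of the ones'-complement sum of
    16-bit words (an odd trailing byte is padded with zero). Verifying a
    header means recomputing over it, checksum field included, and
    expecting 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into named fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4                 # header length in bytes
    return {
        "version": vihl >> 4, "ihl": ihl, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum": csum,
        "checksum_ok": internet_checksum(packet[:ihl]) == 0,
    }


def parse_tcp(segment: bytes, src: str, dst: str) -> dict:
    """Decode the 20-byte TCP header. The TCP checksum covers a pseudo-header
    (src, dst, zero, protocol 6, TCP length) plus the whole segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     csum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_res >> 4) * 4,
        "flags": {name for name, bit in TCP_FLAGS.items() if flags & bit},
        "window": window, "checksum": csum, "urgent": urg,
        "checksum_ok": internet_checksum(pseudo + segment) == 0,
    }


def analyze(packet: bytes) -> list:
    """Return the abnormal-field findings for one packet ([] = looks normal)."""
    findings = []
    ip = parse_ipv4(packet)
    if ip["version"] != 4:
        findings.append("IP version is %d, not 4" % ip["version"])
    if ip["ihl"] < 20:
        findings.append("IHL below the 5-word minimum")
    if ip["total_length"] != len(packet):
        findings.append("IP total length %d != %d bytes on the wire"
                        % (ip["total_length"], len(packet)))
    if not ip["checksum_ok"]:
        findings.append("IP header checksum mismatch")
    if ip["src"] == ip["dst"]:
        findings.append("source equals destination (LAND-style)")
    # TCP checks only on unfragmented segments: a fragment carries at most a
    # partial segment, so its TCP checksum cannot be verified on its own.
    if (ip["protocol"] == 6 and ip["ihl"] >= 20
            and not ip["mf"] and ip["frag_offset"] == 0):
        tcp = parse_tcp(packet[ip["ihl"]:], ip["src"], ip["dst"])
        if {"SYN", "FIN"} <= tcp["flags"]:
            findings.append("TCP SYN and FIN set together")
        if not tcp["flags"]:
            findings.append("no TCP flags set (null scan)")
        if tcp["data_offset"] < 20:
            findings.append("TCP data offset below the 5-word minimum")
        if not tcp["checksum_ok"]:
            findings.append("TCP checksum mismatch")
    return findings


def build_ipv4_tcp(src, dst, sport, dport, flag_names, payload=b"",
                   corrupt_ip_checksum=False) -> bytes:
    """Craft a minimal IPv4/TCP packet with valid checksums, optionally
    corrupting the IP one (what a packet-crafting tool does for you)."""
    flags = 0
    for name in flag_names:
        flags |= TCP_FLAGS[name]
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags,
                      8192, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, tcp_len))
    tcp_csum = internet_checksum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip_csum = internet_checksum(ip)
    if corrupt_ip_checksum:
        ip_csum ^= 0x00FF
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    return ip + tcp + payload


# Constructed samples (RFC 5737 documentation addresses), not captured traffic.
NORMAL_SYN = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40000, 80, {"SYN"})
CRAFTED = build_ipv4_tcp("192.0.2.10", "192.0.2.80", 40000, 80,
                         {"SYN", "FIN"}, corrupt_ip_checksum=True)

if __name__ == "__main__":
    for label, pkt in (("normal SYN", NORMAL_SYN), ("crafted", CRAFTED)):
        print(label, pkt.hex())
        print("  ", analyze(pkt) or "nothing abnormal")
```

The IP checksum is recomputed over the header with the checksum field left in place and must come out as zero; the TCP checksum additionally covers a pseudo-header, which is why `parse_tcp` needs the addresses from the IP layer. The crafted packet triggers both a checksum finding and the SYN+FIN combination that no legitimate stack emits, while the normal SYN produces no findings.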


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Mullins
Sent: Friday, March 26, 2010 11:56 AM
To: s garcia
Cc: security-basics () securityfocus com
Subject: Re: just starting as Traffic Analyst

I recommend you ditch the CISSP book until after you learn to do your
current job, unless it is a requirement to keep said job.

I suggest the following books to learn the basics of network security
monitoring:

The Tao of Network Security Monitoring: Beyond Intrusion Detection
~ Richard Bejtlich

This should be required reading and I strongly recommend you pick it up.

Internet Core Protocols: The Definitive Guide: Help for Network Administrators
~ Eric Hall

This is a good reference manual even if you are already well versed in
the protocols covered.

Is your position more focused on monitoring for security or ensuring up time?

Finally, with no offense intended, is English your second language?

Steve Mullins

On Wed, Mar 24, 2010 at 2:58 PM, s garcia <g.f.samuel () gmail com> wrote:
Hello guys!

I have good news to share with all you guys, I'm going to start a new
phase where I am currently working. I'm going to start to work as a
Traffic Analyst and another duty is doing proactive monitoring of the
status of many services, including web services. Do you want to
share with me any tips? In the past (a year ago) I worked with Sniffer
Pro and it is awesome to see how a network is under fire... wow! So,
after a few months working with Legato Networker (pfff!) doing backup
jobs, while reading the book All-In-One CISSP Exam Guide, written by
Shon Harris, to prepare the way for CISSP certification, finally
after having been in the wrong place I will be in the right place doing the
right job... wiiiiiiiiiiiii!!!!!!

thank you all!!!

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------