As teenagers, we never liked rules growing up. Curfews. Chores. Homework. But we know now that the rules were good for us. It seems like nothing has changed for those of us in the DF/IR field. We don’t particularly want to be regulated simply because, like when we were teenagers, we know what is best for us.
The DF/IR field, as it stands today, is practically the Wild Wild West. We have few regulations outside of obtaining a business license. In some states, we might need a PI license, but that is about the most regulated we get today. It’s freewheeling at the moment without any government intervention. What a great time to be in DF/IR!
- Licensing requirements? Nope.
- Training requirements? Nope.
- Education requirements? Nope.
- Certification requirements? Nope.
- Experience requirements? Nope.
- Testing requirements? Nope.
- Annual update requirements? Nope.
To state the point quickly, I foresee this Wild Wild West coming to a screeching halt, where we will all be (willfully) blindsided, and potentially have our careers and businesses put on hiatus until we comply with mandated regulations that will take months, if not years for each of us to comply. I expect that some currently working in DF/IR may not be able to comply!
Let me get to the solution before getting into the issues. Simply copy and modify what is being done in other professions to fit the DF/IR profession, and give our ideas to the respective government regulatory agencies to implement. In this manner, everyone can keep doing what they are doing, begin to comply with the regulations, be grandfathered in where appropriate, and have reasonable standards created by those who know best (that’s you by the way). Pick a profession, any profession, and get started. The medical field, accounting field, anything. Even hair stylists are regulated with training and education standards. Pick several and meld them together to fit DF/IR.
Brett’s Opinion on a few things
Certifications
I usually get on a soap box and rant against certifications, but I’ll make it shorter this time. I’m not against certifications, and I believe that having a sheet of paper of classroom training completion is worthwhile. Having that sheet of paper shows:
- I attended ‘x’ number of hours on "x" date and time
- I was exposed to ‘x’ topics in those hours
- I was taught by ‘x’ (person or organization)
- I passed an exam (if one was given)
Licensing
Licensing is inconvenient to maintain, just ask any doctor if you are curious. But, licensing is important to prevent unqualified people from practicing a service that can have serious consequences. We certainly trust our doctors, but part of that trust is based on a license from the state, which is based on a successful internship, which is based on the degree granted by a university, which is based on the successful passages of a specific curriculum, and so forth.
In the DF/IR world, all we need to do is attend a 3-day FTK class and buy a dongle. No, all we need is just buy the dongle. Wait a sec, actually forget the dongle, we can just download some free forensic software and get started…
We need licensing, and a standardized process to meet those licensing requirements. Whatever that may end up becoming is currently up to the DFIR community, but will eventually be mandated by someone else if we sit idly by. If you are reading this and doing DF/IR work, I would imagine that grandfather clauses will be inserted in every requirement, otherwise, the entire DF/IR field will grind to a halt. Most of those working today in the DF/IR field can probably teach DF/IR at a post-graduate level, yet not personally hold a post-graduate degree (or any degree in any IT related field)
I can foresee licensing based on a healthcare provider licensing model. Each different job (doctor, nurse, etc…) has its basic foundational requirements. Additional specializations have additional requirements (heart surgeon, registered nurse, etc…). So that,
- DF/IR Licensed Professional (much like a family doctor in general practice)
- DF Licensed Specialist (operating system specialization, device type specialization, etc…)
- IR Licensed Specialist (penetration specialization, intrusion specialization, etc…)
- And so forth.
Imagine looking for an employee and you can instantly see what they should know based on a standardized licensing model. Today, you may be trying to weed out the IR applicants for a DF job you have, and that is not as easy to do when you have to go line-by-line to sort it out what the applicant’s skills are. When looking at other professions, I usually point to one example of becoming a hair stylist. I'm not knocking hair stylists, but the majority of us getting hair cuts don't even know the licensing requirements involved. In Washington State, it's a lot of requirements to just cut hair...
Think about what it takes to cut hair the next time you argue against any licensing requirements for DF/IR work...because we don't have anything that compares. Another benefit of licensing is getting rid of the bad apples. An example of how this is done in the police world (at least in WA state), is the Peace Officer Certification. If the Peace Officer Certification is revoked, then that police officer will not be able to work anywhere in the state. The world of lawyers is similar in they can be disbarred from practicing law. How nice would it be to de-certify a DF/IR person who falsified evidence or doesn’t meet any minimum standards? Everyone would benefit.
<on soapbox>
I want to rant a bit on certifications, only because I am asked about ‘which certs should I get’ all the time. I am not anti-certification, but I have strong feelings about some of the certifications and about how certifications are looked at by students, employers, courts, and vendors.
I believe certifications are important to more easily show in court that you at least completed training in a certain subject especially if you are using DF/IR skills in (1) helping put someone in or keep out of jail, or (2) helping someone keep or lose their job. It doesn’t mean you know what you are doing, just that you had training in the subject. Otherwise, it looks like you were winging it. **exceptions exist, I know, but bear with me as speaking generally**.
Here are some of issues I have personally seen in courses offering certifications:
- · Students sleeping in class
- · Students showing up late and leaving early due to “work”
- · 2-hour lunches on some rarer occasions
- · 20-minute breaks on many occasions
- · Course over by lunchtime on the last day
- · Everyone passes the test with multiple attempts
- · Everyone getting a certificate even if they failed the test or didn’t attend the entire course
Here are some of the issues I have personally seen about certification perceptions:
- · Only “x” certified DF/IR employees know how to use “x” software
- · You must have “x” certification to apply for this job
- · If you self-studied and mastered “x”, you aren’t as good as an “x” certified applicant
- · The “x” certification is better than the “y” certification
- · The “x” certification is more expensive because it is the best certification
I have seen certification-junkies, where almost like an obsessive collector, the more acronyms they collect, the better they feel. What about the Challenge Coins! Gotta have them! Vendors have got to love these types. It's like the Pokemon or Furby craze. Employers are also at a loss because the only certifications they care about are the ones that are most hyped by a vendor that gives out the most cherished acryomn.
As for me, if I were ever a hiring manager again, rather than look at an applicant and see that box for “x” certification exists, I’d rather make sure that the certification was (1) relevant to the job, and (2) the applicant knows the material that the certificate says. Otherwise, I look at certs as simply a document showing the number of hours that a person completed for professional development. No more. No less.
Speaking of number of hours in courses, I am a stickler on actual numbers. Every statement that I have ever made of the number of classroom hours I have completed, I have cut the documented number down by at least 25%. On paper, I may have a certain number of hours in print, but in depositions, testimony, resumes, CVs, and informal conversations, I state the lower number. Why? Because I see classroom hours as not including the breaks or the early-outs on Friday morning. Or when the instructor has to cut the class short to make a flight
I have taken courses where a 40-hour course turns out to be 60 (like SWAT training….), but I have never seen that happen in the DF/IR training world. If you don’t believe that a 40-hour course classroom time is closer to 30 hours, crank up Excel and put in the number to your last course. Be honest in the numbers and you will be surprised. And be sure to put in the extra-long breaks, the days that the class started late and ended early. And the days that the class stalled because of this-reason or that-reason. Add the time you stepped out for a phone call (if you ever did such a terrible thing!).
The next time you testify and are asked about your classroom (formal) hours of training, think about the actual numbers before you answer). Lunch time is not typically going to be considered DF/IR learning time.
<off soapbox>
I see the future where the road to working DF/IR will be as easy to figure out as it is today if you want to be a doctor or lawyer or house builder. Follow the path to licensing and you will be good to go. Salaries will be much higher, the profession will advance faster than ever, and employers/clients will have an easier time of finding exactly who they need.
The requirements and qualifications? That’s up to us to figure out, and figure out fast. Otherwise, I can also see government making the requirements so burdensome that it will push out those who are competent and prevent those with great potential from coming in. That is totally opposite of what we want to happen.
Article Link: http://www.brettshavers.cc/index.php/brettsblog/entry/the-last-thing-we-want-is-the-first-thing-we-need-in-df-ir