RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

From: Utz, Ralph (rutz@realtime-it.com)
Date: Fri Jul 28 2006 - 09:24:06 EDT


" Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think."

I challenge you to take your own advice. As you say, the CISSP is a
general security credential. It does NOT show a mastery of all aspects
of security as you say. Yes, I understand that a CISSP can tell me that
the glass encasing my server room is too thin, but you go way too far
out on a limb by saying that one certification makes you a master of all
aspects of security. Are you a CISSP? Can you configure multiple
vendors' firewall products to allow for 30 remote sites and 150 roaming
salesmen? Can you then configure multiple vendors' IDS/IPS products to
provide enhanced security to your customer's network? How good are you
at incident response on an HP-UX box? When you catch malicious
software on your honeypot, can you reverse it to determine its function
and take proper action at your routers/firewalls/IDS/IPS to prevent its
propagation in future? How about configuring that customer's wireless
network for 802.1x and smart cards? I can go on and on, but my point is
this. Are there people with the CISSP certification that are capable of
doing these things? Yes. Are they the majority? No. The CISSP does not,
as you say, "show mastery of all aspects of security".

-----Original Message-----
From: David Cross [mailto:davidcross@Post-N-Track.com]
Sent: Thursday, July 27, 2006 3:38 PM
To: Robert E. Lee
Cc: pen-test@securityfocus.com
Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

Since you believe that a CISSP can be passed with no experience,
certainly you would also be aware that it has a practical experience
requirement of 6 years of security work prior to being eligible for the
test. It also requires that another CISSP vouch for your experience.
It also requires that you show proof (yes, actual proof) of industry
experience for every year after you pass the test, to the tune of several
hundred hours of training and volunteer work (assuming you can pass the
test with a score greater than 70% of the applicants' scores). It
requires an ongoing credit-based system where you have to have served on
industry boards, done volunteer work, written articles, published books
and a number of other things. If you are lucky enough to pass all these
requirements, and when audit time rolls around it's discovered that
you didn't have the 6 years' experience or you didn't really do all you
said you did, then you lose your credential and can never re-apply.

Sure, maybe you know someone who's taken a course and gone and passed the
test, but I bet you didn't know that many of them have not received their
credential due to the lack of a credentialed CISSP to vouch for them or
due to lack of actual ongoing experience to add to their credential
after the fact.

The CISSP credential is not a networking credential. It is a general
security credential showing mastery of all aspects of security, not an
in-depth knowledge of one. A CISSP would be expected to serve in an
advisory or audit capacity and not in a network engineer capacity. The
CISSP program also has specific knowledge area credential programs
specific to application security among other things which apply to
specific jobs.

If a CISSP with no experience is applying for a networking job then
shame on them. If you hire a CISSP for a networking job when they have
no specific networking experience then shame on you.

Credentials can only be looked at to strengthen the credibility of a
person's resume, not to create credibility where there is no experience.

Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think.

David

-----Original Message-----
From: Robert E. Lee [mailto:robert@dyadsecurity.com]
Sent: Thursday, July 27, 2006 4:40 AM
To: shreyas@technitium.com
Cc: shreyasonline@yahoo.com; slamboy@gmail.com;
pen-test@securityfocus.com
Subject: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

The "practical application" portion of the Cisco CCIE certification is
why organizations can trust that a CCIE job applicant can serve a useful
Cisco networking function in their organization. Any certification that
fails to measure the candidate's actual ability to perform a useful
function in the subject of the certification is useless (à la CEH, CISSP,
CISA, CISM, which can all be passed with 0 years of experience). To the
best of my knowledge about the current infosec certs, ISECOM's OPST
(www.opst.org) and OPSA (www.opsa.org) come the closest to fulfilling
the practical measurement requirement. For what it's worth, we would
not consider hiring a candidate who advertised that they have a CEH
certification.

If you want to stand out in an interview, perform a useful function that
your peers respect you for. Presenting your ideas at conferences or
contributing to computer security research papers and projects will get
you a lot more credibility in a job interview than "hacking stories" or
"hacker certifications". There are a lot of projects to choose from.
If none of them excite you, start your own. ;)

Robert

-- 
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com
 
phone: (949) 394-2033
fax  : (949) 486-6601
email: robert@dyadsecurity.com
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
The information in this email and in any attachments is confidential and may be privileged. 
If you are not the intended recipient, please destroy this message, delete any copies held 
on your systems and notify the sender immediately. You should not retain, copy, or use this 
email for any purpose, and any review or other use of this information by persons or 
entities other than the intended recipient or any retransmission without the written consent 
of the sender is expressly prohibited.


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:26 EDT