RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

From: R. DuFresne (dufresne@sysinfo.com)
Date: Fri Jul 28 2006 - 15:11:18 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 27 Jul 2006, David Cross wrote:

>
> Since you believe that a CISSP can be passed with no experience
> certainly you would also be aware that it has a practical experience
> requirement of 6 years of security work prior to being eligible for the
> test. It also requires that another CISSP vouch for your experience.
> It also requires that you show proof (yes actual proof) of industry
> experience for every year after you pass the test to the tune of several
> hundred hours of training and volunteer work (assuming you can pass the
> test it with a score greater than 70% of the applicants scores). It
> requires an ongoing credit-based system where you have to have served on
> industry boards, done volunteer work, written articles, published books
> and a number of other things. If you are lucky enough to pass all these
> requirements and when audit time rolls around and it's discovered that
> you didn't have the 6 years experience or you didn't really do all you
> said you did then you lose your credential and can never re-apply.

Most of which are new requirements instituted a few years ago when a very
young Indian gentleman passed the CISSP exam earning the right and fame to
claim as the o7ungest certified CISSP in existance. If I recall
correctly, his father or fathers comapny vouched for his, at that time 4
years of practical work expierience.

It's not hard to get another CISSP to "vouch" for you, I can achieve that
with certified's that I've never met notr really corresponded with even,
cept the request to sign their mname in the dotted line to get my papers.

Now, as for proof of employment, I'm lacking in knowledge here, what is
considered proof though? pay stubs for the period? A signed and
certified listing from a manager as to the kinds of work preformed? Or
merely a resume that documents my supposed history?

>
> Sure maybe you know someone who's taken a course and gone and passed the
> test but I bet you didn't know that many of them have not received their
> credential due to the lack of a credentialed CISSP to vouch for them or
> due to lack of actual ongoing experience to add to their credential
> after the fact.
>
> The CISSP credential is not a networking credential. It is a general
> security credential showing mastery of all aspects of security, not an
> in-depth knowledge of one. A CISSP would be expected to serve in an
> advisory or audit capacity and not in a network engineer capacity. The
> CISSP program also has specific knowledge area credential programs
> specific to application security among other things which apply to
> specific jobs.

Umm, no, no "mastery" is show nor demonstrated, it highlights a braod base
of knowledge gleend from study prmairly. And I do know certified fewls
that have not a single skill in security bascis nor a clue as to any
concepts of networking. I'm guessing that the broad base of studies was
drunked away the first weekend after "testing".

>
> If a CISSP with no experience is applying for a networking job then
> shame on them. If you hire a CISSP for a networking job when they have
> no specific networking experience then shame on you.
>
> Credentials can only be looked at to strengthen the credibility of a
> person's resume, not to create credibility where this is no experience.
>
> Either way if you are going to criticize things in public you should
> know what you are talking about or you will just point out to everyone
> that you don't know the industry as well as you think.
>

I'm sorry you fgeel so threatened cause your cert has such little real
merit except to a HR rep or a clueless manager on the prowl for a cheap
hire and a cya glance over of the credentials offered by a potential
candidate for a position, but thems the facts. Where I work our secrity
"guru's" all certified, make about 30k a year, far below our most junior
admins who averae in at about 55-60k. Thing is the clueles guru's they
can feign along quite awhile and retain those pow checks, while the admins
are found out quite quickly as to how well they really know their stuffs.
Sad fact here where I work, the sec guru's have taken down production envs
on a regular basis, while the admins pick up the pieces and make the
fixes, while advising the sec guru's on proper net-ettiquete.

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant: sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFEymFZst+vzJSwZikRAt8xAJ9fwd2UbKOnZIlG/BPeGPKtyB0zxgCguNeb
+H1Wp27ZV13sZF4u0bOagEk=
=a8mJ
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:27 EDT