RE: Hacker Stories, Certs, vs Projects - the real problem?

From: David Cross (davidcross@Post-N-Track.com)
Date: Mon Jul 31 2006 - 12:22:50 EDT


I have to agree that I hastily chose words in my email. I agree that
mastery was a poor word to insert.

Do certs need to change and raise the bar? Probably. I have no issues
with making the test harder or making people prove they can do anything.
That's all well and good if it can be done.

If there are constructive ideas I will gladly pass them on as I did when
I discovered that CISSP had no mechanism for renewal credits for
reporting CVEs. (Everyone can contribute to making their cert more
valuable if they care to)

* How can one give a hands-on test on managing the audit process?
* How can one give a hands-on test person on writing a business
continuity plan? (if they write one how do you know it's not
plagiarized?)
* How can one give a hands-on test on what authentication mechanism is
best in a particular setting? (without using a written test?)
* How can one give a hands-on test on what cryptographic algorithm is
best in a particular setting?
* How can one give a hands-on test on how HIPAA law applies to a claims
clearinghouse?

If you were a CISSP for example you may have a fuzzy recollection of
that information tucked away in your brain and an idea of where to go to
refresh your memory. If you are a CISSP and you also have done it
before then you probably have a very bright recollection of what it
takes. (leading back to my original point that experience plus a cert
helps an employer know you have some knowledge... maybe not any more
than a bachelors degree tells them that you are qualified to be a
programmer but it's a bar by which you can be measured)

Have I ever had issues with cert test questions and certs in general...
yes! Actually I find it irritating to be asked questions about 1980s
technology even if they are few and far between. It frustrates me to be
quizzed on details of organge-book stuff when that is no longer the
standard. It bugs me when certs have renewal requirements that include
teaching a class but not writing security related freeware. But if you
bring those things up they get addressed and it improves the cert for
everyone thereafter which is why these kind of things need to be dealt
with.

The thing I take issue with is the damn boot-camp things or the study
books that take someone off the street and guarantee that they will pass
cert XYZ. I think those things are the REAL cert killers. People who
put on those classes and print those books are the real problem in my
opinion. That is probably why so many certs are changing to add renewal
requirements or require additional investments in hours and contribution
to the craft. So as long as there's no way to practically test a person
to see if they can actually perform a real risk assessment or how to
write a business continuity plan... At least it's less likely that many
of the boot-camp variety of people were able to meet their renewal
requirements. If there are some good ideas to keep boot-campers out of
it altogether then I'm all for it.

If someone has a formula for how a general knowledge of security and
security processes can be tested with a hands-on test. I'm all ears.

I can't imagine how running metasploit or nessus can prove you know how
to hack. But maybe to some it can. If you add some arbitrary skill
testing task versus skill testing question then you limit whatever you
are testing to some pinpoint sub-set of a greater whole ultimately
proving that you have the ability to take a test and also run nessus
version X. So perhaps the real deal is to have a hands-on test for
every piece of hardware/software (version) and break down certs into
individual modules. Ex: cert XYZ - Linux/IPtables module, cert XYZ -
tripwire module, cert XYZ - Certificate Practice Statement writing etc.
at that point we have a Microsoft-like system where certs are an
off-shoot of a product line instead of a spectrum of knowledge.

This is a serious question for our industry as a whole. It probably
does need to be solved before the value of all certs goes in the toilet.

Let me know if you have any good ideas.

Dave

-----Original Message-----
From: Wolf [mailto:wolfiroc@earthlink.net]
Sent: Sunday, July 30, 2006 9:28 PM
To: Pete Herzog; David Cross
Cc: Robert E. Lee; pen-test@securityfocus.com
Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)

Hi David and Pete,
I really take the statement "... mastery of all aspects of security" as
a bit of a challenge as well as an insult to those who truly have
mastered their craft, but do not have the CISSP. I do - as well as
OPST, OPSA, IEM and IAM. Fact -not boasting or professing mastery. Too
much comes down the road each day to profess mastery at all aspects of
security. If there were so many masters out there, then we wouldn't
have configuration management issues, patch management and
implementation issues, and every system and network could be certified
and accredited as being operationally secure.
I know for a FACT that some CISSPs have little or no experience or
understanding in the field, yet managed to take a damn good test! If
the prereqs were checked or truly told, they never would have been
eligible.
Not a rant just something to think about the next time you claim
mastery!

-----Original Message-----
>From: Pete Herzog <lists@isecom.org>
>Sent: Jul 30, 2006 5:39 AM
>To: David Cross <davidcross@Post-N-Track.com>
>Cc: "Robert E. Lee" <robert@dyadsecurity.com>,
pen-test@securityfocus.com
>Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium
MAC Address Changer v3.1 (FREEWARE)
>
>Hi David,
>
>> The CISSP credential is not a networking credential. It is a general
>> security credential showing mastery of all aspects of security, not
an
>> in-depth knowledge of one. A CISSP would be expected to serve in an
>
>I think "mastery" includes capability and not just knowledge thereof.
To
>master something means to be at the top of a craft. It means to know
>something deeply and to be able to apply that knowledge broadly. I
>disagree that a CISSP shows a mastery of all things security.
>
>> advisory or audit capacity and not in a network engineer capacity.
The
>
>Just broad knowledge of security best practices to apply broadly where
one
>sees them is unhealthy to any organization.
>
>> If a CISSP with no experience is applying for a networking job then
>> shame on them. If you hire a CISSP for a networking job when they
have
>> no specific networking experience then shame on you.
>
>And yet they do all the time. Many of us know many CISSPs who didn't
have
>the experience, were able to fudge it, and were able to get their
>certification without having any problem finding another CISSP vouch
for
>them. Talking a solution does not show successful implementation of
one.
>
>> Credentials can only be looked at to strengthen the credibility of a
>> person's resume, not to create credibility where this is no
experience.
>
>Not true. Certification can provide those lacking experience to show
>ability and be an asset to an organization in that particular field. So
it
>can show credibility where no experience exists. People already do this
now
>looking to switch job descriptions, need to learn a specific aspect of
a
>job, seek to enhance current ability, or to improve their marketability
for
>new jobs.
>
>> Either way if you are going to criticize things in public you should
>> know what you are talking about or you will just point out to
everyone
>> that you don't know the industry as well as you think.
>
>I agree with that statement however I also think putting on
rose-colored
>glasses does not make the current industry on-goings any rosier for
other
>people who end up being the victims instead of the benefactors of
security.
>
>-pete.
>
>-----------------------------------------------------------------------
-------
>This List Sponsored by: Cenzic
>
>Concerned about Web Application Security?
>Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
>Choice Award from eWeek. As attacks through web applications continue
to rise,
>you need to proactively protect your applications from hackers. Cenzic
has the
>most comprehensive solutions to meet your application security
penetration
>testing and vulnerability management needs. You have an option to go
with a
>managed service (Cenzic ClickToSecure) or an enterprise software
>(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
>help you: http://www.cenzic.com/news_events/wpappsec.php
>And, now for a limited time we can do a FREE audit for you to confirm
your
>results from other product. Contact us at request@cenzic.com for
details.
>-----------------------------------------------------------------------
-------
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:28 EDT