Dailydave mailing list archives
Re: Information security certifications diversity and getting lost
From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Mon, 10 Sep 2007 16:12:01 -0400
On 9/10/07, "Thomas Ptacek" <tqbf () matasano com> wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".
That is always the case with any test/certification. Sometimes people don't really care about the topics, just about the financial reward it is presumed to bring them by having the cert. All certs are meant to establish a baseline. If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test successfully. Of course, this doesn't mean that they have any actual experience with security at all. However, it does show that they have the capacity to become somewhat familiar with the material. Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply Laplace transformations correctly and in what context :-)
> 2. Certs get stale fast.
No argument here. Technology is a fast-paced industry... What I think would be interesting is a certification that is meant to only be passed by 1% or so of security professionals. You make the questions so incredibly dependent on a wide array of knowledge that only people who have done that sort of stuff before can pass. You could market it as something like the CCIE -- even have an 8-hour hands-on lab exam. You set up a physical network with various devices to simulate an actual network, and then judge the testing candidate based on their technique and how far they are able to penetrate the network layers. Do they burn one of their 0days to get in, and how elegant was their hack? Of course, I have no idea how many govs/corps/individuals would actually be willing to pay for something like this, but that is not the point. Leave that to the savvy marketing and business people. Maybe such a certification is not viable...

The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think. In that cert, they threw in something that fooled a lot of people. One of the three stages was a non-standard printf() vulnerability on Linux. In order to exploit it, you needed to have some basic idea of what was going on. People who were just trying standard techniques and then dropping in shellcode would not succeed. Even writing your own, you had to know what you were doing. Another stage was a publicly disclosed stack-based vulnerability in an FTP server for Windows. And the last stage was a very, very simple reverse engineering problem. Oh, and the prerequisite to all this was a written examination, which weeds out the people who don't have any clue at all. I took this while in the presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute.

Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr. Aitel (hi dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) Even still, a really difficult hands-on security cert is non-existent...

-- 
Kristian Erik Hermansen

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
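The printf() stage Kristian describes is, from his account, a format-string bug, the class where "standard techniques and then dropping in shellcode" do not work because the attacker's input is interpreted as a format string rather than copied into a buffer. The exam's actual code is not on this page; the following is an added illustration written for this archive, not the exam's code or Kristian's, showing the minimal form of the bug next to its fix. The helper name log_line and the sample inputs are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the exam): a logging helper whose format
 * string comes from the caller.  With a string literal it is harmless;
 * handing it attacker-controlled data as the format is the bug. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable: user input is used AS the format string.  Every %-directive in
 * the input is interpreted: %p/%x read whatever sits in the argument slots
 * (info leak), %s dereferences those values (crash or arbitrary read), %n
 * writes to them (the write primitive real format-string exploits build on). */
static int vulnerable_echo(const char *input, char *out, size_t n)
{
    return log_line(out, n, input);
}

/* Fixed: the format is a literal and the input is only ever an argument,
 * so its %-characters are printed verbatim. */
static int safe_echo(const char *input, char *out, size_t n)
{
    return log_line(out, n, "%s", input);
}

/* Runs one variant on an input and reports whether the output matches. */
static int echo_matches(int vulnerable, const char *input, const char *expected)
{
    char buf[128];
    int r = vulnerable ? vulnerable_echo(input, buf, sizeof buf)
                       : safe_echo(input, buf, sizeof buf);
    return r >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];

    /* Deterministic demonstration: the vulnerable path collapses "%%" to "%",
     * proving the input was parsed as a format; the safe path prints it as-is. */
    vulnerable_echo("100%% sure", buf, sizeof buf);
    printf("vulnerable: %s\n", buf);   /* 100% sure  */
    safe_echo("100%% sure", buf, sizeof buf);
    printf("safe:       %s\n", buf);   /* 100%% sure */

    /* The leak: each %p pulls a value from an argument register or the stack.
     * What is printed varies per run and per binary (and is undefined
     * behaviour by the C standard), which is exactly the information an
     * attacker uses to locate the stack before attempting a %n write. */
    vulnerable_echo("%p %p %p %p", buf, sizeof buf);
    printf("leak:       %s\n", buf);
    safe_echo("%p %p %p %p", buf, sizeof buf);
    printf("safe:       %s\n", buf);
    return 0;
}
```

The fix is the whole story for this bug class: a format string must be a literal under the programmer's control. Build with -Wformat -Wformat-security (and ideally -Werror=format-security) so a non-literal format with no arguments is flagged at compile time; note that the wrapper above deliberately hides the call from that warning, which is why such wrappers should carry __attribute__((format(printf, 3, 4))) in real code.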