Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Mon, 10 Sep 2007 16:12:01 -0400

On 9/10/07, "Thomas Ptacek" <tqbf () matasano com> wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".

That is always the case with any test/certification.  Sometimes people
don't really care about the topics, just about the financial
reward it is presumed to bring them by having the cert.  All certs are
meant to establish a baseline.  If someone has a CISSP, you at least
know that they took the time to read about the topics and pass the
test successfully.  Of course, this doesn't mean that they have any
actual experience with security at all.  However, it does show that
they have the capacity to become somewhat familiar with the material.
Think back to that Differential Equations course you took in
university ... do you still *really* remember how to apply Laplace
transformations correctly and in what context :-)

> 2. Certs get stale fast.

No argument here.  Technology is a fast-paced industry...

What I think would be interesting is a certification that is meant to
only be passed by 1% or so of security professionals.  You make the
questions so incredibly dependent on a wide array of knowledge, that
only people who have done that sort of stuff before can pass.  You
could market it as something like the CCIE -- even have an 8-hour
hands on lab exam.  You set up a physical network with various devices
to simulate an actual network, and then judge the testing candidate
based on their technique and how far they are able to penetrate the
network layers.  Do they burn one of their 0days to get in, and how
elegant was their hack?  Of course, I have no idea how many
govs/corps/individuals would actually be willing to pay for something
like this, but that is not the point.  Leave that to the savvy
marketing and business people.  Maybe such a certification is not
viable...

The Certified Expert Penetration Test certification is a good start
and actually forces the candidate to think.  In that cert, they threw
in something that fooled a lot of people.  One of the three stages was
a non-standard printf() vulnerability on Linux.  In order to exploit
it, you needed to have some basic idea of what was going on.  People
who were just trying standard techniques and then dropping in
shellcode would not succeed.  Even writing your own, you had to know
what you were doing.  Another stage was a publicly disclosed
stack-based vulnerability in an FTP server for Windows.  And the last
stage was a very very simple reverse engineering problem.  Oh, and the
prerequisite to all this was a written examination, which weeds out
the people who don't have any clue at all.  I took this while in the
presence of Jack Koziol, who was proctoring the exam in person while
in Washington, DC for the Infosec Institute.

Now, I may know a little bit about security, but I am an amateur in
comparison to visionaries like Mr. Aitel (hi dave!), Solar Designer,
Halvar, and some of the real Black Hats who don't give talks at public
security conferences :-)  Even still, a really difficult hands-on
security cert is non-existent...
-- 
Kristian Erik Hermansen
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
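The printf() stage described in the post above, as an added example that is not part of the original message or of the exam (whose code is not public here): a logging wrapper that forwards caller-supplied text as the format string, the hardened form where the format is a literal, and the review check a practitioner would apply to any string about to be used as a format. The function names and the sample input are hypothetical; the demo input uses only "%%" so that it stays deterministic and avoids the undefined behaviour a real "%x"/"%n" payload relies on.

```c
/* Added example: format-string bug vs. its fix. Constructed for illustration;
 * not the exam's code and not from the original post. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_MAX 128

/* Generic wrapper: hands whatever it is given to vsnprintf as the format.
 * Wrappers like this are where user text ends up being the format. */
static int log_fmt(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: user-controlled text is passed AS the format string, so every
 * '%' directive in it is interpreted (stack reads via %x/%s, writes via %n).
 * Deliberately wrong, to show the pattern. */
int log_user_vuln(const char *user_input, char *out, size_t outlen) {
    return log_fmt(out, outlen, user_input);
}

/* Hardened: the format is a literal; user text is only ever an argument. */
int log_user_safe(const char *user_input, char *out, size_t outlen) {
    return log_fmt(out, outlen, "%s", user_input);
}

/* Review check: count conversion directives in a string that is about to be
 * used as a format. "%%" is a literal percent sign and does not count. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip the pair */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void) {
    char out[LOG_MAX];
    /* Constructed input: "%%" only, so the run is deterministic. */
    const char *input = "user=%%x%%x%%x";

    log_user_vuln(input, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* user=%x%x%x : directives consumed */

    log_user_safe(input, out, sizeof out);
    printf("safe:       %s\n", out);   /* user=%%x%%x%%x : copied verbatim */

    /* The vulnerable output, if it were reused as a format, carries three
     * live directives; the safe output carries none. */
    printf("directives: vuln=%d safe=%d\n",
           count_format_directives("user=%x%x%x"),
           count_format_directives(input));
    return 0;
}
```

The difference between the two outputs is the whole bug: in the vulnerable path the input was parsed as a format, so "%%" collapsed to "%"; with a real payload the same parsing would read or write memory via the va_list. Compiling with -Wformat-security flags the literal case, but not a call through a wrapper like log_fmt unless it is annotated with __attribute__((format(printf, 3, 4))), which is why the directive check is worth running on anything that reaches a format parameter.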
