Full Disclosure mailing list archives

RE: credibility (was 'more security people')


From: "Steven Alexander" <alexander.s () mccd edu>
Date: Wed, 4 Feb 2004 14:51:44 -0800

WTF makes people think that passing a single test qualifies someone as
an expert in anything?  

People need to realize that while tests/certifications are not
worthless, they should only complement other qualifications.  Tests are
used in other professional fields: lawyers have to pass the bar exam in
the state where they intend to practice law, accountants have to pass
the CPA exam.  However, you can't take the bar exam without a law degree
or the CPA exam without taking a specified number of accounting classes.

Knowing a lot of random facts about security simply isn't enough.  It's
nice that everybody and their mom knows what a buffer overflow is
nowadays but it doesn't enable them to evaluate StackGuard, ProPolice,
PaX, W^X, etc.  Knowing what an intrusion detection system is doesn't
mean that you have tcpdump skills.  Expertise is based on knowledge that
has both breadth and depth. 

Security people need to know a lot about a lot of things: one of the
most important books that I've read WRT security is Richard Stevens'
TCP/IP Illustrated Vol. 1 and it doesn't directly deal with security.
But, without an in-depth understanding of TCP/IP, how formidable can
one's knowledge of security (especially firewalls and intrusion
detection systems) be?  

Also, it's important to be able to think outside the box.  Bruce
Schneier has argued for years that good cryptosystems are designed by
people who are good cryptanalysts.  It makes sense to me; why should I
trust the ciphers that you design if you don't understand what was wrong
with the old ones?  Likewise, why should I trust in the security of a
network/system "secured" by some random CISSP when they don't know
anything about breaking into systems?

I don't think that every security expert has to be a reformed
{cr|h}acker.  I do think, however, that anyone who dares call themselves
a security expert should understand how systems are broken into.  If you
don't know what attackers are doing, how the hell do you know what to
protect against?  

There should be a hands-on challenge to any security certification
requirements.  Perhaps something like: "Find and infiltrate the PaX
protected system on network X.  You must write your own exploit to gain
root through ssh using return-into-libc.  Remove all traces of your
intrusion from the logs (they're append only).  Don't alert the Snort
box." 

I don't have a CISSP btw so I'm biased.

My $.02

-steven     


-----Original Message-----
From: Gregory A. Gilliss [mailto:ggilliss () netpublishing com] 
Sent: Wednesday, February 04, 2004 10:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] credibility (was 'more security people')



<snip>

BTW, to be clear I am *not* saying that certifications are
bad/worthless.
I am saying that they are weak, ineffectual, and not nearly enough to
qualify someone to market themselves as a "security expert". From the
perspective of weeding out the phonies, I'm all in favor of
certifications.


<snip>

In summary, the industry deserves what it gets, which is a large number
of untalented posers who couldn't root a Linux 5.0 box running wu-ftp

=;^)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html