Re: RES: CISSP Test

["DAN MORRILL" <dan_20407 () msn com>]

Given that many of the certificates are now "boot camp" type, this should 
put a different light on those colleges that are pumping out Bachelors of 
Information Security, Masters and Doctors of Information security as well.

Wondering if the acedemic credentials will become important in the longer 
run. But without Big Business, and ISSA, OSCOMM, ISC2, SANs and others, an 
international standard is going to be hard to hammer out. What does a 
security person really need to know in what role, analyst, engineer, code 
walker, network engineer, systems security, firewall/ids admin?

Previous in this thread, its going to take money, and while the money 
motivation is there, it will be really hard to get anyone to take anything 
seriously past the "bottom line". There are going to have to be major 
sources of aggrivation, and maybe the feds will step in with minimum 
qualifications much like GSA or NSA have done? Who knows, its going to be a 
rough couple of years for IS.

Going to be a lifetimes work for whom ever takes this one up.
r/
Dan




Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.





> From: R Mondesir <rmondesir () gmail com>
> Reply-To: R Mondesir <rmondesir () gmail com>
> To: SecurityLSI <security () lan-slam com>
> CC: full-disclosure () lists grok org uk
> Subject: Re: RES: [Full-disclosure] CISSP Test
> Date: Tue, 29 Mar 2005 16:36:13 -0500
>
> The C.P.A exam for accountants is a better comparison to the CISSP
> than the Bar exam is for lawyers if we are going to compare industry
> benchmarks.  Eitherway, an internationally accepted stantard seems
> inevitable.
>
> -Rafiyq
>
>
> On Sat, 26 Mar 2005 01:26:36 -0500, SecurityLSI <security () lan-slam com> 
> wrote:
> > I wholeheartedly agree that there needs to be an industry benchmark,
> > something that says you cannot operate in this field unless you have 
> passed
> > x. I'm thinking along the lines of something similar to the Bar exam 
> that
> > lawyers have to take, or perhaps a license like what doctors are 
> required to
> > obtain before being able to practice. I fear its going to take something 
> of
> > that level to truly separate the chaff from the wheat. Anything less and 
> you
> > only end up with braindumps and bootcampers throwing resume after resume 
> at
> > you.
> >
> > The added bonus of having an industry benchmark that bars entry into the
> > field tracks to something a mentor once told me: people that belong to
> > unions drive Chevys and Fords. Those that belong to associations drive 
> BMWs
> > and Mercedes.
> >
> > --Joe
> >
> > ----- Original Message -----
> > From: "Vladamir" <wireless.insecurity () gmail com>
> > To: "Jose Ribeiro Junior" <ribeiro () microcity com br>
> > Cc: <>
> > Sent: Wednesday, March 23, 2005 1:52 PM
> > Subject: Re: RES: [Full-disclosure] CISSP Test
> >
> > > CCIE is where it's at.
> > >
> > > I love writing practice tests, but I'm only 20, so what do I know
> > >
> > > Jose Ribeiro Junior wrote:
> > > > Hi Friends,
> > > >
> > > > What you think about CCIE certification model, practice and write 
> tests
> > ?
> > > >
> > > > I think that is a good model to Security Certifications.
> > > >
> > > > But, can you create a practice tests not using especific vendors ?
> > > >
> > > > -----Mensagem original-----
> > > > De: full-disclosure-bounces () lists grok org uk
> > > > [mailto:full-disclosure-bounces () lists grok org uk]Em nome de 
> Vladamir
> > > > Enviada em: quarta-feira, 23 de março de 2005 14:23
> > > > Para: DAN MORRILL
> > > > Cc: full-disclosure () lists grok org uk
> > > > Assunto: Re: [Full-disclosure] CISSP Test
> > > >
> > > >
> > > > Very good points, so.. who wants to start writing to the mentioned
> > > > organizations about this?
> > > >
> > > > DAN MORRILL wrote:
> > > >
> > > >>I think in reading the multiple threads on this issue, there there 
> are a
> > > >>number of perspectives on the value of the CISSP.
> > > >>
> > > >>What was most interesting was the CEO's perspective. Since the CISSP 
> is
> > > >>a boot camp, and the SANS is bootcampable in the longer run with the
> > > >>removal of the practicle. The real question is working towards a
> > > >>certificate that demonstrates ability to work in the security arena, 
> one
> > > >>that is really hard to get, and one that really tests the ability to 
> do
> > > >>the work.
> > > >>
> > > >>While CISSP and SANS are great to have as a resume filter, it does 
> not
> > > >>imply that anyone with either certificate to their name can actually 
> do
> > > >>the work. What I am seeing is that many people are going for these, 
> and
> > > >>have them, but had them a result from an IDS system, or ask them to 
> do a
> > > >>security design for either a network or a chunk of code, the ability 
> to
> > > >>actually perform the task is not there, even though they have the
> > > >>certificate.
> > > >>
> > > >>Personally, I believe the community needs something, certificate,
> > > >>degree, internship, what ever, that actually means you can perform
> > > >>competently in the security arena. That there is a skill set there 
> that
> > > >>the entire community agree's upon is the minimum recommended skill 
> set
> > > >>to work in this field. If we had something like that, then any 
> school
> > > >>that is pumping out Bachelors of Information Security folks would 
> have a
> > > >>standard. Anyone building a bootcamp or certificate program would 
> have
> > > >>an agreed upon community standard to work with.
> > > >>
> > > >>ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction 
> with
> > > >>the community, develop the minimum qualifications to work in the 
> field,
> > > >>and actually accomplish something once they have been certified or
> > > >>degreed. NSA has been hugely successful in developing security 
> schools
> > > >>through James Madison, Boise, et al. But they have to agree to and 
> teach
> > > >>to the minimum standard that NSA has put together to meet the needs 
> that
> > > >>NSA has identified.
> > > >>
> > > >>I think until we as a community agree upon a minimum standard, apply 
> it
> > > >>consistantly across the board much like doctors, lawyers, social
> > > >>workers, and other degreed or licensed professionals, we will 
> continue
> > > >>to have this debate until the house burns down. As security
> > > >>professionals, as security folks, we have the same ability to either 
> do
> > > >>good, or do harm as any other profession does. We need to understand
> > > >>this, and begin working towards skill sets either certificate or 
> degree
> > > >>that actually mean something useful at the end of the day.
> > > >>
> > > >>My thoughts, flames invited.
> > > >>r/
> > > >>Dan
> > > >>
> > > >>
> > > >>
> > > >>Sometimes MSN E-mail will indicate that the mesasge failed to be
> > > >>delivered. Please resend when you get those, it does not mean that 
> the
> > > >>mail box is bad, merely that MSN mail is over worked at the time.
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>>From: "Clement Dupuis" <cdupuis () cccure org>
> > > >>>To: <robert () dyadsecurity com>,"'Vladamir'"
> > > >>><wireless.insecurity () gmail com>
> > > >>>CC: full-disclosure () lists grok org uk
> > > >>>Subject: RE: [Full-disclosure] CISSP Test
> > > >>>Date: Wed, 23 Mar 2005 06:45:47 -0500
> > > >>>
> > > >>>Robert E. Lee wrote:
> > > >>>
> > > >>>"SANS programs have little to do with security.  I'm glad they 
> changed
> > > >>>their
> > > >>>policy.  They seem more honest now."
> > > >>>
> > > >>>Good day Robert,
> > > >>>
> > > >>>Honesty is a very neat goal to achieve, however it has many facets.
> > > >>>
> > > >>>I lately learned (under all reserve, please correct me if you know
> > > >>>otherwise) that SANS no longer has any NON PROFIT portion left.  
> They
> > > >>>used
> > > >>>to be registered as a non-profit entity in the state of Maryland 
> but it
> > > >>>seems that it was dissolved.  Technically we could say there is no 
> SANS
> > > >>>Institute left anymore as we knew it on the non profit side.  After
> > they
> > > >>>dissolve SANS they created a FOR PROFIT corporation called ESCAL 
> which
> > > >>>registered the names used in the non-profit as trademarks for their
> > > >>>new for
> > > >>>profit organization.  Even thou you see the name GIAC and SANS 
> being
> > used
> > > >>>everywhere, they are all trademark (not organizations) of the new
> > > >>>privately
> > > >>>owned company.
> > > >>>
> > > >>>Principals at SANS have NEVER claimed to be non-profit, it is a 
> myth
> > > >>>that we
> > > >>>the people that have been dealing with SANS for a long time (since 
> the
> > > >>>time
> > > >>>they were non profit) have been propagating.  We have been keeping
> > > >>>this myth
> > > >>>alive simply because we did not know any better and we did not know
> > > >>>that the
> > > >>>non-profit was dissolved.  It was done without any noise or public
> > > >>>announcement to the people that were already certified.
> > > >>>
> > > >>>So they NEVER lied but they never went to any length to inform 
> people
> > > >>>of the
> > > >>>real and current status of their corporation activity.  Most people
> > think
> > > >>>that GIAC is non profit which is not the case anymore and this 
> better
> > > >>>explains the decision of dropping the practical requirement: it 
> does
> > not
> > > >>>generate money and it is not a good business decision to keep 
> something
> > > >>>alive that will become a drain on the bottom line.  Which is a bit
> > > >>>contrary
> > > >>>to the reason given of improving the overall state of the security
> > > >>>community
> > > >>>:-)
> > > >>>
> > > >>>Take care
> > > >>>
> > > >>>Clement
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>_______________________________________________
> > > >>>Full-Disclosure - We believe in it.
> > > >>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > >>>Hosted and sponsored by Secunia - http://secunia.com/
> > > >>
> > > >>
> > > >>_________________________________________________________________
> > > >>Express yourself instantly with MSN Messenger! Download today - it's
> > > >>FREE! 
> http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> > > >>
> > > >>
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > >
> > > >
> > > > Esta mensagem pode conter informacao confidencial e /ou 
> privilegiada. Se
> > voce nao for o destinatario ou a pessoa autorizada a receber a mensagem, 
> nao
> > pode usar, copiar ou divulgar as informacoes nela contidas ou tomar 
> qualquer
> > acao baseada nessas informacoes. Se voce recebeu esta mensagem por 
> engano
> > favor avise imediatamente ao remetente respondendo o e-mail e em seguida
> > apague-o. Agradecemos sua cooperacao
> > > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/