Penetration Testing mailing list archives
RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 28 Jul 2006 15:11:18 -0400 (EDT)
On Thu, 27 Jul 2006, David Cross wrote:
> Since you believe that a CISSP can be passed with no experience certainly you would also be aware that it has a practical experience requirement of 6 years of security work prior to being eligible for the test. It also requires that another CISSP vouch for your experience. It also requires that you show proof (yes actual proof) of industry experience for every year after you pass the test to the tune of several hundred hours of training and volunteer work (assuming you can pass the test with a score greater than 70% of the applicants scores). It requires an ongoing credit-based system where you have to have served on industry boards, done volunteer work, written articles, published books and a number of other things. If you are lucky enough to pass all these requirements and when audit time rolls around and it's discovered that you didn't have the 6 years experience or you didn't really do all you said you did then you lose your credential and can never re-apply.
Most of which are new requirements instituted a few years ago when a very young Indian gentleman passed the CISSP exam earning the right and fame to claim as the youngest certified CISSP in existence. If I recall correctly, his father or father's company vouched for his, at that time 4 years of practical work experience.
It's not hard to get another CISSP to "vouch" for you, I can achieve that with certified's that I've never met nor really corresponded with even, cept the request to sign their name in the dotted line to get my papers.
Now, as for proof of employment, I'm lacking in knowledge here, what is considered proof though? Pay stubs for the period? A signed and certified listing from a manager as to the kinds of work performed? Or merely a resume that documents my supposed history?
> Sure maybe you know someone who's taken a course and gone and passed the test but I bet you didn't know that many of them have not received their credential due to the lack of a credentialed CISSP to vouch for them or due to lack of actual ongoing experience to add to their credential after the fact. The CISSP credential is not a networking credential. It is a general security credential showing mastery of all aspects of security, not an in-depth knowledge of one. A CISSP would be expected to serve in an advisory or audit capacity and not in a network engineer capacity. The CISSP program also has specific knowledge area credential programs specific to application security among other things which apply to specific jobs.
Umm, no, no "mastery" is shown nor demonstrated, it highlights a broad base of knowledge gleaned from study primarily. And I do know certified fewls that have not a single skill in security basics nor a clue as to any concepts of networking. I'm guessing that the broad base of studies was drunked away the first weekend after "testing".
> If a CISSP with no experience is applying for a networking job then shame on them. If you hire a CISSP for a networking job when they have no specific networking experience then shame on you. Credentials can only be looked at to strengthen the credibility of a person's resume, not to create credibility where there is no experience. Either way if you are going to criticize things in public you should know what you are talking about or you will just point out to everyone that you don't know the industry as well as you think.
I'm sorry you feel so threatened cause your cert has such little real merit except to a HR rep or a clueless manager on the prowl for a cheap hire and a cya glance over of the credentials offered by a potential candidate for a position, but thems the facts. Where I work our security "guru's" all certified, make about 30k a year, far below our most junior admins who average in at about 55-60k. Thing is the clueless guru's they can feign along quite awhile and retain those pow checks, while the admins are found out quite quickly as to how well they really know their stuffs. Sad fact here where I work, the sec guru's have taken down production envs on a regular basis, while the admins pick up the pieces and make the fixes, while advising the sec guru's on proper net-etiquette.
Thanks, Ron DuFresne- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>