WebApp Sec mailing list archives

Re: Notes from CISSP class with Dr. Eric Cole


From: intel96 <intel96 () bellsouth net>
Date: Wed, 12 Oct 2005 10:20:37 -0400

IMHO....

The CISSP is strictly a paper certification. The reason that I feel this way is that too many people obtain this certification with no real security experience. Over the past 2 years, I have been called in to fix security problems that were caused by other CISSPs. The first case was a vulnerability assessment for a bank where the first CISSP could not finish the project. When I showed up to finish the project, the bank couldn't care less that I had a CISSP. They would not let me start the project until they checked my background. The bank finally let me start the project, but only after learning that I also had SANS GIAC certifications, a master's in Security Management and one in Information Systems, was a published author in the field, and had decades of experience.

The second case involved a pentest where a CISSP had conducted a project for a web portal. The CISSP told the customer the portal was secure, but the customer had concerns about the quality of the work performed. Again I was called in to check the other CISSP's work, and I was able to gain root access in 6 hours. That customer now checks the background of, and even tests, CISSPs before they are allowed to do any work.

Recently I had the pleasure of conducting a pentest for a client who was the CSO of the organization and held a CISSP. When I provided the results of the project to this CISSP, I was informed that I could not have gained access to the network, because he had deployed IDS and IPS devices that cost $$$$. He also stated that the vendors of these devices assured him that no one could bypass them. I had to give this CISSP a class in how IDS and IPS worked, which was WAY over his head. I found out that this CISSP had no technical background and came from the business side of the house. Overall I think that the CISSP serves a purpose, but that purpose is being diluted by individuals who have no security experience but are passing the exam after taking one of the CISSP boot camps. When I see magazine editors and sales people with their CISSPs, I know that the certification is becoming strictly a paper tiger...

Just my 2¢

--------------------------------------------------------------------------------------------------------------------------------------




PPowenski () oag com wrote:

Please elaborate on what certification HAS NOT turned into all those
items you cite?
It is the nature of the beast and this industry.

BTW I am a CISSP and worked in the information security field for 20
years before acquiring the CISSP.

Finishing my master's in information security, which I also feel is a more
solid foundation in terms of discovering new ideas and overall security
management than being 'certified' in some vendor interpretation of
security or IT for that matter.

The only other group I would pursue in terms of a worthwhile
certification is the SANS series. There are probably others as worthy as
SANS, but who has the time to keep track? That develops into another problem,
and where does it end?

Do you believe any vendor firewall, IDS, IPS, OS Platform certification
enlightens you on overall network security management?





-----Original Message-----
From: dreamwvr [mailto:dreamwvr () dreamwvr com] Sent: 11 October 2005 16:51
To: webappsec () securityfocus com
Subject: Re: Notes from CISSP class with Dr. Eric Cole


> A pre requisite for getting certified as a CISSP is to have at least 4 years
> experience in the field of security, in at least one of the domains covered
> in the common body of knowledge.
>
> The certification is also non vendor specific, and to say that it is
> based on jargon or 'certain terminology' is pure folly.
>
> As far as I am concerned, if you have issues with the certification, it
> probably means you haven't got it, or you can't get it. It is doubtful
> the censors will allow this to make the list anyways..

IMHO/FWIW the CISSP certification meant well, it really did. However, it
has noticeably fleshed out into much less than what was intended, of this
I am sure. Don't get me wrong, the 10 domains of knowledge are valid.
However, it is a little offensive for someone with, say, over a decade
of security experience in the domains to find this the only
criteria of validation
for some. (Shall I say a false sense of security? ;-)

It makes one want to avoid corps that use this as their exclusive skill
validation tool..

It has become largely like the MCSE paper program..
It has become a little mucky muck ..
It has become a cash cow..
[...]


Best Regards,
dreamwvr () dreamwvr com





