Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 3 Sep 2007 21:40:26 -0500

On 9/3/07, Michael Myers <tehshape () info-pull com> wrote:
> The CISSP is the undisputed king of information security
> certifications.
>
> Two reasons why:
> 1)  The CBK (compare Business Analyst to Security Analyst)
> 2)  The ethical sign-off

> Currently, every now and then a security company
> starts pushing their employees towards certification programs. These
> are usually known for featuring insanely long exams, absurdly pedantic
> requirements and other kinds of doubtfully respectable necessities.

Instructional capital around a particular technology or sub-set in order to denote specialization within a field.

Microsoft, Oracle, and Cisco have their equivalents.  These are meant to show domination in those areas of technology 
by making "learning easy" by providing a path to supposed excellence.

> We all know that there are several other certifications, but CISSP
> brings, without doubt, the very best. Be it a security operations
> manager, a field operative or some other kind of consulting freak, a
> CISSP will always deliver.

http://en.wikipedia.org/wiki/Business_Analyst

> The problem is that we end with such a diverse, heterogeneous (no
> sexual connotations here), span of certifications that newcomers
> really don't know where to start.

There are too many security products/solutions.  Thus, analyst level knowledge is most important.

Start with CISSP.  Specialization areas include: pen-testing (OSSTMM), SDLC/code review (OWASP), auditing/compliance 
(CISA), and incident response (FIRST).  Important areas such as vulnerability management, network security, and process 
improvement are currently wrapped up under compliance because they are all well-known.  Eventually everything will be 
under the compliance umbrella.

Everything else is too narrow, and quickly becomes "spoon-fed" information.  Nobody needs a firewall (quick thoughts of 
Cisco PIX/ASA, CP on Nokia, Netscreen) - what they need is network level access-control.  Can a router or software 
firewall provide that?  Nobody needs NAC - what they need is endpoint security.  Can Vista and SSL provide that?

> My question for people out there, is this madness _that_ necessary? Do
> we have a good reason for spending loads of budget on certification
> programs and wasting our companies' money in such investments?

Investments in individual capital (talent) that can build instructional capital (training) provides a better 
investment, especially over time.

Instructional capital is cheapest when done in-house (Lunch 'n Learn).  It is next most cheaply done at local, free 
events (OWASP, CitySec, 2600) or cheap local events (ISSA).  Vendors sometimes offer local events on the cheap or free 
(Secure Software Forum from SPI).  The next comes with the yearly local (or regional) conferences, specifically the 
cheap forty to eighty dollar ones (ToorCon).

I think some certifications are great.  One person at my local CitySec recently mentioned a reluctance to get CISSP 
because it was a lot to spend in one lump.  Cheap certs are always possible - CCNA, MCSA, and ITSM being my top 
favorites (all under 150 dollars), and then possibly CWNA, Oracle, various Linux/Sun, and other Microsoft and Cisco 
specializations.

Some certs are priced somewhere in between the basic level and CISSP such as SANS, Security+, CEH, and the ones that 
promise "hacker" level skills.  I encourage you to not waste your time on these.  BTW - training classes for certs are 
a complete waste of money... at least last I checked.

If your company seeks higher levels of expertise and has the money... go with the NSA IAM / IEM classes/certs.  Again, 
these certs provide analyst skills like CISSP, CISA, CISM, etc.

Lastly, there are forms of learning left completely unmentioned such as "books".  Every serious company will pay for 
their employees to have SafariBooksOnline Library access, full ACM (including Books24x7 access), Audible.com and an 
iPod, and a group spending account on Amazon or Bookpool.  Want to measure something effective out of this spending?  
Lunch 'n Learns based on book reports.

> If certifications exist for ethical hackers, are we going to see
> certifications for unethical hackers anytime soon?

ImmunitySec has classes for such.  I suppose a good certification measure for unethical hackers would be something akin 
to: "wrote Metasploit module x.  Here is a sample" or "I was responsible for Code Red".  It appears that the online 
organized crime recruitment methods follow the old Andersen Consulting logic of "hire top 5% of ivy league right out of 
school".  Why?  Because they make good analysts!

They have the money to pull these sorts of stunts off.  Then they leverage these individuals to create instructional 
capital in the very same ways that I described above.

Cheers,
Andre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

