Firewall Wizards mailing list archives

RE: CISSP


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 28 Nov 2001 17:50:23 -0500 (EST)


Sean,

Please, do understand, I am not directing any attacks at you.  I'm arguing
my ideals and points against yours, only that.  But, I do see a general
lack of skills in the industry, and face them all the time, as the bottom
line gets in the way of paying for the 'skills' that it takes time and
experience for people to gain.  Common sense in the IT industry at large
is lacking, let's face it; that in and of itself makes all our jobs that
much harder.  If only because we are not only battling against that idiot
admin across the country/globe that has refused to patch their systems for
more than 6 months and did little to harden their exposed systems in the
first place, think Code Red and Nimda as an example here and expand upon
it, as well as having to take on more than our fair share at our
own company 'cause our fellow employees take no pride in their workmanship
and are only interested in taking home a paycheck, whether or not the
money was earned, MCSE/CISSP aside.  I've never cared much how many SANS
conferences people I've worked with attended, and some sure attended quite
a few, while getting paid, and learned absolutely nothing!, nor how many
letters they can place after their signatures, as long as when they roll up
their sleeves and pound the keyboard it was for something other than web
surfing.

But, please, take nothing I say here as a direct attack upon yourself.
I actually like the way you argue your points <smile>, we might well be
friends if placed in co-joined offices or cubes!  No matter how loudly we
might argue our points...

Thanks,

Ron DuFresne

On Wed, 28 Nov 2001, Baumann, Sean C. wrote:

Looks like no one will win this discussion.  I have plenty of experience in
security and system administration.  I have my BS and will have my MS (CS of
course) in May.  I still found the exercise of studying for the CISSP
helpful.  Granted it did not force me to learn anything new technically, but
now I understand how higher level concepts (management if you will) do
affect how you have to implement things technically.  Issues like evidence
handling, employee monitoring, etc. have legal ramifications that could make
or break your company.  I'm not a big fan of "certifications" in general, but
anything that forces you to be exposed to things for the betterment of the
profession, then I am all for it.  While you may find most of the issues common
sense, how many people do you think work in information security (not just
system administration!) that are not quite as swift as you?  Maybe you're
just the exception to the rule.

Regards,
Sean

******************************************
Sean C. Baumann, CISSP  Phone:240/453-3342
Security Engineer       Fax  :240/453-3305     
Celera Genomics    sean.baumann () celera com
         http://www.celera.com
******************************************


-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Wednesday, November 28, 2001 4:44 PM
To: Baumann, Sean C.
Cc: 'robert_david_graham'; ark () eltex ru; 'David Hawley'
Subject: RE: [fw-wiz] CISSP



Actually, 75% of systems security is merely common sense system
administration, something sorely lacking in the industry at large.  When
major companies marketing security tools and trinkets can have userbases
consisting of users that are four years gone to the winds of time, and
admins that install packages without fixing not only permissions, but
ownerships of files and directories, and even those admins being four
years gone with the wind, and those files and directories being inherited
into the company's systems imaging schema, when a focus upon secure
passwords for internal users ignores the fact that 75% of their systems
lack a shadow password system, mostly defeating this endeavor <are you
listening Mr. Hare?>, then there is a major stink in the industry at
large.  And this is not a smack against M$/windows users, but smacks in
the face of unix geared folks.  Common sense and key administration skills
are seriously lacking, and the corporate world does not mind that it is,
as long as matters are easy enough for users to do what they think they
need to do to accomplish the bottom line.  Even at the minimum, 50% of
system forensics is common sense, so, I for one don't buy it, sorry.

Thanks,

Ron DuFresne

On Tue, 27 Nov 2001, Baumann, Sean C. wrote:

Agreed.  However, you do need to know things like how to handle evidence and
planning for disasters.  You need to know how your actions of securing and
monitoring systems affect your company's ability to prosecute intruders,
etc.  Engineers should not be lawyers, but they should still be well rounded
and understand the security industry.

Regards,
Sean



-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Tuesday, November 27, 2001 2:19 PM
To: Baumann, Sean C.
Cc: 'robert_david_graham'; ark () eltex ru; 'David Hawley';
firewall-wizards () nfr com
Subject: RE: [fw-wiz] CISSP


On Tue, 27 Nov 2001, Baumann, Sean C. wrote:

You must also take into account that the CISSP is not just
technical knowledge, but also management and organizational (policy,
disaster recovery, law, etc) knowledge that MANY people who are so called
"wizards" have never been exposed to.

It's for this very reason that my feelings on CISSP certs are they are far
too broadly based and perhaps should be more categorical.  Security
engineers should not be lawyers, and only occasionally management
oriented, should they decide to take that track professionally.  The guys
in the trenches, administering the policies laid out by upper management
should have the skills and tools and understanding to do that; it's enough
of a job for them and they already wear far too many hats on the job as it
is.  My job is to secure and maintain systems, not worry about how many
cameras are watching folks in the restrooms and such, nor worrying about
the company's lawyers' job<s>.


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

