Firewall Wizards mailing list archives
RE: CISSP
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 28 Nov 2001 17:50:23 -0500 (EST)
Sean,

Please, do understand, I am not directing any attacks at you. I'm arguing my ideals and points against yours, only that. But, I do see a general lack of skills in the industry, and face them all the time, as the bottom line gets in the way of paying for the 'skills' that it takes time and experience for people to gain.

Common sense in the IT industry at large is lacking, let's face it, that in and of itself makes all our jobs that much harder. If only because we are not only battling against that idiot admin across the country/globe that has refused to patch their systems for more than 6 months and did little to harden their exposed systems in the first place, think Code Red and Nimda as an example here and expand upon it, as well as having to take on more than our fair share at our own company 'cause our fellow employees take no pride in their workmanship and are only interested in taking home a paycheck, whether or not the money was earned, MCSE/CISSP aside.

I've never cared much how many SANS conferences people I've worked with attended, and some sure attended quite a few, while getting paid, and learned absolutely nothing!, nor how many letters they can place after their signatures, as long as when they roll up their sleeves and pound the keyboard it was for something other than web surfing.

But, please, take nothing I say here as a direct attack upon yourself. I actually like the way you argue your points <smile>, we might well be friends if placed in co-joined offices or cubes! No matter how loudly we might argue our points...

Thanks,

Ron DuFresne

On Wed, 28 Nov 2001, Baumann, Sean C. wrote:
Looks like no one will win this discussion. I have plenty of experience in security and system administration. I have my BS and will have my MS (CS of course) in May. I still found the exercise of studying for the CISSP helpful. Granted it did not force me to learn anything new technically, but now I understand how higher level concepts (management if you will) do affect how you have to implement things technically. Issues like evidence handling, employee monitoring, etc. have legal ramifications that could make or break your company.

I am not a big fan of "certifications" in general, but anything that forces you to be exposed to things for the betterment of the profession then I am all for it. While you may find most of the issues common sense, how many people do you think work in information security (not just system administration!) that are not quite as swift as you? Maybe you're just the exception to the rule.

Regards,
Sean

******************************************
Sean C. Baumann, CISSP
Security Engineer
Celera Genomics
Phone: 240/453-3342
Fax: 240/453-3305
sean.baumann () celera com
http://www.celera.com
******************************************

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Wednesday, November 28, 2001 4:44 PM
To: Baumann, Sean C.
Cc: 'robert_david_graham'; ark () eltex ru; 'David Hawley'
Subject: RE: [fw-wiz] CISSP

Actually, 75% of systems security is merely common sense system administration, something sorely lacking in the industry at large.
When major companies marketing security tools and trinkets can have userbases consisting of users that are four years gone to the winds of time, and admins that install packages without fixing not only permissions, but ownerships of files and directories, and even those admins being four years gone with the wind, and those files and directories being inherited into the companies systems imaging schema, when a focus upon secure passwords for internal users ignores the fact that 75% of their systems lack a shadow password system, mostly defeating this endeavor <are you listening Mr. Hare?>, then there is a major stink in the industry at large. And this is not a smack against M$/windows users, but smacks in the face of unix geared folks. Common sense and key administration skills are seriously lacking, and the corporate world does not mind that it is, as long as matters are easy enough for users to do what they think they need to do to accomplish the bottom line.

Even at the minimum, 50% of system forensics is common sense, so, I for one don't buy it, sorry.

Thanks,

Ron DuFresne

On Tue, 27 Nov 2001, Baumann, Sean C. wrote:

Agreed. However, you do need to know things like how to handle evidence and planning for disasters. You need to know how your actions of securing and monitoring systems affect your company's ability to prosecute intruders, etc. Engineers should not be lawyers, but they should still be well rounded and understand the security industry.

Regards,
Sean

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Tuesday, November 27, 2001 2:19 PM
To: Baumann, Sean C.
Cc: 'robert_david_graham'; ark () eltex ru; 'David Hawley'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] CISSP

On Tue, 27 Nov 2001, Baumann, Sean C. wrote:

You must also take into account that the CISSP is not just technical knowledge, but also management and organizational (policy, disaster recovery, law, etc.) knowledge that MANY people who are so called "wizards" have never been exposed to.

It's for this very reason that my feelings on CISSP certs are they are far too broadly based and perhaps should be more categorical. Security engineers should not be lawyers, and only occasionally management oriented, should they decide to take that track professionally. The guys in the trenches, administering the policies laid out by upper management should have the skills and tools and understanding to do that, it's enough of a job for them and they already wear far too many hats on the job as it is. My job is to secure and maintain systems not worry about how many cameras are watching folks in the restrooms and such, nor worrying about the companies lawyers job<s>.

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards