Re: [ok] Certifications

[Scott Renna <srenna () vdbmusic com>]

You know, i noticed that recently.  I used to be at Symantec and several 
analysts had attended GIAC training and never completed the paper.  It 
always bothered me because it's such an incredible waste of money.  As 
soon as the paper length for GCIA was dropped to 25 pages, there was a 
resurgence of interest, like now i can do it because it's so easy.

I have to say though, that doing the GCIA in 25 pages is more difficult 
than in 70, like I did.  25 pages is not alot of space to communicate 
your point.  New GIACs must be concise and effective at communicating 
their ideas.

The online exam thing...yeah kind of sucks because who knows who is 
taking the exam.  I have not heard of anyone paying another to write 
their paper, but I guess I could see it happening.

The GIACs are arduous but so worthwhile. You'll learn more than you ever 
imagined.  I may even be doing another GIAC Challenge for GCFW, so you 
may see my next paper float your way..



Clement Dupuis wrote:
> Good day Scott,
>
> I totally agree with you that the GIAC's certs are definitively very
> challenging.  I have done a few myself and can only agree.
>
> There are only a few points that bother me with the SANS GIAC certification
> process.  The first one is that the paper that must be written is done at
> home without any supervision.  Does this means that some people will attempt
> to cheat, you bet!!  I have done my fair share of grading on the GCFW exams
> and we did catch quite a few that had plagiarism or simply copied on others.
> However, there are smarter ones who could simply buy their way in and get
> someone to write it on their behalf.   The same applies for the exam, they
> are web based and unsupervised, which means you have no clue who is really
> doing the exam.  Lately SANS has lowered their requirement for their paper,
> they are now asking for papers that are a lot shorter, they are targeting
> around 30 pages.  I am afraid this will water down the requirements a bit.
> You know as well as I know that defining a company security architecture or
> analyzing 900 megs of data takes a whole lot more.  I guess the scenarios
> will be changed and focused on more specific subset if they wish to really
> reduce the size.  
>
> The only changes I would really like to see from SANS would be to have
> supervised tests and a written challenge that is supervised as well.  That
> would add a lot of value and prove that the person really did the test and
> is able to perform within the sphere of expertise that they have learned.
> It would be easy for them to add a day to their current conference to
> perform testing onsite instead of relying on someone claiming they are who
> they pretend to be.
>
> Comparing the CISSP to the GIAC Exams is like comparing fire and water.  One
> is very technical in one specific domain while the other if very general in
> a lot of domains and management oriented.
>
> Take care
>
> Clement
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Scott Renna
> Sent: Monday, November 22, 2004 9:48 AM
> To: Curt Purdy
> Cc: 'Paul'; full-disclosure () lists netsys com
> Subject: Re: [ok] [Full-disclosure] Certifications
>
> I would agree with these statements as well.  I'm carrying 2 GIACs(GCIA 
> and GCIH) as well as CISSP.  I feel that the CISSP is a very broad 
> general overview of the concepts of security; however, there are far too 
> many unqualified people attending boot camps and passing the 
> examination.  The CISSP definitely helped get me in the door for jobs, 
> but if you want some really technical meaty stuff that requires study 
> and talent, I would recommend pursuing the GIACs.  Each one of them 
> requires that the candidate write a paper and if that passes, you get to 
> take the exams.  This way of testing ensures that the student has not 
> just spent time memorizing things like HIPAA enforcement.  It's a rough 
> journey, but you'll learn alot pursuing a GIAC.
>
> Scott Renna CISSP, GCIA, GCIH, CCNA, CCDA
>
>
> Curt Purdy wrote:
>
> > Paul wrote:
> >
> >
> > > While I gotta agree that experience is what counts, what (if 
> > > any) specialist certs should a tertiary student, with a 
> > > special interest in security, use to underpin their prac?
> > >
> > > P.S. If I'm too ignorant to warrant a civil answer, like 
> > > being told to go to the movies, my apologies in advance so no 
> > > flame needed.
> >
> >
> > Not everyone on this list are crude brainless kiddies Paul (though too
>
> many
>
> > are ;) Having said that, let me address your main point.  With a number of
> > letters behind my name (will have to drop the CCDA to accommodate my
> > upcoming GSNA), I feel qualified to answer your question.
> >
> > For some reason the CISSP is considered one of the most prestigious certs.
> > I describe it as a river a mile wide and 6 inches deep.  However, I found
>
> it
>
> > relatively easy to obtain with no schooling required, as were all my other
> > certs, except for the GSEC that required an 8x12-hour day intensive SANS
> > class (in my case complemented with a co-ordinated national meeting of
> > military IS people and keynote by Richard Clarke, who I respect very
>
> much).
>
> > I tell people that you come out of that either scared to death or with a
> > brain, two hat-sizes bigger.
> >
> > Most GIAC certs are very technical in nature. I describe them as being a
> > quarter-mile wide and 20 feet deep. Although I passed the GSEC on first
>
> try,
>
> > the test was much more difficult than the CISSP. That is why I decided to
> > pursue my GSNA as opposed to a CISA.  And in that one 6-day class, I
> > shoe-horned enough stuff in my brain to keep me busy for months.  Well
>
> worth
>
> > the money.
> >
> > My .02
> >
> > Curt Purdy CISSP, GSEC, CNE, MCSE+I, CCDA
> > Information Security Engineer
> > DP Solutions
> >
> > ----------------------------------------
> >
> > If you spend more on coffee than on IT security, you will be hacked. 
> > What's more, you deserve to be hacked.
> > -- former White House cybersecurity adviser Richard Clarke 
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html