Penetration Testing mailing list archives
AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "Horst Moll" <Horst.Moll () tts-security com>
Date: Tue, 1 Aug 2006 09:23:13 +0200
Hi to everyone. The main question is if a particular certification does prove your skill? Yes it does, no matter if you passed by going through a boot camp or because of your experience. Does a certification prove your experience? No, not at all. I've several certification starting with Microsoft, Check Point, ISS, CISSP,.... Of course I've learned a lot through studying the materials for the certs, but I've learned even more through going the hard way in projects. Many people crossed my way with even more certs but no experience. So how can you distinguish between those with only the skills but no experience? Only in projects. On the other hand, if you have enough experience for example working with Check Point, you should easily pass the CCSA or CCSE exam. Or if you have enough experience in the security field, you should easily pass the CISSP exam. Is that the case? I've always used the Certs to prove my experience. So the question is what is more important, experience or skill? In my opinion experience. Getting new customer or projects, the certs are always dooropener. But doing a good job to satisfy the customer you need enough experience and knowledge. But on the other hand the business drives the certs. If you are respopnsible for a very important project and you have to chose the contractor. Which one would you use? The one with the most experience or the on with the certs? Most of the time the poeple chose the one with the certs. Why? Because if anything goes wrong they can say : " Not my fault, because I've choosen the one with the best certs." And their boss would say: "OK, than it is not your fault". But what if he had choosen the one'S without the certs? "How could you chose the people without checking their experience?" So from my point of view any cert shows that you have skills about the particular area, tested in the exam. It does not show how you are able to use that knowledge in real life projects. That's why my business card show two numbers 95/01 and no certs. People ask and I answer: Since 1995 I'm in the IT business and since 2001 I'm working the the IT security area. How can you prove that? Because I'm a certified CCSA, CCSE, MCP, CISSP ,....... OK, even working for more than 5 years in the IT Security area does not prove if I'm doing a good job, that can only be proven by reference or projects. Just my 2 Cents :-)Horst -----Ursprüngliche Nachricht----- Von: Jim [mailto:jimk () missinglinksecurity com] Gesendet: Montag, 31. Juli 2006 19:17 An: David Cross; Pete Herzog; Wolf Cc: Robert E. Lee; pen-test () securityfocus com Betreff: Re: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Wolf I think you are right on track with this issue. I know people with the CISSP certs that should not even be in the industry. Jim Sent via BlackBerry from Cingular Wireless -----Original Message----- From: Wolf <wolfiroc () earthlink net> Date: Sun, 30 Jul 2006 23:28:23 -0400 (GMT-04:00) To:Pete Herzog <lists () isecom org>, David Cross <davidcross () Post-N-Track com> Cc:"Robert E. Lee" <robert () dyadsecurity com>, pen-test () securityfocus com Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Hi David and Pete, I really take the statement "... mastery of all aspects of security" as a bit of a challenge as well as an insult to those who truly have mastered their craft, but do not have the CISSP. I do - as well as OPST, OPSA, IEM and IAM. Fact -not boasting or professing mastery. Too much comes down the road each day to profess mastery at all aspects of security. If there were so many masters out there, then we wouldn't have configuration management issues, patch management and implementation issues, and every system and network could be certified and accredited as being operationally secure. I know for a FACT that some CISSPs have little or no experience or understanding in the field, yet managed to take a damn good test! If the prereqs were checked or truly told, they never would have been eligible. Not a rant just something to think about the next time you claim mastery! -----Original Message-----
From: Pete Herzog <lists () isecom org> Sent: Jul 30, 2006 5:39 AM To: David Cross <davidcross () Post-N-Track com> Cc: "Robert E. Lee" <robert () dyadsecurity com>, pen-test () securityfocus com Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Hi David,The CISSP credential is not a networking credential. It is a general security credential showing mastery of all aspects of security, not an in-depth knowledge of one. A CISSP would be expected to serve in anI think "mastery" includes capability and not just knowledge thereof. To master something means to be at the top of a craft. It means to know something deeply and to be able to apply that knowledge broadly. I disagree that a CISSP shows a mastery of all things security.advisory or audit capacity and not in a network engineer capacity. TheJust broad knowledge of security best practices to apply broadly where one sees them is unhealthy to any organization.If a CISSP with no experience is applying for a networking job then shame on them. If you hire a CISSP for a networking job when they have no specific networking experience then shame on you.And yet they do all the time. Many of us know many CISSPs who didn't have the experience, were able to fudge it, and were able to get their certification without having any problem finding another CISSP vouch for them. Talking a solution does not show successful implementation of
one.
Credentials can only be looked at to strengthen the credibility of a person's resume, not to create credibility where this is no experience.Not true. Certification can provide those lacking experience to show ability and be an asset to an organization in that particular field. So it can show credibility where no experience exists. People already do this now looking to switch job descriptions, need to learn a specific aspect of a job, seek to enhance current ability, or to improve their marketability for new jobs.Either way if you are going to criticize things in public you should know what you are talking about or you will just point out to everyone that you don't know the industry as well as you think.I agree with that statement however I also think putting on rose-colored glasses does not make the current industry on-goings any rosier for other people who end up being the victims instead of the
benefactors of security.
-pete. ----------------------------------------------------------------------- ------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for
details.
----------------------------------------------------------------------- -------
---------------------------------------------------------------------------- -- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ---------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Horst Moll (Aug 01)