AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

["Horst Moll" <Horst.Moll () tts-security com>]

Hi to everyone.

The main question is if a particular certification does prove your skill?
Yes it does, no matter if you passed by going through a boot camp or because
of your experience. Does a certification prove your experience? No, not at
all.
I've several certification starting with Microsoft, Check Point, ISS,
CISSP,....
Of course I've learned a lot through studying the materials for the certs,
but I've learned even more through going the hard way in projects. Many
people crossed my way with even more certs but no experience. So how can you
distinguish between those with only the skills but no experience? Only in
projects.

On the other hand, if you have enough experience for example working with
Check Point, you should easily pass the CCSA or CCSE exam. Or if you have
enough experience in the security field, you should easily pass the CISSP
exam. Is that the case? 
I've always used the Certs to prove my experience. 

So the question is what is more important, experience or skill? In my
opinion experience. Getting new customer or projects, the certs are always
dooropener. But doing a good job to satisfy the customer you need enough
experience and knowledge. 

But on the other hand the business drives the certs. If you are respopnsible
for a very important project and you have to chose the contractor. Which one
would you use? The one with the most experience or the on with the certs?
Most of the time the poeple chose the one with the certs. Why? Because if
anything goes wrong they can say : " Not my fault, because I've choosen the
one with the best certs." And their boss would say: "OK, than it is not your
fault". But what if he had choosen the one'S without  the certs? "How could
you chose the people without checking their experience?"

So from my point of view any cert shows that you have skills about the
particular area, tested in the exam. It does not show how you are able to
use that knowledge in real life projects. That's why my business card show
two numbers 95/01 and no certs. People ask and I answer: Since 1995 I'm in
the IT business and since 2001 I'm working the the IT security area. How can
you prove that? Because I'm a certified CCSA, CCSE, MCP, CISSP ,.......

OK, even working for more than 5 years in the IT Security area does not
prove if I'm doing a good job, that can only be proven by reference or
projects.

Just my 2 Cents

:-)Horst

-----Ursprüngliche Nachricht-----
Von: Jim [mailto:jimk () missinglinksecurity com] 
Gesendet: Montag, 31. Juli 2006 19:17
An: David Cross; Pete Herzog; Wolf
Cc: Robert E. Lee; pen-test () securityfocus com
Betreff: Re: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)

Wolf

I think you are right on track with this issue.  I know people with the
CISSP certs that should not even be in the industry.

Jim
Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Wolf <wolfiroc () earthlink net>
Date: Sun, 30 Jul 2006 23:28:23 -0400 (GMT-04:00) To:Pete Herzog
<lists () isecom org>, David Cross <davidcross () Post-N-Track com> Cc:"Robert E.
Lee" <robert () dyadsecurity com>, pen-test () securityfocus com
Subject: Re: Hacker Stories, Certs,
 vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

Hi David and Pete,
I really take the statement "... mastery of all aspects of security" as a
bit of a challenge as well as an insult to those who truly have mastered
their craft, but do not have the CISSP.  I do - as well as OPST, OPSA, IEM
and IAM.  Fact -not boasting or professing mastery.  Too much comes down the
road each day to profess mastery at all aspects of security.  If there were
so many masters out there, then we wouldn't have configuration management
issues, patch management and implementation issues, and every system and
network could be certified and accredited as being operationally secure.  
I know for a FACT that  some CISSPs have little or no experience or
understanding in the field, yet managed to take a damn good test!  If the
prereqs were checked or truly told, they never would have been eligible.
Not a rant just something to think about the next time you claim mastery!

-----Original Message-----
> From: Pete Herzog <lists () isecom org>
> Sent: Jul 30, 2006 5:39 AM
> To: David Cross <davidcross () Post-N-Track com>
> Cc: "Robert E. Lee" <robert () dyadsecurity com>, 
> pen-test () securityfocus com
> Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium 
> MAC Address Changer v3.1 (FREEWARE)
>
> Hi David,
>
> > The CISSP credential is not a networking credential.  It is a general 
> > security credential showing mastery of all aspects of security, not 
> > an in-depth knowledge of one.  A CISSP would be expected to serve in 
> > an
>
> I think "mastery" includes capability and not just knowledge thereof.  
> To master something means to be at the top of a craft.  It means to 
> know something deeply and to be able to apply that knowledge broadly.  
> I disagree that a CISSP shows a mastery of all things security.
>
> > advisory or audit capacity and not in a network engineer capacity.  
> > The
>
> Just broad knowledge of security best practices to apply broadly where 
> one sees them is unhealthy to any organization.
>
> > If a CISSP with no experience is applying for a networking job then 
> > shame on them.  If you hire a CISSP for a networking job when they 
> > have no specific networking experience then shame on you.
>
> And yet they do all the time.  Many of us know many CISSPs who didn't 
> have the experience, were able to fudge it, and were able to get their 
> certification without having any problem finding another CISSP vouch 
> for them. Talking a solution does not show successful implementation of
one.
> > Credentials can only be looked at to strengthen the credibility of a 
> > person's resume, not to create credibility where this is no experience.
>
> Not true. Certification can provide those lacking experience to show 
> ability and be an asset to an organization in that particular field. So 
> it can show credibility where no experience exists. People already do 
> this now looking to switch job descriptions, need to learn a specific 
> aspect of a job, seek to enhance current ability, or to improve their 
> marketability for new jobs.
>
> > Either way if you are going to criticize things in public you should 
> > know what you are talking about or you will just point out to 
> > everyone that you don't know the industry as well as you think.
>
> I agree with that statement however I also think putting on 
> rose-colored glasses does not make the current industry on-goings any 
> rosier for other people who end up being the victims instead of the
benefactors of security.
> -pete.
>
> -----------------------------------------------------------------------
> -------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security? 
> Why not go with the #1 solution - Cenzic, the only one to win the 
> Analyst's Choice Award from eWeek. As attacks through web applications 
> continue to rise, you need to proactively protect your applications 
> from hackers. Cenzic has the most comprehensive solutions to meet your 
> application security penetration testing and vulnerability management 
> needs. You have an option to go with a managed service (Cenzic 
> ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download 
> FREE whitepaper on how a managed service can help you: 
> http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm 
> your results from other product. Contact us at request () cenzic com for
details.
> -----------------------------------------------------------------------
> -------


----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------