Penetration Testing mailing list archives
RE: CISSP
From: "Angelacci, Anna M CTR SPAWAR, J616" <anna.angelacci () navy mil>
Date: Mon, 11 Dec 2006 10:11:28 -0500
Adam, I agree 100% with your posting on this issue. I must also say that it could be possible for a 14 year old to have that much experience in the 10 domains. I worked for the SANs Institute as a volunteer years ago. They had staged IO War games at the seminar in Washington DC, and had a half dozen young children attend to "Hack the Net." To my surprise they arrived with their own computers, loaded with the libraries and scripts from Hxxx. I always assumed young boys at that age would be more interested in sports or noticing ladies, but that was not the case. These children spent their days, nights, any spare time they had, working on how to hack and how to program, a completely amazing group of young people. Some very prominent firewall appliance vendors set up the security posture of the multi platform server farm. These young people found the holes with in 3 days. It was a learning experience to have them prove nothing is 100%. Happy and safe holidays to all Annie -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adam Morey Sent: Wednesday, December 06, 2006 1:49 PM To: pen-test () securityfocus com Subject: RE: CISSP The CISSP requires that candidates have a minimum of 4 years direct full-time security experience in one of the 10 domains, this includes management, creative writing, technical, military MP - anything that is related to security - the CISSP is not all about firewall rules - it's completely academic, not technical. It also requires an officer of your company, another CISSP or some other official to endorse the candidate to verify. While an 11 year old could have 4 years direct security experience, it is highly unlikely. There's a lot of knowledge and studying required for the CISSP - as well as a very long (about 3 hour or so) test. I took my CISSP a few years back and I also have a Masters Degree in Information Assurance so I've studied information security in depth. Many of the folks in my masters program took the CISSP after graduating and passed it without studying, but some failed too. The CISSP is not a bad certificate to have if you want to know a little about a lot of different IA areas. It is truly a mile-wide and an inch deep as they say. It makes you memorize a lot about encryption methods, understand basic criminal investigation procedures, type of locks, different kinds of fire extinguishers, the network part is very elementary - what's a router/switch, is goes through a sort of history of firewalls (proxy, transitive, address translation). It goes into policies and procedures, risk analysis, access controls, and quite a bit about law and ethics. I don't care who you are - if you can study the 1000 pages recommended reading - you're probably going to learn something different each time you read it. If you didn't know - the CISSP also expires if you don't submit what they call CPE credits. Basically you need to attend trade shows, read books, go to school, watch webinars or volunteer as an exam proctor etc... to maintain your certification. This increases the value of the certificate, as it means those who have it continue to read and specialize in some way. I wouldn't let someone near my firewalls without proven work experience, and about 1000 policy pushes under their belt, product specific certs are more important here. I wouldn't even want to know if they had their CISSP or not. Adam
-----Original Message----- From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Nick Besant Sent: Tuesday, December 05, 2006 5:45 AM To: pen-test () securityfocus com Cc: dfullerton () mantor org Subject: Re: CISSP I think it's a worthwhile qualification to have if only from the point
of view of structured learning. Unless you've already done a CS or equivalent degree, it's unlikely that you'll have covered some of the architectural or formal methodologies, practices, standards etc that
you
must know to take the CISSP exam. On-the-job learning is an excellent
(I'm biased) way to learn all things security but you only tend to learn the technologies etc around the environments you're working
with.
I found the learning process, while covering some out-of-date material
that I'm unlikely to use in future, did cover some additional areas which I've since applied to projects to my / my employer's benefit. So; in summary, I would recommend it if you're looking for a broader certification/career path/etc focusing on security. The breadth (not really the depth) of the body of knowledge has provided me with a way
to
cement together everything I've learned through working on or personal research. YMMV :) -- Nick Besant (lists () hwf cc) dfullerton () mantor org wrote:Then I wonder if this certification should really have this kind ofnotoriety. Looks like it's not technical and if an 11 years old boy
can
complete this cert ...it's not about security management experience either.Anyone can give me some good reason to acquire CISSP while not beingrelated to money and the wannabe marketing-made notoriety?Personally I done GCIH and GHTQ, the latest is harder and really
related
to penetration testing. I would like some GOOD reason for someone in
the
security field for a while and having others, more in deep, technical certification to go on with CISSP.Should we glorify such things? Tell me more about the exam, the
topics
are quite general and may not be totally in line with the exam and the
real knowledge being certified.Danny Fullerton --------------- IT Security Specialist, GCIH GHTQ http://www.mantor.org/~northox Mantor Organization
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016 00
000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016 00
000008bOW
------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016 00000008bOW ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: RE: CISSP, (continued)
- Re: RE: CISSP mr . nasty (Dec 04)
- Re: Re: CISSP dfullerton (Dec 04)
- RE: Re: CISSP Cony.Zhou (Dec 05)
- RE: Re: CISSP Clement Dupuis (Dec 05)
- Re: Re: CISSP Bruno Cesar Moreira de Souza (Dec 05)
- Re: CISSP Anders Thulin (Dec 07)
- RE: Re: CISSP Clement Dupuis (Dec 07)
- Re: CISSP Joey Peloquin (Dec 07)
- Re: CISSP Nick Besant (Dec 05)
- RE: CISSP Adam Morey (Dec 07)
- RE: CISSP Angelacci, Anna M CTR SPAWAR, J616 (Dec 11)
- RE: CISSP Angelacci, Anna M CTR SPAWAR, J616 (Dec 07)
- RE: Re: CISSP Cony.Zhou (Dec 05)
- Re: Re: CISSP R. DuFresne (Dec 19)
- RE: Re: CISSP Mueller, Daniel (NMCI CIRT) (Dec 20)
- RE: CISSP Craig Wright (Dec 04)
- Re: RE: CISSP mr . nasty (Dec 04)
- RE: RE: CISSP Bates, Chris (Dec 05)
- Re: RE: CISSP Tim Shea (Dec 05)