RE: CISSP

["Angelacci, Anna M CTR SPAWAR, J616" <anna.angelacci () navy mil>]

Adam, I agree 100% with your posting on this issue. I must also say that
it could be possible for a 14 year old to have that much experience in
the 10 domains. I worked for the SANs Institute as a volunteer years
ago. They had staged IO War games at the seminar in Washington DC, and
had a half dozen young children attend to "Hack the Net." To my surprise
they arrived with their own computers, loaded with the libraries and
scripts from Hxxx. I always assumed young boys at that age would be more
interested in sports or noticing ladies, but that was not the case.
These children spent their days, nights, any spare time they had,
working on how to hack and how to program, a completely amazing group of
young people. Some very prominent firewall appliance vendors set up the
security posture of the multi platform server farm. These young people
found the holes with in 3 days. It was a learning experience to have
them prove nothing is 100%. 
Happy and safe holidays to all 
Annie

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Adam Morey
Sent: Wednesday, December 06, 2006 1:49 PM
To: pen-test () securityfocus com
Subject: RE: CISSP


The CISSP requires that candidates have a minimum of 4 years direct
full-time security experience in one of the 10 domains, this includes
management, creative writing, technical, military MP - anything that is
related to security - the CISSP is not all about firewall rules - it's
completely academic, not technical.  It also requires an officer of your
company, another CISSP or some other official to endorse the candidate
to verify.  While an 11 year old could have 4 years direct security
experience, it is highly unlikely.

There's a lot of knowledge and studying required for the CISSP - as well
as a very long (about 3 hour or so) test.  I took my CISSP a few years
back and I also have a Masters Degree in Information Assurance so I've
studied information security in depth.  Many of the folks in my masters
program took the CISSP after graduating and passed it without studying,
but some failed too.

The CISSP is not a bad certificate to have if you want to know a little
about a lot of different IA areas.  It is truly a mile-wide and an inch
deep as they say.  It makes you memorize a lot about encryption methods,
understand basic criminal investigation procedures, type of locks,
different kinds of fire extinguishers, the network part is very
elementary - what's a router/switch, is goes through a sort of history
of firewalls (proxy, transitive, address translation).  It goes into
policies and procedures, risk analysis, access controls, and quite a bit
about law and ethics.

I don't care who you are - if you can study the 1000 pages recommended
reading - you're probably going to learn something different each time
you read it.

If you didn't know - the CISSP also expires if you don't submit what
they call CPE credits.  Basically you need to attend trade shows, read
books, go to school, watch webinars or volunteer as an exam proctor
etc... to maintain your certification.  This increases the value of the
certificate, as it means those who have it continue to read and
specialize in some way.

I wouldn't let someone near my firewalls without proven work experience,
and about 1000 policy pushes under their belt, product specific certs
are more important here.  I wouldn't even want to know if they had their
CISSP or not.

Adam



> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Nick Besant
> Sent: Tuesday, December 05, 2006 5:45 AM
> To: pen-test () securityfocus com
> Cc: dfullerton () mantor org
> Subject: Re: CISSP
>
> I think it's a worthwhile qualification to have if only from the point

> of view of structured learning.  Unless you've already done a CS or 
> equivalent degree, it's unlikely that you'll have covered some of the 
> architectural or formal methodologies, practices, standards etc that
you
> must know to take the CISSP exam.  On-the-job learning is an excellent

> (I'm biased) way to learn all things security but you only tend to 
> learn  the technologies etc around the environments you're working
with.
> I found the learning process, while covering some out-of-date material

> that I'm unlikely to use in future, did cover some additional areas 
> which I've since applied to projects to my / my employer's benefit.
>
> So; in summary, I would recommend it if you're looking for a broader 
> certification/career path/etc focusing on security.  The breadth (not 
> really the depth) of the body of knowledge has provided me with a way
to
> cement together everything I've learned through working on or personal
> research.   YMMV :)
>
>
> --
> Nick Besant (lists () hwf cc)
>
>
>
> dfullerton () mantor org wrote:
> > Then I wonder if this certification should really have this kind of
> notoriety. Looks like it's not technical and if an 11 years old boy
can
> complete this cert ...it's not about security management experience 
> either.
> > Anyone can give me some good reason to acquire CISSP while not being
> related to money and the wannabe marketing-made notoriety?
> > Personally I done GCIH and GHTQ, the latest is harder and really
related
> to penetration testing. I would like some GOOD reason for someone in
the
> security field for a while and having others, more in deep, technical 
> certification to go on with CISSP.
> > Should we glorify such things? Tell me more about the exam, the
topics
> are quite general and may not be totally in line with the exam and the

> real knowledge being certified.
> > Danny Fullerton
> > ---------------
> > IT Security Specialist, GCIH GHTQ http://www.mantor.org/~northox
> > Mantor Organization
------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
> 000008bOW
> >
------------------------------------------------------------------------
> >
------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
> 000008bOW
------------------------------------------------------------------------





------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------