Penetration Testing mailing list archives
RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "Strand, John (Mission Systems)" <John.Strand () ngc com>
Date: Fri, 28 Jul 2006 07:45:28 -0600
David, Just a few small corrections. We don't want to scare anyone away from the test because they feel they do not fit the requirements you presented. First, you do not need 6 years of "security" work you only need to have 4 working in one of the 10 CBKs. Second, you do not need to have a CISSP vouch for your experience. An employer or manager will suffice. For maintenance, it requires 120 CPEs within three years.. These break out differently for different activities, but I don't think it would equate to "several hundred hours." I think it would be great if you did hundreds of hours, even thousands, but that is a digression. I agree that someone who has a CISSP thinking that they can now be a network security engineer, or a pen-tester solely on the CISSP alone is a tragedy. It is also a tragedy when a company only hires based on certs... Of any kind. I think this whole discussion about certs is a bit odd. I have seen people with masters, and PhDs in some IT field who knew little about practical applications, or much else for that matter. I have seen people with no security certs at all who were some of the most brilliant security engineers I have ever met. There are always exceptions and extremes. I think that the CISSP is a great cert for a person who wants to augment a current skill set (system admin, law, developer) and become more robust by getting an overview of security. It is also a great first transitional step into the world of security. But I would not let you touch my firewall simply because you have a CISSP. A long time ago I hoped that some cert like the CISSP would stand as the equivalent to becoming a licensed engineer, layer, or Doctor. This never came to pass. Hope springs eternal. john -----Original Message----- From: David Cross [mailto:davidcross () Post-N-Track com] Sent: Thursday, July 27, 2006 2:38 PM To: Robert E. Lee Cc: pen-test () securityfocus com Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Since you believe that a CISSP can be passed with no experience certainly you would also be aware that it has a practical experience requirement of 6 years of security work prior to being eligible for the test. It also requires that another CISSP vouch for your experience. It also requires that you show proof (yes actual proof) of industry experience for every year after you pass the test to the tune of several hundred hours of training and volunteer work (assuming you can pass the test it with a score greater than 70% of the applicants scores). It requires an ongoing credit-based system where you have to have served on industry boards, done volunteer work, written articles, published books and a number of other things. If you are lucky enough to pass all these requirements and when audit time rolls around and it's discovered that you didn't have the 6 years experience or you didn't really do all you said you did then you lose your credential and can never re-apply. Sure maybe you know someone who's taken a course and gone and passed the test but I bet you didn't know that many of them have not received their credential due to the lack of a credentialed CISSP to vouch for them or due to lack of actual ongoing experience to add to their credential after the fact. The CISSP credential is not a networking credential. It is a general security credential showing mastery of all aspects of security, not an in-depth knowledge of one. A CISSP would be expected to serve in an advisory or audit capacity and not in a network engineer capacity. The CISSP program also has specific knowledge area credential programs specific to application security among other things which apply to specific jobs. If a CISSP with no experience is applying for a networking job then shame on them. If you hire a CISSP for a networking job when they have no specific networking experience then shame on you. Credentials can only be looked at to strengthen the credibility of a person's resume, not to create credibility where this is no experience. Either way if you are going to criticize things in public you should know what you are talking about or you will just point out to everyone that you don't know the industry as well as you think. David -----Original Message----- From: Robert E. Lee [mailto:robert () dyadsecurity com] Sent: Thursday, July 27, 2006 4:40 AM To: shreyas () technitium com Cc: shreyasonline () yahoo com; slamboy () gmail com; pen-test () securityfocus com Subject: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) The "practical application" portion of the CISCO CCIE certification is why organizations can trust the CCIE job applicant can serve a useful cisco networking function in their organization. Any certification that fails to measure the candidates actual ability to perform a useful function in the subject of the certification is useless (ala CEH, CISSP, CISA, CISM, which can all be passed with 0 years of experience). To the best of my knowledge about the current infosec certs, ISECOM's OPST (www.opst.org) and OPSA (www.opsa.org) come the closest to fulfilling the the practical measurement requirement. For what it's worth, we would not consider hiring a candidate who advertised that they have a CEH certification. If you want to stand out in an interview, perform a useful function that your peers respect you for. Presenting your ideas at conferences or contributing to computer security research papers and projects will get you a lot more credibility in a job interview than "hacking stories" or "hacker certifications". There are a lot of projects to choose from. If none of them excite you, start your own. ;) Robert -- Robert E. Lee Chief Information Officer http://www.dyadsecurity.com phone: (949) 394-2033 fax : (949) 486-6601 email: robert () dyadsecurity com ------------------------------------------------------------------------ ------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------ ------ ------------------------------------------------------------------------ ------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------ ------ ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Graves, Jamie (Jul 27)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Shahin Ansari (Jul 27)
- <Possible follow-ups>
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) David Cross (Jul 27)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Syv Ritch (Jul 27)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Strand, John (Mission Systems) (Jul 29)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) R. DuFresne (Jul 29)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Pete Herzog (Jul 30)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer ankur jindal (Jul 31)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Marc Munk (Jul 31)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Michal Merta (Jul 31)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Nathan Sportsman (Jul 31)