Penetration Testing mailing list archives
RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "David Cross" <davidcross () Post-N-Track com>
Date: Fri, 28 Jul 2006 15:19:50 -0500
CISSP != network admin. CISSP = massive amounts of information on how security works, how to structure security in an organization, how to manage it, how to audit it, how to keep it compliant with laws and how to meet best practices. This information is useful only to senior security people who intend to manage security. If you want to know the details of what keeping your credential requires go to ISC2.org and read the details yourself. I'm not going to spend my time babysitting you through it. Also if you actually read the response you see a cert only serves to add credibility to what experience a person claims to have. A cert does not magically imbue you with power from above. WHAT IT DOES DO IS PROVE YOU KNOW ENOUGH OF WHAT YOU'RE DOING TO PASS A VERY DIFFICULT TEST AND IT BINDS YOU TO A CODE OF ETHICS THAT REQUIRES YOU RESPONSIBLY REPORT AND RESOLVE VULNERABILITIES. (the industry as a whole needs that) A cert, in most cases is better than none. When I hire people I ask them about certifications. People tell me "oh, I'm a security expert" and I ask them why they didn't spend the money to prove that they know what they're talking about. The response is always, "I don't have the money," or "I studied but got too busy to take the test." I've never had a person say they didn't think it was necessary. But at this point the burden is on me to test them. So I have to spend $99 of my own money to set them up with an online test to test their knowledge. I have to spend another hundred dollars to have my HR person track down all their references and call each one and quiz them at length. I have to spend 2 or more hours versus one hour to interview them costing a few hundred dollars of my time to try to coax out of them all the insipid details of their experience in all the companies they've ever worked for. So by the time it's all done I've basically paid for them to take the stinking test anyway. A lot of people come to me to find out how they can get certified in computer security. Usually it someone who's been programming for 10 years and they're bummed because they want a more exciting job or a better paying job. They say, "I have always wanted to be a security expert. How did you get your certification?" Notice they don't ask how to become a security expert... only how to get the piece of paper. When I explain what it takes they cheerfully ignore the details and wander starry-eyed back to their cube dreaming of how they will be the next big security expert. Most of them even go buy a study book or books before they get discouraged but there are always one or two that take it a step further. But I've never had one come back and ask for an endorsement or never known one to actually complete it. What I do know is that some of them have gone on to other jobs and convinced companies to hire them as "security experts" sans a certification. <<hey that's s pun - sans meaning "without" and SANS being a certifying body>> Granted I've known great security gurus without certifications... fine... in my opinion if you have a very public and unassailable rep to stand on. If you don't have an industry known rep then you'd better have a cert or string of CVEs to tack on to your resume to get noticed. Either way I'm happy with my investment and I earn a modest 6 figure income netting a cool 25k more than my cert-less buddies. Plus when I consult I can charge well above $100/hr and companies don't even blink. So for me the investment in myself and in my test-taking ability has paid off. If you can do as well without a cert then I concede you are a winner. David -----Original Message----- From: R. DuFresne [mailto:dufresne () sysinfo com] Sent: Friday, July 28, 2006 1:11 PM To: David Cross Cc: Robert E. Lee; pen-test () securityfocus com Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 27 Jul 2006, David Cross wrote:
Since you believe that a CISSP can be passed with no experience certainly you would also be aware that it has a practical experience requirement of 6 years of security work prior to being eligible for
the
test. It also requires that another CISSP vouch for your experience. It also requires that you show proof (yes actual proof) of industry experience for every year after you pass the test to the tune of
several
hundred hours of training and volunteer work (assuming you can pass
the
test it with a score greater than 70% of the applicants scores). It requires an ongoing credit-based system where you have to have served
on
industry boards, done volunteer work, written articles, published
books
and a number of other things. If you are lucky enough to pass all
these
requirements and when audit time rolls around and it's discovered that you didn't have the 6 years experience or you didn't really do all you said you did then you lose your credential and can never re-apply.
Most of which are new requirements instituted a few years ago when a very young Indian gentleman passed the CISSP exam earning the right and fame to claim as the o7ungest certified CISSP in existance. If I recall correctly, his father or fathers comapny vouched for his, at that time 4 years of practical work expierience. It's not hard to get another CISSP to "vouch" for you, I can achieve that with certified's that I've never met notr really corresponded with even, cept the request to sign their mname in the dotted line to get my papers. Now, as for proof of employment, I'm lacking in knowledge here, what is considered proof though? pay stubs for the period? A signed and certified listing from a manager as to the kinds of work preformed? Or merely a resume that documents my supposed history?
Sure maybe you know someone who's taken a course and gone and passed
the
test but I bet you didn't know that many of them have not received
their
credential due to the lack of a credentialed CISSP to vouch for them
or
due to lack of actual ongoing experience to add to their credential after the fact. The CISSP credential is not a networking credential. It is a general security credential showing mastery of all aspects of security, not an in-depth knowledge of one. A CISSP would be expected to serve in an advisory or audit capacity and not in a network engineer capacity.
The
CISSP program also has specific knowledge area credential programs specific to application security among other things which apply to specific jobs.
Umm, no, no "mastery" is show nor demonstrated, it highlights a braod base of knowledge gleend from study prmairly. And I do know certified fewls that have not a single skill in security bascis nor a clue as to any concepts of networking. I'm guessing that the broad base of studies was drunked away the first weekend after "testing".
If a CISSP with no experience is applying for a networking job then shame on them. If you hire a CISSP for a networking job when they
have
no specific networking experience then shame on you. Credentials can only be looked at to strengthen the credibility of a person's resume, not to create credibility where this is no
experience.
Either way if you are going to criticize things in public you should know what you are talking about or you will just point out to everyone that you don't know the industry as well as you think.
I'm sorry you fgeel so threatened cause your cert has such little real merit except to a HR rep or a clueless manager on the prowl for a cheap hire and a cya glance over of the credentials offered by a potential candidate for a position, but thems the facts. Where I work our secrity "guru's" all certified, make about 30k a year, far below our most junior admins who averae in at about 55-60k. Thing is the clueles guru's they can feign along quite awhile and retain those pow checks, while the admins are found out quite quickly as to how well they really know their stuffs. Sad fact here where I work, the sec guru's have taken down production envs on a regular basis, while the admins pick up the pieces and make the fixes, while advising the sec guru's on proper net-ettiquete. Thanks, Ron DuFresne - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 ...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFEymFZst+vzJSwZikRAt8xAJ9fwd2UbKOnZIlG/BPeGPKtyB0zxgCguNeb +H1Wp27ZV13sZF4u0bOagEk= =a8mJ -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE), (continued)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Strand, John (Mission Systems) (Jul 29)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) R. DuFresne (Jul 29)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Pete Herzog (Jul 30)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer ankur jindal (Jul 31)
- RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Marc Munk (Jul 31)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Michal Merta (Jul 31)
- Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer Nathan Sportsman (Jul 31)