RE: Notes from CISSP class with Dr. Eric Cole

["Mark Roxberry" <mroxberr () msn com>]

"That customer now checks the background
> > > and even tests CISSP before they are allowed to do any work."

"allowed to do any work"  CISSP is not for techs, plain and simple.  There
are those that use it to boost their image as a tech, but it's not tech.
It's like asking an MBA to be a retail clerk.  

Personally, as a CISSP, I consult clients on Risk Analysis, Disaster
Recovery Planning and Business Continuity, and Legal / Investigative
(Forensic Analysis).  I farm out tech work to many different companies
(IDS/IPS providers, Physical security providers).  Like finding a
specialist.  Does that make me unqualified as a pen-tester with 5 letters
after my name?  Sure.  So what?  You can get an MD in Guatemala or order
your JD online.  Just a bunch of letters.  One thing that my experience as a
CISSP has taught me, of all fields, DUE DILIGENCE is mandatory.  The
anecdotes provided only show that companies hiring people are not performing
due diligence.  They're even more guilty than the fraud they hired.

Mark Roxberry, CISSP


> -----Original Message-----
> From: kgp () nethere com [mailto:kgp () nethere com]
> Sent: Wednesday, October 12, 2005 12:24 PM
> To: Saqib Ali
> Cc: intel96; PPowenski () oag com; dreamwvr () dreamwvr com;
> webappsec () securityfocus com
> Subject: Re: Notes from CISSP class with Dr. Eric Cole
>
> I'm glad this was stated.
>
> I was going to say something similar but Saqib said it more eloquently.
> I will reinforce the statement.
> An SSCP should be able to perform some technical skills (this hasn't
> caught
> on however). A CISSP is a managerial qualification. Lee Iacocca better
> know
> damn well how to manage car manufacturing, risks, architecture, and
> appropriate laws. But it would be a mistake to think he could go operate
> the machinery. I'd even go so far as to say he may know a great deal about
> the machinery (mean time to failure, load capacities, etc) but he wouldn't
> know what knobs to turn or buttons to push.
>
> Nothing in the CISSP focuses on anything very technical. Why would we
> expect
> a CISSP to do things we didn't test them on?
>
> Kevin
>
> Quoting Saqib Ali <docbook.xml () gmail com>:
>
> > > The second case involved a pentest where a CISSP had conducted a
> > project
> > > for a web portal.  The CISSP told the customer the portal was secure,
> > > but the customer had concerns about the quality of the work perform.
> > > Again I was called in to check the other CISSP's work and I was able
> to
> > > gain root access in 6 hours.  That customer now checks the background
> > > and even tests CISSP before they are allowed to do any work.
> >
> > It is not the job of a CISSP to tell if a application is secure (hack
> > proof) or not. It is like asking a District Attorney to perform Police
> > Detective work. It doesn't work like that. You need a different
> > skillset to perform detective work.
> > --
> > In Peace,
> > Saqib Ali
> > http://www.xml-dev.com/blog/
> > Consensus is good, but informed dictatorship is better.