Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: nnp <version5 () gmail com>
Date: Tue, 11 Sep 2007 00:12:38 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sounds like yet another way for a vendor to make money off stupid
people to be honest. I mean come on, a certificate saying you can
write a stupid Windows 2000 overflow? Who cares? I mean really, who
actually cares that you can do something that any donkey with an hour
or so of free time, a basic understanding of software architecture and a
quick guide from one of several sites can do?

If so-called 'hackers' are so insecure in themselves that they feel
they need a certificate to say they can do something that, to be
honest, is about the bottom rung of the food chain for anyone serious
about it, then they're not the kind of people I'd want to hire anyway.
It's like those certificates for things like 'I swam 10 metres'. Great,
congratulations, it's good for you and all, but you're not exactly on
your way to the Olympics.

A cert like this will be popular with 2 kinds of people. The first are
those that collect certs because they believe it gives them bragging
rights or something. They may have basic competency, but put them up
against something requiring a bit of creativity and they're stumped (a
common trait with the cert-holding elite). The second will be those
that don't have the motivation or the ability to learn this stuff on
their own and are doing it for either career advancement or because of
reasons similar to the first case.

If you're hiring someone for a position that will primarily be an
offensive role and you're going to go looking for people with certs as
a primary recruiting technique then you might as well give up before
you've even started. I would imagine that most of the really good
people wouldn't insult themselves by feeling they need a silly piece
of paper to say they can do something they could do in their sleep and
if they see that your organisation is recruiting based on this kind of
'achievement' it already reeks of corporate red tape and the very
stuff most hackers will want nothing to do with.

Yup... that's my .02 euro.

nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: http://firegpg.tuxfamily.org

iD8DBQFG5c8WwWIBIgfLjmQRAlodAJ0VGJfrqjmchMZx7lo2NgWwRbZHuQCaAh1r
CvrvO9+kpMykS3KNjE6M6t4=
=Wrdt
-----END PGP SIGNATURE-----

On 9/10/07, Dave Aitel <dave () immunityinc com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing we've been working on here at Immunity are Network Offense
Professional certifications. Essentially it would be practical tests
that established someone was capable of doing certain actions we
should all be able to do.

For example, the first certification was a simple stack overflow
against Windows 2000. Testees would exploit it using Immunity
Debugger/WinDBG and VisualSploit, which would keep it as technology
agnostic as possible. You can either write a simple Win32 overflow or
you can't.

We were going to launch it during DefCon, but had a few other things
going on. :>

- -dave


J.M. Seitz wrote:
Hey Mike,

The CISSP is the undisputed king of information security
certifications. Currently, every now and then a security company
starts pushing their employees towards certification programs.
These are usually known for featuring insanely long exams,
absurdly pedantic requirements and other kinds of doubtfully
respectable necessities.

I wouldn't say it's the king, I would say it has some very broad
objectives, but is more so a Security+ on steroids. When the CISSP
got traction, you have to look at the timing of the certification,
and the fact that the only other certification that would get you a
high paying job was a CCIE, and the CCIE is a nasty cert to get to
say the least. SANS has put out some incredibly strong programs
that can range from technical (GCIH/GCFA/GREM) to CISSP-like
certifications.


We all know that there are several other certifications, but
CISSP brings, without doubt, the very best. Be it a security
operations manager, a field operative or some other kind of
consulting freak, a CISSP will always deliver.

I still disagree, and to be honest, I have interviewed more CISSPs
that couldn't answer questions like "What does PKI stand for?",
"Give me an analogy of a buffer overflow.", "What is transparent
proxying and why is it important in some circumstances?". Come on,
certs are as good as the people who take them, I again disagree.


My question for people out there, is this madness _that_
necessary? Do we have a good reason for spending loads of budget
on certification programs and wasting our companies' money in
such investments?

Yep, again it's a baseline, one for HR. The people to watch out for
are the ones who go the extra mile. Someone who has a GCIH most
definitely doesn't make me giggle with glee, but someone who has a
GCIH Gold I look forward to meeting with, and definitely love to
engage on their research topic. It's worth a company's time and
money to do it: (a) employees are more loyal to companies that give,
(b) you'd be amazed at how often you will apply things straight
from a certification.

Employees feel constrained since they might lose the
certification after quitting their jobs, surfing towards another
employer as intrusive and wasteful as the previous one, etc.

Not sure how you would lose a certification if you left your job?
Once you write the exam, it's yours not your company's.

If certifications exist for ethical hackers, are we going to see
certifications for unethical hackers anytime soon? What if the
mob and shady underground organizations needed to certify that
they are employing the very best of the federal prison's Module
5? Will a Certified Unethical Software Security Expert (CUSSE)
certification ever exist? "My name is Lincoln Six Echo, Certified
Information Insecurity Systems Professional".

http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html

There ya go :) I bet one or two unscrupulous people are
"black-belts" :)

In the end, certifications are good, but the reality is that they
are only good if you are looking for work, and you get what you put
into them. You want to get noticed in the security world? Build a
tool, join and help people on forums, help Sourcefire write
signatures (they need it), contact George Theall at Tenable and ask
if you can help write NASL plugins, help the OSVDB with mangling.
These are all things that will help round out a newcomer, and add
it to the list of things that can benefit you when it's time to go
job hunting. Now, if you _really_ want to get noticed, tackle the
tough problems, write books, and try to talk at Black Hat, etc.

Coming from an unknown security guy, low profile, I am still in the
phase of doing all of these things. As such I have a Sec+ and a
GCIH (which I am wrapping up my research paper on), and I can
honestly say I do use some of it in my day-to-day. You don't see
these acronyms on my email signature but that's because I am not
looking for work :)

JS



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG5Uq/B8JNm+PA+iURAl+CAKDAkJkhJvSNf+lIAtF55A6IotizfgCgtZiP
od5Gzue0h/Q6P4MTq5E7/pM=
=VXSu
-----END PGP SIGNATURE-----




-- 
http://www.smashthestack.org
http://www.unprotectedhex.com