Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: Jason Alexander <jalexander () plus net>
Date: Tue, 11 Sep 2007 09:32:00 -0700

I think a lot of the answers on this thread seem to concentrate on pen testing knowledge and techniques. The CISSP is 
much more than that (there are ten domains). For example, I am an information security manager and I would never pen test our 
networks. I always call in the "experts" to do this, but having a CISSP helped me gain the knowledge to know if those 
guys are really earning their cash!! Just my 2 cents.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
Kristian Erik Hermansen
Sent: 10 September 2007 13:12
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Information security certifications diversity and getting lost

On 9/10/07, "Thomas Ptacek" <tqbf () matasano com> wrote:
> How do you plan on solving the problems the CISSP has?

> 1. People will "teach to the test".

That is always the case with any test/certification.  Sometimes people don't really care about the topics, just 
about the financial reward it is presumed to bring them by having the cert.  All certs are meant to establish a 
baseline.  If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test 
successfully.  Of course, this doesn't mean that they have any actual experience with security at all.  However, it 
does show that they have the capacity to become somewhat familiar with the material.
Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply 
Laplace transformations correctly and in what context :-)

> 2. Certs get stale fast.

No argument here.  Technology is a fast-paced industry...

What I think would be interesting is a certification that is meant to only be passed by 1% or so of security 
professionals.  You make the questions so incredibly dependent on a wide array of knowledge, that only people who have 
done that sort of stuff before can pass.  You could market it as something like the CCIE -- even have an 8-hour hands-on 
lab exam.  You set up a physical network with various devices to simulate an actual network, and then judge the 
testing candidate based on their technique and how far they are able to penetrate the network layers.  Do they burn one 
of their 0days to get in, and how elegant was their hack?  Of course, I have no idea how many govs/corps/individuals 
would actually be willing to pay for something like this, but that is not the point.  Leave that to the savvy marketing 
and business people.  Maybe such a certification is not viable...

The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think.  In 
that cert, they threw in something that fooled a lot of people.  One of the three stages was a non-standard printf() 
vulnerability on Linux.  In order to exploit it, you needed to have some basic idea of what was going on.  People who 
were just trying standard techniques and then dropping in shellcode would not succeed.  Even writing your own, you had 
to know what you were doing.  Another stage was a publicly disclosed stack-based vulnerability in an FTP server for 
Windows.  And the last stage was a very very simple reverse engineering problem.  Oh, and the prerequisite to all this 
was a written examination, which weeds out the people who don't have any clue at all.  I took this while in the 
presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute.

Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr. Aitel (hi 
dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) 
Even still, a really difficult hands-on security cert is non-existent...
--
Kristian Erik Hermansen
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
