Dailydave mailing list archives
Re: Information security certifications diversity and getting lost
From: Jason Alexander <jalexander () plus net>
Date: Tue, 11 Sep 2007 09:32:00 -0700
I think a lot of the answers on this thread seem to concentrate on pen testing knowledge and techniques. The CISSP is much more than that (there are ten domains). For example, I am an information security manager and I would never pen test our networks. I always call in the "experts" to do this, but having a CISSP helped me gain the knowledge to know if those guys are really earning their cash!! Just my 2 cents.

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Kristian Erik Hermansen
Sent: 10 September 2007 13:12
To: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Information security certifications diversity and getting lost

On 9/10/07, "Thomas Ptacek" <tqbf () matasano com> wrote:
> How do you plan on solving the problems the CISSP has?
> 1. People will "teach to the test".
That is always the case with any test/certification. Sometimes people don't really care about the topics, just about the financial reward it is presumed to bring them by having the cert. All certs are meant to establish a baseline. If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test successfully. Of course, this doesn't mean that they have any actual experience with security at all. However, it does show that they have the capacity to become somewhat familiar with the material. Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply Laplace transformations correctly and in what context :-)
> 2. Certs get stale fast.
No argument here. Technology is a fast-paced industry... What I think would be interesting is a certification that is meant to only be passed by 1% or so of security professionals. You make the questions so incredibly dependent on a wide array of knowledge, that only people who have done that sort of stuff before can pass. You could market it as something like the CCIE -- even have an 8-hour hands on lab exam. You set up a physical network with various devices to simulate an actual network, and then judge the testing candidate based on their technique and how far they are able to penetrate the network layers. Do they burn one of their 0days to get in, and how elegant was their hack? Of course, I have no idea how many govs/corps/individuals would actually be willing to pay for something like this, but that is not the point. Leave that to the savvy marketing and business people. Maybe such a certification is not viable...

The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think. In that cert, they threw in something that fooled a lot of people. One of the three stages was a non-standard printf() vulnerability on Linux. In order to exploit it, you needed to have some basic idea of what was going on. People who were just trying standard techniques and then dropping in shellcode would not succeed. Even writing your own, you had to know what you were doing. Another stage was a publicly disclosed stack-based vulnerability in an FTP server for Windows. And the last stage was a very very simple reverse engineering problem. Oh, and the prerequisite to all this was a written examination, which weeds out the people who don't have any clue at all. I took this while in the presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute. Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr. Aitel (hi dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) Even still, a really difficult hands-on security cert is non-existent...

-- 
Kristian Erik Hermansen
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave