Penetration Testing mailing list archives
RE: CISSP
From: "Adam Morey" <amorey () healthydirections com>
Date: Wed, 06 Dec 2006 13:49:09 -0500
The CISSP requires that candidates have a minimum of 4 years direct full-time security experience in one of the 10 domains, this includes management, creative writing, technical, military MP - anything that is related to security - the CISSP is not all about firewall rules - it's completely academic, not technical. It also requires an officer of your company, another CISSP or some other official to endorse the candidate to verify. While an 11 year old could have 4 years direct security experience, it is highly unlikely. There's a lot of knowledge and studying required for the CISSP - as well as a very long (about 3 hour or so) test. I took my CISSP a few years back and I also have a Masters Degree in Information Assurance so I've studied information security in depth. Many of the folks in my masters program took the CISSP after graduating and passed it without studying, but some failed too. The CISSP is not a bad certificate to have if you want to know a little about a lot of different IA areas. It is truly a mile-wide and an inch deep as they say. It makes you memorize a lot about encryption methods, understand basic criminal investigation procedures, type of locks, different kinds of fire extinguishers, the network part is very elementary - what's a router/switch, is goes through a sort of history of firewalls (proxy, transitive, address translation). It goes into policies and procedures, risk analysis, access controls, and quite a bit about law and ethics. I don't care who you are - if you can study the 1000 pages recommended reading - you're probably going to learn something different each time you read it. If you didn't know - the CISSP also expires if you don't submit what they call CPE credits. Basically you need to attend trade shows, read books, go to school, watch webinars or volunteer as an exam proctor etc... to maintain your certification. This increases the value of the certificate, as it means those who have it continue to read and specialize in some way. I wouldn't let someone near my firewalls without proven work experience, and about 1000 policy pushes under their belt, product specific certs are more important here. I wouldn't even want to know if they had their CISSP or not. Adam
-----Original Message----- From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Nick Besant Sent: Tuesday, December 05, 2006 5:45 AM To: pen-test () securityfocus com Cc: dfullerton () mantor org Subject: Re: CISSP I think it's a worthwhile qualification to have if only from the point of view of structured learning. Unless you've already done a CS or equivalent degree, it's unlikely that you'll have covered some of the architectural or formal methodologies, practices, standards etc that
you
must know to take the CISSP exam. On-the-job learning is an excellent (I'm biased) way to learn all things security but you only tend to learn the technologies etc around the environments you're working
with.
I found the learning process, while covering some out-of-date material that I'm unlikely to use in future, did cover some additional areas which I've since applied to projects to my / my employer's benefit. So; in summary, I would recommend it if you're looking for a broader certification/career path/etc focusing on security. The breadth (not really the depth) of the body of knowledge has provided me with a way
to
cement together everything I've learned through working on or personal research. YMMV :) -- Nick Besant (lists () hwf cc) dfullerton () mantor org wrote:Then I wonder if this certification should really have this kind ofnotoriety. Looks like it's not technical and if an 11 years old boy
can
complete this cert ...it's not about security management experience either.Anyone can give me some good reason to acquire CISSP while not beingrelated to money and the wannabe marketing-made notoriety?Personally I done GCIH and GHTQ, the latest is harder and really
related
to penetration testing. I would like some GOOD reason for someone in
the
security field for a while and having others, more in deep, technical certification to go on with CISSP.Should we glorify such things? Tell me more about the exam, the
topics
are quite general and may not be totally in line with the exam and the real knowledge being certified.Danny Fullerton --------------- IT Security Specialist, GCIH GHTQ http://www.mantor.org/~northox Mantor Organization
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016 00
000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016 00
000008bOW
------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- RE: CISSP, (continued)
- RE: CISSP Shenk, Jerry A (Dec 03)
- Re: RE: CISSP mr . nasty (Dec 04)
- Re: Re: CISSP dfullerton (Dec 04)
- RE: Re: CISSP Cony.Zhou (Dec 05)
- RE: Re: CISSP Clement Dupuis (Dec 05)
- Re: Re: CISSP Bruno Cesar Moreira de Souza (Dec 05)
- Re: CISSP Anders Thulin (Dec 07)
- RE: Re: CISSP Clement Dupuis (Dec 07)
- Re: CISSP Joey Peloquin (Dec 07)
- Re: CISSP Nick Besant (Dec 05)
- RE: CISSP Adam Morey (Dec 07)
- RE: CISSP Angelacci, Anna M CTR SPAWAR, J616 (Dec 11)
- RE: CISSP Angelacci, Anna M CTR SPAWAR, J616 (Dec 07)
- RE: Re: CISSP Cony.Zhou (Dec 05)
- Re: Re: CISSP R. DuFresne (Dec 19)
- RE: Re: CISSP Mueller, Daniel (NMCI CIRT) (Dec 20)
- RE: CISSP Craig Wright (Dec 04)
- Re: RE: CISSP mr . nasty (Dec 04)
- RE: RE: CISSP Bates, Chris (Dec 05)
- Re: RE: CISSP Tim Shea (Dec 05)