Penetration Testing mailing list archives
RE: OSCP
From: Al Rivas <ARivas () hyphensolutions com>
Date: Wed, 3 Dec 2008 12:52:21 -0600
I've been away for a while and so catching up today and noticed the idea that the CISSP required 5 years information security experience. While that may be a noble idea I don't believe that is what happens in practice. I know a CISSP (well several like him but) at least one off the top of my head that I can prove didn't know but the most basic Windows OS not 3 years ago. I believe the way folks get around this "5-year requirement" is to have another CISSP vouch for them. So for example, in his group of buddies, they all vouch for each other, buy test questions, and are now all CISSPs but they couldn't actually keep my 16-year-old out of their networks. Hell, they can't spell network.

Now perhaps some will say so you know "one". What I'm actually saying is that I've noticed 7 to 8 in 10 CISSPs have no clue about security. Over the years this had me wondering, how the hell can these people have this supposedly respected certification and be so ignorant about basic security concepts let alone attacks and their defenses, effective policies, documentation, etc.

Documentation is a funny one because after an incident that I ended up handling, a VP explained to me that his 2 CISSPs were not really security people but more like managers that documented security issues. Then I ended up having to write the reports because these two were basically illiterate. Now BOOM, I find out help-desk boy from 3 years ago (replacing hardware mind you - not allowed near a functioning PC), is a CISSP. That then explained much to me.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pedro Drimel
Sent: Monday, November 17, 2008 5:39 PM
To: pen-test () securityfocus com
Subject: Re: OSCP

I agree, those certifications can't be compared. CISSP does not have a hands-on exam, and its focus is totally different from OSCP, also CISSP requires 5 years of experience in information security.

You need to ask yourself what do you want to know, not the certification you want to achieve, certification must be a consequence, not a goal, you can pass in a CISSP exam and even do not know how to write an exploit. IMHO.

[]'s

2008/11/17 Abe Getchell <me () abegetchell com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Do you really know how to protect information system resources if you don't understand the techniques used to penetrate the defensive mechanisms employed in these systems? Knowing your enemy and understanding the techniques and methodology that will be used against your critical assets are one of the most important pieces of knowledge you can possess as someone working in INFOSEC, IMHO. That being said, both the OSCP and CISSP are great certs, but completely different and really can't be compared.

- --
Abe Getchell
me () abegetchell com
https://abegetchell.com/

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wilson
Sent: Monday, November 17, 2008 2:19 PM
To: chaitanya.sharma () gmail com; pen-test () securityfocus com
Subject: Re: OSCP

Hi,

OSCP is great for practical know-how but I would rather employ a CISSP any day; why and how you would protect systems are much more important than how you break in. It's all very well knowing how to make a shell run on a poorly configed machine but understanding defensive configs to ensure the machine isn't in a position to be compromised is more important IMHO. Additionally I would ensure you have day to day experience and knowledge of why you would advocate certain things in corporate environments.

Craig

----- Original Message -----
Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson () ppilearning com
W. http://www.ppilearning.com/

----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: Penetration Testing (SecFocus) <pen-test () securityfocus com>
Sent: Mon Nov 17 07:24:33 2008
Subject: Re: OSCP

Hi,

I am thinking of doing a certification and have short listed CISSP and OSCP. Which one would you suggest is good? CISSP is widely accepted and well known. OSCP is really good for getting hardcore experience, but does it have the same recognition as CISSP?

On Thu, Nov 13, 2008 at 4:02 AM, Taras P. Ivashchenko <naplanetu () gmail com> wrote:

Stephen,

I took this course some months ago. My opinion is that it is a very good practical course and certification for this price.

On Mon, 2008-11-10 at 15:36 +1030, Stephen Argent wrote:

Hi there - just out of curiosity, has anyone here taken the "Offensive Security 101" course to receive the OSCP (Offensive Security Certified Professional)? I'm curious as to if it is a good course, if it is run well, and if it's worth the 500+ USD you pay for it.
Thanks

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

--
Тарас Иващенко (Taras Ivashchenko), OSCP
----
"Software is like sex: it's better when it's free." - Linus Torvalds

--
Regards,
Chaitanya
http://blog.chaitanyasharma.in

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: UTF-8
-----END PGP SIGNATURE-----