Penetration Testing mailing list archives
Re: OSCP
From: Nick <godaemon () gmail com>
Date: Thu, 04 Dec 2008 17:17:55 +0200
Al Rivas wrote:
I've been away for a while and so catching up today and noticed the
idea that the CISSP required 5 years of information security experience. While that may be a noble idea, I don't believe that is what happens in practice. I know a CISSP (well, several like him, but at least one off the top of my head) that I can prove didn't know anything but the most basic Windows OS not 3 years ago.
I believe the way folks get around this "5-year requirement" is to have
another CISSP vouch for them. So, for example, in his group of buddies, they all vouch for each other, buy test questions, and are now all CISSPs, but they couldn't actually keep my 16-year-old out of their networks. Hell, they can't spell network.
Now perhaps some will say, so you know "one". What I'm actually saying
is that I've noticed 7 to 8 in 10 CISSPs have no clue about security. Over the years this had me wondering: how the hell can these people have this supposedly respected certification and be so ignorant about basic security concepts, let alone attacks and their defenses, effective policies, documentation, etc.? Documentation is a funny one, because after an incident that I ended up handling, a VP explained to me that his 2 CISSPs were not really security people but more like managers that documented security issues. Then I ended up having to write the reports because these two were basically illiterate.
Now BOOM, I find out help-desk boy from 3 years ago (replacing hardware,
mind you - not allowed near a functioning PC) is a CISSP.
That then explained much to me.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pedro Drimel
Sent: Monday, November 17, 2008 5:39 PM
To: pen-test () securityfocus com
Subject: Re: OSCP

I agree, those certifications can't be compared. CISSP does not have a hands-on exam, and its focus is totally different from OSCP; also, CISSP requires 5 years of experience in information security. You need to ask yourself what you want to know, not which certification you want to achieve. Certification must be a consequence, not a goal; you can pass the CISSP exam and not even know how to write an exploit. IMHO.

[]'s

2008/11/17 Abe Getchell <me () abegetchell com>
Do you really know how to protect information system resources if you don't understand the techniques used to penetrate the defensive mechanisms employed in these systems? Knowing your enemy and understanding the techniques and methodology that will be used against your critical assets are some of the most important pieces of knowledge you can possess as someone working in INFOSEC, IMHO. That being said, both the OSCP and CISSP are great certs, but completely different and really can't be compared.
I watch this conversation over time and I couldn't hold the horses.... The real problem comes in when an information security manager (...) decides to ask for help from a CISSP owner. I agree with the opinion that 7 to 8 out of 10 CISSP owners do not have the necessary experience (not only security-wise but from the information science aspect, too) to take decisions for critical systems, and far more so to handle critical incidents. But this is a cruel world, and a CISSP certification is something really lovable by a lot. Anyways, the time is near. Everyone will have a CISSP in a while; it will not be something special.....

Thanks,
Nik T
------------------------------------------------------------------------ This list is sponsored by: Cenzic
Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report ------------------------------------------------------------------------