Penetration Testing mailing list archives
Re: Federally Mandated Certification of cybersecurity professionals?
From: Andre Gironda <andreg () gmail com>
Date: Tue, 14 Apr 2009 16:11:05 -0700
On Tue, Apr 14, 2009 at 10:59 AM, Pete Herzog <lists () isecom org> wrote:
> First, you're preaching to the choir. I am against federally mandated certification and licensing. Very against it. I am certainly not against wanting all security professionals to know how to do their jobs right though.
I am in full agreement with Peter Herzog. This man is a genius when it comes to this stuff. Our current certification and education programs all-in-all are JOKES. They are LITERALLY jokes, as you can see from the CUSSE, the Institute for Certified Application Security Specialists (ASS), the Legion Against Meaningless certificatioNs (LAMN - also known as "Letters After My Name"), et al. There is a backlash against certifications, correct? The reason why is because CISSP, CISA/CISM, and all of the SANS certs have purported to be something that they are not -- any measure of fairness or quality in people in our industry. Anyone can go to actualtests.com, pass4sure, or any private torrent tracker and download the EXACT Q&A's to ANY of these exams and pass with flying colors. These sites keep this stuff up-to-date! It's a joke! A HUGE JOKE AND NOBODY IS LISTENING.
> Have you seen the OPST? The idea is to teach people how to test correctly, how to be self sufficient, and how to be in control of your tests. The OPSA teaches how to analyze through different types of tests, determining if results are factual, seeing through FUD and marketing, and many other walk-the-walk things an Analyst needs to know as well as where to keep learning. Something like that in colleges would be a good start. Why are schools graduating security practitioners without giving them operational security practice?
Unlike Pete, I'm not saying "Buy ISECOM" (note that I have no relation to ISECOM and I'm not certified in anything). However, ISECOM does set some major groundwork. It's not everything today like Pete sells it -- However (and a *big* However), if people do start buying into it, I could see it really taking off and flying... DoD Directive 8750.M, in my personal opinion, is severely flawed just like any metrics or requirements around today's industry certifications are severely flawed. We need this to change, but it's not going to any time soon. We've bought ourselves into a giant hole. The system is severely broken and there is almost no way to fix it. China has purchased over 300 "retirees" that all have US-University-based CompSci PhD's + actual talent. China doesn't care about certs. They are now in their Titan Rain II program. You don't see China complaining on the news about US DoD/CIA/NSA agents in their systems and controlling their power grids. Nobody is worried about the collapse of Chinese banks due to fraud and id-theft. Adult education is largely a failure. We need to start teaching much younger -- at least teaching OWASP LiveCD and similar in high-school and college classes around Information Technology, Business Management, and Sciences. For adults, we could use more CBT and Web-based training offerings, especially relevant and vetted information from the top-level sources (e.g. BlackHat, Toorcon, Shmoocon, SOURCE, CanSecWest, BlueHat, et al). As for hiring, I'm going to go with Pete's opinions on the matter... we need competitions and bake-offs to demonstrate capabilities. If you can demonstrate proper surgical hacking techniques in a surgical hacking theater in front of all of the top colleagues -- then you deserve to have a job. If you cater to the "security theater" in the Hollywood or Broadway sense, then you don't deserve to have a job. 
I know plenty of people who have the skills -- but no job -- because they are not certified as CISSP or whatever. Knowledge of risk is also extremely important, but it's something that can be taught. There are places to go for all of this information. The SecurityFocus Pen-Test mailing-list is one of the worst places to go. The SCADASec mailing-list is also bad. I prefer the securitymetrics mailing-list, the fuzzing mailing-list, the secure-coding mailing-list, DailyDave, et al. We need to stop reading books about getting CISSP certified and concentrate on real material such as Brotby's "Information Security Management Metrics", the Hacking-Exposed series, The New School of Information Security (and other related Addison Wesley titles), etc. People need to stop reading magazines, attending ISSA events, and buying SANS credits in order for this to eventually work out. If it involves a vendor or a product -- just drop it from your vocabulary -- let alone certification plan.

Thank you for your time again,
Andre Gironda