Penetration Testing mailing list archives

Re: Federally Mandated Certification of cybersecurity professionals?


From: Andre Gironda <andreg () gmail com>
Date: Tue, 14 Apr 2009 16:11:05 -0700

On Tue, Apr 14, 2009 at 10:59 AM, Pete Herzog <lists () isecom org> wrote:
> First, you're preaching to the choir. I am against federally mandated
> certification and licensing. Very against it. I am certainly not against
> wanting all security professionals to know how to do their jobs right
> though.

I am in full agreement with Peter Herzog.  This man is a genius when
it comes to this stuff.  Our current certification and education
programs all-in-all are JOKES.  They are LITERALLY jokes, as you can
see from the CUSSE, the Institute for Certified Application Security
Specialists (ASS), the Legion Against Meaningless certificatioNs (LAMN
- also known as "Letters After My Name"), et al.  There is a backlash
against certifications, correct?

The reason why is because CISSP, CISA/CISM, and all of the SANS certs
have purported to be something that they are not -- any measure of
fairness or quality in people in our industry.

Anyone can go to actualtests.com, pass4sure, or any private torrent
tracker and download the EXACT Q&A's to ANY of these exams and pass
with flying colors.  These sites keep this stuff up-to-date!  It's a
joke!  A HUGE JOKE AND NOBODY IS LISTENING.

> Have you seen the OPST? The idea is to teach people how to test correctly,
> how to be self sufficient, and how to be in control of your tests. The OPSA
> teaches how to analyze through different types of tests, determining if
> results are factual, seeing through FUD and marketing, and many other
> walk-the-walk things an Analyst needs to know as well as where to keep
> learning.  Something like that in colleges would be a good start. Why are
> schools graduating security practitioners without giving them operational
> security practice?

Unlike Pete, I'm not saying "Buy ISECOM" (note that I have no relation
to ISECOM and I'm not certified in anything). However, ISECOM does set
some major groundwork.  It's not everything today like Pete sells it
-- However (and a *big* However), if people do start buying into it, I
could see it really taking off and flying...

DoD Directive 8750.M, in my personal opinion, is severely flawed just
like any metrics or requirements around today's industry
certifications are severely flawed.  We need this to change, but it's
not going to any time soon.  We've bought ourselves into a giant hole.
The system is severely broken and there is almost no way to fix it.

China has purchased over 300 "retirees" that all have
US-University-based CompSci PhDs + actual talent.  China doesn't care
about certs.  They are now in their Titan Rain II program.  You don't
see China complaining on the news about US DoD/CIA/NSA agents in their
systems and controlling their power grids.  Nobody is worried about
the collapse of Chinese banks due to fraud and id-theft.

Adult education is largely a failure.  We need to start teaching much
younger -- at least teaching OWASP LiveCD and similar in high-school
and college classes around Information Technology, Business
Management, and Sciences.  For adults, we could use more CBT and
Web-based training offerings, especially relevant and vetted
information from the top-level sources (e.g. BlackHat, Toorcon,
Shmoocon, SOURCE, CanSecWest, BlueHat, et al).

As for hiring, I'm going to go with Pete's opinions on the matter...
we need competitions and bake-offs to demonstrate capabilities.  If
you can demonstrate proper surgical hacking techniques in a surgical
hacking theater in front of all of the top colleagues -- then you
deserve to have a job.  If you cater to the "security theater" in the
Hollywood or Broadway sense, then you don't deserve to have a job.

I know plenty of people who have the skills -- but no job -- because
they are not certified as CISSP or whatever.  Knowledge of risk is
also extremely important, but it's something that can be taught.
There are places to go for all of this information.  The SecurityFocus
Pen-Test mailing-list is one of the worst places to go.  The SCADASec
mailing-list is also bad.  I prefer the securitymetrics mailing-list,
the fuzzing mailing-list, the secure-coding mailing-list, DailyDave,
et al.  We need to stop reading books about getting CISSP certified
and concentrate on real material such as Brotby's "Information
Security Management Metrics", the Hacking-Exposed series, The New
School of Information Security (and other related Addison Wesley
titles), etc.

People need to stop reading magazines, attending ISSA events, and
buying SANS credits in order for this to eventually work out.  If it
involves a vendor or a product -- just drop it from your vocabulary --
let alone certification plan.

Thank you for your time again,
Andre Gironda
