RE: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)

From: Chris Pugrud (chris_at_pugrud.net)
Date: 06/03/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 3 Jun 2005 14:09:14 -0700 (PDT)

    --- "Bill McGee (bam)" <bam@cisco.com> wrote:

    [BIG SNIP]
    > And, of course, it's a bit silly. While I agree that a parallel course
    > of action is to make the solutions idiot-proof, part of the problem is
    > one of scale. The pool of folks who understand what's going on is being
    > diluted by the growing influx of folks who haven't got a clue. So, while
    > the number of competent practitioners out there is actually going UP
    > (IMO), the general Security IQ has been going down (notice how the
    > crowds at the security conferences seem to actually know LESS each
    > year?) I would argue that we need to do MORE educating (including the
    > establishment of an Advanced Degree in Network Security, but that's
    > another discussion.)

    Having just completed an advanced (M.S.) degree in Network Security
    (Information Security and Assurance) from an NSA accredited CAE (Center of
    Academic Excellence) and yet another big name popular infosec certification
    after a 10 year career in infosec, I'd have to say I have a declining view of
    education and/or certification. I did both because some organizations value
    credentials more than they value skills (which are hard to measure), and I
    thought it would be an interesting experience.

    I have no doubt that everyone on this list has had the experience of working
    with blithering idiots who have walls full of impressive credentials, people
    who are earnestly honest when they say things like deny rules and STIGs
    (federal security standards) are "a good idea, a nice guideline, but not really
    practical." I'm almost ashamed to admit I have the same security
    certifications as some of these alleged professionals.

    Marcus has an interesting approach in the "throw the bums out" initiative, and
    it actually has started happening. On the DoD side of the federal house every
    information security risk must be signed off on by a single individual, pen to
    paper, and those people are increasingly being held accountable, and even
    thrown out, when it hits the fan. Admittedly the federal government has the
    distinct advantage of being able to send people to jail when they do egregiously
    stupid things, something that certainly helps people think twice.

    There are no easy answers or silver bullets to the question of how to identify
    and empower cognizant and responsible security professionals. I do think that
    implementing a process of formal risk acceptance by the CxO, something that
    they know will be in front of the board when everything goes wrong, with their
    pretty little signature at the bottom, is an excellent first step. Some level
    of truly challenging certification may be useful as well, but they seem to
    keep failing. There are many reasons that the CCIE is the gold standard, but
    it is also testing a set of skills that are inherently testable and not
    memorizable. Security is not purely technical nor is it (yet) truly a science,
    and quantifiably judging somewhat of an artform is arbitrary at best.

    I think that the CCIE truly succeeds because it's damned hard to get, yet it's
    accessible enough that you can self study and pass. It has the rote
    memorization aspect, but the real challenge is the one day, in person, in your
    face, blood, sweat and tears, full contact demonstration of skill, thinking,
    and ingenuity. It might not be fair to the timid, but the purpose of a hard
    certification is not to be fair, it is to clearly identify professionals who
    have proven their capabilities in the face of adversity.

    Enough sidetracks, I didn't even get to my joyous classroom experiences, like
    "network security" (I'll give you a hint - the "correct" answer is always
    cryptography). Accountability is paramount. There are very real damages being
    caused by lapses in information security, both in the public and private
    sector. "Sign on the dotted line" risk acceptance goes a long ways towards
    making risk takers think twice. It's much easier to dismiss responsibility
    when something was "approved" than when the nasty consequences are clearly
    spelled out above your signature.

    Enjoy!

    Chris

    ---
    "It's Friday, I may be short on sleep and tall on coffee..."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
