RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)



" Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think."

I challenge you to take your own advice. As you say, the CISSP is a
general security credential. It does NOT show a mastery of all aspects
of security as you say. Yes, I understand that a CISSP can tell me that
the glass encasing my server room is too thin, but you go way too far
out on a limb by saying that one certification makes you a master of all
aspects of security. Are you a CISSP? Can you configure multiple
vendors' firewall products to allow for 30 remote sites and 150 roaming
salesmen? Can you then configure multiple vendors' IDS/IPS products to
provide enhanced security to your customer's network? How good are you
at incident response on an HP-UX box? When you catch malicious
software on your honeypot, can you reverse it to determine its function
and take proper action at your routers/firewalls/IDS/IPS to prevent its
propagation in future? How about configuring that customer's wireless
network for 802.1X and smart cards? I can go on and on, but my point is
this. Are there people with the CISSP certification that are capable of
doing these things? Yes. Are they the majority? No. The CISSP does not,
as you say, "show mastery of all aspects of security".



-----Original Message-----
From: David Cross [mailto:davidcross@xxxxxxxxxxxxxxxx]
Sent: Thursday, July 27, 2006 3:38 PM
To: Robert E. Lee
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)


Since you believe that a CISSP can be passed with no experience,
certainly you would also be aware that it has a practical experience
requirement of 6 years of security work prior to being eligible for the
test. It also requires that another CISSP vouch for your experience.
It also requires that you show proof (yes, actual proof) of industry
experience for every year after you pass the test, to the tune of several
hundred hours of training and volunteer work (assuming you can pass the
test with a score greater than 70% of the applicants' scores). It
requires an ongoing credit-based system where you have to have served on
industry boards, done volunteer work, written articles, published books
and a number of other things. If you are lucky enough to pass all these
requirements, and then when audit time rolls around it's discovered that
you didn't have the 6 years' experience or you didn't really do all you
said you did, then you lose your credential and can never re-apply.

Sure, maybe you know someone who's taken a course and gone and passed the
test, but I bet you didn't know that many of them have not received their
credential due to the lack of a credentialed CISSP to vouch for them or
due to lack of actual ongoing experience to add to their credential
after the fact.

The CISSP credential is not a networking credential. It is a general
security credential showing mastery of all aspects of security, not an
in-depth knowledge of one. A CISSP would be expected to serve in an
advisory or audit capacity and not in a network engineer capacity. The
CISSP program also has specific knowledge area credential programs
specific to application security among other things which apply to
specific jobs.

If a CISSP with no experience is applying for a networking job then
shame on them. If you hire a CISSP for a networking job when they have
no specific networking experience then shame on you.

Credentials can only be looked at to strengthen the credibility of a
person's resume, not to create credibility where there is no experience.

Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think.

David



-----Original Message-----
From: Robert E. Lee [mailto:robert@xxxxxxxxxxxxxxxx]
Sent: Thursday, July 27, 2006 4:40 AM
To: shreyas@xxxxxxxxxxxxxx
Cc: shreyasonline@xxxxxxxxx; slamboy@xxxxxxxxx;
pen-test@xxxxxxxxxxxxxxxxx
Subject: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)

The "practical application" portion of the Cisco CCIE certification is
why organizations can trust the CCIE job applicant can serve a useful
Cisco networking function in their organization. Any certification that
fails to measure the candidate's actual ability to perform a useful
function in the subject of the certification is useless (à la CEH, CISSP,
CISA, CISM, which can all be passed with 0 years of experience). To the
best of my knowledge about the current infosec certs, ISECOM's OPST
(www.opst.org) and OPSA (www.opsa.org) come the closest to fulfilling
the practical measurement requirement. For what it's worth, we would
not consider hiring a candidate who advertised that they have a CEH
certification.

If you want to stand out in an interview, perform a useful function that
your peers respect you for. Presenting your ideas at conferences or
contributing to computer security research papers and projects will get
you a lot more credibility in a job interview than "hacking stories" or
"hacker certifications". There are a lot of projects to choose from.
If none of them excite you, start your own. ;)

Robert

--
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com

phone: (949) 394-2033
fax: (949) 486-6601
email: robert@xxxxxxxxxxxxxxxx

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------
