AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)



Hi to everyone.

The main question is if a particular certification does prove your skill?
Yes it does, no matter if you passed by going through a boot camp or because
of your experience. Does a certification prove your experience? No, not at
all.
I've several certification starting with Microsoft, Check Point, ISS,
CISSP,....
Of course I've learned a lot through studying the materials for the certs,
but I've learned even more through going the hard way in projects. Many
people crossed my way with even more certs but no experience. So how can you
distinguish between those with only the skills but no experience? Only in
projects.

On the other hand, if you have enough experience for example working with
Check Point, you should easily pass the CCSA or CCSE exam. Or if you have
enough experience in the security field, you should easily pass the CISSP
exam. Is that the case?
I've always used the Certs to prove my experience.

So the question is what is more important, experience or skill? In my
opinion experience. Getting new customer or projects, the certs are always
dooropener. But doing a good job to satisfy the customer you need enough
experience and knowledge.

But on the other hand the business drives the certs. If you are respopnsible
for a very important project and you have to chose the contractor. Which one
would you use? The one with the most experience or the on with the certs?
Most of the time the poeple chose the one with the certs. Why? Because if
anything goes wrong they can say : " Not my fault, because I've choosen the
one with the best certs." And their boss would say: "OK, than it is not your
fault". But what if he had choosen the one'S without the certs? "How could
you chose the people without checking their experience?"

So from my point of view any cert shows that you have skills about the
particular area, tested in the exam. It does not show how you are able to
use that knowledge in real life projects. That's why my business card show
two numbers 95/01 and no certs. People ask and I answer: Since 1995 I'm in
the IT business and since 2001 I'm working the the IT security area. How can
you prove that? Because I'm a certified CCSA, CCSE, MCP, CISSP ,.......

OK, even working for more than 5 years in the IT Security area does not
prove if I'm doing a good job, that can only be proven by reference or
projects.

Just my 2 Cents

:-)Horst

-----Ursprüngliche Nachricht-----
Von: Jim [mailto:jimk@xxxxxxxxxxxxxxxxxxxxxxx]
Gesendet: Montag, 31. Juli 2006 19:17
An: David Cross; Pete Herzog; Wolf
Cc: Robert E. Lee; pen-test@xxxxxxxxxxxxxxxxx
Betreff: Re: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)

Wolf

I think you are right on track with this issue. I know people with the
CISSP certs that should not even be in the industry.

Jim
Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Wolf <wolfiroc@xxxxxxxxxxxxx>
Date: Sun, 30 Jul 2006 23:28:23 -0400 (GMT-04:00) To:Pete Herzog
<lists@xxxxxxxxxx>, David Cross <davidcross@xxxxxxxxxxxxxxxx> Cc:"Robert E.
Lee" <robert@xxxxxxxxxxxxxxxx>, pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Hacker Stories, Certs,
vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

Hi David and Pete,
I really take the statement "... mastery of all aspects of security" as a
bit of a challenge as well as an insult to those who truly have mastered
their craft, but do not have the CISSP. I do - as well as OPST, OPSA, IEM
and IAM. Fact -not boasting or professing mastery. Too much comes down the
road each day to profess mastery at all aspects of security. If there were
so many masters out there, then we wouldn't have configuration management
issues, patch management and implementation issues, and every system and
network could be certified and accredited as being operationally secure.
I know for a FACT that some CISSPs have little or no experience or
understanding in the field, yet managed to take a damn good test! If the
prereqs were checked or truly told, they never would have been eligible.
Not a rant just something to think about the next time you claim mastery!

-----Original Message-----
From: Pete Herzog <lists@xxxxxxxxxx>
Sent: Jul 30, 2006 5:39 AM
To: David Cross <davidcross@xxxxxxxxxxxxxxxx>
Cc: "Robert E. Lee" <robert@xxxxxxxxxxxxxxxx>,
pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium
MAC Address Changer v3.1 (FREEWARE)

Hi David,

The CISSP credential is not a networking credential. It is a general
security credential showing mastery of all aspects of security, not
an in-depth knowledge of one. A CISSP would be expected to serve in
an

I think "mastery" includes capability and not just knowledge thereof.
To master something means to be at the top of a craft. It means to
know something deeply and to be able to apply that knowledge broadly.
I disagree that a CISSP shows a mastery of all things security.

advisory or audit capacity and not in a network engineer capacity.
The

Just broad knowledge of security best practices to apply broadly where
one sees them is unhealthy to any organization.

If a CISSP with no experience is applying for a networking job then
shame on them. If you hire a CISSP for a networking job when they
have no specific networking experience then shame on you.

And yet they do all the time. Many of us know many CISSPs who didn't
have the experience, were able to fudge it, and were able to get their
certification without having any problem finding another CISSP vouch
for them. Talking a solution does not show successful implementation of
one.

Credentials can only be looked at to strengthen the credibility of a
person's resume, not to create credibility where this is no experience.

Not true. Certification can provide those lacking experience to show
ability and be an asset to an organization in that particular field. So
it can show credibility where no experience exists. People already do
this now looking to switch job descriptions, need to learn a specific
aspect of a job, seek to enhance current ability, or to improve their
marketability for new jobs.

Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to
everyone that you don't know the industry as well as you think.

I agree with that statement however I also think putting on
rose-colored glasses does not make the current industry on-goings any
rosier for other people who end up being the victims instead of the
benefactors of security.

-pete.

-----------------------------------------------------------------------
-------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web applications
continue to rise, you need to proactively protect your applications
from hackers. Cenzic has the most comprehensive solutions to meet your
application security penetration testing and vulnerability management
needs. You have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download
FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your results from other product. Contact us at request@xxxxxxxxxx for
details.
-----------------------------------------------------------------------
-------



----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
----------------------------------------------------------------------------
--




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------



Relevant Pages

  • RE: Hacker Stories, Certs, vs Projects - the real problem?
    ... mastery was a poor word to insert. ... How can one give a hands-on test on managing the audit process? ... Have I ever had issues with cert test questions and certs in general... ... teaching a class but not writing security related freeware. ...
    (Pen-Test)
  • Re: Hacker Stories, Certs,vs Projects
    ... The CISSP cert should be kept in perspective. ... It is a good certification for people on a managerial level to have because it gives them a fairly broad, high level view of the security field, which they need to do their job more effectively. ... -not boasting or professing mastery. ... there, then we wouldn't have configuration management issues, patch management ...
    (Pen-Test)
  • Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
    ... Not a rant just something to think about the next time you claim mastery! ... security credential showing mastery of all aspects of security, ... disagree that a CISSP shows a mastery of all things security. ... testing and vulnerability management needs. ...
    (Pen-Test)
  • RE: Value of certifications
    ... Certifications get you through Biodata scanners in HR:) ... certs are important for career advancement. ... My employer offers classes for 2 security certifications, ... know that the CISSP certification is aimed more at management, ...
    (Security-Basics)
  • accredited schools
    ... I think you hade to do the security training at grad schools because ... Some years spent at a decent school outnumbers any cert. ... Subject: CISSP-ISSMP ... You've got a B.S. in infosys, yet due to the certs, you have to go get them to break through the HR ...
    (Pen-Test)