David,
Just a few small corrections. We don't want to scare anyone away from
the test because they feel they do not fit the requirements you
presented.
First, you do not need 6 years of "security" work you only need to have
4 working in one of the 10 CBKs.
Second, you do not need to have a CISSP vouch for your experience. An
employer or manager will suffice.
For maintenance, it requires 120 CPEs within three years.. These break
out differently for different activities, but I don't think it would
equate to "several hundred hours." I think it would be great if you did
hundreds of hours, even thousands, but that is a digression.
I agree that someone who has a CISSP thinking that they can now be a
network security engineer, or a pen-tester solely on the CISSP alone is
a tragedy.
It is also a tragedy when a company only hires based on certs... Of any
kind.
I think this whole discussion about certs is a bit odd. I have seen
people with masters, and PhDs in some IT field who knew little about
practical applications, or much else for that matter. I have seen people
with no security certs at all who were some of the most brilliant
security engineers I have ever met. There are always exceptions and
extremes.
I think that the CISSP is a great cert for a person who wants to augment
a current skill set (system admin, law, developer) and become more
robust by getting an overview of security. It is also a great first
transitional step into the world of security. But I would not let you
touch my firewall simply because you have a CISSP.
A long time ago I hoped that some cert like the CISSP would stand as the
equivalent to becoming a licensed engineer, layer, or Doctor. This never
came to pass.
Hope springs eternal.
john
-----Original Message-----
From: David Cross [mailto:davidcross@Post-N-Track.com]
Sent: Thursday, July 27, 2006 2:38 PM
To: Robert E. Lee
Cc: pen-test@securityfocus.com
Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)
Since you believe that a CISSP can be passed with no experience
certainly you would also be aware that it has a practical experience
requirement of 6 years of security work prior to being eligible for the
test. It also requires that another CISSP vouch for your experience.
It also requires that you show proof (yes actual proof) of industry
experience for every year after you pass the test to the tune of several
hundred hours of training and volunteer work (assuming you can pass the
test it with a score greater than 70% of the applicants scores). It
requires an ongoing credit-based system where you have to have served on
industry boards, done volunteer work, written articles, published books
and a number of other things. If you are lucky enough to pass all these
requirements and when audit time rolls around and it's discovered that
you didn't have the 6 years experience or you didn't really do all you
said you did then you lose your credential and can never re-apply.
Sure maybe you know someone who's taken a course and gone and passed the
test but I bet you didn't know that many of them have not received their
credential due to the lack of a credentialed CISSP to vouch for them or
due to lack of actual ongoing experience to add to their credential
after the fact.
The CISSP credential is not a networking credential. It is a general
security credential showing mastery of all aspects of security, not an
in-depth knowledge of one. A CISSP would be expected to serve in an
advisory or audit capacity and not in a network engineer capacity. The
CISSP program also has specific knowledge area credential programs
specific to application security among other things which apply to
specific jobs.
If a CISSP with no experience is applying for a networking job then
shame on them. If you hire a CISSP for a networking job when they have
no specific networking experience then shame on you.
Credentials can only be looked at to strengthen the credibility of a
person's resume, not to create credibility where this is no experience.
Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think.
David
-----Original Message-----
From: Robert E. Lee [mailto:robert@dyadsecurity.com]
Sent: Thursday, July 27, 2006 4:40 AM
To: shreyas@technitium.com
Cc: shreyasonline@yahoo.com; slamboy@gmail.com;
pen-test@securityfocus.com
Subject: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)
The "practical application" portion of the CISCO CCIE certification is
why organizations can trust the CCIE job applicant can serve a useful
cisco networking function in their organization. Any certification that
fails to measure the candidates actual ability to perform a useful
function in the subject of the certification is useless (ala CEH, CISSP,
CISA, CISM, which can all be passed with 0 years of experience). To the
best of my knowledge about the current infosec certs, ISECOM's OPST
(www.opst.org) and OPSA (www.opsa.org) come the closest to fulfilling
the the practical measurement requirement. For what it's worth, we would
not consider hiring a candidate who advertised that they have a CEH
certification.
If you want to stand out in an interview, perform a useful function that
your peers respect you for. Presenting your ideas at conferences or
contributing to computer security research papers and projects will get
you a lot more credibility in a job interview than "hacking stories" or
"hacker certifications". There are a lot of projects to choose from.
If none of them excite you, start your own. ;)
Robert
--
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com
phone: (949) 394-2033
fax : (949) 486-6601
email: robert@dyadsecurity.com
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web applications
continue to rise, you need to proactively protect your applications from
hackers. Cenzic has the most comprehensive solutions to meet your
application security penetration testing and vulnerability management
needs. You have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download
FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web applications
continue to rise, you need to proactively protect your applications from
hackers. Cenzic has the most comprehensive solutions to meet your
application security penetration testing and vulnerability management
needs. You have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download
FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
