
| Subject: | RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) |
|---|---|
| Date: | Fri, 28 Jul 2006 15:19:50 -0500 |
CISSP != network admin. CISSP = massive amounts of information on how security works, how to structure security in an organization, how to manage it, how to audit it, how to keep it compliant with laws and how to meet best practices. This information is useful only to senior security people who intend to manage security. If you want to know the details of what keeping your credential requires, go to ISC2.org and read the details yourself. I'm not going to spend my time babysitting you through it. Also, if you actually read the response you see a cert only serves to add credibility to what experience a person claims to have. A cert does not magically imbue you with power from above. WHAT IT DOES DO IS PROVE YOU KNOW ENOUGH OF WHAT YOU'RE DOING TO PASS A VERY DIFFICULT TEST AND IT BINDS YOU TO A CODE OF ETHICS THAT REQUIRES YOU RESPONSIBLY REPORT AND RESOLVE VULNERABILITIES. (The industry as a whole needs that.) A cert, in most cases, is better than none.

When I hire people I ask them about certifications. People tell me "oh, I'm a security expert" and I ask them why they didn't spend the money to prove that they know what they're talking about. The response is always, "I don't have the money," or "I studied but got too busy to take the test." I've never had a person say they didn't think it was necessary. But at this point the burden is on me to test them. So I have to spend $99 of my own money to set them up with an online test to test their knowledge. I have to spend another hundred dollars to have my HR person track down all their references and call each one and quiz them at length. I have to spend 2 or more hours versus one hour to interview them, costing a few hundred dollars of my time, to try to coax out of them all the insipid details of their experience in all the companies they've ever worked for. So by the time it's all done I've basically paid for them to take the stinking test anyway.
A lot of people come to me to find out how they can get certified in computer security. Usually it's someone who's been programming for 10 years and they're bummed because they want a more exciting job or a better paying job. They say, "I have always wanted to be a security expert. How did you get your certification?" Notice they don't ask how to become a security expert... only how to get the piece of paper. When I explain what it takes they cheerfully ignore the details and wander starry-eyed back to their cube dreaming of how they will be the next big security expert. Most of them even go buy a study book or books before they get discouraged, but there are always one or two that take it a step further. But I've never had one come back and ask for an endorsement or never known one to actually complete it. What I do know is that some of them have gone on to other jobs and convinced companies to hire them as "security experts" sans a certification. <<hey that's a pun - sans meaning "without" and SANS being a certifying body>> Granted I've known great security gurus without certifications... fine... in my opinion if you have a very public and unassailable rep to stand on. If you don't have an industry known rep then you'd better have a cert or string of CVEs to tack on to your resume to get noticed. Either way I'm happy with my investment and I earn a modest 6 figure income netting a cool 25k more than my cert-less buddies. Plus when I consult I can charge well above $100/hr and companies don't even blink. So for me the investment in myself and in my test-taking ability has paid off. If you can do as well without a cert then I concede you are a winner.

David

-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Friday, July 28, 2006 1:11 PM
To: David Cross
Cc: Robert E. Lee; pen-test@securityfocus.com
Subject: RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 27 Jul 2006, David Cross wrote:
> Since you believe that a CISSP can be passed with no experience certainly you would also be aware that it has a practical experience requirement of 6 years of security work prior to being eligible for the test. It also requires that another CISSP vouch for your experience. It also requires that you show proof (yes actual proof) of industry experience for every year after you pass the test to the tune of several hundred hours of training and volunteer work (assuming you can pass the test with a score greater than 70% of the applicants' scores). It requires an ongoing credit-based system where you have to have served on industry boards, done volunteer work, written articles, published books and a number of other things. If you are lucky enough to pass all these requirements and when audit time rolls around and it's discovered that you didn't have the 6 years experience or you didn't really do all you said you did then you lose your credential and can never re-apply.
Most of which are new requirements instituted a few years ago when a very young Indian gentleman passed the CISSP exam, earning the right and fame to claim to be the youngest certified CISSP in existence. If I recall correctly, his father or father's company vouched for his, at that time, 4 years of practical work experience. It's not hard to get another CISSP to "vouch" for you; I can achieve that with certifieds that I've never met nor really corresponded with even, 'cept the request to sign their name on the dotted line to get my papers. Now, as for proof of employment, I'm lacking in knowledge here: what is considered proof though? Pay stubs for the period? A signed and certified listing from a manager as to the kinds of work performed? Or merely a resume that documents my supposed history?
> Sure maybe you know someone who's taken a course and gone and passed the test but I bet you didn't know that many of them have not received their credential due to the lack of a credentialed CISSP to vouch for them or due to lack of actual ongoing experience to add to their credential after the fact. The CISSP credential is not a networking credential. It is a general security credential showing mastery of all aspects of security, not an in-depth knowledge of one. A CISSP would be expected to serve in an advisory or audit capacity and not in a network engineer capacity. The CISSP program also has specific knowledge area credential programs specific to application security among other things which apply to specific jobs.
Umm, no, no "mastery" is shown nor demonstrated; it highlights a broad base of knowledge gleaned from study primarily. And I do know certified fools that have not a single skill in security basics nor a clue as to any concepts of networking. I'm guessing that the broad base of studies was drunked away the first weekend after "testing".
> If a CISSP with no experience is applying for a networking job then shame on them. If you hire a CISSP for a networking job when they have no specific networking experience then shame on you. Credentials can only be looked at to strengthen the credibility of a person's resume, not to create credibility where there is no experience.
>
> Either way if you are going to criticize things in public you should know what you are talking about or you will just point out to everyone that you don't know the industry as well as you think.
I'm sorry you feel so threatened 'cause your cert has such little real merit except to an HR rep or a clueless manager on the prowl for a cheap hire and a CYA glance over of the credentials offered by a potential candidate for a position, but thems the facts. Where I work our security "gurus", all certified, make about 30k a year, far below our most junior admins who average in at about 55-60k. Thing is the clueless gurus can feign along quite awhile and retain those pay checks, while the admins are found out quite quickly as to how well they really know their stuffs. Sad fact here where I work, the sec gurus have taken down production envs on a regular basis, while the admins pick up the pieces and make the fixes, while advising the sec gurus on proper net-etiquette.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFEymFZst+vzJSwZikRAt8xAJ9fwd2UbKOnZIlG/BPeGPKtyB0zxgCguNeb
+H1Wp27ZV13sZF4u0bOagEk=
=a8mJ
-----END PGP SIGNATURE-----