
| Subject: | Re: CISSP |
|---|---|
| Date: | Fri, 08 Dec 2006 01:13:40 -0500 |

I, as well as several other people on this list, will vouch for Peter/ISECOM and his opinion. There are a lot of "Security Professionals" that are basically either scanner monkeys, or writers. Quotes like "No, I really don't use Linux" from people that do security should at least raise an eyebrow. Although there are some really good SecPros out there that use/code in Windows - most of the people that can really sit down and do this stuff use either Linux or BSD. True, the movement toward WebApp/DB security is changing this, but most of the heavy lifting is still done on *nix OSs.

As far as certification is concerned I have to admit that getting the certs REALLY helped me professionally, but not so much technically. I would always learn more in Def Con's Capture the Flag, RootWars, and other hacking competitions around the web. For me there was no greater place than Def Con's CTF. My first Def Con I was a bright-eyed, bushy-tailed Windows guy and I had just gotten my MCSE and CCNA. After playing in the CTF, and getting my feelings hurt by a bunch of people that didn't have any certs. Those guys even knew more about Windows than I did. After that I stopped using Windows, started playing in and hosting hacking competitions. I've gotten better over the years, but the better I get the more I really understand just how good some of the people in this field really are.

I like to read old Black Hat talks, and I recommend that all newbies do the same: http://blackhat.com/html/bh-media-archives/bh-multi-media-archives.html

Even talks that I went to years ago - when I look at the slides now I understand so much more of what they were talking about back then - and there are plenty of times that I still don't understand what they are talking about. People like Dan Kaminsky, Silvio, David Litchfield, FX, Mudge, Ofir Arkin, Dave Aitel, Last Stage of Delirium, and several others are ones whose research is driving security product development today.

/me is getting off his soap box.

Short version is: Get the certs (you gotta eat), just know your sh*t so you can look at yourself in the mirror every morning.

Joe

On Thu, 2006-12-07 at 20:20 +0100, Pete Herzog wrote:

But I also think certification by itself means next to nothing for the most part. I have seen way too many Consultants with certifications and degrees not know their head from a hole in the ground.

There are certifications and there are certifications. Knowledge certifications where one memorizes security trivia and regurgitates it on an exam have much less applicability in the real world than a formal education where case studies and experience may be introduced or an applied knowledge certification. But a certification should mean something. It should prove that a person can apply a particular type of knowledge, a specialty, with a measurable degree of accuracy and efficiency. If a group has convinced you that they can certify, accredit, or graduate you in a trade or specialty in a manner which requires no proof of skill then you should question your own critical thinking skills. Because it just doesn't work that way. Even with experience, that means nothing if what you learned is wrong from the start. The US Department of Education has a word for organizations who sell diplomas for experience alone and often no additional coursework: Diploma Mills (http://en.wikipedia.org/wiki/Diploma_mills).

I'm saying this because at ISECOM we have been an authority for applied knowledge security certifications for nearly 5 years because the security community we work with asked for it. They asked for a security cert that didn't suck. They wanted one where people actually had to apply their knowledge of testing and analysis with accuracy and efficiency in order to pass an exam against a live network. So we built it and you know what, we still sometimes get complaints that it's too hard and too complicated. When we first rolled this out in the US, the training organization we worked with didn't see a future for it because they said they needed an easier exam, a knowledge-based one, so people can pass and take a certification back to the office which will bring in more people. Then they can also promote a high pass rate in their marketing for that training. So we stopped working with those training companies in the U.S. that wanted an easy pass to sell easily to the masses. But that's just mainly a problem in the US and most other regions have been just fine for us. In those other places the ISECOM certifications really mean something and get people employed and advanced and vetted for having them.

So please don't lump all security certifications together. Some of us are working hard to help and such comments don't.

Sincerely,
-pete.

PS: Sure I work for ISECOM so I am biased about the quality of our certifications but facts are facts and our certifications really are applied knowledge, hands-on examinations.

-- Joe McCray Toll Free: 1-866-892-2132 Email: joe@learnsecurityonline.com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access