Adam, I agree 100% with your posting on this issue. I must also say that
it could be possible for a 14 year old to have that much experience in
the 10 domains. I worked for the SANs Institute as a volunteer years
ago. They had staged IO War games at the seminar in Washington DC, and
had a half dozen young children attend to "Hack the Net." To my surprise
they arrived with their own computers, loaded with the libraries and
scripts from Hxxx. I always assumed young boys at that age would be more
interested in sports or noticing ladies, but that was not the case.
These children spent their days, nights, any spare time they had,
working on how to hack and how to program, a completely amazing group of
young people. Some very prominent firewall appliance vendors set up the
security posture of the multi platform server farm. These young people
found the holes with in 3 days. It was a learning experience to have
them prove nothing is 100%.
Happy and safe holidays to all
Annie
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Adam Morey
Sent: Wednesday, December 06, 2006 1:49 PM
To: pen-test@securityfocus.com
Subject: RE: CISSP
The CISSP requires that candidates have a minimum of 4 years direct
full-time security experience in one of the 10 domains, this includes
management, creative writing, technical, military MP - anything that is
related to security - the CISSP is not all about firewall rules - it's
completely academic, not technical. It also requires an officer of your
company, another CISSP or some other official to endorse the candidate
to verify. While an 11 year old could have 4 years direct security
experience, it is highly unlikely.
There's a lot of knowledge and studying required for the CISSP - as well
as a very long (about 3 hour or so) test. I took my CISSP a few years
back and I also have a Masters Degree in Information Assurance so I've
studied information security in depth. Many of the folks in my masters
program took the CISSP after graduating and passed it without studying,
but some failed too.
The CISSP is not a bad certificate to have if you want to know a little
about a lot of different IA areas. It is truly a mile-wide and an inch
deep as they say. It makes you memorize a lot about encryption methods,
understand basic criminal investigation procedures, type of locks,
different kinds of fire extinguishers, the network part is very
elementary - what's a router/switch, is goes through a sort of history
of firewalls (proxy, transitive, address translation). It goes into
policies and procedures, risk analysis, access controls, and quite a bit
about law and ethics.
I don't care who you are - if you can study the 1000 pages recommended
reading - you're probably going to learn something different each time
you read it.
If you didn't know - the CISSP also expires if you don't submit what
they call CPE credits. Basically you need to attend trade shows, read
books, go to school, watch webinars or volunteer as an exam proctor
etc... to maintain your certification. This increases the value of the
certificate, as it means those who have it continue to read and
specialize in some way.
I wouldn't let someone near my firewalls without proven work experience,
and about 1000 policy pushes under their belt, product specific certs
are more important here. I wouldn't even want to know if they had their
CISSP or not.
Adam
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of Nick Besant
Sent: Tuesday, December 05, 2006 5:45 AM
To: pen-test@securityfocus.com
Cc: dfullerton@mantor.org
Subject: Re: CISSP
I think it's a worthwhile qualification to have if only from the point
of view of structured learning. Unless you've already done a CS or
equivalent degree, it's unlikely that you'll have covered some of the
architectural or formal methodologies, practices, standards etc that
you
must know to take the CISSP exam. On-the-job learning is an excellent
(I'm biased) way to learn all things security but you only tend to
learn the technologies etc around the environments you're working
with.
I found the learning process, while covering some out-of-date material
that I'm unlikely to use in future, did cover some additional areas
which I've since applied to projects to my / my employer's benefit.
So; in summary, I would recommend it if you're looking for a broader
certification/career path/etc focusing on security. The breadth (not
really the depth) of the body of knowledge has provided me with a way
to
cement together everything I've learned through working on or personal
research. YMMV :)
--
Nick Besant (lists@hwf.cc)
dfullerton@mantor.org wrote:
Then I wonder if this certification should really have this kind of
notoriety. Looks like it's not technical and if an 11 years old boy
can
complete this cert ...it's not about security management experience
either.
Anyone can give me some good reason to acquire CISSP while not being
related to money and the wannabe marketing-made notoriety?
Personally I done GCIH and GHTQ, the latest is harder and really
related
to penetration testing. I would like some GOOD reason for someone in
the
security field for a while and having others, more in deep, technical
certification to go on with CISSP.
Should we glorify such things? Tell me more about the exam, the
topics
are quite general and may not be totally in line with the exam and the
real knowledge being certified.
Danny Fullerton
---------------
IT Security Specialist, GCIH GHTQ http://www.mantor.org/~northox
Mantor Organization
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00
000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
