Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Value of certifications

from [Yousef Syed] Network Security [Permanent Link]
Subject: Re: Value of certifications
Date: Fri, 27 Apr 2007 18:41:48 +0200 
James,
On the matter of Vendor certs I would definitely have to disagree.

I've met plenty of MCSE people that just happened to study hard for
the exam and passed it, but haven't the first clue about setting up an
enterprise Windows system.

For a previous consultancy that I worked at, I was forced to take the
Sun Java Certification (despite the fact that I already had 8years
Java/J2EE real world experience). It is the the most worthless
certification that I've ever come accross and it actually teaches you
things that you'll NEVER do in the real world! I'd gone so long in my
career without it, in-part, due to the fact that so many
"Java-Certified" types that I'd meet, were useless developers.

The vendors care just as little about the student's knowledge as
anyone else - they are also in it for the money. Anytime they change
the OS, you need a new Cert. Anytime a new version of Java comes out,
they want a new Cert... KER-CHING!

What I like about the CISSP is that you are expected to have atleast 4
years prior experience before you take the exam. It covers ten
different security domains. It isn't a technical paper where you
memories a bunch or procedures; rather, you really have to know what
you are security, why it needs security. It isn't at such a high-level
to make it irrelevant, and nor is it at such a low-level as to make it
too technically demanding for people that might never have used a
firewall before.

Are you going to get Fakers picking a CISSP; ofcourse you are (just as
is the case with any qualification); but such persons will be weeded
out swiftly once they are in the workforce and can't produce.

Is it a substitute for experience, no. But it does complement your
experience and if all your experience is only in one particular
security domain, it shows you that there are other security domains
and they all need to be considired together.

Yes, I would prefer to have externally audited orgs performing such
certifications that aren't profit driven; but outside of Universities,
they don't exist - and accademic knowledge and real world knowledge
are two very different things.

ys

On 26/04/07, Simmons, James <jsimmons@eds.com> wrote: 

Yes, I agree about determining the pecking order, but what is a better
way of proving that you know something? Actually going out there and
demonstrating that you know it. Or taking some cheaply made test, that
no one knows how it was formed, as your validation?
I am not saying that certifications do not serve a purpose, but I have
found very few that are actually good enough to live up to that purpose.
My example differs between vendor certs (CCNA, MCSE, etc.) and general
knowledge certs (CISSP, security+, etc.)  The vendor certs are by far
superior (though expensive for no reason) because who would know the
subject matter better then vendor.  The general knowledge certs are a
joke. What designates these people as experts? Both in the field that
the cert is focusing on, and in creating a meaningful cert?
In my rant off my link I make reference to the ASE certs for Automotive
technicians. ASE was formed by the major automakers of the day to
maintain a acceptable skill level. They employed psychologists,
professors, and other education experts to research and ensure that
their testing methods give an accurate portrayal of the skill level of
the individual. Do you honestly think that any of these companies have
put that much time and effort into their tests? These are start-up
companies that believe they can make some money off of trying to
sudo-train individuals to do a complicated job. And companies are
trusting these "certified" professionals to protect them and conduct
business critical work on their systems.
And I am not saying that this is the case for everyone. Some very
intelligent, and capable individuals are getting the certs because that
is what will attract customers. They are not getting the certs to learn
anything new. They are getting them to prove that they know. And at that
point I question why these certs have to cost so much?
While every other question I see in this forum about certs is "I want to
learn about security, what is the cert I should go after?".
It is just a messed up system that really needs an overhaul.

Regards,

Simmons





--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: RE: Value of certifications, Lim Ming Wei
Next by Date:  Re: RE: Value of certifications, Yousef Syed
Previous by Thread:  RE: Value of certifications, Simmons, James
Next by Thread:  RE: Value of certifications, Simmons, James
Indexes:  [Date] [Thread] [Top] [All Lists]