[Dailydave] Information security certifications diversity and getting lost
Jason Alexander
jalexander at plus.net
Tue Sep 11 12:32:00 EDT 2007
I think a lot of the answers on this thread seem to concentrate on pen testing knowledge and techniques. The CISSP is much more than that (there are ten domains). For example, I am an information security manager and I would never pen test our networks. I always call in the "experts" to do this, but having a CISSP helped me gain the knowledge to know if those guys are really earning their cash!! Just my 2 cents.
-----Original Message-----
From: dailydave-bounces at lists.immunitysec.com [mailto:dailydave-bounces at lists.immunitysec.com] On Behalf Of Kristian Erik Hermansen
Sent: 10 September 2007 13:12
To: dailydave at lists.immunitysec.com
Subject: Re: [Dailydave] Information security certifications diversity and getting lost
On 9/10/07, "Thomas Ptacek" <tqbf at matasano.com> wrote:
> How do you plan on solving the problems the CISSP has?
>
> 1. People will "teach to the test".
That is always the case with any test/certification. Sometimes people don't really care about the topics, just about the financial reward it is presumed to bring them by having the cert. All certs are meant to establish a baseline. If someone has a CISSP, you at least know that they took the time to read about the topics and pass the test successfully. Of course, this doesn't mean that they have any actual experience with security at all. However, it does show that they have the capacity to become somewhat familiar with the material.
Think back to that Differential Equations course you took in university ... do you still *really* remember how to apply Laplace transformations correctly and in what context :-)
> 2. Certs get stale fast.
No argument here. Technology is a fast-paced industry...
What I think would be interesting is a certification that is meant to only be passed by 1% or so of security professionals. You make the questions so incredibly dependent on a wide array of knowledge, that only people who have done that sort of stuff before can pass. You could market it as something like the CCIE -- even have an 8-hour hands on lab exam. You set up a physical network with various devices to simulate an actual network, and then judge the testing candidate based on their technique and how far they are able to penetrate the network layers. Do they burn one of their 0days to get in, and how elegant was their hack? Of course, I have no idea how many govs/corps/individuals would actually be willing to pay for something like this, but that is not the point. Leave that to the savvy marketing and business people. Maybe such a certification is not viable...
The Certified Expert Penetration Test certification is a good start and actually forces the candidate to think. In that cert, they threw in something that fooled a lot of people. One of the three stages was a non-standard printf() vulnerability on Linux. In order to exploit it, you needed to have some basic idea of what was going on. People who were just trying standard techniques and then dropping in shellcode would not succeed. Even writing your own, you had to know what you were doing. Another stage was a publicly disclosed stack-based vulnerability in an FTP server for Windows. And the last stage was a very very simple reverse engineering problem. Oh, and the prerequisite to all this was a written examination, which weeds out the people who don't have any clue at all. I took this while in the presence of Jack Koziol, who was proctoring the exam in person while in Washington, DC for the Infosec Institute.
Now, I may know a little bit about security, but I am an amateur in comparison to visionaries like Mr. Aitel (hi dave!), Solar Designer, Halvar, and some of the real Black Hats who don't give talks at public security conferences :-) Even still, a really difficult hands-on security cert is non-existent...
--
Kristian Erik Hermansen