<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>RE: [Dailydave] Information security certifications diversity and getting lost</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Dave,<BR>
That sounds like a really interesting idea, but wouldn't Win XP SP2 be more realistic? I would want someone at the basic level to at least understand trampolines, as jumping straight to the stack would work on your test but is unrealistic in the real world.<BR>
Thanks,<BR>
David Weston<BR>
FGM, Inc<BR>
<BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: dailydave-bounces@lists.immunitysec.com on behalf of Dave Aitel<BR>
Sent: Mon 9/10/2007 6:46 AM<BR>
To: dailydave@lists.immunitysec.com<BR>
Subject: Re: [Dailydave] Information security certifications diversity and getting lost<BR>
<BR>
One thing we've been working on here at Immunity are Network Offense<BR>
Professional certifications. Essentially it would be practical tests<BR>
that established someone was capable of doing certain actions we<BR>
should all be able to do.<BR>
<BR>
For example, the first certification was a simple stack overflow<BR>
against Windows 2000. Testees would exploit it using Immunity<BR>
Debugger/WinDBG and VisualSploit, which would keep it as technology<BR>
agnostic as possible. You can either write a simple Win32 overflow or<BR>
you can't.<BR>
<BR>
We were going to launch it during DefCon, but had a few other things<BR>
going on. :><BR>
<BR>
- -dave<BR>
<BR>
<BR>
J.M. Seitz wrote:<BR>
> Hey Mike,<BR>
><BR>
>> The CISSP is the undisputed king of information security<BR>
>> certifications. Currently, every now and then a security company<BR>
>> starts pushing their employees towards certification programs.<BR>
>> These are usually known for featuring insanely long exams,<BR>
>> absurdly pedantic requirements and other kinds of doubtfully<BR>
>> respectable necessities.<BR>
><BR>
> I wouldn't say it's the king, I would say it has some very broad<BR>
> objectives, but is more so a Security+ on steroids. When the CISSP<BR>
> got traction, you have to look at the timing of the certification,<BR>
> and the fact that the only other certification that would get you a<BR>
> high paying job was a CCIE, and the CCIE is a nasty cert to get to<BR>
> say the least. SANS has put out some incredibly strong programs<BR>
> that can range from technical (GCIH/GCFA/GREM) to CISSP-like<BR>
> certifications.<BR>
><BR>
><BR>
>> We all know that there are several other certifications, but<BR>
>> CISSP brings, without doubt, the very best. Be it a security<BR>
>> operations manager, a field operative or some other kind of<BR>
>> consulting freak, a CISSP will always deliver.<BR>
><BR>
> I still disagree, and to be honest, I have interviewed more CISSPs<BR>
> that couldn't answer questions like "What does PKI stand for?",<BR>
> "Give me an analogy of a buffer overflow.","What is transparent<BR>
> proxying and why is it important in some circumstances?". Come on,<BR>
> certs are as good as the people who take them, I again disagree.<BR>
><BR>
><BR>
>> My question for people out there, is this madness _that_<BR>
>> necessary? Do we have a good reason for spending loads of budget<BR>
>> on certification programs and wasting our companies' money in<BR>
>> such investments?<BR>
><BR>
> Yep, again it's a baseline, one for HR. The people to watch out for<BR>
> are the ones who go the extra mile; someone who has a GCIH most<BR>
> definitely doesn't make me giggle with glee, but someone who has a<BR>
> GCIH Gold I look forward to meeting with, and definitely love to<BR>
> engage on their research topic. It's worth a company's time and<BR>
> money to do it (a) employees are more loyal to companies that give<BR>
> (b) you'd be amazed at how often you will apply things straight<BR>
> from a certification.<BR>
><BR>
>> Employees feel constrained since they might lose the<BR>
>> certification after quitting their jobs, surfing towards another<BR>
>> employer as intrusive and wasteful as the previous one, etc.<BR>
><BR>
> Not sure how you would lose a certification if you left your job?<BR>
> Once you write the exam, it's yours not your company's.<BR>
><BR>
>> If certifications exist for ethical hackers, are we going to see<BR>
>> certifications for unethical hackers anytime soon? What if the<BR>
>> mob and shady underground organizations needed to certify that<BR>
>> they are employing the very best of the federal prison's Module<BR>
>> 5? Will a Certified Unethical Software Security Expert (CUSSE)<BR>
>> certification ever exist? "My name is Lincoln Six Echo, Certified<BR>
>> Information Insecurity Systems Professional".<BR>
><BR>
> <A HREF="http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html">http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html</A><BR>
><BR>
> There ya go :) I bet one or two unscrupulous people are<BR>
> "black-belts" :)<BR>
><BR>
> In the end, certifications are good, but the reality is that they<BR>
> are only good if you are looking for work, and you get what you put<BR>
> into them. You want to get noticed in the security world? Build a<BR>
> tool, join and help people on forums, help Sourcefire write<BR>
> signatures (they need it), contact George Theall at Tenable and ask<BR>
> if you can help write NASL plugins, help the OSVDB with mangling.<BR>
> These are all things that will help round out a newcomer, and add<BR>
> it to the list of things that can benefit you when it's time to go<BR>
> job hunting. Now, if you _really_ want to get noticed, tackle the<BR>
> tough problems, write books, and try to talk at Black Hat, etc.<BR>
><BR>
> Coming from an unknown security guy, low profile, I am still in the<BR>
> phase of doing all of these things. As such I have a Sec+ and a<BR>
> GCIH (which I am wrapping up my research paper on), and I can<BR>
> honestly say I do use some of it in my day-to-day. You don't see<BR>
> these acronyms on my email signature but that's because I am not<BR>
> looking for work :)<BR>
><BR>
> JS<BR>
><BR>
><BR>
><BR>
> _______________________________________________ Dailydave mailing<BR>
> list Dailydave@lists.immunitysec.com<BR>
> <A HREF="http://lists.immunitysec.com/mailman/listinfo/dailydave">http://lists.immunitysec.com/mailman/listinfo/dailydave</A><BR>
<BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>