Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Learning vs. Play Time
From: "Les Bell" <lesbell () lesbell com au>
Date: Sun, 8 Feb 2004 08:52:01 +1100

"Robert E. Lee" <robert () dyadsecurity com> wrote

<For me, the value of a class is not in the test or even the
certification at the end. The lasting value is in the knowledge and
skill set that you refine and take with you back to your job.

Couldn't agree more, Robert. I agree with everything you say in your email,
with one proviso. I'm the author of a Linux security class; however, the
company that markets the class was insistent on renaming it "Hacking and
Securing Linux", even though there's very little "hacking" in it and it's
almost entirely "securing". Fact is, course titles that mention hacking
sell much better than ones that don't, and that can make the difference
between a profitable course that will continue to run, and an excellent
course that dies due to lack of attendance.

One other point, while I'm here - doesn't anyone's bullshit meter move
across to the yellow when they realise that just about the only training
available for a certification is from the same organisation that promotes
the certification itself? In these cases, don't people realise that the
certification is a marketing tool to sell the course, and that there are no
external guarantees about the quality of either?

As a contract instructor, I've had the experience of teaching
vendor-developed courses that contained incorrect material - downright
factually incorrect information. However, the certification exam is
*directly based on the course*, so that the exam *also* expects the
candidate to provide the incorrect answer in order to be marked correct!
I've had to teach people "This is wrong - in the real world, do it *this*
way - however, if you're doing the exam, make sure you answer *that* way!".
Knowledgeable people who attempt the test without attending the course are
disadvantaged, of course, as they will give the factually correct answer,
but be marked wrong. The close relationship between the course developer
and test developer (the same person?) allows poor quality material to slip
through, to the detriment of all parties.

To me, the ideal is to have an independent body that develops and maintains
a respected certification. Third parties then develop courses, books and
other training material to prepare candidates for the exam. This way, the
examining body assures not only the quality of the candidates, but also of
the training they've undergone, and it avoids the incestuous situation of
poorly-educated candidates scoring well on a poorly-designed exam. I would
only countenance a single body doing both training and certification if it
was accredited, i.e. its systems and procedures had been thoroughly audited
(a process I'm looking into for my own courses, so people won't have to
take just my word for how good they are!).


--- Les Bell, RHCE, CISSP

Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:

  By Date           By Thread  

Current thread:
  • RE: Learning vs. Play Time Les Bell (Feb 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]