Home page logo
/

pen-test logo Penetration Testing mailing list archives

AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "Horst Moll" <Horst.Moll () tts-security com>
Date: Tue, 1 Aug 2006 09:23:13 +0200

Hi to everyone.

The main question is if a particular certification does prove your skill?
Yes it does, no matter if you passed by going through a boot camp or because
of your experience. Does a certification prove your experience? No, not at
all.
I've several certification starting with Microsoft, Check Point, ISS,
CISSP,....
Of course I've learned a lot through studying the materials for the certs,
but I've learned even more through going the hard way in projects. Many
people crossed my way with even more certs but no experience. So how can you
distinguish between those with only the skills but no experience? Only in
projects.

On the other hand, if you have enough experience for example working with
Check Point, you should easily pass the CCSA or CCSE exam. Or if you have
enough experience in the security field, you should easily pass the CISSP
exam. Is that the case? 
I've always used the Certs to prove my experience. 

So the question is what is more important, experience or skill? In my
opinion experience. Getting new customer or projects, the certs are always
dooropener. But doing a good job to satisfy the customer you need enough
experience and knowledge. 

But on the other hand the business drives the certs. If you are respopnsible
for a very important project and you have to chose the contractor. Which one
would you use? The one with the most experience or the on with the certs?
Most of the time the poeple chose the one with the certs. Why? Because if
anything goes wrong they can say : " Not my fault, because I've choosen the
one with the best certs." And their boss would say: "OK, than it is not your
fault". But what if he had choosen the one'S without  the certs? "How could
you chose the people without checking their experience?"

So from my point of view any cert shows that you have skills about the
particular area, tested in the exam. It does not show how you are able to
use that knowledge in real life projects. That's why my business card show
two numbers 95/01 and no certs. People ask and I answer: Since 1995 I'm in
the IT business and since 2001 I'm working the the IT security area. How can
you prove that? Because I'm a certified CCSA, CCSE, MCP, CISSP ,.......

OK, even working for more than 5 years in the IT Security area does not
prove if I'm doing a good job, that can only be proven by reference or
projects.

Just my 2 Cents

:-)Horst

-----Urspr√ľngliche Nachricht-----
Von: Jim [mailto:jimk () missinglinksecurity com] 
Gesendet: Montag, 31. Juli 2006 19:17
An: David Cross; Pete Herzog; Wolf
Cc: Robert E. Lee; pen-test () securityfocus com
Betreff: Re: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)

Wolf

I think you are right on track with this issue.  I know people with the
CISSP certs that should not even be in the industry.

Jim
Sent via BlackBerry from Cingular Wireless

-----Original Message-----
From: Wolf <wolfiroc () earthlink net>
Date: Sun, 30 Jul 2006 23:28:23 -0400 (GMT-04:00) To:Pete Herzog
<lists () isecom org>, David Cross <davidcross () Post-N-Track com> Cc:"Robert E.
Lee" <robert () dyadsecurity com>, pen-test () securityfocus com
Subject: Re: Hacker Stories, Certs,
 vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)

Hi David and Pete,
I really take the statement "... mastery of all aspects of security" as a
bit of a challenge as well as an insult to those who truly have mastered
their craft, but do not have the CISSP.  I do - as well as OPST, OPSA, IEM
and IAM.  Fact -not boasting or professing mastery.  Too much comes down the
road each day to profess mastery at all aspects of security.  If there were
so many masters out there, then we wouldn't have configuration management
issues, patch management and implementation issues, and every system and
network could be certified and accredited as being operationally secure.  
I know for a FACT that  some CISSPs have little or no experience or
understanding in the field, yet managed to take a damn good test!  If the
prereqs were checked or truly told, they never would have been eligible.
Not a rant just something to think about the next time you claim mastery!

-----Original Message-----
From: Pete Herzog <lists () isecom org>
Sent: Jul 30, 2006 5:39 AM
To: David Cross <davidcross () Post-N-Track com>
Cc: "Robert E. Lee" <robert () dyadsecurity com>, 
pen-test () securityfocus com
Subject: Re: Hacker Stories, Certs, vs Projects - Was Re: Technitium 
MAC Address Changer v3.1 (FREEWARE)

Hi David,

The CISSP credential is not a networking credential.  It is a general 
security credential showing mastery of all aspects of security, not 
an in-depth knowledge of one.  A CISSP would be expected to serve in 
an

I think "mastery" includes capability and not just knowledge thereof.  
To master something means to be at the top of a craft.  It means to 
know something deeply and to be able to apply that knowledge broadly.  
I disagree that a CISSP shows a mastery of all things security.

advisory or audit capacity and not in a network engineer capacity.  
The

Just broad knowledge of security best practices to apply broadly where 
one sees them is unhealthy to any organization.

If a CISSP with no experience is applying for a networking job then 
shame on them.  If you hire a CISSP for a networking job when they 
have no specific networking experience then shame on you.

And yet they do all the time.  Many of us know many CISSPs who didn't 
have the experience, were able to fudge it, and were able to get their 
certification without having any problem finding another CISSP vouch 
for them. Talking a solution does not show successful implementation of
one.

Credentials can only be looked at to strengthen the credibility of a 
person's resume, not to create credibility where this is no experience.

Not true. Certification can provide those lacking experience to show 
ability and be an asset to an organization in that particular field. So 
it can show credibility where no experience exists. People already do 
this now looking to switch job descriptions, need to learn a specific 
aspect of a job, seek to enhance current ability, or to improve their 
marketability for new jobs.

Either way if you are going to criticize things in public you should 
know what you are talking about or you will just point out to 
everyone that you don't know the industry as well as you think.

I agree with that statement however I also think putting on 
rose-colored glasses does not make the current industry on-goings any 
rosier for other people who end up being the victims instead of the
benefactors of security.

-pete.

-----------------------------------------------------------------------
-------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the 
Analyst's Choice Award from eWeek. As attacks through web applications 
continue to rise, you need to proactively protect your applications 
from hackers. Cenzic has the most comprehensive solutions to meet your 
application security penetration testing and vulnerability management 
needs. You have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download 
FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm 
your results from other product. Contact us at request () cenzic com for
details.
-----------------------------------------------------------------------
-------



----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • AW: Hacker Stories, Certs,vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE) Horst Moll (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]