Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: CISSP-ISSMP
From: "Williamson, Clyde" <CWilliamson () Limitedbrands com>
Date: Tue, 9 May 2006 16:57:49 -0400

I have to agree with Nat here.

Our team is made up of CISSP and non-CISSP alike. The only functional
difference between us that I have found seems to be that some of us have a
piece of paper. However, we have had similar years of experience and tend to
work at the same highly professional level. Of course, I'm spoiled with
quite possibly one of the best IT security teams in existence (not that I'm
biased). The experience, not the cert seems most valuable to me. Heck, we've
been interviewing for a new position and while we can find degrees and certs
out the wazoo... We can't find experience and experience is what we need.

Clyde Williamson, CISSP and Stuff

PS: Anyone who has experience with application pen testing and would like to
enjoy the exciting world of Columbus Ohio... feel free to email me. *sigh*

-----Original Message-----
From: nat () morgothan com [mailto:nat () morgothan com] On Behalf Of Nathaniel
Hirsch
Sent: Tuesday, May 09, 2006 9:47 AM
To: Angelacci, Anna M CTR SPAWAR, J616
Cc: Mohamed Abdel Kader; pen-test () securityfocus com
Subject: Re: CISSP-ISSMP

Well filling out an SSAA is not all that complex.  Hell if you use our tool
XIAM it pretty much does everything for you.  You fill out your min sec
check list, go threw adding all the systems and what they have It checks
them against all the stigs and you say if it passed or failed for each
thing.  It does pretty much everything except the actual testing and real
analysis.  And if you wanted to you could have it do the testing, I just
don't trust it with out checking it myself.
As for working well in a team I'm not sure what you are implying here.
 If it is that I do not work well in a team, you are mistaken, in every
single one of my performance reviews I have always been commented on how
good of a "team player" I am and what an asset I am to the  team.  As for
bashing your coworkers, I feel, as does the rest of my office that if you
are not pulling your weight around then its a problem and you are not
working well.  Now the guy I was talking about is clueless and does not pull
his own weight, he is a CISSP, and a CEH, and an Oracle certified something
or other, and he has his masters, and is working on his PHd.  So on paper he
looks like he is top notch, but after working with him for more then a hour
you quickly realise that he does not know what he is doing. And that is my
point, getting a cert or a degree is good as it gets your foot in the door
in some places, but it is no substitute to real world experience and skill.

On 5/9/06, Angelacci, Anna M CTR SPAWAR, J616 <anna.angelacci () navy mil>
wrote:
I disagree Nathaniel. I work with peers that do not have the CISSP. 
They do know how to fill out templates required for submission of an 
SSAA, but they have no clue about application of security controls and 
attributes. They can't even complete a proper sentence if were not for 
a spelling and grammar checker. They can run the scanners, mitigate 
the risks based on the STIG references, but still have no clue what 
they are doing.

I lucked out by getting an NSA test bank for the CISSP. If I did not 
have 7 years experience plus, in scanning networks, I would have failed.
I also must admit, I am an MCT, CCNA, CNE, Dell Certified Server Tech, 
a 3COM Certified Fiber Installer, have over 238 college credits, and 
have worked for 27 years in the field. The CISSP does only test you on 
security attributes if that is the test bank you were lucky enough to 
draw. The test banks are designed to test you on application of the 
attributes, not application of the DITSCAP. The point to remember in 
all this is," Not one single person knows it all!" Working as a team 
and not bashing your peers is a formula for success, not just certs.
Annie

-----Original Message-----
From: nat () morgothan com [mailto:nat () morgothan com] On Behalf Of 
Nathaniel Hirsch
Sent: Monday, May 08, 2006 4:19 PM
To: Mohamed Abdel Kader
Cc: pen-test () securityfocus com
Subject: Re: CISSP-ISSMP


I recently got my CISSP.  The company that I work for paid for me to 
go to a class, and take the test assuming I passed. If I failed then 
the $500 would be on my nickle.  Thankfully I did not fail.  The main 
reason they wanted me to get my CISSP is now they can charge more for 
the work they contract me out to, this and you need it or some other 
equivalent to do level 3 and 4 DITSCAP testing.  As for an ROI after I 
passed a got a 15% raise which was nice, but I was also up for a 
raise, so I can not tell you how much that was due to the CISSP, and 
how much was due to my overall performance at the company.  Personally 
I feel that the exam and certification process is a waste of time, and 
so does everyone else at the company, but they are needed, or so they 
say.  However we have a guy who works here who is a CISSP and a 
CEH(certified ethical hacker), and to be truthful, he is quite 
possible the most worthless tester I have ever had to work with, and 
everyone else in the office knows this.  So having the cert doesn't 
make you good, and doesn't prove to anyone that you have experience or 
skill.  It just proves that you can pick the correct answer out of a 
four possible answer on a 250 question multiple choice exam. As for 
giving an out of 10 scale for everything you mentioned I guess they 
would all be 5s because it all really depends on a lot of other 
things.  As for what job its good for, I would have to say more 
managerial then anything else.  The topics covered are really only 
puddle deep, not enough to know whats going on, just enough to know that
it is going on though.


Nathaniel Hirsch, CISSP
Xacta Corporation
656 Shrewsbury Ave.
Shrewsbury, NJ 07702

On 5/8/06, Mohamed Abdel Kader <makster12 () hotmail com> wrote:
Hi all,
I was wondering if anyone out there did the CISSP-ISSMP concentration.

I want to know the value added in the areas listed below, in an out 
of

10 scale for example:

    Total ROI
    Career Advancement
    Industry Demand
    Raise Potential

    Suitable for what job/position (not an out of 10 answer of 
course
:))

I also want to know the material to study from.

Thanks a million.
MAK

--------------------------------------------------------------------
--
--------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the 
Analyst's Choice Award from eWeek. As attacks through web 
applications

continue to rise, you need to proactively protect your applications 
from hackers. Cenzic has the most comprehensive solutions to meet 
your

application security penetration testing and vulnerability 
management needs. You have an option to go with a managed service 
(Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm
your
results from other product. Contact us at request () cenzic com for
details.

----------------------------------------------------------------------
--
------



----------------------------------------------------------------------
--
------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the 
Analyst's Choice Award from eWeek. As attacks through web applications 
continue to rise, you need to proactively protect your applications 
from hackers. Cenzic has the most comprehensive solutions to meet your 
application security penetration testing and vulnerability management 
needs. You have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download 
FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm 
your results from other product. Contact us at request () cenzic com for 
details.
----------------------------------------------------------------------
--
------


----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise, you need to proactively protect your applications from hackers. Cenzic
has the most comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You have an option
to go with a managed service (Cenzic ClickToSecure) or an enterprise
software (Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]