Penetration Testing mailing list archives

From: Al Rivas <ARivas () hyphensolutions com>
Date: Wed, 3 Dec 2008 12:52:21 -0600

I've been away for a while and so catching up today and noticed the idea that the CISSP required 5 years of information 
security experience.  While that may be a noble idea I don't believe that is what happens in practice.  I know a CISSP 
(well, several like him, but at least one off the top of my head) that I can prove didn't know anything but the most basic Windows 
OS not 3 years ago.

I believe the way folks get around this "5-year requirement" is to have another CISSP vouch for them.  So for example, 
in his group of buddies, they all vouch for each other, buy test questions, and are now all CISSPs but they couldn't 
actually keep my 16 year old out of their networks.  Hell they can't spell network.

Now perhaps some will say, "So you know one."  What I'm actually saying is that I've noticed 7 to 8 in 10 CISSPs have no 
clue about security.  Over the years this had me wondering, how the hell can these people have this supposedly 
respected certification and be so ignorant about basic security concepts, let alone attacks and their defenses, 
effective policies, documentation, etc.  Documentation is a funny one because after an incident that I ended up 
handling, a VP explained to me that his 2 CISSPs were not really security people but more like managers that documented 
security issues.  Then I ended up having to write the reports because these two were basically illiterate.

Now BOOM, I find out help-desk boy from 3 years ago (replacing hardware mind you - not allowed near a functioning PC), 
is a CISSP.

That then explained much to me.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pedro Drimel
Sent: Monday, November 17, 2008 5:39 PM
To: pen-test () securityfocus com
Subject: Re: OSCP

I agree, those certifications can't be compared.

CISSP does not have a hands-on exam, and its focus is totally different
from OSCP; also, CISSP requires 5 years of experience in information
You need to ask yourself what you want to know, not the
certification you want to achieve; certification must be a
consequence, not a goal. You can pass the CISSP exam and not even
know how to write an exploit. IMHO.


2008/11/17 Abe Getchell <me () abegetchell com>


Do you really know how to protect information system resources if you don't understand the techniques used to 
penetrate the defensive mechanisms employed in these systems? Knowing your enemy and understanding the techniques and 
methodology that will be used against your critical assets are one of the most important pieces of knowledge you can 
possess as someone working in INFOSEC, IMHO.

That being said, both the OSCP and CISSP are great certs, but completely different and really can't be compared.

--
Abe Getchell
me () abegetchell com

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Craig Wilson
Sent: Monday, November 17, 2008 2:19 PM
To: chaitanya.sharma () gmail com; pen-test () securityfocus com
Subject: Re: OSCP


OSCP is great for practical know-how but I would rather employ a CISSP
any day; why and how you would protect systems is much more important
than how you break in.  It's all very well knowing how to make a shell
run on a poorly configured machine, but understanding defensive configs to
ensure the machine isn't in a position to be compromised is more
important IMHO.

Additionally, I would ensure you have day-to-day experience and
knowledge of why you would advocate certain things in corporate


----- Original Message -----
Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson () ppilearning com
W. http://www.ppilearning.com/

----- Original Message -----

From: listbounce () securityfocus com <listbounce () securityfocus com>
To: Penetration Testing (SecFocus) <pen-test () securityfocus com>
Sent: Mon Nov 17 07:24:33 2008
Subject: Re: OSCP


I am thinking of doing a certification and have shortlisted CISSP and
OSCP.  Which one would you suggest is good?  CISSP is widely accepted
and well known. OSCP is really good for getting hardcore experience,
but does it have the same recognition as CISSP?

On Thu, Nov 13, 2008 at 4:02 AM, Taras P. Ivashchenko
<naplanetu () gmail com> wrote:
Stephen, I took this course some months ago.

My opinion is that it is a very good practical course and certification for

On Mon, 2008-11-10 at 15:36 +1030, Stephen Argent wrote:
Hi there - just out of curiosity, has anyone here taken the
Security 101" course to receive the OSCP (Offensive Security
Professional)? I'm curious as to if it is a good course, if it is
well, and if it's worth the 500+ USD you pay for it. Thanks


Тарас Иващенко (Taras Ivashchenko), OSCP
"Software is like sex: it's better when it's free." - Linus Torvalds
