Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: OSCP
From: Nick <godaemon () gmail com>
Date: Thu, 04 Dec 2008 17:17:55 +0200

Al Rivas wrote:
I've been away for a while and so catching up today and noticed the
idea that the CISSP required 5 years information security experience. 
While that may be a noble idea I don't believe that is what happens in
practice.  I know a CISSP (well several like him but) at least one off
the top of my head that I can prove didn't know but the most basic
Windows OS not 3 years ago.

I believe the way folks get around this "5-year requirement" is to have
another CISSP vouch for them.  So for example, in his group of buddies,
they all vouch for each other, buy test questions, and are now all
CISSPs but they couldn't actually keep my 16 year old out of their
networks.  Hell they can't spell network.

Now perhaps some will say so you know "one".  What I'm actually saying
is that I've noticed 7 to 8 in 10 CISSPs have no clue about security. 
Over the years this had me wondering, how the hell can these people have
this supposedly respected certification and be so ignorant about basic
security concepts let alone attacks and their defenses, effective
policies, documentation, etc.  Documentation is a funny one because
after an incident that I ended up handling, a VP explained to me that
his 2 CISSPs were not really security people but more like managers that
documented security issues.  Then I ended up having to write the reports
because these two were basically illiterate.

Now BOOM, I find out help-desk boy from 3 years ago (replacing hardware
mind you - not allowed near a functioning PC), is a CISSP.

That then explained much to me.

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Pedro Drimel
Sent: Monday, November 17, 2008 5:39 PM
To: pen-test () securityfocus com
Subject: Re: OSCP

I agree, those certifications can't be compared.

CISSP does not has a hands on exam, and its focus is totally different
from OSCP, also CISSP requires 5 years of experience in information
security.
You need to ask yourself what do you want to know, not the
certification you want to achieve, certification must be a
consequence, not a goal, you can pass in a CISSP exam and even do not
know how to write an exploit. IMHO.

[]'s

2008/11/17 Abe Getchell <me () abegetchell com>
Do you really know how to protect information system resources if you
don't understand the techniques used to penetrate the defensive
mechanisms employed in these systems? Knowing your enemy and
understanding the techniques and methodology that will be used against
your critical assets are one of the most important pieces of knowledge
you can posses as someone working in INFOSEC, IMHO.

That being said, both the OSCP and CISSP are great certs, but
completely different and really can't be compared.

I watch this conversation over time and I couldn't hold the horses....
The real problem comes in when an information security manager(...)
decide to ask help from a CISSP owner.
I agree with the opinion that 7to8 out of 10 cissp owners do not have
the neccessary experience(not only security wise but from information
science aspect, too) to take decisions for critical systems and far more
to handle critical insidents. But this is a cruel world and a CISSP
certification is somethink really lovable by alot. Anyways the time is
near. Everyone will have a cissp in a while it will not be something
special.....

Thanx
Nik T


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]