IMHO....
The CISSP is strictly a paper certification. The reason that I feel this
way is that too many people obtain this certification with no real
security experience. Over the past 2 years, I have been called in to
fix security problems that were caused by other CISSPs.
The first case was a vulnerability assessment for a bank where the
first CISSP could not finish the project. When I showed up to finish
the project, the bank couldn't care less that I had a CISSP. They would not
let me start the project until they checked my background. The bank
finally let me start the project, but only after learning that I also
had SANS GIAC certifications, a Master's in Security Management and one in
Information Systems, was a published author in the field and had decades of
experience.
The second case involved a pentest where a CISSP had conducted a project
for a web portal. The CISSP told the customer the portal was secure,
but the customer had concerns about the quality of the work performed.
Again I was called in to check the other CISSP's work, and I was able to
gain root access in 6 hours. That customer now checks the background
of, and even tests, CISSPs before they are allowed to do any work.
Recently I had the pleasure of conducting a pentest for a client who was
the CSO of the organization and held a CISSP. When I provided the results
of the project to this CISSP, I was informed that I could not have gained
access to the network, because he had deployed IDS and IPS devices that
cost $$$$. He also stated that the vendors of these devices had assured
him that no one could bypass them. I had to give this CISSP a class
in how IDS and IPS worked, which was WAY over his head. I found out that
this CISSP had no technical background and came from the business side of the house.
Overall I think that the CISSP serves a purpose, but that purpose is
being diluted by individuals who have no security experience but are
passing the exam after taking one of the CISSP boot camps. When I see
magazine editors and sales people with their CISSPs, I know that the
certification is becoming strictly a paper tiger...
Just my 2¢
--------------------------------------------------------------------------------------------------------------------------------------
PPowenski_at_oag.com wrote:
>please elaborate on what certification HAS NOT turned into all those
>items you cite?
>It is the nature of the beast and this industry.
>
>BTW I am a CISSP and worked in the information security field for 20
>years before acquiring the CISSP.
>
>Finishing my masters in information security, which I also feel is a more
>solid foundation in terms of discovering new ideas and overall security
>management than being 'certified' in some vendor interpretation of
>security or IT for that matter.
>
>The only other group I would pursue in terms of a worthwhile
>certification is the SANS series. There are probably others as worthy as
>SANS, but who has the time to keep track? There another problem
>develops, and where does it end?
>
>Do you believe any vendor firewall, IDS, IPS, OS Platform certification
>enlightens you on overall network security management?
>
>-----Original Message-----
>From: dreamwvr [mailto:dreamwvr_at_dreamwvr.com]
>Sent: 11 October 2005 16:51
>To: webappsec_at_securityfocus.com
>Subject: Re: Notes from CISSP class with Dr. Eric Cole
>
>
> >A pre requisite for getting certified as a CISSP is to have at least 4 years
> >experience in the field of security, in at least one of the domains covered
> >in the common body of knowledge.
> >
> >The certification is also non vendor specific, and to say that it is based
> >on jargon or 'certain terminology' is pure folly.
> >
> >As far as I am concerned, if you have issues with the certification, it
> >probably means you haven't got it, or you can't get it. It is doubtful
> >the censors will allow this to make the list anyways..
>
>IMHO/FWIW the CISSP certification meant well, it really did. However, it
>has noticeably fleshed out into much less than what was intended, of this
>I am sure. Don't get me wrong, the 10 domains of knowledge are valid.
>However, it is a little offensive for someone with, say, over a decade
>plus of security experience in the domains to find this the only
>criterion of validation for some. (Shall I say a false sense of security? ;-)
>
>It makes one want to avoid corps that use this as their exclusive skill
>validation tool..
>
>It has become largely like the MCSE paper program..
>It has become a little mucky muck ..
>It has become a cash cow..
>[...]
>
>
>Best Regards,
>dreamwvr_at_dreamwvr.com
>
Received on Oct 12 2005