From: Joseph McCray (joe@learnsecurityonline.com)
Date: Fri Dec 08 2006 - 01:13:40 EST
I as well as several other people on this list will vouch for
Peter/ISECOM and his opinion. There are a lot of "Security
Professionals" that are basically either scanner monkeys, or writers.
Quotes like "No, I really don't use Linux" from people that do security
should at least raise an eyebrow. Although there are some really good
SecPros out there that use/code in Windows - most of the people that can
really sit down and do this stuff use either Linux or BSD. True, the
movement toward WebApp/DB security is changing this, but most of the
heavy lifting is still done on *nix OSs.
As far as certification is concerned I have to admit that getting the
certs REALLY helped me professionally, but not so much technically. I
would always learn more in Def Con's Capture the Flag, RootWars, and
other hacking competitions around the web. For me there was no greater
place than Def Con's CTF. My first Def Con I was a bright eyed bushy
tailed Windows guy and I have just gotten my MCSE and CCNA. After
playing in the CTF, and getting my feelings hurt by a bunch of people
that didn't have any certs. Those guys even knew more about Windows than
I did. After that I stopped using Windows, started playing in and
hosting hacking competitions. I've gotten better over the years, but the
better I get the more I really understand just how good some of the
people in this field really are.
I like to read old Black Hat talks, and I recommend that all newbies do
the same:
http://blackhat.com/html/bh-media-archives/bh-multi-media-archives.html
Even talks that I went to years ago - when I look at the slides now I
understand so much more of what they were talking about back then - and
there are plenty of times that I still don't understand what they are
talking about. People like Dan Kaminsky, Silvio, David Litchfield, FX,
Mudge, Ofir Arkin, Dave Aitel, Last Stage of Dellirium, and several
others are ones who's research is driving security product development
today.
/me is getting off his soap box. Short version is:
Get the certs (you gotta eat), just know your sh*t so you can look at
yourself in the mirror every morning.
Joe
On Thu, 2006-12-07 at 20:20 +0100, Pete Herzog wrote:
> > But I also think certification by itself means next to nothing for the
> > most part. I have seen way to many Consultants with certifications and
> > degrees not know their head from a hole in the ground.
>
> There are certifications and there are certifications. Knowledge
> certifications where one memorizes security trivia and regurgitates it on
> an exam has much less applicability in the real world than a formal
> education where case studies and experience may be introduced or an applied
> knowledge certification.
>
> But a certification should mean something. It should prove that a person
> can apply a particular type of knowledge, a specialty, with a measurable
> degree of accuracy and efficiency. If a group has convinced you that they
> can certify, accredit, or graduate you in a trade or specialty in a manner
> which requires no proof of skill then you should question your own critical
> thinking skills. Because it just doesn't work that way. Even with
> experience, that means nothing if what you learned is wrong from the start.
> The US Department of Education has a word for organizations who sell
> diplomas for experience alone and often no additional coursework: Diploma
> Mills (http://en.wikipedia.org/wiki/Diploma_mills).
>
> I'm saying this because at ISECOM we have been an authority for applied
> knowledge security certifications for nearly 5 years because the security
> community we work with asked for it. They asked for a security cert that
> didn't suck. They wanted one where people actually had to apply their
> knowledge of testing and analysis with accuracy and efficiency in order to
> pass an exam against a live network. So we built it and you know what, we
> still sometimes get complaints that it's too hard and too complicated.
> When we first rolled this out in the US, the training organization we
> worked with didn't see a future for it because they said they needed an
> easier exam, a knowledge-based one, so people can pass and take a
> certification back to the office which will bring in more people. Then
> they can also promote a high pass rate in their marketing for that
> training. So we stopped working with those training companies in the U.S.
> that wanted an easy pass to sell easily to the masses. But that's just
> mainly a problem in the US and most other regions have been just fine for
> us. In those other places the ISECOM certifications really mean something
> and get people employed and advanced and vetted for having them.
>
> So please don't lump all security certifications together. Some of us are
> working hard to help and such comments don't.
>
> Sincerely,
> -pete.
>
> PS: Sure I work for ISECOM so I am biased about the quality of our
> certifications but facts are facts and our certifications really are
> applied knowledge, hands-on examinations.
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
-- Joe McCray Toll Free: 1-866-892-2132 Email: joe@learnsecurityonline.com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:26 EDT