Re: CISSP-ISSMP

From: Nathaniel Hirsch (nh2@njit.edu)
Date: Tue May 09 2006 - 09:46:45 EDT


Well filling out an SSAA is not all that complex. Hell if you use our
tool XIAM it pretty much does everything for you. You fill out your
min sec check list, go threw adding all the systems and what they have
It checks them against all the stigs and you say if it passed or
failed for each thing. It does pretty much everything except the
actual testing and real analysis. And if you wanted to you could have
it do the testing, I just don't trust it with out checking it myself.
As for working well in a team I'm not sure what you are implying here.
 If it is that I do not work well in a team, you are mistaken, in
every single one of my performance reviews I have always been
commented on how good of a "team player" I am and what an asset I am
to the team. As for bashing your coworkers, I feel, as does the rest
of my office that if you are not pulling your weight around then its a
problem and you are not working well. Now the guy I was talking about
is clueless and does not pull his own weight, he is a CISSP, and a
CEH, and an Oracle certified something or other, and he has his
masters, and is working on his PHd. So on paper he looks like he is
top notch, but after working with him for more then a hour you quickly
realise that he does not know what he is doing. And that is my point,
getting a cert or a degree is good as it gets your foot in the door in
some places, but it is no substitute to real world experience and
skill.

On 5/9/06, Angelacci, Anna M CTR SPAWAR, J616 <anna.angelacci@navy.mil> wrote:
> I disagree Nathaniel. I work with peers that do not have the CISSP. They
> do know how to fill out templates required for submission of an SSAA,
> but they have no clue about application of security controls and
> attributes. They can't even complete a proper sentence if were not for a
> spelling and grammar checker. They can run the scanners, mitigate the
> risks based on the STIG references, but still have no clue what they are
> doing.
>
> I lucked out by getting an NSA test bank for the CISSP. If I did not
> have 7 years experience plus, in scanning networks, I would have failed.
> I also must admit, I am an MCT, CCNA, CNE, Dell Certified Server Tech, a
> 3COM Certified Fiber Installer, have over 238 college credits, and have
> worked for 27 years in the field. The CISSP does only test you on
> security attributes if that is the test bank you were lucky enough to
> draw. The test banks are designed to test you on application of the
> attributes, not application of the DITSCAP. The point to remember in all
> this is," Not one single person knows it all!" Working as a team and not
> bashing your peers is a formula for success, not just certs.
> Annie
>
> -----Original Message-----
> From: nat@morgothan.com [mailto:nat@morgothan.com] On Behalf Of
> Nathaniel Hirsch
> Sent: Monday, May 08, 2006 4:19 PM
> To: Mohamed Abdel Kader
> Cc: pen-test@securityfocus.com
> Subject: Re: CISSP-ISSMP
>
>
> I recently got my CISSP. The company that I work for paid for me to go
> to a class, and take the test assuming I passed. If I failed then the
> $500 would be on my nickle. Thankfully I did not fail. The main reason
> they wanted me to get my CISSP is now they can charge more for the work
> they contract me out to, this and you need it or some other equivalent
> to do level 3 and 4 DITSCAP testing. As for an ROI after I passed a got
> a 15% raise which was nice, but I was also up for a raise, so I can not
> tell you how much that was due to the CISSP, and how much was due to my
> overall performance at the company. Personally I feel that the exam and
> certification process is a waste of time, and so does everyone else at
> the company, but they are needed, or so they say. However we have a guy
> who works here who is a CISSP and a CEH(certified ethical hacker), and
> to be truthful, he is quite possible the most worthless tester I have
> ever had to work with, and everyone else in the office knows this. So
> having the cert doesn't make you good, and doesn't prove to anyone that
> you have experience or skill. It just proves that you can pick the
> correct answer out of a four possible answer on a 250 question multiple
> choice exam. As for giving an out of 10 scale for everything you
> mentioned I guess they would all be 5s because it all really depends on
> a lot of other things. As for what job its good for, I would have to
> say more managerial then anything else. The topics covered are really
> only puddle deep, not enough to know whats going on, just enough to know
> that it is going on though.
>
>
> Nathaniel Hirsch, CISSP
> Xacta Corporation
> 656 Shrewsbury Ave.
> Shrewsbury, NJ 07702
>
> On 5/8/06, Mohamed Abdel Kader <makster12@hotmail.com> wrote:
> > Hi all,
> > I was wondering if anyone out there did the CISSP-ISSMP concentration.
>
> > I want to know the value added in the areas listed below, in an out of
>
> > 10 scale for example:
> >
> > Total ROI
> > Career Advancement
> > Industry Demand
> > Raise Potential
> >
> > Suitable for what job/position (not an out of 10 answer of course
> > :))
> >
> > I also want to know the material to study from.
> >
> > Thanks a million.
> > MAK
> >
> > ----------------------------------------------------------------------
> > --------
> > This List Sponsored by: Cenzic
> >
> > Concerned about Web Application Security?
> > Why not go with the #1 solution - Cenzic, the only one to win the
> > Analyst's Choice Award from eWeek. As attacks through web applications
>
> > continue to rise, you need to proactively protect your applications
> > from hackers. Cenzic has the most comprehensive solutions to meet your
>
> > application security penetration testing and vulnerability management
> > needs. You have an option to go with a managed service (Cenzic
> > ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download
> > FREE whitepaper on how a managed service can help you:
> > http://www.cenzic.com/news_events/wpappsec.php
> > And, now for a limited time we can do a FREE audit for you to confirm
> your
> > results from other product. Contact us at request@cenzic.com for
> details.
> >
> ------------------------------------------------------------------------
> ------
> >
> >
>
> ------------------------------------------------------------------------
> ------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the
> Analyst's
> Choice Award from eWeek. As attacks through web applications continue to
> rise,
> you need to proactively protect your applications from hackers. Cenzic
> has the
> most comprehensive solutions to meet your application security
> penetration
> testing and vulnerability management needs. You have an option to go
> with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service
> can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm
> your
> results from other product. Contact us at request@cenzic.com for
> details.
> ------------------------------------------------------------------------
> ------
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:55 EDT