One of the issues I see with certifications nowadays is that, in this
industry, once upon a millenium ago it was honor to have a cert in
something whereas nowadays you can have any Joe Shmoe memorize a book and
get a cert. For that matter sell them in bubble gum machines and call it a
day.
Many of the "certs" nowadays seemed to have slowly tailored their prereqs
towards industry crybabies (Cisco, MS, Oracle, Symantec). Far too many in
my opinion have lost site of the fundamentals and have started focusing
far too deeply on "Who will be my gold/platinumn sponsor".
This is common of almost all education systems, and is product of humans
rarely wanting to truly understand what's going on. The first learners
to pass cert's and other education systems with flying colours are only
those who truly understand. Later on, the teaching becomes increasingly
sophisticated (with regard to the bell curve, and thus the bottom line
too) at generating passing students. These students don't need
understanding (or at least, they think so) and as such simple habitual
memorisation can be sufficient to pass. As I said, this is common of
most eduction systems as we're all lazy cheats. READ: Culture issue.
So what we need is a universal code of ethics that everyone could agree on
(herding cats by the way can be entertaining). So how ethical was it for
someone to post anon about msdss.dll this morning and how many people did
they put at risk (even if it took someone 6 months to do something, heck
Oracle has taken over 2 years to fix a security issue, very few whine about
them).
Universal codes are meant to be broken, that is just life. Everything
under the sun is made to be broken. What applies in one place might
destabilize something some place else. So who is to set standards?
Governments? So they can custom tailor things to their own will? Like
ECHELON used to snoop and steal contracts?
The standards will always be hard to set, this environment is too
dynamic. There is no substitute for experience as always, and the truest
test is putting someone on the spot and get them to solve a problem
which they have never seen before.
We need to do that more often, and stop slamming on each other, and start
setting real standards that can be directly applied, much like doctors,
lawyers, nurses. We have the same ability to ruin other people's lives as
any doctor, lawyer or nurse. We need accountablity against those standards,
much like any other profession.
Problem with this is, is again, who should you trust? Vendors should be
held accountable for not patching their shoddy programs up properly. Look
at the now-becoming-boring case of Lynn and Cisco. Lynn was punished. Know
what? If Cisco had this information for years now, didn't do squat, how
come no one is investigating them and fining them for every day their
holes aren't patched.
With regard to certifications for individuals, we understand the
problems there. With regard to getting vendors to act the way the
industry wants (READ: train them), they will need some kind of reward.
Set up and non-profit organisation relating to information handling with
regard to infosec and if you like other business factors. Certifications
can be granted to businesses, and an organisation of this manner will
gain weight in the industry if it is built properly and is allowed to grow.
so what are "we" going to do about it?
find some people who will be listened to to start the above.
Roll over and cry you spilled your milk.
Far too many companies are more concerned with appeasing their investors
to bother dealing with real issues. Microsoft walks all over governments
with their practices, Cisco just joined the "Buy a politician" club
obviously, so who do you look to. Obviously mentioning the government (any
government) is likely to throw another gov into a panic so in reality
there is little to be done. Invest in one of these seedy security
companies, make some cash off of others' misery. That's what you can do
about it.
The right people.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/