RES: [Full-disclosure] CISSP Test
security at lan-slam.com
Sat Mar 26 06:26:36 GMT 2005
I wholeheartedly agree that there needs to be an industry benchmark,
something that says you cannot operate in this field unless you have passed
x. I'm thinking along the lines of something similar to the Bar exam that
lawyers have to take, or perhaps a license like what doctors are required to
obtain before being able to practice. I fear its going to take something of
that level to truly separate the chaff from the wheat. Anything less and you
only end up with braindumps and bootcampers throwing resume after resume at
The added bonus of having an industry benchmark that bars entry into the
field tracks to something a mentor once told me: people that belong to
unions drive Chevys and Fords. Those that belong to associations drive BMWs
----- Original Message -----
From: "Vladamir" <wireless.insecurity at gmail.com>
To: "Jose Ribeiro Junior" <ribeiro at microcity.com.br>
Sent: Wednesday, March 23, 2005 1:52 PM
Subject: Re: RES: [Full-disclosure] CISSP Test
> CCIE is where it's at.
> I love writing practice tests, but I'm only 20, so what do I know
> Jose Ribeiro Junior wrote:
> > Hi Friends,
> > What you think about CCIE certification model, practice and write tests
> > I think that is a good model to Security Certifications.
> > But, can you create a practice tests not using especific vendors ?
> > -----Mensagem original-----
> > De: full-disclosure-bounces at lists.grok.org.uk
> > [mailto:full-disclosure-bounces at lists.grok.org.uk]Em nome de Vladamir
> > Enviada em: quarta-feira, 23 de março de 2005 14:23
> > Para: DAN MORRILL
> > Cc: full-disclosure at lists.grok.org.uk
> > Assunto: Re: [Full-disclosure] CISSP Test
> > Very good points, so.. who wants to start writing to the mentioned
> > organizations about this?
> > DAN MORRILL wrote:
> >>I think in reading the multiple threads on this issue, there there are a
> >>number of perspectives on the value of the CISSP.
> >>What was most interesting was the CEO's perspective. Since the CISSP is
> >>a boot camp, and the SANS is bootcampable in the longer run with the
> >>removal of the practicle. The real question is working towards a
> >>certificate that demonstrates ability to work in the security arena, one
> >>that is really hard to get, and one that really tests the ability to do
> >>the work.
> >>While CISSP and SANS are great to have as a resume filter, it does not
> >>imply that anyone with either certificate to their name can actually do
> >>the work. What I am seeing is that many people are going for these, and
> >>have them, but had them a result from an IDS system, or ask them to do a
> >>security design for either a network or a chunk of code, the ability to
> >>actually perform the task is not there, even though they have the
> >>Personally, I believe the community needs something, certificate,
> >>degree, internship, what ever, that actually means you can perform
> >>competently in the security arena. That there is a skill set there that
> >>the entire community agree's upon is the minimum recommended skill set
> >>to work in this field. If we had something like that, then any school
> >>that is pumping out Bachelors of Information Security folks would have a
> >>standard. Anyone building a bootcamp or certificate program would have
> >>an agreed upon community standard to work with.
> >>ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with
> >>the community, develop the minimum qualifications to work in the field,
> >>and actually accomplish something once they have been certified or
> >>degreed. NSA has been hugely successful in developing security schools
> >>through James Madison, Boise, et al. But they have to agree to and teach
> >>to the minimum standard that NSA has put together to meet the needs that
> >>NSA has identified.
> >>I think until we as a community agree upon a minimum standard, apply it
> >>consistantly across the board much like doctors, lawyers, social
> >>workers, and other degreed or licensed professionals, we will continue
> >>to have this debate until the house burns down. As security
> >>professionals, as security folks, we have the same ability to either do
> >>good, or do harm as any other profession does. We need to understand
> >>this, and begin working towards skill sets either certificate or degree
> >>that actually mean something useful at the end of the day.
> >>My thoughts, flames invited.
> >>Sometimes MSN E-mail will indicate that the mesasge failed to be
> >>delivered. Please resend when you get those, it does not mean that the
> >>mail box is bad, merely that MSN mail is over worked at the time.
> >>>From: "Clement Dupuis" <cdupuis at cccure.org>
> >>>To: <robert at dyadsecurity.com>,"'Vladamir'"
> >>><wireless.insecurity at gmail.com>
> >>>CC: full-disclosure at lists.grok.org.uk
> >>>Subject: RE: [Full-disclosure] CISSP Test
> >>>Date: Wed, 23 Mar 2005 06:45:47 -0500
> >>>Robert E. Lee wrote:
> >>>"SANS programs have little to do with security. I'm glad they changed
> >>>policy. They seem more honest now."
> >>>Good day Robert,
> >>>Honesty is a very neat goal to achieve, however it has many facets.
> >>>I lately learned (under all reserve, please correct me if you know
> >>>otherwise) that SANS no longer has any NON PROFIT portion left. They
> >>>to be registered as a non-profit entity in the state of Maryland but it
> >>>seems that it was dissolved. Technically we could say there is no SANS
> >>>Institute left anymore as we knew it on the non profit side. After
> >>>dissolve SANS they created a FOR PROFIT corporation called ESCAL which
> >>>registered the names used in the non-profit as trademarks for their
> >>>new for
> >>>profit organization. Even thou you see the name GIAC and SANS being
> >>>everywhere, they are all trademark (not organizations) of the new
> >>>owned company.
> >>>Principals at SANS have NEVER claimed to be non-profit, it is a myth
> >>>that we
> >>>the people that have been dealing with SANS for a long time (since the
> >>>they were non profit) have been propagating. We have been keeping
> >>>this myth
> >>>alive simply because we did not know any better and we did not know
> >>>that the
> >>>non-profit was dissolved. It was done without any noise or public
> >>>announcement to the people that were already certified.
> >>>So they NEVER lied but they never went to any length to inform people
> >>>of the
> >>>real and current status of their corporation activity. Most people
> >>>that GIAC is non profit which is not the case anymore and this better
> >>>explains the decision of dropping the practical requirement: it does
> >>>generate money and it is not a good business decision to keep something
> >>>alive that will become a drain on the bottom line. Which is a bit
> >>>to the reason given of improving the overall state of the security
> >>>Take care
> >>>Full-Disclosure - We believe in it.
> >>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>Hosted and sponsored by Secunia - http://secunia.com/
> >>Express yourself instantly with MSN Messenger! Download today - it's
> >>FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> > Esta mensagem pode conter informacao confidencial e /ou privilegiada. Se
voce nao for o destinatario ou a pessoa autorizada a receber a mensagem, nao
pode usar, copiar ou divulgar as informacoes nela contidas ou tomar qualquer
acao baseada nessas informacoes. Se voce recebeu esta mensagem por engano
favor avise imediatamente ao remetente respondendo o e-mail e em seguida
apague-o. Agradecemos sua cooperacao
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Full-Disclosure is hosted and sponsored by Secunia.