Time for a new certification
Don Parker, 2007-05-01

I wrote a column for Securityfocus some time ago that aired my concerns over GIAC dropping the practical portion of their certification process. That column resulted in a lot of feedback, with most agreeing about how GIAC bungled what was, up till then, the best certification around.

Time for a new certification 2007-05-01
Steven Adair
Well I think there's a few other things to take into account about postings to the pen-test list. First, you get what you pay for. Chances are the company isn't shelling out that much and you probably get the experience to go along with the price. Second, unless they are naming the client, I don'...

Time for a new certification 2007-05-01
Wim Remes (2 replies)
I understand where you are going but I am appalled that a supposed leader would call for the direct unemployment of thousands of people working in a specific industry. If they are performing jobs they are not qualified for, it usually is because their superiors lack the skills to identify the quali...

Re: Time for a new certification 2007-05-09
Anonymous
I'm appalled that you are appalled that someone had the nerve to speak up and state what most of us feel. If a new standard comes out that causes the unemployment of dead weight, why would that bother you? Dead weight is dead weight, and slackers are slackers. That Mr. Parker finally called out t...

Re: Time for a new certification 2007-05-20
Anonymous
Leader? Nobody considers this guy to be a leader. He doesn't even have CISSP wings yet....

Time for a new certification 2007-05-02
Omar Herrera
Let us not just go beyond memory issues with exams. Understanding concepts is better but probably not good enough these days; we need people who are able to get the whole picture.

Hopefully, the following examples will make my point clear:

1) You have an infosec professional that understands w...

Time for a new certification 2007-05-02
Anonymous
This point may have been addressed in the past, but I wanted to reiterate it in case someone may have missed it. The GIAC written practical requirement was not favorable to non-English speaking network security specialists. Thus, the GIAC cert really could not be considered a global cert, as it was prejudicial ...

Time for a new certification 2007-05-02
Fatman
Such a practical course/certification exists already as part of the CHECK accreditation of organisations to run Government standard pen tests here in the UK against Govt or CPNI targets for customers. The course is called the 'CHECK Service Assault Course' or CSAC.

At least one member of a CHECK ...

Time for a new certification 2007-05-02
Anonymous
Wow, this article was refreshing. I've been saying this for a long time myself, and using the pen-test list as a specific example. Kudos to Don for getting this out into the open.

It is the under-educated "security professional" who spreads the fear. These are the people who never even considere...

Time for a new certification 2007-05-02
Anonymous
A certification is just a piece of paper that says you can study for and pass a test, or write a paper. The old or new version of GIAC certifications did not guarantee a person could do a pen-test. There is also no indication on the pen-test page that the people posting are GIAC Silver and would hav...

Blocking port 53 TCP 2007-05-02
Richard Bejtlich (1 replies)
Don,

You said "It is only by understanding the theory that you truly understand something. An example of this is why it is good to deny inbound TCP Port 53 on your firewall. Regurgitating something that you heard on a course or in an IRC chat room isn't good enough. You would only know why the ab...

Re: Blocking port 53 TCP 2007-05-02
Don Parker (1 replies)
Hi Richard,

I don't disagree with you, however, quite a few clients don't care about that consequence. They still prefer to block TCP port 53 anyways, even after what you just said is explained to them.

Cheers,

Don...

Re: Re: Blocking port 53 TCP 2007-05-03
Anonymous (2 replies)
Does that make it a right answer? Or an appropriate example?...

Re: Re: Re: Blocking port 53 TCP 2007-05-03
Don Parker
Blocking inbound TCP 53 is one of those debatable issues with pros and cons on both sides, it would seem. On that note, it is one debate I don't wish to expend a lot of air on. Thanks for your comment....

Re: Re: Re: Blocking port 53 TCP 2007-05-04
Anonymous (2 replies)
No it doesn't. ...

Re: Re: Re: Re: Blocking port 53 TCP 2007-05-20
Anonymous
I agree. Blocking that port doesn't get you anything. It was a bad example....

Re: Re: Re: Re: Blocking port 53 TCP 2007-05-22
Raman (1 replies)
Correct me if I'm wrong, but isn't it that DNS TCP port 53 is used for zone transfers and name queries are handled on DNS UDP port 53...

Blocking port 53 TCP vs CISSP 2007-05-24
G Bickers
Raman - DNS payloads > 512 bytes and zone xfers both get sent via TCP 53.
More importantly, the CISSP has become devalued. Too bad NIST doesn't provide certification in the principles they have published. They get it right. ...

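The mechanism behind the point above (a UDP answer that does not fit in the classic 512-byte limit comes back with the TC bit set and the resolver retries the same query over TCP/53, which is the traffic a blanket "deny inbound TCP 53" rule silently breaks), shown as an added example that is not part of the original thread. The DNS header layout is RFC 1035; the sample messages are constructed, not captured traffic.

```python
import struct

DNS_UDP_MAX = 512  # RFC 1035 UDP payload limit without EDNS0

def parse_dns_header(msg: bytes) -> dict:
    """Parse the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "tc": (flags >> 9) & 1,         # truncation: answer did not fit in UDP
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_response: bytes) -> bool:
    """True when a resolver must re-ask over TCP/53: a response with TC set.
    A query with TC set is nonsense and is ignored, hence the qr check."""
    hdr = parse_dns_header(udp_response)
    return hdr["qr"] == 1 and hdr["tc"] == 1

def exceeds_udp_limit(response_len: int) -> bool:
    """Would a full answer of this size have to be truncated on plain UDP?"""
    return response_len > DNS_UDP_MAX

def build_header(ident: int, response: int, truncated: int,
                 qdcount: int = 1, ancount: int = 0) -> bytes:
    """Build a header with just the flags this example cares about."""
    flags = (response << 15) | (truncated << 9)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)

# Constructed sample headers (not real traffic):
SMALL_RESPONSE = build_header(0x1234, response=1, truncated=0, ancount=1)
TRUNCATED_RESPONSE = build_header(0x1234, response=1, truncated=1, ancount=0)
BOGUS_TC_QUERY = build_header(0x1234, response=0, truncated=1)

if __name__ == "__main__":
    for name, msg in [("small", SMALL_RESPONSE),
                      ("truncated", TRUNCATED_RESPONSE),
                      ("bogus query", BOGUS_TC_QUERY)]:
        print(name, parse_dns_header(msg), "retry over TCP:", needs_tcp_retry(msg))
```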
Time for a new certification 2007-05-02
Ron Black
Mr. Parker, since when did any knowledgeable manager hire senior personnel based strictly on the basis of certifications on a resume? Entry level personnel are exactly that. Certifications can help establish that an individual has certain baseline knowledge but only job performance becomes a true mea...

Time for a new certification 2007-05-02
Anonymous (1 replies)
The type of certification program you speak of already exists today. There are a number of universities out there that offer certificate programs in network security, security management, etc. These programs typically include writing assignments, lab work with real world security solutions, projec...

Re: Time for a new certification 2007-05-07
Anonymous
This methodology exists; it's called a technical interview. Assuming the business has someone who already holds proven knowledge in the field (or related fields, like networking), have him/her/them interview the candidate, to ensure that they are qualified. Ways to accomplish this involve question...

Time for a new certification 2007-05-02
Rob Shein (1 replies)
While I agree that a practical test is the best way to ascertain someone's prowess for purposes of certification, this doesn't exactly scale. The cost of developing such a test, keeping it updated, and administering it is staggering. To make things even worse, could you imagine what would happen i...

Re: Time for a new certification 2007-05-02
Don Parker (1 replies)
I believe you are overstating your case. It is most certainly doable, and scalable. You quote the DoD directive... so are you saying that everything will grind to a halt once it comes out? Of course not. Much like when SOX was implemented, everyone hated it, but people adapted and moved on with busi...

Re: Re: Time for a new certification 2007-05-06
Rob Shein
Your counter totally fails to address the challenges of a practical cert, save to say "No, that's not true," which is hardly an argument. And the directive would not grind to a halt; instead, it never would have come to be, since it would be infeasible. It would be akin to requiring that every net...

Time for a new certification 2007-05-03
Anonymous (2 replies)
It's funny that you chose the pen test list as an example, when there was a nice discussion on the Security Basics (http://www.securityfocus.com/archive/105/467211/30/90/threaded) list about this. I think this list is a way better example of what is wrong with certs, as people are constantly posting...

Re: Time for a new certification 2007-05-06
Don Parker
I can understand your frustration with the certification predicament. It is indeed a process which is broken, and now seems to simply be a money machine for those who offer them. That said, certs are not going to be going away any time soon. So I proposed a new cert that would level the playing fiel...

Re: Time for a new certification 2007-05-08
Anonymous
Awesome post. The CCE (Certified Computer Examiner) has a rigorous practical. I'd say that is a _true_ practical exam, where writing a paper is still academic....

Bring it on! 2007-05-03
ichinin (2 replies)
Like you said, doing a certification proves little beyond your memorization skills.

The idea of certifications sounds good, but they do little to help: If an idiot obtains a certificate, he will still be an idiot - but with a certificate.

My experience is that corporations rather hire people w...

Re: Bring it on! 2007-05-06
Anonymous (1 replies)
Again, who are you (we) to call others incompetent? You are probably the same guy that calls them N00bs, lusers and curses at every stupid mistake they make. I still believe that when I focus on quality in everything I deliver, I can stand out. I don't judge, I work on myself....

Re: Re: Bring it on! 2007-05-15
Anonymous
I am not that person.

A professional is not a beginner. A professional should know what they are talking about because it is their JOB to know. Myself, I never call myself an expert in something I don't know about.

I don't point out *beginners'* mistakes, I point out mistakes made by professional...

Re: Bring it on! 2007-05-07
Anonymous
There are plenty of incompetent people with certifications.

Certifications are good for those who sell them and convince us they are needed. They make plenty of money from the process.

Additionally, while I have certifications, I did it because it was required by my employer and meant mor...

Time for a new certification - the CISSP 2007-05-05
Anonymous
de facto industry standard...

Time for a new certification 2007-05-08
Anonymous
Some people don't have time/equipment/confidence to do things themselves and maybe aren't capable of finding a good mentor. Certifications can provide a path and a goal for new InfoSec personnel to follow....

Time for a new certification 2007-05-09
Anonymous
I agree that today's certifications are inadequate to test the whole picture.

I consider myself a security professional. I understand the concepts, limitations, and proper uses of technical controls (IDS, vuln scans, etc) and have coded signatures, NASL scripts, data analysis scripts, and repo...

Time for a new certification 2007-05-10
Anonymous
Doesn't GIAC already have a "pen-test" focused certification? I thought that is what their GHTQ certification was for, why do they need another one?

While I agree with many of your points regarding the practical exam, I do not believe another cert is the answer. Look at job postings and I think y...

Time for a new certification 2007-05-10
Allen
I agree with Don 100%. A test of this kind is a must in order to keep a certification's value, and I hope that such a one is being developed. This is not such a big problem, so I do not see why the many certification authorities are not implementing this basic method as Don describes. I could really h...

Time for a new certification 2007-05-11
Anonymous
Back in 1999, I considered the GIAC and didn't try for it. Why? I looked at the papers being submitted, and I never saw anything so amateurish in all my days. One paper had as its subject if an individual 'x' was a black hat or a white hat. Papers don't make a professional qualified, and neither...

The CEPT & CPTE 2007-05-16
Anonymous
There are (2) pen-testing certs that come to mind that have a practical portion at the "expert level". The CEPT & the CPTE.

The CEPT from Infosec Institute recently added a practical portion to their Certified Expert Pen-Testing certification that requires you to find two vulnerabilities (one Wi...

Practical Exams? Check out OSSA & OSWA 2007-05-17
Anonymous
Interesting article!
After reading through it and looking for IT-security certifications with practical exams, I found these two online:
http://ossa.securitystartshere.org
http://oswa.securitystartshere.org

Pity they are not offered in the U.S. though...

Time for a new certification - It is already existing from Orchidseven! 2007-05-19
Anonymous
Well, have you ever checked out certifications from a lesser but well respected company - Orchidseven? It has been around for a few years now, and the standards are EXACTLY based on what you have written... They had this "silver" and "gold" exam concept from long back. Here check this (Gold - LAB ex...

Time for a new certification 2007-05-20
CISSP guy (1 replies)
If you want a good cert, get a CISSP or NSA cert. GIAC is and has always been weak. Almost nobody outside a few infosec folk know or care about this cert. Even CEH is a better cert than the GIAC mumbo jumbo they have. How many on their site? Like 50 different GIAC GSEC GCIH GCWhatever. Too ...

Re: Time for a new certification 2007-05-25
DeMartian
While in reality, HR sees CISSP certs as the favorable certification because most HR departments scan based on non-IT information, the CISSP certification is really EASY!

Easy I say because I work more than 60 hours a week, have a family and don't have much time to study anything. The CISSP was ...

Time for a new certification 2007-05-24
CISA, CISSP, GSEC, CEH, MCSE, CCNA, CCSA, SEC+ Guy
"The certification itself would then be scenario based in a computer lab. It would encompass a simulated network security incident that would then test the person across various bodies of knowledge."

Would be good only for someone performing forensics and incident response, but totally useless for...

Copyright 2009, SecurityFocus