2003-05-07
Final grumblings from SecurityFocus columnist Jon Lasser, as he bids farewell to the computer security world and moves to Colorado.
Security's Failed Past and Risky Future
2003-05-07
Anonymous (2 replies)
Security's Failed Past and Risky Future
2003-05-08
Anonymous (2 replies)

Good technical certifications such as the ones I mentioned will not only enable you to work effectively with the manufacturer's product, but will reduce your learning curve if you have to deal with competing products and give you a solid insight as to what larger issues these products are designed to resolve. Example: If you are using routing protocols internally, you would want to configure your perimeter routers as passive interfaces so as not to broadcast your internal routes whether you are using Cisco, Nortel or Juniper routers. If you were certified on Cisco, you have the training to look for the right features so that you can configure your employer's Nortel or Juniper's equipment the right way.
I am a technical guy. The last thing I want and need to hear when my network is under attack is to hear useless b.s. from my management when the bullets are flying all over the place. I don't need a CISSP to know how to set up security policies - in fact, there are prototypes of these policies lying all over the Internet that are just begging to be customized for your network's circumstances.
I can stand nontechnical people as my management as long as they are people with integrity - and I have met a few that did not have integrity. Tell me again what a nontechnical person with a CISSP can do for me when my network is under attack, and he does not have the technical training either to ask the right questions as to what is happening or to develop and understand the right answers as to how to counterattack. I have been promoted several times from staff into line management. As a line manager, I provided my staff with technical and moral support. Not useless second guessing.
I will say this for the benefit of those of us who are still caught up in this Microsoft/Linux catfight: when your employer's systems are under attack, the only thing that matters is whether you have a good enough understanding of the OSes you support to ask the right diagnostic questions so that you can take the right corrective actions. Everything else is bull until the danger passes.
I am sure that many CISSPs are solid technical people who can be counted on to react effectively when they are shot at. But that's because of the knowledge they accumulated prior to taking the CISSP exam, and which the exam does not test for. I repeat my assertion that the CISSP certification itself is worthless because it does not guarantee in any way that its holders have an incident response capability.
Link to this comment: http://www.securityfocus.com/comments/columns/159/19996#19996