2007-05-01
I wrote a column for SecurityFocus some time ago that aired my concerns over GIAC dropping the practical portion of their certification process. That column resulted in a lot of feedback, with most agreeing about how GIAC bungled what was, up till then, the best certification around.
Blocking port 53 TCP (2007-05-02, Richard Bejtlich, 1 reply)
Re: Blocking port 53 TCP (2007-05-02, Don Parker, 1 reply)
Re: Re: Blocking port 53 TCP (2007-05-03, Anonymous, 2 replies)
Re: Re: Re: Blocking port 53 TCP (2007-05-04, Anonymous, 2 replies)
Time for a new certification (2007-05-02, Rob Shein, 1 reply)

Hopefully, the following examples will make my point clear:
1) You have an infosec professional who understands what a DoS attack is. She/he knows that resource exhaustion brings systems to a halt. But then you ask this infosec professional how resistant your network is to a certain network flooding attack, and she/he has no clue, probably because she/he does not even know how to measure network throughput, not to mention understanding the impact of the several filtering devices and QoS boxes within it, as well as the number of connections supported by the application within each server, considering load balancing and such.
2) You have an infosec professional who knows that a 16-character, alphanumeric + symbols password is more secure than an 8-character, letters-only password. Fine, but when you ask, "My clients just can't memorize the 16-character password, we have to go for less, so what is enough for my environment if I have passwords stored as MD5 hashes without salt?", they just can't do the math using an average processor speed to estimate brute-force cracking time, let alone get statistics on dictionary attacks and estimate from there. There are other countermeasures and alternatives to password length, and they know them (e.g. login retry delays, frequency of forced password change), but they just can't work with them in a real situation and come up with a reasonable/feasible alternative.
Thus, in my opinion, making sure that people understand the concepts, while much better than just letting them memorize stuff, is simply not enough. In fact, the background knowledge necessary to understand and assess a real-world situation is probably equally important, and I think that is what is needed most right now.
So the practical aspect is essential for a certification, but we shouldn't restrict it to closed labs (where everything usually happens as planned). Something similar to internships might work better, but it would also mean that we would need to change the current practice of apply-answer_exam-certify-pay_annual_fees_and_report_credits_as_needed, applied by many professionals with most certifications. Instead, we should get seriously involved to really make it grow, so that those more experienced can help the new ones grow.
Just some thoughts.
Link to this comment: http://www.securityfocus.com/comments/columns/443/34502#34502
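The arithmetic that the second example above asks for, worked through as an added example (not part of this comment thread and not SecurityFocus code): given an assumed guess rate, it computes the keyspace, the equivalent entropy in bits, and the exhaustive and expected search time for a password policy, and it shows what storing hashes without a per-user salt changes when many hashes are attacked together. The rate in ASSUMED_GUESSES_PER_SECOND is a constructed figure for illustration, not a measurement of any hardware, and the function names (keyspace, entropy_bits, seconds_to_exhaust, policy_report) are this example's own.

```python
"""Back-of-the-envelope brute-force estimates for password policies.

Added example: all rates here are constructed assumptions.  Replace
ASSUMED_GUESSES_PER_SECOND with a figure measured on your own hardware
before using the output in a real assessment.
"""
import math

# Hypothetical attacker throughput against a fast unsalted hash (e.g. MD5).
# Illustration only; measure your own environment for real numbers.
ASSUMED_GUESSES_PER_SECOND = 1e9

LOWER_ONLY = 26            # a-z
PRINTABLE_ASCII = 95       # the usual "alphanumeric + symbols" pool

_UNITS = (
    ("years", 365 * 24 * 3600),
    ("days", 86400),
    ("hours", 3600),
    ("minutes", 60),
    ("seconds", 1),
)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent key length in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, rate: float,
                       stored_hashes: int = 1, salted: bool = True) -> float:
    """Worst-case time to test every candidate against every stored hash.

    With a per-user salt each guess has to be hashed once per account, so
    the work grows linearly with the number of hashes.  Without a salt a
    single hash computation can be compared against every stored digest,
    so the attacker pays the keyspace cost only once for the whole store.
    """
    hashes_per_guess = stored_hashes if salted else 1
    return space * hashes_per_guess / rate


def expected_seconds(space: int, rate: float,
                     stored_hashes: int = 1, salted: bool = True) -> float:
    """Average time to hit a uniformly chosen password: half the exhaustive cost."""
    return seconds_to_exhaust(space, rate, stored_hashes, salted) / 2


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def policy_report(alphabet_size: int, length: int,
                  rate: float = ASSUMED_GUESSES_PER_SECOND,
                  stored_hashes: int = 1, salted: bool = True) -> dict:
    """Summarise one password policy under the given attacker model."""
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "bits": round(entropy_bits(alphabet_size, length), 1),
        "exhaustive": human_duration(seconds_to_exhaust(space, rate, stored_hashes, salted)),
        "expected": human_duration(expected_seconds(space, rate, stored_hashes, salted)),
    }


if __name__ == "__main__":
    # Constructed scenario: 10,000 accounts, attacker has the whole hash table.
    cases = [
        ("8 chars, letters only", LOWER_ONLY, 8),
        ("10 chars, full printable", PRINTABLE_ASCII, 10),
        ("16 chars, full printable", PRINTABLE_ASCII, 16),
    ]
    for label, alphabet, length in cases:
        for salted in (False, True):
            report = policy_report(alphabet, length, stored_hashes=10_000, salted=salted)
            print(f"{label:26} salted={salted!s:5} bits={report['bits']:5} "
                  f"exhaustive={report['exhaustive']:>20} expected={report['expected']:>20}")
```

The salted/unsalted comparison is the part the comment's question turns on: for a single target account a salt does not lengthen the search, but across a leaked table of N hashes it multiplies the attacker's work by N, which is why the same password length gives very different answers depending on how the hashes are stored.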