The Value of a (Ethical Hacker) Certification
June 25, 2008
Ok, I admit it. I have totally slacked off on getting that CEH certification. I’ve had the boot camp, I’ve amassed lots of great books and resources, I’ve even talked to some people who have passed it, but I still haven’t been consistent about studying. For a while I was pretty consistent. I read the Official Study Guide and started working on an Unofficial one.
Why don’t I have that cert yet? I suppose I just don’t feel I have a reason to have it. It would just be for show because I don’t really do pen testing. ’d like to, but in my job, I don’t usually have the opportunity to do it or reason to do it. I’ve already got the CISSP so I don’t need the CEH for some kind of prestige. Many hackers piss on certifications they are not impressed with them and are willing hurt anyone who flashes the credentials. The CISSP trumps most certification. The only real benefit for me getting it is that it would force me to get more familiar with tools like netcat and Snort which I don’t use enough. I am interested in cyber kung fu. Lately, I have been more drawn to the scientific and mathematical side of technology.. the side where the innovation are born, not just mastered. I’ve been sharpening up my math skills and plan on getting into Computer Science, Electrical Engineering or physics.
I haven’t decided whether I want to take the CEH because I want to do something that has more depth. I suppose I could complete the CEH, go through Computer Science and specialize in security/crypto/info assurance and follow in the foot steps of Bruce Schneier and Steve Gibson. In the beginning, certifications were definitely a step up, but I’m in a place now where they are just ornaments, flashy bobbles I could decorate my name with when I need an ego boost. If my wife and kids are giving me lip I can say, “don’t you know I am a CISSP, A+, B, C, D, E, F, G. You MUST respect my awesome test taking ability!”
I’ve said it before, I think certifications can be of great value. If you work for the Department of Defense in IT you pretty much MUST have one (per DoD 8570). Certifications can give you that extra edge against competing employees in the private sector. Problem arise when the IT certifications value is taken out of context. Like the 8570 which makes it mandatory to have a certain certification regardless of your experience and/or degrees. That is a bit much. Not everyone who passes the CISSP can configure a firewall properly. But perhaps thats the reason the DoD wants system specific certification.
Popularity: 2% [?]
uCertify Software - IT Certifications
December 10, 2007
Warning: Shameless promotion of a kick ass product!!
I recently got a chance to test drive uCertify’s IT certification software. I loaded the CY0-101, Security+ PrepKit. I must say I like the software and I am thinking of getting the MCSA from them (think I only have to take two test to complete it). It features the usual breakdown of how you performed in each of the tests objectives. It also has Flash cards that allow you to type in answers to key points on the test… I don’t recall seeing that feature on other certification software.
The pricing depends on the tests you get. But its in the double digits so its a cool little investment toward a bright future. For those of you who are serious about certifications you know that the software (such as transcender - aka the software that must not be named), boot camps and training material can cost 100’s or even 1000’s of dollars.
I think that software such as uCertify is a good start toward attaining a new cert (although you can never replace a solid year of experience).
As for the CY0-101.. I believe Security+ will be changing their objectives sometime in 2008. Hopefully, uCerty will keep up with that. Comptia sent me a few surveys about the change and a couple of co-workers that are being pushed to get the Security+ told me that they want to get it before it changes.
My honest opinion is that software like uCerts Prepkits are great for gauging your level of preparation. I also recommend that you use more than one gauge (particularly on the bigger tests such as CISSP).
Popularity: 5% [?]
Which Security Certification Should I Get?
August 31, 2007
If you can, get the CISSP, don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add-water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2, CISSP number on it.
The statement above will piss off a lot of security people, but it is the truth.. the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pro’s, don’t hate the blogger, hate the game. I did create the rules, I just hack them.
Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man’”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamos, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘i created defcon and sold it in 2005 for 14mil’ Moss, Bruce ‘i decrypted code as a fetus’ Schneier..
For average bastards like you and me, the CISSP is way to go.
I do agree with DMiessler and Mckeay:
“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge - not for testing whether or not you’d be qualified to actually do anything.” — dm
“..the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay
Though you may see a couple of technical questions on the test, the over all test is pretty high level, unlike the Certified Ethical Hacker or the CCNA that ask specific technical questions about specific technical issues.
So what should you go for on the Security Certification front:
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organization look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it).
A NOTE of caution: If you get it, be real with your self. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. Its just a test. Its not an I.Q. test or the Bar. Its just a test. If you have passed, congradulations… now the real work begins. Good security professionals are ALWAYs learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE“.
You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.
Building to the CISSP:
Beginner: if you’re just starting, you want Comptia’s Security+ certification.
Now, if your just trying to the guy who looks at audit logs all day and report what they see, then your golden. But if you’re serious about security, then you need to play the game, get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+… much better.
Serious Beginner
Get into any kind of Information Security position and earn some “street cred“. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks) you can still use it to your advantage by working your way into security tasks. If your in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is the get into the security mindset and also rack up some experience. A degree will help to with a school that allows you to set up a lab.
Novice Security
After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already I would recommend joining the Information System Security Association (ISSA). You’ll begin to network with other security folks from everything from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as certification credibility goes, but you will need to specialize.
The CISSP
I found the test challenging. You don’t want to take it twice that is for damn sure. Just make sure your ready. You’ll have to have about 5 years total security experience.
Now checks this out:
“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2
Even a Masters degree will only replace a maximum of 1 year of experience (sounds like *NS to me):
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.
*NS-non sense
Popularity: 5% [?]
Security Certifications: DoD 8570
September 26, 2006
For Government workers doing any kind of computer security/information assurance, the new regulation, DOD 8570 is a very important document.
DOD 8570, Information Assurance Training, Certification and Workforce Management, requires that all government workers (active duty, govt civilian and contractors) doing security work have a security certification. The DoD is really trying to crack down on security.
Among the top security certification that you can get are the CISSP and the CISA
Getting the top certs and then further specializing could give you the edge. For example, CISSP with an CISA (auditor) would cover a lot of ground as would a CISA and an IDS/C&A/Architecture specialists. It would really kick ass to cover ALL ground. This would not be difficult. Not sure if each specialization would require further certifications.
Cost, Renown, Difficulty Comparisons:http://dmiessler.com/writing/infoseccerts/
Includes: GSEC, CISSP, CISA*note: GSEC is $800 and difficult
Security Certs and their levels according to 8570:http://taosecurity.blogspot.com/2006/01/dod-directive-8570.html
Tech level I-III & Management Level I-III*note: GSEC is Tech level II
Future Areas of IA Certification:
Certification and Accreditation
IDS and Analysts
Auditors
CND/SP members
IA architectures, engineers
(slide 10)On a recent FISC slide I saw Red team (pentesting/hacking) among these future specializations.
Popularity: 5% [?]
Security+ Instructor: Communications Security domain
September 9, 2006
Today, I did my first certification lecture.
As I think about how many common public speaking mistakes I made out of nervousness, it makes me laugh. I repeated things like “um”, “and what not”, “that kind of stuff”. I studdered and stammered.
I did my best so I still feel good about what I did. It is actually volunteer work for the local ISSA chapter as well as a way to get “CPEs” or Continued Professional Education points toward my CISSP certification (have to get 120 in the course of 3 years).
It was actually a really good refresher course for me. I love helping people so it was a pleasure to put out some helpful material to fellow Information Security professionals, but I need to get better at public speaking.
Our local Information System Security Association Chapter here in the Springs puts on certification classes a few times a year for Comptia Security+ and the CISSP. I hope that they eventually drum up enough interest for certified ethical hacker course.
Popularity: 2% [?]
Training on Security+
September 25, 2005
I will be doing training on the Security+ for the ISSA-COS. I'm
traing the Communcation Security portion of the test. This is one
of my favorite sections.
I told the ISSA guys I'd do it as long as I didn't have to train on Crypto which is one of my weaker subjects.
I'm excited about the training because I feel like I will really be
able to help people ace this test. Most security professionals
who have been IT for more than a couple of years won't have a problem
studying for it and passing it.
It really is just basic technical information security
stuff. There is also a lot of support on the Internet for
this test: practice tests, guidance on what to study, and
encouragement.
Don't sweat this test. Especially if you've studied.
Popularity: 3% [?]
Taking the CISSP: part 1
August 25, 2005
I took the CISSP. I really don’t know what to say about it aside from acknowledging that it was extremily difficult. Andrew Briney’s article is the most accurate description of the CISSP test. Briney says, “It’s a mystery wrapped in riddle inside an enigma.”
His other very true point:
“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”
For me the hardest part were the answers. I feel like I’ve mastered the art of studying for a test. The fact that there is so much knowledge crammed in a 250 question test makes my study techniques watered down. Its very difficult to cover all 10 domains effectively.
I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass. If I don’t study, I fail. I’ve learned to live with this. I know my weakness. I just second guess myself too much on every answer. I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray. For me that is where the difficulty lies. The CISSP wants you to choose the “best” answer. So while many or even ALL of the answers might be true, there is only one BEST answer. But my best might not be your best.
I’ve taken many certifications. They have become almost a hobby of mine. In June, I took the Security+ hoping it would help prepare me for the CISSP. First of all let me just say comparing the the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School. There is NO freakin’ comparison… NONE, do you hear me! The preparation that I put into the Security+ is what help me in my CISSP success. That being said, there were about 6 very similar questions from the Security+ that were on the CISSP but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.
As I said, I’ve taken many certs. And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled then some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry. With the possible exception of the CISA, the CISSP is the most exaulted security cert you can get right now. Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills. While there maybe truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee. Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.
NO certification I have taken comes within an Astronomical Unit of the CISSP. Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.
Having taken the test I don’t feel I was fully prepared even though I have legitamate experience in nearly all aspects of security, I read a book and studied on and off for a year before taking the test. I tell you, this test beat the shit out of me. They give you 6 hours to complete the test and I finished in 5 1/2 hours. When I was done, I was sure I’d failed. I started trying to think of ways I’d pay the company back since they would not pay for a failed certification. I also started studying for the repeat. I was pleasantly surprised when I got the ”congradulations” email.
Adequate study for me would have consisted of reading no less that two “600 page” books and going to a boot camp.
This is the best online CISSP resource I have found: www.cccure.org.
Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.
Popularity: 6% [?]
Is The Security+ Still Worth It?
July 21, 2005
How relevant is it? Just do as Michelle Rowton did and do a search for it on Monster or Dice.. compare those results to other certs that employers are looking for.
I was taking the Security+ to prepare for the CISSP. As I've been studying for the CISSP the Security+ seems to have been a drop in the ocean. While I was able to draw on my years of experience to pass the Security+ (and not study as much) the CISSP is spread so thin over so MANY domains that it requires much more dedication.
Comment from DIGG:
In my opinion the Security+ certification is over-rated and is no more than another logo and a cert on the wall. Several people probably take the test as a stepping stone to the CISSP, or they take it for the simple fact that it?s a cheap certification that they never have to renew.
Popularity: 3% [?]
Security+ vs. CISSP Part 1
July 18, 2005
I took the Security+ certification test. I didn't read any books but I did read a lot of test questions, went to a seminar sponsored by my local ISSA chapter and I've got a few years experience in all the Security+ domains. After studying hard for a few weeks, I don't think that the test was that hard. If I had not been prepared then I can see how it might have been difficult as there are some pretty specific questions on things I did four years ago.
The Security+ is NOTHING compared to the CISSP. I've yet to take the actual CISSP cert test, but as I've been studying it is VERY clear that these tests are from different planets. It is like comparing the Comptia N+ to cisco's CCNP or CCIE… o.k. maybe not CCIE, but CCNP for sure.
I've been studying to take the CISSP on and off for about a year due to a fairly full plate. I plan on taking the test in the next few months so I've started reading up on some practice questions. My orginal plan was to get a Security+ cert so that I could prepare for the CISSP. As I've been reading the practice questions on CISSP I'm finding that the Security+ is simply not robust enough to even come close to helping me study for the CISSP.
Once I take the actual CISSP I'll be able to make a better assessment, though.
One of the most helpful items I found on was a Security+ cheat sheet. It is a very concentrated view of all five security+ domains and makes for a great study reference.
Popularity: 4% [?]
Domain 1.0 General Security Concepts (Security+)
June 29, 2005
1.1 Recognize and be able to differentiate and explain the following access control models
o MAC (Mandatory Access Control)
· Access controls based on security labels (Sensitivity labels) associated with each data item
· Lattice = MAC model
· Uses levels of security to classify users and data is a characteristic of MAC
o DAC (Discretionary Access Control)
· Access controls that are created and administered by the data owner are considered.
· Each object has an owner, which has full control over the object
· Inherent flaw in DAC is that it relies only on the identity of the user or process, leaving room for a Trojan horse
o RBAC (Role Based Access Control)
· Access control decisions are based on responsibilities that an individual user or process has in an organization
· Relationship of user, role, operation: multiple users, multiple roles and multiple operations
http://del.icio.us/rss/tag/access+control
http://del.icio.us/rss/tag/rbac
Popularity: 3% [?]
