Being one of the aforementioned auditors I think I'll add my two pennies.
Certainly it is a real problem proving that a security auditor can do the
job. Certification is all well and good - but who does the certification -
do they know what they are doing?
Most certification in the computer industry seems to be more on the basis
of - did you pay and did you turn up to our training course?
Now this is going to draw flames, but... it seems to be an American problem
- for instance entering the Institution of Electrical Engineers (a UK based
org) requires a fair bit of proof that you have actually completed an
accredited engineering degree - the IEE accredits the degrees (over here via
the IEAust) - that is just to enter. To get higher accreditation you need
proof of full-time experience, as well as things like honours degrees,
further accredited study etc...
Now let's look at the computer industry - to become a certified ISS engineer
I believe you need to attend the course and pass the exam - it hardly
compares, does it? ASIS is better - they require two members to vouch for
you as well as proof of at least one year's involvement within the security
industry - they also do a basic background check (I think). To be a
certified Novell or MS 'engineer' you need to have sat all the exams and
passed - reasonable, but still no proof that you can really do it.
So what do we really need? Something more like a requirement of three years'
experience in this field, a clean police record, a degree in some
computer related field and two other members who know you well enough for the org
to be able to do a basic vet on you.
Why all this - the basic need we have is not really the ability to audit
properly - you'll be found out soon enough if you can't. What we need is to
become professionals and to be seen to be weeding out the non-professionals
among us. It is still a perception that a security auditor will merely
attempt to hack your system - if they punch through you've failed, if they
don't you're clean.
Computer security audits are more than merely hacking the system. You need
to provide info about the probability of attacks succeeding - this requires
a bucket of knowledge on probability as well as the ability to do a good
systematic audit. Computer criminals turned 'respectable' often (not always)
simply attempt hacks randomly - it doesn't work, guys - you'd better not let
your insurance company hear about it.
That's my bit...
Technical Incursion Countermeasures
ph: (+61)(08) 9454 2487(UTC+8 hrs) fax: (+61)(08) 9454 6042
The Insider - an e'zine on computer security