From the point of view of a newcomer to the field (approx 1 year on the job +
college classes) I don't see much worth in most of the certs that I have seen.
It is like a college degree, it doesn't tell you if they really understand or
not. The idea of requiring a sponsor or two, or time on the job, makes much more
practical sense. The trouble is that (as others have pointed out) no one company
is trusted enough to enforce this. We would need to set up a cert like this
through one of the professional organizations (I leave it to others to argue
which one :).
David Lang
On Mon, 16 Feb 1998, Bret Watson wrote:
> Date: Mon, 16 Feb 1998 22:43:04
> From: Bret Watson <lists@bwa.net>
> To: firewalls@GreatCircle.COM
> Subject: Re: Certifying Security Auditors -reply
>
> Being one of the aforementioned auditors I think I'll add my two pennies'
> worth...
>
> Certainly it is a real problem proving that a security auditor can do the
> job. Certification is all well and good - but who does the certification -
> do they know what they are doing?
>
> Most certification in the computer industry seems to be more on the basis
> of - did you pay and did you turn up to our training course?
>
> Now this is going to draw flames, but... it seems to be an American problem
> - for instance entering the Institution of Electrical Engineers (a UK based
> org) requires a fair bit of proof that you have actually completed an
> accredited engineering degree - IEE accredits the degrees (over here via
> the IEAust) - that is just to enter. To get higher accreditation you need
> proof of full-time experience, as well as things like honours degrees,
> further accredited study etc...
>
> Now let's look at the computer industry - to become a certified ISS engineer
> I believe you need to attend the course and pass the exam - it hardly
> compares, does it? ASIS is better - they require two members to vouch for
> you as well as proof of at least one year's involvement within the security
> industry - they also do a basic background check (I think). To be a
> certified Novell or MS 'engineer' you need to have sat all the exams and
> passed - reasonable, but still no proof that you can really do it.
>
> So what do we really need? Something more like a requirement of three years'
> experience in this field, a clean police record, a degree in some
> computer related field and two other members who know you well enough for the org
> to be able to do a basic vet on you.
>
> Why all this - the basic need we have is not really the ability to audit
> properly - you'll be found out soon enough if you can't. What we need is to
> become professionals and to be seen to be weeding out the non-professionals
> among us. It is still a perception that a security auditor will merely
> attempt to hack your system - if they punch through, you've failed; if they
> don't, you're clean.
>
> <soapbox>
> Computer Security Audits are more than merely hacking the system. You need
> to provide info about the probability of attacks succeeding - this requires
> a bucket of knowledge on probability as well as the ability to do a good
> systematic audit. Computer criminals turned 'respectable' often (not always)
> simply attempt hacks randomly - it doesn't work guys - you'd better not let
> your insurance company hear about it.
> </soapbox>
>
> that's my bit...
>
> Cheers,
>
> Bret
> Technical Incursion Countermeasures
> consulting@bwa.net http://www.ticm.com/
> ph: (+61)(08) 9454 2487(UTC+8 hrs) fax: (+61)(08) 9454 6042
>
> The Insider - an e'zine on Computer security
> http://www.ticm.com/about/insider.html
>