> I recently worked with a large big six corporation that conducted a
> security audit/penetration review. I was astounded when I asked a couple
> of them how they were trained and they had stated to me that they had
> received no training.
You're kidding, you were surprised? Why do you think ISS kicks out such a
thorough report? ;)
I would expect this is the norm. There is no single, large and very public
entity (i.e. MS, Novell, etc.) sitting behind security technology who is
spending large $$ on marketing to get their point across. Also, I do not think
that any one security/firewall vendor has gobbled up enough market share to be
able to leverage their training programs.
For example, you get the same thing in the LAN/WAN world. Sure Cisco and the
like have training programs, but how many people working in this field have
actually achieved this or any other related certification? Also, when it comes
to consulting, how many clients actually push back and state "I want to see
applicable credentials for the Engineer that will be doing the work"? The lack
of this challenge is what allows the situation you describe to perpetuate.
Finally, I think there are some misconceptions by people outside the field that
an MS or Novell certification automagically makes you an expert in every topic
dealing with computers. After all, a firewall is just another piece of software
that runs on NT, right? <eg>
> My question is who certifies them to ensure that the
> following: 1. Actually understand what they are auditing? 2. Can interpret the
> results of an ISS/Ballista Scan and not just present the report 3. They
> attended training at one of the various vendors to understand how to use
> the tool.
I see this as being a "time" issue. It is going to take time for organizations
to be able to identify the differences between a good and a bad security audit.
This will push back and force "security auditors" to seek out certification. I
see this as taking longer than typical engineering work as it is difficult to
identify immediate results.
For example, if I show up at your site as a consultant to fix your down server,
you'll have a pretty good idea by the time I am done whether I have a clue or
not (i.e. did I fix the server). With a security audit, the results are not so
immediate. It may be months or years before a security breach is attempted, or
> This situation concerned me since the customer was given the perception
> that the people conducting the work were actually bonafide "Certified"
> Security Auditors. Is this the common trend currently??
I do not see this as any different than every company under the sun claiming to
be "business partners" with MS. It's simply marketing hype. Can a company
certify their own "security auditors"? Absolutely. The question is, does it
really mean anything? Don't get me wrong, I agree with your statements 100%.
The issue is that until clients start insisting on having certified auditors, I
do not see this trend changing any time soon. This does not however mean that a
consulting company can not take it upon themselves to do it right. Just that
there is less motivation to do it if it has not hit them in the old pocketbook.
Multiprotocol Network Design & Troubleshooting
Support the anti-spam movement: http://www.cauce.org/