At 11:26 AM 17/02/98, Bret Watson wrote:
## Reply Start ##
>I think I could go for this concept - professional improvement is always
>part of the big professional organisations...
Professional improvement is not the same as professional certification.
And certification doesn't mean improvement.
>But remember security is more than just the computer system.
>In reality security is always a people problem...
Very very true.
And an important part of auditing, as any forensic CPA will
tell you, is having the field experience to know what can go wrong.
Knowing how to read an ISS scan means blah.
There are many of us who could set up a machine which would
look clean to one of these tools which the Big N-1 put so
much faith in, but would still be not just vulnerable but in a
definite CFM (Come Fiddle Around with Me) mode.
Contrariwise, we could set it up so ISS said it was vulnerable on
all counts but would suck any hacker in and cage him.
[I say this purely as an example, in no way prejudicing
the value of ISS as part of a larger toolkit used in
experienced hands. The point is that the Big N-1 present
things like this as if they were absolutes.
That and the 80/20 rule. Eighty percent of your problems
aren't going to come from the internet, they're going to
come from the lack of experience, procedures and controls
of your own people.
Which is the most fundamental rule of all in security, be it
for InfoSec, bank clerks or theme parks.
"Certification? We don' nee' no steenking certification"
.... because they'll be certifying the wrong things.
We've got the CISSP. Let's shift the debate over to how
relevant that is and how we can make the industry pay
more attention to the certifications which already exist.
## Reply End ##