Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: Use the CISSP, Luke (was Re: Certifiying Security Auditors)
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Sun, 22 Feb 1998 09:40:27 -0500 (EST)
To: Bennett Todd <bet @ rahul . net>
Cc: Mark Teicher <mht @ clark . net>, Anton J Aylward <anton @ the-wire . com>, firewalls @ GreatCircle . COM
In-reply-to: <19980222061350 . 01681 @ waltz . rahul . net>

On Sun, 22 Feb 1998, Bennett Todd wrote:

> 1998-02-21-21:44:09 Paul D. Robertson:
> > I honestly don't think you can provide a complete network security audit
> > without having been in the trenches dealing with the issues for a few
> > *years*.
> 
> That's dead-on perfect. When we demanded skilled auditors and insisted
> on interviewing them to determine that they really knew enough, the big
> firms fielded teams that included consultants they'd pulled in specially
> for our audit --- and those consultants were experienced security admins
> from large sites.
> 
> _That_ is a credential that counts: someone who successfully maintains
> the security at a large site knows enough to test someone else's
> security implementation.

This ties back in, and I'm interested in it a great deal.  Were those 
folks who were pulled in certified, and was the original team you were 
dissatisfied with also certified?  In other words, was there a way to separate 
the wheat from the chaff without being able to personally identify the wheat?

How do we separate the guys who can only hit the 10 ring at the range from 
those who've been in the trenches ducking real bullets and survived?  
Moreover, given the legal climate that can't discuss dismissal, how do we know
that we're not looking at a ghost that's been dead a while?

Is it that this industry needs a way to periodically free up the currently 
practicing for peer reviews?  Does that make more sense than certifying 
"those who would be" practitioners?  Certainly it would make the process 
of finding "those who would be" easier, since they'd be knocking down the 
doors to get in.  That would give a rationale for having such a process 
which might even be palatable for businesses to free up their own 
temporarily.  Maybe we could go from the Fortune 500 to the Firewall 500?

Thinking out loud,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280



