DerbyCon is the Shizzle Bizzle!!

How many times do we as security professionals, nerds, and H4x0rs get to participate in a groundbreaking industry event?  Not many, and this is one not to be missed!!  Better than the Shamwow and more versatile than the Magic Bullet, DerbyCon is poised to give many other security conferences a run for their money.  The schedule for the event reads like the “who’s who” in information security and is poised to be just as good as DefCon, ShmooCon, and ToorCon.

Interested?  Good, then click the image above!!

I’m thinking that this will be the Sean Connery James Bond of Security Conferences to come.  I hope to see you there!


Certifiably certified certification

Outside of the normal security stuff from Dark Reading I came across an article on Security Certifications.  I’ve had some great conversations with different risk and security individuals on this topic, and while most agree that a certification shows you’re competent in the discipline, it also has a dark side.  A side that hopefully the security certifications are not heading toward, but I’ve seen evidence to the contrary.  I’ll keep from naming certs that, in my estimation, are being abused or at the very least misrepresented by some who have them, but I’m fairly confident that you know which certifications I mean.

REWIND… back to the late 90’s early 2k’s.  Radio ads blasting about the shortage of IT professionals and the promise of a great salary after you obtain the latest and hottest certifications.  Take the test online to see if you have the aptitude and ability to get yours in 6 months!  What certification can you earn?  MCSE (Microsoft Certified System Engineer), CNA (Certified Novell Administrator), CCNA (Cisco Certified Network Administrator) among other top tier certifications…

Listener1:  Wow!  I can become certified in less than 6 months and they guarantee that I’ll pass!

Listener2:  And we can start making real money!!!!  Did you hear that?  Companies are paying more than 60k for someone with those!!!!

Listener1:  Yeah, let’s go and blow the 7k it’s gonna cost us to get certified!  We’ll be able to pay back the loan in no time once we get the job.

REALITY… The market became flooded with these paper tigers who had no practical experience, but they had a certification!  Like any good multi-level marketing scheme, those who got in first realized the gain and got out, while the rest rode out the trend without any realization of the salary claims being made.  Wah, wah, wahhhhhhh….. Thanks for playing!!!  I saw that time and time again with these guys coming in and not even being able to perform basic troubleshooting because it wasn’t something they learned how to fix or do in their class.  Or better yet, I’ve got some idiot telling me that what I’m doing is wrong, even if it corrects their mistake!  Sounds to me like the certification mills have churned out a true disparity between certified and practical skills.  I haven’t heard much about those lately; maybe my economics class was correct in saying the market will correct itself!

I’m not against certification at all.  I have a few myself, but they are in things that I actually have experience in, backed up by my resume and a list of people who are willing to provide recommendations.  I also don’t have any issue with the testing centers.  My issue is in how they’re marketing their services for certifications.  There are many which are reputable and have been used by those in the field who are looking to expand their repertoire.  My fear is that we have people getting security certifications because they’re the hottest, most sexy thing on the market that will make them beaucoup greenbacks.  In reality, all it is doing is detracting from the legitimate security professionals who’ve put the time into the profession and realize that the certifications are just another step in their career and not just a payday.  It’s also potentially promoting a false sense of comfort that the individual a company is hiring is fully competent.  To me the most disturbing part is that we’ve now got people proselytizing security who are not able to practically help protect the company that’s hired them.  How many times have we been in meetings where a self-professed, certified security guy starts spouting off “we need to secure…”, “if we don’t we’ll be hacked” and other self-serving comments to instill FUD in those in the meeting?  In my mind, not only did they diminish the certification, but they made the rest of us look like a bunch of Chicken Littles.  Why?  Because they used emotion and passion to invoke a response based on something they’ve read about, rather than having the practical experience and data to back up the request or argument.

So you’re probably asking which certifications I would select and why.  Here’s a small subset of my list:

  • If you’re going to be in Management then the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are good.  As a bit of a disclaimer, do not expect someone with a CISSP to be extremely technical.  The CISM is a bit more technically focused but not as in-depth technically as it could be.  Again, from the Management perspective I would expect a Manager to have one of these, as the breadth of knowledge is required versus a certification that is more technically focused.
  • If you’re going to be a security assessment/pentester type, again this is my opinion, the OSCP (Offensive Security Certified Professional) is one of the more technically in-depth certifications.  Based on my experiences with those who have this certification, they really know how to get in and perform manual and tool-based pentesting.  Learning that Dave Kennedy (ReL1k) has even gone through the testing has put the Offensive Security certifications even higher on my legitimacy radar.
  • There are also vendor certifications like Cisco’s, which I think are valid but, for my own path, are more of a way to get deeper into their technology.

I’ve ranted enough on this for the evening….  Paper tigers are a pet peeve and only serve to oversaturate an already tough profession with their inexperience and inability to provide solid recommendations that actually make a company more secure.

Oddjob, grab your bowler and sharpen the new ceramic blade we bought… Time to go hunting!

Security is no guarantee, vigilance is!

Going through one of many portable drives I came across this video I made.  The company shall remain nameless, but it was probably made around 2005 in a vacant office within the building.  I remember that we wanted to create an educational and fun video around the physical aspect of cabled laptops and the false sense of security they provide.  During that time there was a rash of thefts, and the response to the thefts was to buy the cables and mandate that they be used.  Alas, the tools of our security became just another challenge to the “Gone in 60 Seconds” crew.  Forget the fact that you can pop the top of the work surface and most of the cubicle prairie dog population will ignore it or have their iPod at full blast.  This was much more subtle and effective.  During lunch or before/after hours, it was the perfect physical exploit.  Now Oddjob and Jaws had a physical asset to resell, with the potential for access to valuable data that could be sold and resold in secondary markets.

The funny thing is that this is still as relevant today as it was back then…  Security is no guarantee, vigilance is!
