I have been taking a bit of flak regarding my post comparing the CISSP to the GSEC. It’s been interpreted as negative towards the CISSP, which I suppose is fair to some degree. I find the prevailing argument put forth by Martin McKeay in support of the certification to be weak at best (essentially that GSEC is technical and CISSP is management), and I wanted to briefly refine my thoughts on the matter.

An Ideal World

I think we can all accept that a perfect certification would guarantee that a holder of said credential would be excellent for any information security role. We can also agree that no such certification is practical nor even possible. So given that constraint we are forced to create certifications that are focused in particular areas. So the GSEC is focused on the technical implementation side, and the CISSP is focused on the management side. Fair enough.

What I think is important to note, however, is that this doesn’t mean the GSEC doesn’t cover conceptual topics, nor that the CISSP doesn’t cover technical ones. In other words, even if a major certification is weighted in a certain area it doesn’t mean it’s not going to at least touch on the opposite end of the spectrum. So the question becomes one of simply deciding where the weight is — technical or conceptual.

My point is simple: it’s far more responsible for a low level certification not to cover upper-level concepts than it is for a higher level certification to not cover technical basics. I again point to the battle field. You don’t require infantrymen to know the basics of military strategy, but you do require generals to know the basics of soldiering.

A Knowledge Progression

Remember that this is why generals must move up the ranks. This is for the precise reason that strategic understanding is built upon the requisite practical knowledge gained in the lower ranks. Without this foundation a general may ask a soldier to drop a bomb on a target from 500 feet in the air, or ask a tank to sneak into an enemy building and conduct a room to room search. I’m exaggerating, but you get the point.

Upper echelon leaders must understand the capabilities of the entities they control before they can make sound strategic decisions. This applies equally to information security managers and military generals. The notion that in information security one can simply jump right into management without having at least a decent understanding of the moving parts (technology) is no less asinine then putting a private in charge of an army.

This is my argument against the CISSP’s history of being non-technical. More importantly it’s my argument against those who claim it’s permissible for it not to be technical because it’s a management certification. That makes it more important for an all-encompassing knowledge base to be tested, not less. And I think it’s clear that ISC2 knows this. That’s why they included all 10 domains.

They had the right idea — management certifications require holistic knowledge of the discipline, just as generals require a holistic understanding of warfare. This isn’t just the reason for the 10 domains, but also for the experience requirement — just like for the general. The analogy could not be more clear.

Conclusion

It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

And most importantly, technical managers need to speak technology at least to a level that prevents them from being seduced by salesmen and GUIs. Some may argue that this is the role of non-management engineers, but it’s a weak argument. They should supplement a manager’s technical knowledge, not represent the totality of it.

If the CISSP wishes to become a true test of leadership-level information security expertise it needs to be able to test for a higher level of technical knowledge. Not extreme — but higher.:

I say yes.

Martin McKeay from Network Security Blog disagrees. He writes:

I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.

Ok, here’s the thing: part of the CISSP is technical. They cover everything from trojans to encryption algorithms to covert channels. It’s just an overview, but it’s part of the CBK for a reason.

If the fundamental networking knowledge required to configure a Linksys router isn’t within a candidate’s grasp, then they shouldn’t be discussing security philosophy with anyone. As Martin points out, this is a management certification. Don’t we already have enough managers who learn big buzzwords like risk management and don’t know even the fundamentals of that which they are trying to protect?

Why do you think they teach generals how to fight and require them to move up the ranks before letting them command large armies? It’s because that knowledge of the lower-level capabilities is what offers the foundation for making sound decisions at the higher levels.

Think about the decisions that security managers are supposed to be making — how to implement a DMZ, host IPS vs. network IPS, DLP?, NAC?, how to publish information in a secure fashion within an extranet. Can one effectively make these decisions without basic networking knowledge? One can say, “secure that”, but if you don’t have any knowledge of what it entails then you’re not adding any value to the organization.

Quite simply, managers who don’t know the basics are dangerous. They have all the power and none of the knowledge. This combination leads to frustrated employees, poor policy making and negative outcomes for their organization.:

p style=”text-align: center”> aotmp.com

I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent.:

The main reason the CISSP in more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SAT’s You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer but you have to draw on your experience to determine which one is “more right” The GSEC is like creating and turning in an Essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.:

File: ldp.exe.bz2

I just think it’d be nice to start fresh. Everyone who manages keyservers could send a series of notification emails to the addresses listed in their key database, and after like a year (or whatever agreed upon amount of time), the deletions would begin.

Worst case scenario is that some people need to re-upload their public keys. I think it’s a small price to pay given the resulting “fresh” feeling. I for one can’t stand looking at all those redundant, orphaned keys — it’s the OC in me I suppose.

Thoughts? Anyone agree?

These sorts of lists are helpful for me when trying to incorporate new functionality into how I currently use a tool. So, here’s the short overview:

• A rewritten scan engine makes it far faster and more memory efficient.
• Can now send raw ethernet frames — which allows it to attain full functionality on Windows XP SP2 systems that don’t have raw socket support.
• New ARP scanning and MAC spoofing capabilities.
• Far better documentation.
• Version detection vastly improved (including a threefold increase in the size of the signature database).
• You can now do runtime modification of scans, i.e. you can press enter during a scan to get an estimated time to finish, or press "v" to switch to verbose mode. Very cool.
• Major improvements in scanning multiple hosts and multiple ports on each host simultaneously.
• Parallel DNS queries.
• The addition of “port scan pings” that allow for improved performance vs. firewalled systems.

Overall, this release just looks incredible. I’m highly enthused about it (have already compiled it on my Mac), and look forward to using these new features. Oh, and for a complete list of changes, be sure to check out the changelog.:

http://dmiessler.com/study/infosecconcepts

The piece covers some of the basic information security concepts and includes some of my thoughts on the discipline at the end. I think it may be useful for people who are getting into the field and/or those who are lacking in the “concepts” area.

Enjoy.

The main reason the CISSP in more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SAT’s You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer but you have to draw on your experience to determine which one is “more right” The GSEC is like creating and turning in an Essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say to get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. It’s almost as simple as academic vs. hands-on, or birds-eye-view vs. in-the-trenches. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.: