Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Michael Condon (adminsingulartechnologysolutions.com)
Date: Tue Mar 03 2009 - 20:56:23 CST
I'm really curious if the EC Council still even mentions the IPC$ share and
demonstrates software with a version 0.0.4, last updated in 2002.
From: "Andre Gironda" <andreggmail.com>
Sent: Sunday, March 01, 2009 2:15 PM
Cc: "Miller Grey" <vigilantgregoriusgmail.com>; "Alcides"
<alcides.herculesgmail.com>; "John Perea" <JPereacontegosecurity.com>;
"Matt Gardenghi" <mtgardengmail.com>; "Stephen Northcutt"
Subject: Re: Security Certifications for SOC team
> On Sun, Mar 1, 2009 at 11:54 AM, Miller Grey
> <vigilantgregoriusgmail.com> wrote:
>> My apologies Andre, I realize now you were not the original poster, so
>> my response was way off base and I jumped the gun prematurely (stepped
> Hey no problem. I just want to get ideas out in the open and
> discussed. I know that they come off as harsh. I apologize for being
> a bit hasty and reckless in my approach.
>> Putting metrics to training quality (especiialy feedback) is an
>> awesome idea, one that should be implemented in every business, no
>> doubt. I also think for a soc, your assertion on CERT is dead on.
>> What better a training vendor for IR than CERT, or at least that would
>> be my assumption. Again, I have no experience with their training
>> materials/instruction. I do know the training and GCIH cert is pretty
>> good. (Out of curiosity, what's your opinion of EC-Council and the
>> CEH cert?)
> I have read through the CEH training, as well as the many books
> available out there (including the official ones that EC-Council put
> out). I really feel that if this is the direction of
> penetration-testing, then it's no wonder the bad guys are winning.
> CEH teaches basic network attack paradigms and focuses on
> freeware/crippleware Windows/GUI-dominant tools.
> I would be hard pressed to ever take anything that the EC-Council
> produces seriously given their history. It's extremely likely that I
> would hire someone with zero certifications and less experience over
> someone who had CEH on their resume. Maybe that is harsh, but I would
> say that I have my reasons.
>> It would be wonderful if the emphasis on certification was minimized
>> and the focus was put more on quality subject matter. Look at OWASP,
>> amazing subject matter, open to the public, and no certification in
>> sight (I hope).
> Right on! Well said.
>> Your idea about people educating themselves on education is a good
>> one, but who educates the clients looking for a global, recognized,
>> gold-seal of approval? Which in the end is what they need, right? In
>> this case, a SOC that is staffed with intelligent, knowledgable folks
>> who can perform high quality work. How else do they base their
> In the same way that the best security checklists provide up to only
> three-fourths of the security that needs to be managed away from risk
> - a global gold-seal is going to be [at best] the same.
> I think companies should base their decisions on where their risk and
> compliance issues most stand out. Focus on SOX? : CISA / CISM. Focus
> on PCI-DSS? : CPISA / CPISM. Focus on ISO 27001/27002? : ISO 27001
> Lead Auditor.
> Focus on penetration-testing assessments? : ISECOM OPST or possibly
> even HP Accredited Integration Specialist (AIS) in Application
> Security using HP WebInspect v7 and/or Fortify
> Associate/Professional/Expert certifications. Focus on risk analysis
> / assessment? : ISECOM OPSA or NSA IAM and IEM. Focus on incident
> handling / response? : CERT CSIH.
>> Again, I apologize for my last post, it was a useless rant misdirected
>> and totally out of line. Every bit of information you posted was
>> informative (even if I disagree on your view of SANS) and very useful.
> Well, certainly SANS does not agree. Steven Northcutt sent me an
> email rebuttal, and he brought up some excellent points:
> On Sun, Mar 1, 2009 at 11:27 AM, Stephen Northcutt <stephensans.edu>
>> > SANS works fairly exclusively with InGuardians for instructors, making
>> > their
>> > focus and scope rather limited.
>> = = = Er, not even close. I think four of the 80+ faculty are
>> maybe it is five. Granted they are some of our heavy hitters. You end up
>> recommending IntenseSchool and they are a good outfit, I admire the work
>> the Kaufman brothers. However, who do they have on their faculty that you
>> can put in the same league as Ed Skoudis, Josh Wright, Mike Poor, Kevin
>> Johnson. ( I stuck with InGuardians for a reason, I have a heck of a lot
>> bench strength left), that have written major security books, contributed
>> proof of concept exploit demonstrations, spoken at major events,
>> to congress, etc, etc.
> I meant that in the application security (including
> penetration-testing and ethical hacking) and incident handling spaces,
> InGuardians is over-represented by SANS/GIAC for this "type" of
> material (i.e. appsec and IH) in "comparison" to the other long list
> of appsec/IH security boutiques that I listed.
> Mind you, I have every respect for the InGuardian guys, but I see them
> as only one voice of many.
> Please let this correction to my previous email stand. I didn't want
> to make it seem like I don't understand SANS/GIAC, their instructors,
> or their training/certification models.
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.0.237 / Virus Database: 270.11.6/1981 - Release Date: 03/03/09