SANS2007 Day 3/4 Recap

Jeff | Personal, SANS | Thursday, September 27th, 2007

Tuesday and Wednesday were both full days for me, covering the ISO27002 controls as well as hitting lunch and learns, some great after-hours talks, and a trip or two down the strip as well. The highlight of the past 2 days was a couple of excellent talks on bluetooth eavesdropping as well as a talk on VM Escape issues.

Josh Wright’s Wednesday evening talk on bluetooth eavesdropping was excellent (as usual, great talk Josh!) and showed just how bad bluetooth security is. He has a great YouTube video up showing the issues as well as a great paper on Dispelling Common Bluetooth Misconceptions that he just released. I highly recommend taking a look at both. Also, be sure to check out his website www.willhackforsushi.com for lots more wireless info.

Tonight is the PaulDotCom security podcast live here at SANS and I’ll be dropping in for that. It’s only fitting since I was lucky enough to be at their first podcast at SANS 2005 in LA. They’ve come a long way since then! =) They will be running a live stream as well as taking questions over IRC, so be sure to jump over to their site and get the info, then join us tonight!

SANS2007 Day 2 Recap

Jeff | Personal, SANS | Monday, September 24th, 2007

It’s been a fun couple of days down here at Vegas! I flew down Saturday night and got to Caesars around 8pm and got settled in. A nice surprise was getting bumped up to a nicer room in the Augustus Tower, with a great view of the Bellagio Fountain right out my window. It’s been awhile since I’ve been to Vegas, and man the strip sure has changed! After class yesterday I managed to get out and do a little exploring, then went down to the Hilton and checked out the Star Trek Experience. I have to say it was pretty cool, but I was ready to hit the sack after all the wandering around.

I’m heading down to check out the vendors, pick up some swag, and mingle with the security elite. =) Also on the agenda for after-hours Wednesday night is a talk from Josh Wright on Bluetooth Headset eavesdropping, as well as a presentation from Ed Skoudis on VM Escape. I’m also going to try to get over to the PaulDotCom sec podcast on Thursday.

SANS2007, Vegas-style!

Jeff | Personal, SANS | Friday, September 7th, 2007


SANS Network Security 2007 is almost upon us! It’s been over 18 months since I’ve been to SANS so I’m really looking forward to going to the Vegas conference this year, even if it is a management track. I’ll be doing the MGMT411 track this time, covering the ISO 17799/27001. It’s a good overview to refresh my memory on the “official” security framework in my new role, but I would be much more excited about the malware or forensics tracks. I guess it can’t always be fun and games… =)

If anyone reading this (all 2 of you…) is going to the Vegas conference and would like to get together, be sure to drop me a line and we can schedule a night. I always like meeting fellow netsec geeks for food and fun!

Security Certs: Oh How I Love/Loath Thee…

Jeff | Certs, Security | Friday, September 7th, 2007

With my recent focus on career, job search and subsequent employer change the past few months, I’ve been wanting to post some of my recent thoughts on certifications but just haven’t had the time. So it was with interest (and some amusement) that I was following the recent comments between Daniel Miessler (original post and followup) and Marty McKeay (here and here) in regards to the comparisons/differences between the CISSP and GSEC. They have some opposing viewpoints on the subject, although I think they are closer than they think and sum up my thoughts pretty succinctly. Some of my favorite quotes from the discussion:

[MM] When you’re interviewing for a position, you’re interviewing a person, not a certificate. If you’re interviewing a CISSP to be a router jockey, you better hope they have a couple of other certs to back up their claims of knowledge. Or you better have some really good questions for them, preferably both. By definition, the CISSP shows no in depth knowledge of any particular aspect of security.

That’s one of the things that really bugs me about certs in general, the attitude of some (both cert holders and employers) that just because they hold a CISSP or GSEC, they have reached some pinnacle and know all they need to know about security. The attitude always astounds me! =) I’ve been in IT for about 15 years and yet I feel like I learn something new every day. In fact, that’s one of the main reasons I love the security field so much, the constant challenge to stay current, to learn and grow. =)

[MM] The CISSP certificate is useful setting a baseline of the person’s overall knowledge of security. And if it’s treated as nothing more than a simple measuring stick, it works well. But it’s not meant to measure someone’s networking knowledge and using it to do so won’t work.

Marty pegs it here. Certs are (IMHO) a simple baseline that employers can use to assess that we in the security arena have a minimum “baseline” of security knowledge, but it is not the end-all be-all of measuring the skill of a person. We’ve all met loads of IT people with a bucketful of certs who could not troubleshoot their way out of a wet paper bag. So I think Marty’s point is valid here, we cannot assume that a CISSP knows about things not covered in the official study guide. In a perfect world that foundation knowledge would be there, but this is not a perfect world. =) That’s where Daniel’s point rings true:

[DM] It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

I’ve held off taking the CISSP for years, but not for the reasons you might suspect. I guess it was the rebel in me, but as someone who was “in the trenches” for years I didn’t see the need to take a cert that did not (IMHO) add much to my knowledge base and was more of a resume checkbox.

This past year I think I’ve finally made peace with myself on this whole cert subject and have come to the conclusion that it’s part of the resume game we all must play sooner or later. I’ve changed the way I look at these certs and have even come to see the advantage of going through the motions, and will even admit to learning a thing or two in studying for the CISSP and CISA tests this year. I guess you can teach an old dog at least a few new tricks… =)

Update 9/7/07: This exchange has sparked some great comments around the web this week. Mike Rothman over at SecurityIncite.com wrote a great blurb on the issue. Marty also talks more about the issue in Episode 75 of his great podcast.
