Getting Certified (Part II): Security Certs
Well, what about security certifications? There are useful guides to certifications at about.com and dmiessler.com. Arguably, the best internationally known certifications listed there are the CISSP and the SCNP. One recent addition to this arena is the Certified Ethical Hacker (CEH). Its course outline provides a very good overview of what you should know as a security tester; whether the course content itself is any good is another matter.
Also have a look at Bruce Schneier's thoughts on security certifications, along with Marcus Ranum's counterpoint.
Then there are government certifications. In the UK, they apply to security companies and personnel who may work on government projects, which are usually not for public consumption. These accreditations allow cleared companies to work on such projects whilst adhering to some stringent rules. The thinking behind this is that the government gets an independent review of its systems from a pool of accredited testers. The Communications-Electronics Security Group (CESG) sets the standard for the security of communications and data, and runs a number of accreditation schemes for companies. These include the CESG Listed Adviser Scheme (CLAS), which focuses on the audit and policy side of security, and CHECK, which provides a more technical audit and health check of systems, although the latter is being phased out in favour of the Council of Registered Ethical Security Testers (CREST).
On the other side of the pond, it is a bit unclear who would be allowed to work on government projects, but it appears they have agencies for that very thing. For example, the US has the National Institute of Standards and Technology (NIST), which publishes standards including the Federal Information Processing Standards (FIPS) publications. Canada has a similar agency in the Communications Security Establishment Canada (CSEC).
I have a lot of certifications including the CISSP, and have had to hire people where I get over a hundred resumes for a single position. Education, experience, and certifications matter.
The few times I've brought on board folks who gave the "certifications are useless, I won't take them myself" line, they always proved they couldn't pass the tests because they didn't have the knowledge. Certs are a fact of life in this career. They shouldn't take a year of hard study to pass if you know the material. They should take a few days of review, maybe a quick class.
Even though CREST is replacing the CHECK technical exam, it is an accredited standard for everyone, meaning anyone can take it, including foreign nationals. Of course, sensitive work for government and banks then requires additional security clearances. But what I'm saying is that it's open to everyone.
Also, the exams are modular. So far there is 1x application and 1x network. CHECK did not assess people's web app skills, so CREST will cover all bases. Rumour is there will also be a wireless module, covering Wi-Fi, RFID, Bluetooth, etc.
Thanks for the comments, guys!
Chad - I am guessing you are from either the USA or Canada, given your use of the word 'resume'. Very eye-opening to hear an employer's point of view on certification. I think North America is more focused on certifications; after all, SANS and EC-Council are based in America (if I'm not mistaken). Maybe it is because you get so many resumes for each job. Happy Independence Day too.
I'd be curious to see how you guys rate different certifications, and which ones stand out more.
Tiger - Interesting points raised there. The way CREST is going with web app and possibly wireless testing is a step forward. I presume having a more open accreditation like CREST is going to make it more recognisable internationally? Would Americans recognise it? Who knows?