Domain: isaca.org
Stories and comments across the archive that link to isaca.org.
Comments · 13
-
Quit fooling yourself
They didn't dance along the edge of legality. They danced over and never looked back. Legitimate pen test services are painfully aware of this and have the paperwork to prove it.
Ars should have enough sense to check things out for the sake of their own credibility. If Ars Technica bothered to ask anybody who's ever worked in the security industry they would have quickly learned the indemnification is taken very seriously.
http://www.isaca.org/chapters3...
https://pen-testing.sans.org/b...Hell, even metasploit has been talked about this for years!
https://dev.metasploit.com/pip...The only people fooled by Gizmodo's phishing logic were the editors who signed off on this to begin with. Next time ask a pro before you publish, it will help you avoid looking the fool.
-
Ethics?
Ethics is an interesting concept - first thing that may come a person's mind
:
"good and bad"
"wrong or right"
"black and white"
Personally, when one finds themselves in IT related predicaments, I'm guessing it's not that usual to land in a black or white situation, but one of a million shades of gray.
A few more:
"the way one lives"
"actions that land you on the right (good?) side of the fence"
"oath"
"creed"
etc . . .
What is a creed? One definition in an online dictionary defines it as ( http://dictionary.reference.com/browse/creed ) : " . . .any system or codification of belief or of opinion. . ."
eek . . . the entertainment industry (I'm guessing a person can come up with centuries or more worth of examples there) would have us believe in "good" creeds or "bad" creeds - religions, knights, assassins and more.
One might also ask - will your ethics lead you to copy chunks of the comments to the slashdot article above? Ethics in research and writing papers - that's a fought over issue as well. (people often hate to look in this mirror :)
Several professional groups have published "ethics" . . .
American Chemical Society ( http://pubs.acs.org/meetingpreprints/ethics.html )
American Institute of Aeronautics and Astronautics ( http://www.aiaa.org/content.cfm?pageid=198 )
American Institute of Architects ( http://www.aia.org/about_ethics )
American Institute of Chemical Engineers ( http://www.aiche.org/About/Code.aspx )
American Society of Landscape Architects ( http://www.asla.org/about/codepro.htm )
Instutute of Electronics and Electrical Engineers ( http://www.ieee.org/portal/pages/iportals/aboutus/ethics/code.html )
To pick a few. Look kind of like science/fantasy fans might see as guild rules :)
IT is no different.
People who strive for SANS/GIAC certification agree to their ethics as part of completing the certification process. ( http://www.giac.org/overview/ethics.php )
SAGE, LOPSA & USNIX share the same code of ethics - http://lopsa.org/CodeOfEthics
ACM - http://www.acm.org/about/se-code
CISA, CISM, CGEIT - ( http://www.isaca.org/Template.cfm?Section=Code_of_Professional_Ethics&Template=/ContentManagement/ContentDisplay.cfm&ContentID=20454
)
SSCP, CAP & CISSP (certification) ethics - ( https://www.isc2.org/cgi-bin/content.cgi?category=12 )
I'm sure there are plenty more.
I'm guessing there are very few if any CS or IT related courses that don't include some kind of ethics class or section.
Personally - when I was growing up - with a lot of computer enthusiasts in the neighborhood - some slided one way or the other (ethics wise) and some stood fairly firmly on one side or the other (usually the "old guys").
I've been in the professional IT industry for several years - and doing semi-professional IT stuff on and off years before that. Seeing I'm still there - I hope I'm on the an acceptable side of the fence :)
I've been involved in a few ethics dust-ups over the years . . . never got a horrible -
Three words
-
CEH vs OPST (from pen-test)For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.
I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.
The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".
While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc.. they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.
-
Impaired Independence
As an InfoSec auditor it appears that this company has seriously impaired independence in this case. An auditor must (to quote the ISACA Code of Professional Ethics):
Perform their duties in an independent and objective manner and avoid activities that impair, or may appear to impair, their independence or objectivity.
-- ISACA Code of Professional Ethics (Links to a Word Document)
If the same company is both providing audit or assessment services and offering outsource services to the same client then there is a serious breach of professional objectivity. -
Re:It might get just like accounting...
-
Re:It might get just like accounting...
-
Sounds like COBIT rehashedWhy not download it all for free - seems to me like they're just presenting a dumbed down Capability Maturity Matrix concept.
To achieve the highest levels of profitability, the authors say, IT organizations must be well-tuned and in alignment with the goals of the enterprise to which they belong. Who'd have thought, eh?
-
They've been in bed together for a whileFrom a March 2000 press release:
The Information Systems Audit and Control Association (ISACA) has been invited and has agreed to serve as a member of a newly created public-private initiative, the Partnership for Critical Infrastructure Security.
This has been in the works for over two years. Schmidt was involved from the beginning in defining the scope and purpose of the position he now holds. Microsoft has been involved in the process throughout the time they were responsible for the most disruptive, expensive virus/worm attacks in history. ...
An initial, formative meeting of the Partnership was held in December 1999 in New York City. The meeting was hosted by [list of names] and Howard Schmidt, Chief Security Officer, Microsoft. -
The ICCP is dead
-
Age requirements
The CISSP requires a minimum of three years professional security experience. The SSCP (Systems Security Certified Professional), sort of an entry-level CISSP, requires only one. The CISA (Certified Information Systems Auditor, IMHO the most respected security cert) requires four. IIRC, at least one of these may also require you to be 18, so be careful about age requirements. You might also look at the GIAC (Global Information Assurance Certification) family of certifications, which doesn't appear to have any experience requirements.
-
Age requirements
The CISSP requires a minimum of three years professional security experience. The SSCP (Systems Security Certified Professional), sort of an entry-level CISSP, requires only one. The CISA (Certified Information Systems Auditor, IMHO the most respected security cert) requires four. IIRC, at least one of these may also require you to be 18, so be careful about age requirements. You might also look at the GIAC (Global Information Assurance Certification) family of certifications, which doesn't appear to have any experience requirements.
-
Security certs
This article missed all the certs in the security field.
CISSP
CISA
SANS GIAC
In general, CISSP and CISA are more heavy on theory and SANS GIAC are more on practical knowledge (hands-on). Notice that GIAC actually offers many different certs in different area.
They are all hard to get. For example, CISSP requires a 6 hours exams (which isn't easy at all). GIAC requires a practical assignment (to show hands-on knownledge - require real world experience) as well as one or two 2 hours exam.