Slashdot Mirror


GIAC/SANS Certification Changes?

venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

27 comments

  1. CISSP by n8y · · Score: 3, Informative

    My CISSP...while not a good indication of technical skill, still seems to provide the ooohs and aaahs necessary from management and customers to be worthwhile. Although I have met plenty of CISSPs who wouldn't know any of the 10 domains from a hole in the ground...it seems to be the "cert du jour" to have. My $0.02 ...from the real world.

    1. Re:CISSP by Mattcelt · · Score: 2, Insightful

      I have to second this... The CISSP is becoming the de facto certification for infosec folks to have. I think a large part of the perceived value is the time requirement (3+ years and a B.S./B.A. or 4+ years) for hands-on security work before you can even apply for the certification.

      I always thought of the GIAC as the gold standard for security, but when getting a complete credential set costs tens of thousands of dollars just to take the classes, it seems a little extreme compared to the CISSP, which can be done in a single course (or if you're brave, just by taking the test).

      I also think the practical part was a good thing for the GIAC, and something the CISSP could benefit from. There are too many people out there with "book smarts" and no practical knowledge, and they dilute the certification and its value to those of us who really know the ins and outs of the subject matter.

    2. Re:CISSP by Anonymous Coward · · Score: 0
      I think a large part of the perceived value is the time requirement (3+ years and a B.S./B.A. or 4+ years) for hands-on security work before you can even apply for the certification.
      Which is a bullshit requirement. Anybody can check that easily enough themselves. The certification should consider things that employers/customers/etc. can't easily check out for themselves. The time requirement is just an effort to artificially limit the number of cert holders to prevent flooding the market and devaluing the cert. Of course, if the cert wasn't bullshit in the first place they wouldn't need to do this, now would they?

      More commentary on the CISSP.
  2. None. by CDarklock · · Score: 2, Insightful

    When hiring, I'm not really impressed by certifications. To me, a certification means you stopped working long enough to play games with an authority figure -- usually in the hopes of getting more money -- and that authority figure may or may not have given you a rigorous testing to determine your eligibility for the certification. It's not just the certification that matters, it's where you got it.

    Essentially, I judge applicants based on how I perceive their level of talent during the interview. I'm more interested in the flavor of a resume than I am in the experience and skills listed on it; I can *get* you experience and skills, but I can't get you talent -- let alone the basic ability to "fit in" at my company.

    --
    Microsoft cheerleader, blue flag waving, you got a problem with that?
    1. Re:None. by Jeremiah+Cornelius · · Score: 1
      So. You are the least fallible instrument in the arsenal? :-)

      Can I hire you? (insert more grins here)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:None. by jessecurry · · Score: 2, Interesting

      I'd love it if more bosses were like this. It seems that oftentimes an extremely bright, competent, and talented prospect will get passed over for someone who has a certification.
      The last degree that I completed was for a computer graphics and design program, and I found that without any certifications I was able to troubleshoot and repair the lab computers that the "IT Specialist/MIS Department" was just going to reclone or send in for replacement.
      Solid problem-solving skills seem to be something that quite a few certified technicians lack these days.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    3. Re:None. by Anonymous Coward · · Score: 0

      Except that for most Win32-related issues in ghost or autobuild environments (i.e., most corporate or educational IT worlds), it's usually cheaper in man-hours to just rebuild/reghost the thing than to pay to have a tech diagnose a one-time or rarely encountered issue.

    4. Re:None. by hdparm · · Score: 2, Insightful
      Trouble with this is that most jobs these days are advertised through agencies, exclusively. To get the interview alone, you need at least a few acronyms after your name.

      However, not all IT certifications should be treated the same - to acquire some of them you must practically prove your expertise and that alone gives better indication of the person's suitability for particular job. Therefore this (GIAC/SANS decision) can't be a good thing.

    5. Re:None. by CDarklock · · Score: 2, Interesting

      > You are the least fallible
      > instrument in the arsenal?

      Well, I don't know that I'd put it THAT way. ;)

      I know some very bright people who just don't get along well with testing environments. These people are simply never going to be certified as anything, but it takes about five minutes of conversation to figure out that they really do know their stuff.

      On the other hand, I also know a few people with stacks of certifications that... well, let's just say I wouldn't hire them, or recommend that anyone else hire them either. Again, it takes about five minutes of conversation to figure this out.

      So I consider that five minutes of conversation to be the real dividing line. I'm lucky enough to get reasonable numbers of resumes, so I can usually afford to go through them all by hand and bring in over half of the applicants for an interview. If my company ever gets to the point that this isn't really an option, I'll have to reexamine my methodology.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
    6. Re:None. by jschottm · · Score: 1

      To me, a certification means you stopped working long enough to play games with an authority figure -- usually in the hopes of getting more money

      Perhaps I'm misreading you, but it seems like you may almost have some bias against people with certs. There are plenty of people out there who have certs because their management sent them off for the training/certification, so it's not always a plot to get cash.

      that authority figure may or may not have given you a rigorous testing to determine your eligibility for the certification.

      Up until this change, the great thing about the GIAC certification process was that getting one required a substantial hands-on project and paper that was published online. That's what set it apart from the majority of the certifications, which can generally be passed by memorizing answers from a book or boot camp. So if you saw GCIA on someone's resume, you could hit the SANS website and read their report showing analysis of several days' worth of packets. You could ask someone to analyze a few samples in an interview, but it's much harder to see someone look at an extended period of time.

    7. Re:None. by CDarklock · · Score: 1

      > it seems like you may almost have
      > some bias against people with certs.

      A bit. A bit. Just a bit.

      Seriously, it's not the certification I have trouble with; it's the sort of person who waves it around. I think a certification is the sort of thing you pull out when you need it, not something you stick at the end of your name for brownie points.

      Unfortunately, that's what you have to do for a lot of employers, and there's no way for the applicant to know I'm actually put off by certifications... so I'm forgiving of it on a resume. It's the people who start every other sentence with "well I'm a CCNA, and..." that bother me.

      --
      Microsoft cheerleader, blue flag waving, you got a problem with that?
  3. Easy... by Anonymous Coward · · Score: 1, Funny

    MCSEs are making all the money these days :p

  4. CISSP - GIAC by Jeremiah+Cornelius · · Score: 2, Funny
    CISSP
    Set the bar. "You must be this tall to ride the Giant Dipper".

    GIAC
    Demonstrated application. "Your stuff could be safe with me."

    A Harvard MBA doesn't translate into a tier-1 CEO. There are no guarantees. But CISSP and GIAC are decent evaluation tools for assessing candidates and associates.

    Security+ shows someone is looking in the right direction.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. TheRegister... by 0x461FAB0BD7D2 · · Score: 1

    has an informative article outlining the value of several of the IT security certifications. Read it here

  6. Certs by dacoto · · Score: 2, Interesting

    I rank real-world experience and self-taught knowledge 100 times higher than certs or degrees from some big-name school or college.

    Real-world experience is the real certification in my book: show me someone who has been up for 72 hours, working on a team or alone, to fix a server or network issue and who resolves the issue. That individual or team that tackles problems like that will get a job working with me before anyone who has a degree or cert.

    Self-taught knowledge shows me that the person took on the challenge of learning on their own and did not require someone to hold their hand and teach them stuff from a book that is so far off the day-to-day path that it's a waste of a good tree.

    Don't get me wrong, I applaud anyone who has successfully completed any certs or degrees, it takes a lot of time and effort to do that. I just don't feel that the weight that seems to be put on them is justified.

    My 2 pennies, now all the folks with degrees and certs can assault me. :)

    --
    Open Source, Open Formats, Open Doors, Open Your Mind "Break On Through to the Other Side" The Doors
  7. Theory and practical need to go hand in hand by FidelCatsro · · Score: 1
    "SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value"
    This is rather underhanded unless they make it perfectly open that the credential has changed in this way. To use a crude example, it's like using a rave review of Crunchy Nut cornflakes to describe plain cornflakes (my imagination is apparently not here tonight)....

    Personally, I have always found practical tests to be some of the most valuable in the IT field. Theory is wonderful, but it needs to be backed up by a solid foundation of workable skill. To use another example, I could explain to you how a car engine works in some detail, but damned if I could build one.
    Testing for both theoretical knowledge and practical skill is important for a well-rounded education (well, testing is important to check that you're educating properly, but the most important part is practical education and lab work).
    --
    The only things certain in war are Propaganda and Death. You can never be sure which is which though
  8. No more certs for me... by itwerx · · Score: 2, Interesting

    ...or tic-tacs for that matter. :)

    But seriously.
    I used to have a good half-dozen certifications active at any given time ("real" ones, not just the generic A+ crap). But after awhile I began to notice that people were much more impressed by what I'd done in the real world and I slowly started letting them lapse. The last one expired about four years ago and to be quite honest I don't think a single customer has noticed or cared. And it sure saves me a lot of time and hassle!
    But then again I suppose it depends on your background. If you're fresh out of college then they would be a Very Good Thing to have for at least some number of years.

  9. SANS certifications? by Triumph+The+Insult+C · · Score: 0, Flamebait

    since when were SANS certifications considered, uh, respectable?

    nevermind their certifications ... when was SANS considered respectable?

    --
    vodka, straight up, thank you!
  10. As practically everyone else has observed... by jd · · Score: 1
    ...certifications are utterly useless. Especially in security, where anything that's been around long enough to train wannabe teachers, print course texts, get the courses promoted, persuade the PHBs to send people to get trained, have the people trained and THEN have them re-trained because so many failed the exam the first two or three times, is certainly old enough for Black Hat websites to have published exploits that circumvent the techniques taught.


    Most janitors get paid for picking up paper. How come techs are supposed to pay others so they can do that?


    Having said that, I'm willing to write a security course and exam for anyone interested in such rip-offs. I can guarantee it'll be as good as anything GIAC or SANS can do, because I can afford to be current. They can't. It might not be recognised by anyone worth a damn, but at least you'll know how to actually do meaningful security.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:As practically everyone else has observed... by Anonymous Coward · · Score: 0

      Where do I sign up for your course?

      I've been out of college for a couple of years and haven't been able to land a security/networking job yet. I am at least working with computers, unlike most of my friends with the same networking degree, but I'd like to move on to what I want to be doing, network support or network security. The only problem is most employers still list that cert as something they want. I've got my Network+ and a bachelor's in Network Modeling and Simulation; how do I show someone I've got the talent, and some skills too?

    2. Re:As practically everyone else has observed... by jschottm · · Score: 1

      where anything that's been around long enough ... is certainly old enough for Black Hat websites to have published exploits that circumvent the techniques taught.

      That's why you teach the skills to analyze and find the latest blackhat stuff, not how to find specific attacks. If you know how to look at packets at the hex level and know how to write your own snort (or IDS of choice) rules, then you have the skills to cope with the new threats that emerge.
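      An added example of the skill described above (hand-decoding a packet at the byte level and evaluating a hand-written content rule against it). This is not code from the thread, from SANS/GIAC course material, or from Snort itself: the packet bytes are constructed for illustration, and the `Rule` format is a hypothetical minimal subset of Snort-style options (destination port, required TCP flags, `content`, `depth`), not Snort's actual rule grammar.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample packet (not a real capture): 20-byte IPv4 header,
# 20-byte TCP header, 16-byte payload. Checksums are left at zero.
SAMPLE_HEX = (
    "45000038" "00010000" "40060000" "0a000001" "c0a80002"   # IPv4: 10.0.0.1 -> 192.168.0.2, proto 6 (TCP)
    "c3500050" "00000001" "00000000" "50182000" "00000000"   # TCP: 50000 -> 80, PSH+ACK, no options
    "474554202f20485454502f312e310d0a"                       # payload: b"GET / HTTP/1.1\r\n"
)

TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode IPv4 + TCP headers by hand; raises ValueError on anything else."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length in bytes, options included
    if proto != 6:
        raise ValueError("not TCP")
    if total_len > len(raw) or ihl > total_len:
        raise ValueError("inconsistent IPv4 lengths")
    tcp = raw[ihl:total_len]            # use the declared length, not the buffer size
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, _seq, _ack, off_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4    # TCP header length in bytes, options included
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x01FF          # low 9 bits carry the TCP flags
    return Packet(
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
        sport=sport, dport=dport, flags=flags,
        payload=tcp[data_off:],
    )


@dataclass
class Rule:
    """Hypothetical minimal rule format (assumption, not Snort's grammar)."""
    msg: str
    dport: Optional[int] = None
    flags_required: int = 0
    content: bytes = b""
    depth: Optional[int] = None     # like Snort's depth: search only the first N payload bytes


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if (pkt.flags & rule.flags_required) != rule.flags_required:
        return False
    haystack = pkt.payload if rule.depth is None else pkt.payload[:rule.depth]
    return rule.content in haystack


RULES = [
    Rule("HTTP GET to port 80", dport=80, flags_required=TCP_FLAG_PSH | TCP_FLAG_ACK,
         content=b"GET ", depth=4),
    Rule("HTTP verb on TLS port", dport=443, content=b"GET "),
    Rule("HTTP/ within first 4 bytes", dport=80, content=b"HTTP/", depth=4),
]


def alerts_for(raw: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Parse one raw packet and return the messages of every rule that fires."""
    pkt = parse_ipv4_tcp(raw)
    return [r.msg for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    raw = bytes.fromhex(SAMPLE_HEX)
    print(parse_ipv4_tcp(raw))
    print(alerts_for(raw))
```

      Only the first rule fires on the sample: the second wants port 443, and the third's `depth=4` restricts the search to `b"GET "`, so `b"HTTP/"` is never seen. The length checks matter more than they look: a parser that trusts the buffer size instead of the declared IPv4 total length or TCP data offset is exactly what evasion traffic targets.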

  11. The only thing that matters by Anonymous Coward · · Score: 0
    What IT security certifications are left (if any) that actually provide value to you?
    I'd have to say the size of my wang. With the hiring freezes, then the outsourcing, then the layoffs - and don't even get me started about the current job market - it's about all I've got left. Some guy in Bangalore may have taken my job, but I have a bigger penis, and no amount of certifications will ever change that.
  12. Thats not the half of it by patio11 · · Score: 0, Offtopic
    Given that they can use Javascript to grab repeated 10k chunks from the memory allocated to Firefox, you could easily conduct a super-phishing attack by embedding a javascript loop which started when the target page was loaded, and then used simple heuristics to find personal information (I'm thinking "credit card number" is the obvious choice -- and even worse, credit card numbers will be stored RIGHT NEXT to the other information filled in the same form due to locality of reference) on the client side. Then, after you use the *client's* processing power to data-mine THEIR OWN memory for you, you transfer the 500 bytes of valuable data you get back to the server via, say, a GET request, and laugh all the way to the bank. Or, if you want to be a REAL bastard, you have the client send a GET request to an unprotected comment script somewhere on the internet on a server which is not controlled by you, and then you just look up all the credit card numbers applied in the comments to "Grandma Ester's Fried Chicken Recipe".

    On a scale of one to ten I'd put this vulnerability as an eight if anyone bothers to exploit it intelligently. This is very, very, very close to the relative badness of arbitrary code execution.

  13. Followup paperwork too time consuming... by sakshale · · Score: 1

    I took the SANS security boot camp when they first started. I found it valuable and very well done. A solid week of good, well presented, stuff that you won't find anywhere else.

    However, even though I passed all the exams needed for GIAC certification, the follow on requirement to submit papers simply did not fit my work schedule. As the only system administrator for a small startup, I simply did not have time to write papers. So, the requirement they appear to be dropping was the requirement that blocked my certification.

    Writing a good paper takes time and focus. Something that working system administrators often find short in supply.

    --
    For every problem there is a solution that is simple, obvious and wrong.
    1. Re:Followup paperwork too time consuming... by chill · · Score: 1

      You basically just described the difference between a Bachelor's degree and an advanced degree like a Master's or Doctorate.

      See how far taking graduate level classes at a decent University gets you if you don't do the dissertation. [Hint: It won't get you an advanced degree.]

      They could just make an Apprentice, Journeyman and Master certificate if they wanted, with the Apprentice not needing to publish. Instead they are caving.

      -Charles

      --
      Learning HOW to think is more important than learning WHAT to think.