Jun 16

The Black Hat 2009 Sneak Peek is this Thursday. Black Hat is going to be giving a sneak peek of talks that they feel are interesting from their 2009 lineup. We are glad, once again, that they have found one of our talks interesting enough to include in their sneak peek, especially given the lineup. Not sure why they picked our talk, but we will do our best not to let them down :) We will be discussing our talk called Weaponizing the Web: More Attacks on User-Generated Content. If you would like more information or would like to register for the webcast, you can do so here.

May 22

Black Hat Logo

Hello Everyone. I just thought I would drop a quick note. Shawn Moyer and I are speaking at Black Hat US 2009. Our talk is called Weaponizing the Web: More Attacks on User Generated Content. We are going to be talking about attacking sites with user controlled content. In the modern web environment, that’s a whole lot of sites. This content can be turned around and used against the site, the user, or other sites.

If you are going to be out at Black Hat this year, also check out Michael Murphy and Aaron LeMasters’ talk Rapid Enterprise Triaging (RETRI). Mike and Aaron are fellow members of Hexsec. Anyway, that’s all for now.

Nov 24

I really hate AT&T sometimes. Not having the iPhone do MMS messages is about the dumbest thing they could have done. Not that MMS messages are something I do every day, but on occasion it happens. AT&T has this stupid website that you have to go to to retrieve your MMS messages called www.viewmymessage.com/1. Then you have to type in some random username and password, all to get some picture you probably didn’t want in the first place. Not to mention you can’t copy and paste crap either, way to go Apple. Copy and Paste, who does that? Now I realize that this is old news to everyone, I just needed to vent for a second. I thought I would share an error that I got when trying to receive a picture from the wonderful www.viewmymessage.com.

The url location is:

http://www.viewmymessage.com/en/webnonsubscriber/viewmessage.do

The content of the page displays:

Invalid path /1en/en1/en/1en/en/1en/en/1/en/1en/en/1en/en/1en/en/1en/en/1/en/1en/en/1en/en/1en/en/1en/en/1n/en/1en/en/1en/en/1en/en/1en/en/1en/en/1en/en/1en/en/2en/en/2en/en/webnonsubscriber/actualviewmessage was requested

Nice directory structure, is that some attempt at obfuscation? This site sucks so bad, who knows what the intent of having a structure like this is. This is the first error I have seen from this page. I have had it just not work, but never give back any errors. I know other people have had errors on this site, so I am adding to the stack. For people who may stumble across this post, it isn’t an Apple issue, well, maybe indirectly due to the fact that the iPhone doesn’t support MMS. This is an AT&T site, so the error belongs to them. Anyway, just wanted to share something stupid for the day.

Sep 18

Hello Everyone. I just wanted everyone to know that Shawn Moyer and I will be speaking at PhreakNIC 12. We are going to do the Satan is on my Friends List talk again. There were people who didn’t get to see it out in Las Vegas, and well, since BHJP is in a different part of the world we figured if people still wanted to see it we would do it again in the United States. We will have some updates so it won’t totally be the same talk we did in Vegas.

If you aren’t familiar with PhreakNIC, it is a small conference in Nashville, TN. It’s loads of fun; there are great people, great conversation, and no vendor overload. I highly encourage people to go.

Sep 10

This topic is one that I have had plenty of conversations with people about, but have not spent much time writing about. What got me thinking about this topic again was that Seth Hardy recently requested to be added to the ballot for the ISC2 board. More information can be found on www.sethforisc2board.org. What’s great about Seth is he sees problems and wants to do something about them. I think we often resort to just complaining about issues rather than doing something about them. I say bravo to Seth. Even if Seth gets elected, I am not sure anyone would listen to him, but I like the idea that they would. I strongly urge ISC2 certified individuals to sign his petition.

I am going to be as objective as possible in this post. People who know me know that I have a distaste for some of these certification vendors due to their deception and motives. I hold quite a few certifications myself going back to the 1990s and have dealt with many of these organizations first hand. I have had plenty of time to hone my opinions, and in the end that is all they are, my opinions. Feel free to agree or disagree.

What is Certification Supposed to be About?

The world of information security tends to be quite a bit different than other professions. Other disciplines may live and die by certifications and licensure. For example, in the medical field you want licensed physicians who are possibly board certified for their specialties. Additionally, stenographers, interpreters, and many other professions have national certifications that open up great opportunities for their individuals following certification. The bodies that handle these certs in other disciplines are much different than those in the information security world. Other disciplines typically have certifications issued by national associations or other recognized industry bodies. In the information security world it is typically done by private businesses and masked bodies. I will get into this more later.

Certification is supposed to be about demonstrating a baseline level of knowledge for a particular area. Licensure, as I see it, is the granting of a license based on a certain set of baseline qualifications. The way you go about demonstrating competency varies from certification to certification.

What You Look for in Security People

What do you look for in security personnel? Most likely there are no objectives of a certification that cover that. Often the number one thing people look for is experience. Nothing trumps experience; even certification vendors know that. Along with experience is depth of knowledge. If someone doesn’t have experience, you at least want people who can find answers, who have a genuine interest in the security field, and who can think critically. I haven’t seen a Certified Information Security Googling Professional certification yet :) What about soft skills? Writing skills? There are many factors about the people you wish to hire that are well beyond the scope of a security certification.

Three general areas that people look into when hiring information technology people are experience, education, and certification. They may throw these areas around and substitute one for another, but the requirements are going to be there. Once the gatekeepers are passed, it is up to the interviewee and the impression they make to land the job.

All About the Benjamins

Certification in the infosec world is typically handled by private companies and is either vendor specific or vendor neutral. Sometimes these companies will masquerade as an org, but when you pay them for training or certification, watch where your money goes. It’s not the org front ;) It’s in the best interest of these companies to draw blurry lines between their different parts. You may hear things like, “No, this company provides the training, the certification is from this other organization”. Who do they think they are fooling? It is the same people working at both organizations and proctoring the tests.

More benjamins equals more win for the companies providing the security certifications, training, or CPE style credits. Or maybe you can just take the road that SANS does and just charge an outrageous price for your certification challenges right off the bat. Yes, Yes, I know. I called GIAC SANS. Same thing ;) They are counting on people with security training budgets and certification reimbursement and saying “screw you” to the little guy. Certification vs value, make the decision for yourself. I personally think they are pricing themselves out of the running to compete with the big dogs ISC2 and ISACA but, oh well. I am entitled to my opinion. Not saying they are trying to compete directly with them, but there are more people looking for CISSPs than there are GIAC certified individuals.

Why Security Certification is hard to make

There are certain roadblocks to certs in the information security space. This is because everyone from the person that deploys anti-virus software to the individual reverse engineering software is considered a “security person”. These are wide and varied disciplines that take greatly differing skills to perform. So from a certification perspective you either have to specialize or generalize. When generalizing you have to be very broad and lose depth. When you specialize you lose overall market appeal. It’s hard to draw that line. This may be important when you are considering certification. If you are a specialist and there is a certification that fits your particular specialty, then there may be some additional appeal.

Perception is Everything

Certification value is pretty much all about market perception, regardless of the actual value of the certification to you personally or your peers. The greatest, most perfect security certification in the world can come along, but if it has no market value then there is pretty much no value in getting it. One way to gauge how well perceived the certification may be is by going to job search sites and looking for job positions in which you are interested. You will see how many mention the certification you are considering. The business side of security likes the thought of certification. It gives them a nice warm feeling inside. Hiring people in any profession is a gamble. You never really know if someone is going to work out or not. The thought of having an additional assurance that they are getting a decent individual is very appealing to them, regardless of how valid the certification is.

There seems to be a perception of certifications such as the CISSP, CISA, etc. as being technical. This perception is incorrect. I split security certifications into two different categories: Functional and Awareness. I consider certifications such as CISSP, CISA, Security+, etc. to be awareness based certifications. These certifications do not go particularly deep into each of their domains but provide awareness across all of their domains. Functional certifications are ones that are more vendor specific and/or cover the functional aspects of particular items or domains.

Certification (may) = Win

Let’s take a look at some of the advantages of certification in the information security field. Certifications in the security field are all about your professional life. They are about your job and your future job prospects. Certifications aren’t good for much else unless you just like framing them and putting them on your wall ;) Keep in mind that all of these potential win situations for certifications are based on someone else’s perceptions at a given time.

The biggest advantage of a certification is that it allows you to display the designation. This means you can say you are certified, display it on your resume, put it in your email signature, etc. Certifications are sometimes used as filtering mechanisms to weed through potential candidates. The person in recruiting or HR may not even forward your resume on to a decision maker because they do not see the certification. The whole goal of submitting a resume is to get your foot in the door for an interview. If you can’t make it that far then it is a fail situation. Displaying the designation allows you to meet the perceived expectations of someone looking for that particular designation.

Along with the previously mentioned benefits, certifications give you some “flair” for your resume. They allow you to add a section to your resume called “Professional Certifications”. Now, you may have more than enough content for your resume due to your experience, but for people with less experience it helps fill out a resume.

During the study process for a certification there is the possibility of learning something. Now this probably isn’t going to be some earth shattering revelation, but the more you know the better off you are. It may force you to look at concepts that you haven’t taken the time to look at previously. So there is the potential that horizons may be broadened.

Vendor specific certifications demonstrate that you are at least familiar with the interface to a particular product. The world is much better off now that you know where that check box is ;) It may give people a sense that you have actually seen the interface before.

Certifications can prove that you have the ability to start something and see it through. Much like education, some certifications take some effort to study for and complete. They can display a certain amount of determination on the part of a potential candidate. They show that you have not remained stagnant in your career. I know the actuality is stupid, but remember we are talking about perceptions.

Certifications are rarely something that you get looked down upon for. If you are applying for a job or have a job interview, I have never heard of a case where someone didn’t get a job because of a certification they held. I file this under the “it couldn’t hurt” column.

Certification (may) = Fail

Security certifications won’t help you do your job better, lift a car, or save a baby from a burning building. Security certifications in their current iteration seem to be very poor at proving people have baseline competencies, which is what certification is all about. This is something that the business side has not really caught on to yet and probably won’t.

Certification can be a pain to get. Some certifications require a healthy dose of time dedicated to studying, practice exams, and whatever other resources are required to pass the exam. Even if you are already familiar with the material, it takes time to learn how to answer the questions the way the certification vendor wants them answered.

Certifications can be a pain to maintain. Some security certifications require maintenance. This maintenance includes either re-certifying periodically or submitting credits. The credit based systems require that you get so many credits per year and per certification cycle. For the ISC2 certifications these are called CPEs (continuing professional education).

The benjamins are here to stay; certification costs money up front. This is your initial buy-in to the certification. Certification costs typically range anywhere from 150 dollars to as much as a few thousand, depending on what the certification is and what is required.

Oh no, the benjamins are back! Of course everything from re-certification to annual maintenance requires money. Fees, fees, and more fees. Needless to say, unless it is a perpetual certification you are no doubt going to have to pay money to the vendor periodically.

You really don’t get anything from certification vendors in return for your time, effort, and money. I think this is the part about certification that irritates me the most. After you have spent the time and effort to get a certification, you really receive nothing useful from them. You may receive notifications about items from the vendor, but it is typically “who cares” communication.

You may have ethical issues with certification vendors in which you don’t want to give them your money. In this case I am right there with you. This could actually be a big turn off in your decision making process.

The Certified Conclusion

There are probably valid points that I left out, sorry, but the post is getting long and I don’t know if anyone will read it anyway. I am sorry if there is anything that I have left out. I also really didn’t want to talk about particular certifications, so I didn’t really list any. They are easy enough to find though.

There is really no right or wrong answer about whether to obtain a security certification. All you can do is take the data you have and make a decision for yourself. Visit job search sites and search for jobs with that particular certification. Weigh the time, effort, and expense that you will have to endure to get and maintain the certification. See what other people are saying about the certification. If it makes sense and you think that it will help, then go for it. If it doesn’t seem worth it, then don’t. It’s really hard to judge the future and where security certification vendors are going, so all you can do is make the best decision for yourself in the present.

Sep 03

I am just finishing up a post on certification, but I thought this needs its own post… and well… I am taking too long. Seth Hardy has requested to be put on the ballot of the ISC2 Board. He needs 591 signatures on his petition in order to be put on the ballot. From his site:

Send an email to me: shardy@aculei.net using your email address on record with (ISC)2, including your member number, stating that you are signing my petition!

Signing the petition doesn’t mean you’re voting for me; it just means that you’re supporting my inclusion on the ballot. I’ll be hitting you up for votes later. :)

Rather than just complain about issues Seth wants to do something about them. That is something I totally support. If you have an ISC2 certification please visit his site and sign his petition. www.sethforisc2board.org

More to come on the value / lack of value in security certification. I promise I will finish it soon.

Feb 27

I am speaking at Outerz0ne 4 in Atlanta, GA. My topic is called Information Security: Something Has Got To Give. The talk covers the topic of dealing with common issues in the security world. The talk also spends a good deal of time talking about the individuals you run into and how to deal with them. I will spend a good deal of time talking about some of my experiences dealing with individuals and issues. It sounds a lot more boring and useless than it is actually going to be. I promise. The issues I will be discussing will be common ones that people will have to deal with in the future.
