Friday, June 20, 2008

For The Love Of God -- CISA != Pentester Either

I wasn't going to post about my CISA exam, but Dre's post on the CISSP got me motivated to do it even though it's not really related.

Why CISA you ask? Well, they made me.

I'm not going to bitch and moan about the test (much). I took a whopping one question on the OSI model, a lot of IT governance, and several on a dumbed down version of how PKI works. Dumbed down so much and with terms that made no sense that I had to sit there for a minute trying to figure out what the heck they were asking, and I KNOW how PKI works. It was also poorly written, which I found surprising given the cert being around as long as it has. For the life of me I'll never understand why asking me a simple question in some obscure way makes me prove I know the material better. I understand that with math that might be the case, but not with IT. Overall I felt it was very low tech, yet the CISA certification is now required for anyone doing CNA.

Work did send us to a 1-week bootcamp on the CISA, where my favorite quote of the class was "CISA, a technical certification for accountants"...yea! After a week of talking about it I would sum it up to say that the Auditor goes back and checks to see if the CISSP did his/her job properly and if their processes are meeting whatever requirements are required for that particular business.

Anyway, nothing in the course, books, or test helped me get or be better at the real duties of my job. I guess we could argue management and professional development, but when you are talking a level 3 certification I want experience that helps me do my real job better, not something that makes people that stopped being good at technical stuff long ago feel better about themselves.

Now let me cut the 8570 folks some slack: CNA is huge and pentesting is a small part of it. I can see that if you do IA inspections, blue teaming, or that kind of go-through-your-checklists, run-a-gazillion-scanners vulnerability assessment stuff, the CISA is at least in your domain. Would having the CISA certification help them do their job better or prove that someone could do that job? I don't think so, but it's in their domain.

On a positive note, I was asked to think about a certification for pentesters for DoD for yet another update in the distant future. I personally don't have any experience with any (meaning I haven't taken the training or the test) that I would recommend. I think CEH & LPT is out, just ask an LPT and they'll tell you why. I will be looking into the SANS GPEN or possibly the CEPT Link1 & Link2.

If anyone has any suggestions for certs to look into please post up. The "you don't need a certification" debate we can keep on another thread; we won't be getting away from the need for certification in this case.


Anonymous said...

OSCP cert from Offensive Security would be a good one for a level 1 or 2 pentester (since it's hands on like CEPT).

Anonymous said...

My favourites:
- GCIH (SANS/GIAC): hacking concepts + incident handling
- GPEN (SANS/GIAC): core pentesting skills
- GSE (SANS/GIAC): summum of the technical security certs