Accipiter posted: The CISSP is good for managers that want to pretend they're technical. Any certification not backed by relevant experience is useless. CISSP is no different.

I've had a CISSP since 2001 and it has been *very* useful in showing employers I am broadly well informed on InfoSec. I am not now, and never have been, a manager. I am a Unix admin/architect who went into security because OS admin got boring. In other words, you have no idea what you're talking about.

Apr 24, 2024 07:43
every single person that i've worked with with a CISSP, bar none, is an annoyingly stupid dipshit who shouldn't be allowed access to a computer

Apr 24, 2024 07:46
sounds like you need a new job. perhaps a cissp would help

Apr 24, 2024 09:15
Took the example quiz on the CISSP website and got 11/16 correct. I think I might have a new career ahead of me (I've never worked with or in tech).

Apr 24, 2024 10:41
I work with hundreds of Information Security Professionals. None of them know poo poo about computers.

Apr 24, 2024 11:30
That's like 95% of people anyways. Selling your time and labor for more money is a good thing. Get the checkmark cert that helps you do so.

Apr 24, 2024 11:36
Diva Cupcake posted: That's like 95% of people anyways.

This. There are good people with CISSPs, there are bad people with CISSPs. It's more coincidence that it's a cert that gets aimed at managers and above; that doesn't make it useless or the people having it useless. Like anything, judge them based on their works and actual knowledge rather than the sheet of paper.

Apr 24, 2024 13:00
quote: someone who's got a CISSP but can't or won't run an incident response exercise.

lmao I have a CISSP but if you need me to run an incident response exercise I suggest you sell tickets because that is not going to be a comedy.

e: I mean it'll probably go better than letting some rando do it, just because of the years of experience, but like.. if there's a CISSP way to run it, I sure as hell forgot what that is by now

Apr 24, 2024 13:39
some kinda jackal posted: lmao I have a CISSP but if you need me to run an incident response exercise I suggest you sell tickets because that is not going to be a comedy.

That'd be more ITIL anyhow, no? Plus remembering contain, eradicate, etc. The hallmark of a paper CISSP is still the drat CIA triangle, I'll admit that.

Rust Martialis fucked around with this message at 18:23 on Apr 24, 2024

Apr 24, 2024 18:21
OTOH our incident response processes are all executable playbooks so I guess arguably being a CISSP proves I am at least literate, so maybe I do stand a fighting chance.

Apr 24, 2024 19:05
Hey remember that Palo vuln? https://www.cisa.gov/news-events/al...ewall-platforms

Apr 24, 2024 19:23
cissp is a huge door opener, who is ragging on it that hard? it's a battering ram. accept that and wield it if it helps you collect more money from employers who are already exploiting your labor value

Apr 24, 2024 20:10
It would be nice if the thing that formally qualified you for a job also gave you some kind of actual skills that would make you better at your job. It feels a bit inefficient to have a whole lot of studying plus an ecosystem of study help just to have a piece of paper saying "this guy passed our test I guess". But that's hardly unique to cissp.

Apr 24, 2024 20:28
BonHair posted: It would be nice if the thing that formally qualified you for a job also gave you some kind of actual skills that would make you better at your job. It feels a bit inefficient to have a whole lot of studying plus an ecosystem of study help just to have a piece of paper saying "this guy passed our test I guess". But that's hardly unique to cissp.

It costs a thousand dollars, requires a specific kind of degree, and 5 years experience. It also requires CEs to upkeep. The test is just a front for the club fee and the rest is supposed to gatekeep the non-desirables.

Apr 24, 2024 20:47
Sickening posted: It costs a thousand dollars, requires a specific kind of degree, and 5 years experience. It also requires CEs to upkeep. The test is just a front for the club fee and the rest is supposed to gatekeep the non-desirables.

They didn't offer to pay for your retake? I mean seriously, you've had several people tell you how valuable they find it, so just move on. Complaining it takes CEs to upkeep when you can read a book, or attend a vendor presentation, or a webinar - yeah, you have to actually try to stay SOMEWHAT updated on modern tech. For example, I did the Stanford crypto course on Coursera, which gave me dozens of hours in return for an annual Coursera fee, but there are free options.

    Rollover - Term ending 2025-06-30                    CPE Rollover                                               07/01/2022  07/01/2022  4.25  A  Accepted
    Cryptography I                                       Courses and Seminars - Other                               08/05/2022  09/02/2022  23    A  Accepted
    Enterprise Management and Security                   Courses and Seminars - Other                               01/01/2024  01/03/2024  12    A  Accepted
    Coursera - Linux Server Management and Security      Online webinars, podcasts and other online materials       01/01/2024  01/08/2024  13    A  Accepted

There's TONS of free stuff you can do to earn CPEs. And my CISSP CPE can be used for my CRISC or CISM to boot, or other certs I might get.

Having spoken to Cisco about this ASA/FTD issue:
- if your ASA or FTD VPN gateway hasn't been rebooting spontaneously in the last weeks, you're probably not hit.
- the Cisco "enter your OS version and we'll tell you what version you need to upgrade to" is a PoS

    Hi Rust,

    If you haven't seen any spontaneous reboot in the last couple of weeks, it is unlikely you will see more tonight. The exploit details are not widely available and I would expect reverse-engineering the patch would take a bit of time... In addition, this vulnerability alone shouldn't do much: it's "just" a DoS. The two other ones require admin access as pointed out by (colleague).

    HTH, (Cisco Firewall SME)

    # ./arcane_check.py
    Opened /logdata/2024-04-24/10.xxx.yyy.zzz-2024-04-24.log
    Slurping...
    Read in 52556917 lines...
    Scanning... 100.0%
    #

Rust Martialis fucked around with this message at 21:13 on Apr 24, 2024

Apr 24, 2024 21:10
Rust Martialis posted: They didn't offer to pay for your retake?

You and I aren't having an argument on whether it's valuable.

Apr 24, 2024 21:13
Mustache Ride posted: Hey remember that Palo vuln?

although i have mixed feelings about the way a lot of 'ZTNA' poo poo actually works (lots of them doing layer 7 proxy stuff instead of working on layer 3 like a traditional vpn) i'm ready to see running stuff like vpn on your edge die. use tailscale or something if ztna is too stupid for your use case. too bad prisma just piggybacks on GP infra/your edge firewalls iirc.

Sickening posted: It costs a thousand dollars, requires a specific kind of degree, and 5 years experience. It also requires CEs to upkeep. The test is just a front for the club fee and the rest is supposed to gatekeep the non-desirables.

cissp requires a specific kind of degree? do you mean in lieu of work experience?

post hole digger fucked around with this message at 23:02 on Apr 24, 2024

Apr 24, 2024 22:59
Speaking as someone who has problems staying motivated in learning specific stuff on my personal time for more than a month at a time, the CISSP feels like it exists specifically to block my advancement because it requires a lot of very specific niche knowledge but very little real world knowledge. But holy crap is it hard to get past doors without it or a college degree to my name.

Apr 24, 2024 23:24
Sickening posted: requires a specific kind of degree

gently caress, don't tell ISC(2) that I majored in English, they'll have me flogged and send me to McDonald's (no it does not lol)

Apr 24, 2024 23:38
chin up everything sucks posted: Speaking as someone who has problems staying motivated in learning specific stuff on my personal time for more than a month at a time, the CISSP feels like it exists specifically to block my advancement because it requires a lot of very specific niche knowledge but very little real world knowledge. But holy crap is it hard to get past doors without it or a college degree to my name.

I didn't find it required niche knowledge; it requires broad knowledge of many distinct areas in IT security. If you only know Windows desktop security and never looked at crypto, physical security, or anything else, you probably won't pass. Most of us don't "do" physical security for instance, but physical security isn't a niche; knowing how to build physically secure locations to perform data processing - including resiliency - is a core part of InfoSec. Badge access, man traps, cameras, breakage sensors, water underfloor sensors, etc. That's all "real world" stuff. You may just not care about it. Or you may! Either way it's part of the CISSP. (Or it was in 2001 when I took it.) If you only want to do l33t h4kk3r stuff, get a CEH or something.

One "trivial" question I tripped over, which I still recall from 23 years ago, was the "which of the following is not a type of covert channel" question. I could argue that knowing every type of covert channel shouldn't be relevant to the CISSP, I suppose. I did blue-slip one question. Never heard back.

Apr 25, 2024 10:21
Mustache Ride posted: Hey remember that Palo vuln?

The first vuln they list is definitely a gnarly one. The other two however seem like cases of "it rather involved being on the other side of this airtight hatchway"; if you can write to flash0:, you've already won.

Apr 25, 2024 10:42
Kazinsal posted: The first vuln they list is definitely a gnarly one. The other two however seem like cases of "it rather involved being on the other side of this airtight hatchway"; if you can write to flash0:, you've already won.

The comment "the original vector is unknown" or some such

Apr 25, 2024 13:57
I did a bunch of security work for years in my primarily network focused job, but could never get my foot in the door in the industry. Then I bought a 12th hour CISSP book and one other and studied for a few months and got my CISSP. It immediately opened a ton of doors for me. I was getting calls back left and right for interviews and that's how I got started. 10/10 would recommend. It's an easy test and most companies pay the renewal fee anyway.

Apr 25, 2024 19:02
Is CISSP the one where you have to learn risk management formulas? That's basically the only reason I haven't shot for it: my greatest weakness is remembering formulas I literally never use.

Apr 25, 2024 21:22
It's like two if I remember right, and they weren't hard. Something about mean time to recovery and business loss or some such. Anyway it's a trivial amount to memorize before the test and shouldn't dissuade you in the least.

Apr 25, 2024 21:38
Sickening posted: These titles are loving killing me. I don't even know what this person would even loving do.

Security, devops, and engineering. Duh!

Apr 26, 2024 07:35
I'm sure the real answer is they do absolutely loving nothing.

Apr 26, 2024 17:41
ChubbyThePhat posted: I'm sure the real answer is they do absolutely loving nothing.

Maybe they run the source code vulnerability scanner? Secure coding practices are a thing, SDLC yada yada

Apr 26, 2024 18:49
Rust Martialis posted: Maybe they run the source code vulnerability scanner? Secure coding practices are a thing, SDLC yada yada

Someone who doesn't know what a private IP address space is wouldn't even know how to look up any of those.

Apr 26, 2024 23:02
BlankSystemDaemon posted: You need a whole testing harness with static analysis, address-/memory-/concurrency-/undefined behaviour-sanitizers with coverage integration so you can run them all individually and in combination and across the whole codebase with and without fuzzing, and definitely a few more things I'm forgetting, not to mention the dozen other forms of testing that aren't covered by the above.

He paid the consultants to set up whatever sounded good, and now he forwards the results to you randomly, sometimes with cryptic/moronic notes, and makes it your problem to remediate CVE 16-5316464: SMB vuln in Windows ME that is pointing to the RedHat build server.

Apr 27, 2024 00:27
Potato Salad posted: cissp is a huge door opener, who is ragging on it that hard

Do what I did instead and get a PhD, which simultaneously closes doors and sucks up prime career advancement years (and you will still get screened on certs)

Apr 27, 2024 03:50
Methylethylaldehyde posted: He paid the consultants to set up whatever sounded good, and now he forwards the results to you randomly, sometimes with cryptic/moronic notes, and makes it your problem to remediate CVE 16-5316464: SMB vuln in Windows ME that is pointing to the RedHat build server.

Okay, *that* got a rough chuckle from years of explaining "false positive"

Apr 27, 2024 06:23
Methylethylaldehyde posted: He paid the consultants to set up whatever sounded good, and now he forwards the results to you randomly, sometimes with cryptic/moronic notes, and makes it your problem to remediate CVE 16-5316464: SMB vuln in Windows ME that is pointing to the RedHat build server.

Apr 27, 2024 11:54
Ellipson posted: Do what I did instead and get a PhD, which simultaneously closes doors and sucks up prime career advancement years (and you will still get screened on certs)

Guy applied to a web dev position at work with a Ph.D. Disqualified for being overqualified.

Apr 27, 2024 20:07
Last day at my current job, 2 weeks before my new job is going to start.... Got a phone call with an offer for the job I really wanted, better pay, benefits, better work.... Everything. loving taking it. ISSO here I go.

May 3, 2024 17:05
chin up everything sucks posted: Last day at my current job, 2 weeks before my new job is going to start.... Got a phone call with an offer for the job I really wanted, better pay, benefits, better work.... Everything. loving taking it. ISSO here I go.

yeah baby get paid

May 3, 2024 18:06
I've recently stumbled rear end-backwards into a digital forensics gig. I've received some in-house training and can hopefully attend SANS FOR508 later this year. Any recommendations on DFIR practice labs or exercises? I'm willing to shell out a little (company) money if there are reputable blue team sites similar to TryHackMe. I'm mainly looking to learn more about digital forensics and threat hunting by actually working scenarios or simulations.

chin up everything sucks posted: Last day at my current job, 2 weeks before my new job is going to start.... Got a phone call with an offer for the job I really wanted, better pay, benefits, better work.... Everything. loving taking it. ISSO here I go.

Get that money!

May 3, 2024 22:30
I'm not a fan of Oracle, atlassian, or loving Palo Alto right now

May 4, 2024 03:41
Cannon_Fodder posted: I'm not a fan of Oracle, atlassian, or loving Palo Alto right now

I love how smug I feel when I don't get an interview for an infosec job I applied for and then the company has a huge information security issue. There's probably no difference I would have made, but they don't know that

May 6, 2024 13:56
Hughmoris posted:

I haven't vetted these myself but the folks behind the DFIR Report have started offering a few hands-on labs which might be good: https://the-dfir-report-store.myshopify.com/collections/dfir-labs Considering the quality of their writeups, I'd wager they will be pretty good.

May 6, 2024 15:21