security consultants and malware experts



nec207
August 22nd, 2011, 08:12 PM
I have 2 questions. One of them is about malware removal groups. You see time and time again on message boards for PCs a section called malware removal, where people go and post a HijackThis log or other log files for the malware experts to look at, and they tell them how to remove the malware or other malware remover tools you have run or the way you have to remove it. They have a gold star on the profile that only they have the skills and training to help with malware removal.

Yet some of these same people, when you try to talk to them about other stuff, do not understand. Why is that? I thought they are malware experts? What kind of certification or degree do they have that they are called malware experts that have a gold star but do not know some basic stuff about the OS or security permissions?

The last question is about security consultants: what certification or degree do they have that gives them the authority to speak out about Windows, OS X or anything about security?

What consultants team allows them to say stuff? How do you know if some of these security consultants just hate Apple or Windows, where what they are saying may not be 100% true?

lisati
August 22nd, 2011, 08:21 PM
That's the thing about the quality of advice available through the internet: anyone can set themselves up as an expert.

One thing is fairly certain: if a person consistently gives out good or bad advice, word will get out.

haqking
August 22nd, 2011, 08:43 PM
> The last question is about security consultants: what certification or degree do they have that gives them the authority to speak out about Windows, OS X or anything about security?
>
> What consultants team allows them to say stuff? How do you know if some of these security consultants just hate Apple or Windows, where what they are saying may not be 100% true?

There are lots of Certifications some held in high regard, some not so much.

I for example amongst many others am CEH, CISSP, MCSE + Security, Security +, GIAC GSEC

Now CEH is fairly general and entry level, MCSE + Security relates solely to MS networks and the security mechanisms and technologies you are likely to encounter on them.

CISSP is more of a Security management based certification but covers a lot of material encompassing all areas or domains within the Security arena.

However a Certification does not make someone an expert, but with a lot of them you would hope they are.

MCSE/MCITP and Microsoft certifications in general are in fact fairly easy to obtain, and I know people who have them without ever really getting much hands on.

CEH requires a fair knowledge of lots of tools and the use of them.

CISSP requires a very broad and deep understanding stemming from Physical security such as Biometrics, through to Encryption and Cryptography through to Risk assessment.

But someone will only be as good as they can show or do, not what is on their wall in the office ;-)

GSEC is extremely hands on and requires in depth technical knowledge.

Security+ from CompTIA is again like all CompTIA and MS certs fairly easy to obtain and doesn't go into too much depth.

Megaptera
August 22nd, 2011, 08:57 PM
Malware experts deal with Malware on Windows PCs/laptops. Often for Joe Public ordinary Windows users. They generally are volunteers - don't charge - much like advice/help here.
They aren't Sys Admins or Tech Support necessarily.
They should go through training at a reputable on-line facility and be mentored in their early days either with 'dummy' HJT logs or eventually with 'live' HJT logs.

The idea is they "clean" systems but may not be involved in setting up, maintaining or the many other aspects you mention.

This site is a typical example: http://www.bleepingcomputer.com/forums/topic86678.html

Quote "The Sophomore Center
Upon acceptance to the training program here at Bleeping Computer, you will start in the Sophomore Center where we will test your basic skills and provide you with basic knowledge needed to identify and remove malware.

Junior Class
In this section you will learn about infections that are commonly targeted by today's anti-malware programs. As your studies progress, you will move into the more advanced forms of malware and learn the use of the powerful tools available to remove these infections. This stage employs practice logs as a training tool under the supervision and guidance of our coaches.

Senior Class
Upon your completion of the required logs, you will work here with actual users under the supervision of a coach/teacher. Discussions about current developments and changes in the methods of dealing with malware start here. Once you have demonstrated the capability to effectively resolve problems you will become a staff member, with full rights as a Malware Response Team Member.

Don't be put off by the challenging effort; we will go at your pace and even absolute beginners can give it a go. You are under no obligation to complete the training - if it does not suit your needs then you can drop out at any time."

nec207
August 22nd, 2011, 09:16 PM
> The idea is they "clean" systems but may not be involved in setting up, maintaining or the many other aspects you mention.
>
> This site is a typical example: http://www.bleepingcomputer.com/forums/topic86678.html
>
> Quote "The Sophomore Center
> Upon acceptance to the training program here at Bleeping Computer, you will start in the Sophomore Center where we will test your basic skills and provide you with basic knowledge needed to identify and remove malware.

Then would they not have to know how malware spreads and how to lock down your computer so you would not get malware?

So would they know about Linux and Windows?

How would this get them a job?

Megaptera
August 22nd, 2011, 09:24 PM
Some sweeping generalisations now follow... apologies to anyone I've overlooked!
A guide to locking down Windows here: http://www.techsupportalert.com/how-to-secure-your-pc.php
but it depends how locked-down you want before it becomes unusable!! There are probably loads of similar guides out there ...

Poss not very familiar with Linux as not prone to same Malware risks as Windows.

As part of their IT knowledge/skills it may help get a job but it really depends on tons of other factors too - as any job-hunter or recruiter can tell you!

nec207
August 25th, 2011, 10:54 PM
> Some sweeping generalisations now follow... apologies to anyone I've overlooked!
> A guide to locking down Windows here: http://www.techsupportalert.com/how-to-secure-your-pc.php
> but it depends how locked-down you want before it becomes unusable!! There are probably loads of similar guides out there ...
>
> Poss not very familiar with Linux as not prone to same Malware risks as Windows.
>
> As part of their IT knowledge/skills it may help get a job but it really depends on tons of other factors too - as any job-hunter or recruiter can tell you!

I find it strange that these so-called malware experts read the HJT logs and come from boot camp training and remove malware.

Would it not be a prerequisite that they know about the OS, how malware spreads, security permissions and how to lock down your computer?

haqking
August 25th, 2011, 11:09 PM
> I find it strange that these so-called malware experts read the HJT logs and come from boot camp training and remove malware.
>
> Would it not be a prerequisite that they know about the OS, how malware spreads, security permissions and how to lock down your computer?

That's life. Not everyone who fixes your car is a qualified or experienced mechanic. ;-)

Dangertux
August 25th, 2011, 11:18 PM
It depends on who you talk to as far as qualifications go. I think the largest problem with the consulting industry at the moment is there is no set standard for what is expected. There are some generalities that are expected. Usually (this is speaking from the standpoint of the firm I work for which is based in the US, other countries have different standards)

To be hired to do consulting where I work, the minimum requirements are as follows :

5+ years experience with system administration, and compliance auditing.
CEH, CISSP (CCNE, MSCE is nice to have)
Bachelor's Degree in a computer related field or mathematics.

That is just my company, and that is just a basic level welcome to the company, now you get to learn how WE do it.

That being said, I've seen individuals with no certs and no degree produce amazing things. Those are rare and extremely gifted minds.

So when someone says they are an expert, that doesn't mean anything, you can do something for a living and not be an expert, imo that is something that comes with a lot of dedication and experience. I am decent at my job, however I do not consider myself some kind of master of security kung fu.

Thewhistlingwind
August 26th, 2011, 03:15 AM
> I am decent at my job, however I do not consider myself some kind of master of security kung fu.

Neither do the masters. (In all careers.)

Normally they end up shocked at other people's incompetence more so than they are impressed by their own skills.

Megaptera
August 26th, 2011, 05:21 AM
> That's life. Not everyone who fixes your car is a qualified or experienced mechanic. ;-)

Don't forget too that not everyone who's a qualified or experienced mechanic fixes your car! :(

cariboo
August 26th, 2011, 07:14 AM
This is an interesting topic, but it really doesn't belong here, as it has nothing to do with Ubuntu. Moved to the Cafe.

nec207
August 29th, 2011, 06:24 PM
> That's life. Not everyone who fixes your car is a qualified or experienced mechanic

I'm not sure about the malware experts that read the HJT logs, if the boot camp training teaches them or asks that you have a prerequisite of how malware spreads, security permissions and how to lock down your computer and basic security.

If this will help one get a job maybe depends on the boot camp training.

I think Dangertux is right about security consultants. Some companies may say they want this and other companies may want this and that.

I thought to be a security consultant they would have to know basic programming and understanding of OS.

haqking
August 29th, 2011, 06:41 PM
> I'm not sure about the malware experts that read the HJT logs, if the boot camp training teaches them or asks that you have a prerequisite of how malware spreads, security permissions and how to lock down your computer and basic security.
>
> If this will help one get a job maybe depends on the boot camp training.
>
> I think Dangertux is right about security consultants. Some companies may say they want this and other companies may want this and that.
>
> I thought to be a security consultant they would have to know basic programming and understanding of OS.

People should know a lot of things, doesn't mean they always do.

Your OP questions have been answered as to what quals are out there and what people should have.

Not every consultant or security expert is gonna be great or qualified... should they be? Then yes. Will they be? Then not necessarily.

There are good and bad, experienced and inexperienced, qualified and unqualified people in every industry in the world.

As for employability then it is the same thing, the company who employs the inexperienced unqualified might be a cowboy firm themselves just out to make a buck.

Like I said, that's life!

Dangertux
August 29th, 2011, 07:16 PM
Along the lines of what haqking said.

There are really crappy companies out there. You will notice as you get further into the sec field, there has always been a lack of a clearly defined standard on what an audit, consultation or pen test includes. There are a few sets of guidelines out there: OSSTMM, some of the SANS and OWASP docs. For the most part policies differ greatly from one company to the next.

Some firms may provide in depth highly skilled penetration testing with months of training and support for clients and their employees. Others may run Nessus and email them the results with a 2 page risk assessment that basically says "you suck". Of course there is everything in between as well.

So just because someone has a job title does not necessarily mean they know what they are doing.

cprofitt
August 29th, 2011, 09:56 PM
My favorite certificate is:

http://www.offensive-security.com/

Many of the other certifications are more 'management' heavy... i.e., a measure of how well you can sell your company's services to the management of another company or how well you can manage to merge the business needs with the security reality in your company. CISSP is a good example of this. They get good fundamental knowledge, but usually do not do much actual penetration testing or malware analysis.

haqking
August 29th, 2011, 10:01 PM
> My favorite certificate is:
>
> http://www.offensive-security.com/
>
> Many of the other certifications are more 'management' heavy... i.e., a measure of how well you can sell your company's services to the management of another company or how well you can manage to merge the business needs with the security reality in your company. CISSP is a good example of this. They get good fundamental knowledge, but usually do not do much actual penetration testing or malware analysis.

That's because CISSP is not supposed to certify the person as a pen tester or malware analyst and it is not marketed or advertised as such ;)

There are specific certs for various areas. I am CISSP amongst others but wouldn't present it as a basis for Pen testing.

Dangertux
August 29th, 2011, 10:29 PM
For pentesting you also have certs like GPEN, CEH and CPT. As well as the Offensive Security certs, which are newer and shockingly haven't taken hold on a wide basis. The company I work for has expressed interest in seeing some of us get them but they aren't what I would call an industry standard, if there even were such a thing.

But no, CISSP is not a cert that qualifies one to pentest, although it seems in the city I work in pentesting firms like to see it. Then again there is a lot of the "everybody can and should be a pentester" idea going around.

Personally I avoid pen testing like the plague; it's by and large extremely boring, frustrating and leads to long hours and infighting between employees. I think I had this discussion with haqking before lol.

About the OSCP and OSCE, if you want a very hands on experience those courses can be a lot of fun and a great learning experience. Although I heard WiFu was a complete waste of time from some who took it. The advantage of those certs is you don't have to constantly accumulate CEUs to keep your cert current though.

So wait, is this a discussion about certs or learning about sec, 'cause those are two very different things lol.

haqking
August 29th, 2011, 10:33 PM
> For pentesting you also have certs like GPEN, CEH and CPT. As well as the Offensive Security certs, which are newer and shockingly haven't taken hold on a wide basis. The company I work for has expressed interest in seeing some of us get them but they aren't what I would call an industry standard, if there even were such a thing.
>
> But no, CISSP is not a cert that qualifies one to pentest, although it seems in the city I work in pentesting firms like to see it. Then again there is a lot of the "everybody can and should be a pentester" idea going around.
>
> Personally I avoid pen testing like the plague; it's by and large extremely boring, frustrating and leads to long hours and infighting between employees. I think I had this discussion with haqking before lol.
>
> About the OSCP and OSCE, if you want a very hands on experience those courses can be a lot of fun and a great learning experience. Although I heard WiFu was a complete waste of time from some who took it. The advantage of those certs is you don't have to constantly accumulate CEUs to keep your cert current though.
>
> So wait, is this a discussion about certs or learning about sec, 'cause those are two very different things lol.

+1

And to be honest I don't think I have ever known what this thread was about...LOL

I think it's about the OP not being impressed by someone or something and wondered why they weren't better than they were?

Like I said... that's life ;-)

Dangertux
August 29th, 2011, 10:48 PM
Another thing I thought of... This is just a spitball idea :-P I do think that CISSP can benefit pen-testers slightly. Not so much directly, however in my opinion (and probably the client's as well) one of the most important parts of a pen test is the report. You need to be able to categorize, prioritize and bullet your information, so that the executives with the big check books can make the necessary changes to their infrastructure. This is where CISSP can come in handy, since it puts you on a path to understanding corporate needs and constraints when it comes to implementing security changes. Just a thought :-/

haqking
August 29th, 2011, 11:10 PM
> Another thing I thought of... This is just a spitball idea :-P I do think that CISSP can benefit pen-testers slightly. Not so much directly, however in my opinion (and probably the client's as well) one of the most important parts of a pen test is the report. You need to be able to categorize, prioritize and bullet your information, so that the executives with the big check books can make the necessary changes to their infrastructure. This is where CISSP can come in handy, since it puts you on a path to understanding corporate needs and constraints when it comes to implementing security changes. Just a thought :-/

Exactly, I have CEH and LPT etc and have done Pen tests, but I now work as an IS Security Manager and utilise my CISSP. I recently received a Pen Test report and assessment as part of a compliance project and through my down and dirty techie skills I could understand what they were talking about as well as being able to integrate it into the overall scheme of the compliance issue and relate it from the floor to the board etc.

Everything has its place. CISSP is about security management, part of which will likely include a Pen test at some stage, but then it will also likely include the height requirement for the fence on the perimeter of the building and how HR conduct background checks ;-)

Dangertux
August 29th, 2011, 11:22 PM
+1

Definitely agree there. IMO this thread is all over the place, and I think the TS is trying to put the cart before the horse.

My closing sentiment on working in the info sec industry is this. It is not as glamorous as it seems from the outside. It is long hours, continuing education that is always present, and takes a lot of motivation and self education. I think my biggest pet peeve is when people come to the industry with the idea they are going to make six figures for being a super elite hacker. Those days are gone in most situations. Same suit, different grind; so make sure it's what you really want before jumping into it.

haqking
August 29th, 2011, 11:32 PM
> +1
>
> Definitely agree there. IMO this thread is all over the place, and I think the TS is trying to put the cart before the horse.
>
> My closing sentiment on working in the info sec industry is this. It is not as glamorous as it seems from the outside. It is long hours, continuing education that is always present, and takes a lot of motivation and self education. I think my biggest pet peeve is when people come to the industry with the idea they are going to make six figures for being a super elite hacker. Those days are gone in most situations. Same suit, different grind; so make sure it's what you really want before jumping into it.

+1 back at ya.

I know loads of people who think it's exciting or glamorous... if you want excitement or glamour then hack into NASA and prove the existence of UFOs and leak it to the media, 'cause pen testing a Corporate network is like washing soil to make it clean LOL ;-)

cprofitt
August 29th, 2011, 11:53 PM
> That's because CISSP is not supposed to certify the person as a pen tester or malware analyst and it is not marketed or advertised as such ;)
>
> There are specific certs for various areas. I am CISSP amongst others but wouldn't present it as a basis for Pen testing.

I am glad we agree; CISSP is definitely a less technical info sec certification and I have had some CISSP folks attempt to sell themselves as pen testers.

haqking
August 30th, 2011, 09:18 AM
> I am glad we agree; CISSP is definitely a less technical info sec certification and I have had some CISSP folks attempt to sell themselves as pen testers.

I wouldn't say it is less technical, however I would say it is not geared towards Pen testing.

There is a lot more broader material covered in CISSP domains, some of which are technical like cryptography, and some not so much like Physical security. But like I said it is apples and oranges IMO

nec207
September 2nd, 2011, 06:07 PM
He is just saying to be a malware removal or those malware experts that read HJT logs and say run this scan then do this then post this log then do this and so on :mad: do not have to understand how malware spreads, security permissions and how to lock down your computer or basic security or OS.

All they have to know is just how to use the OS and remove malware and what is malware and what is not malware. How to read the logs. There is no prerequisite other than just how to use the OS.

Same for the malware specialists that work for a company that removes malware. The only people that would understand how malware spreads, security permissions and how to lock down your computer or basic security or OS is someone that works for an anti-virus company like Norton or Kaspersky.

To be a malware removal or those malware experts all you have to know is how to read the logs and remove malware and what is malware or not malware. You do not have to understand how malware spreads, security permissions and how to lock down your computer or basic security or OS.

Dangertux
September 2nd, 2011, 06:40 PM
> He is just saying to be a malware removal or those malware experts that read HJT logs and say run this scan then do this then post this log then do this and so on :mad: do not have to understand how malware spreads, security permissions and how to lock down your computer or basic security or OS.
>
> All they have to know is just how to use the OS and remove malware and what is malware and what is not malware. How to read the logs. There is no prerequisite other than just how to use the OS.
>
> Same for the malware specialists that work for a company that removes malware. The only people that would understand how malware spreads, security permissions and how to lock down your computer or basic security or OS is someone that works for an anti-virus company like Norton or Kaspersky.
>
> To be a malware removal or those malware experts all you have to know is how to read the logs and remove malware and what is malware or not malware. You do not have to understand how malware spreads, security permissions and how to lock down your computer or basic security or OS.

Umm ... I'm not sure that Anti-Virus companies are the only ones who hire IS professionals.

Also, I'm not sure that I agree that having a true understanding of how malware spreads and basic system security can even be mutually exclusive of each other.

On a side note back to the CISSP thing, why would they try to sell themselves as pen testers instead of what they were more qualified for? Assuming CISSP was the only certification they held (unlikely since your rep has to be in good standing and you need referrals to even get it). Generally speaking at least in the job market around here CISSP demands a higher level of respect and thusly monetary compensation than say GPEN or LPT.

On another interesting side note: Rsnake is a CISSP, and I'm fairly certain that his credentials in the info sec community are very well established.

In any case my point being: certifications regardless of what they are have never been a definitive summary of someone's qualifications, or abilities. I think that if you are looking at that for anything more than scheduling a job interview you are selling yourself short...Massively. (I know if I judged myself only on the certs, and level of education I held I would have little confidence in my own abilities. Then again, I don't consider certs that important)

Just my opinion though.

haqking
September 2nd, 2011, 06:56 PM
> Umm ... I'm not sure that Anti-Virus companies are the only ones who hire IS professionals.
>
> Also, I'm not sure that I agree that having a true understanding of how malware spreads and basic system security can even be mutually exclusive of each other.
>
> On a side note back to the CISSP thing, why would they try to sell themselves as pen testers instead of what they were more qualified for? Assuming CISSP was the only certification they held (unlikely since your rep has to be in good standing and you need referrals to even get it). Generally speaking at least in the job market around here CISSP demands a higher level of respect and thusly monetary compensation than say GPEN or LPT.
>
> On another interesting side note: Rsnake is a CISSP, and I'm fairly certain that his credentials in the info sec community are very well established.
>
> In any case my point being: certifications regardless of what they are have never been a definitive summary of someone's qualifications, or abilities. I think that if you are looking at that for anything more than scheduling a job interview you are selling yourself short...Massively.
>
> Just my opinion though.

+1
this thread still alive? LOL

ok thread off to sleep now...zzzzzzzzzzzzzz ;-)