Showing posts with label certifications. Show all posts

QOTD on Certifications

Certifications mark you as a serious and committed part of the IT arena who is willing to learn new technologies and keep current in an industry that is forever changing. [...] Certifications help set the person that possesses them apart from those who don’t, as a professional who should be respected and sought after.

Src: Vincent Martin, Senior Network Administrator & Owner, Martin Consulting Group, in a LinkedIn discussion post. Used with permission.

The End of the University as We Know It

Graduate education is the Detroit of higher learning. Most graduate programs in American universities produce a product for which there is no market (candidates for teaching positions that do not exist) and develop skills for which there is diminishing demand (research in subfields within subfields and publication in journals read by no one other than a few like-minded colleagues), all at a rapidly rising cost (sometimes well over $100,000 in student loans).
I agree wholeheartedly. Traditional academia is a dinosaur on its way towards extinction. If you were to look around various institutions, you would find that most faculty are incapable of functioning outside of the bubble of the ivory tower as they often lack "real-world skills" that the marketplace requires.

What's this gotta do with Information Security you may ask? In areas such as Computer Science and Information Technology, faculty often teach classes without spending much time (if any) discussing the implications of writing insecure code. How could they, since they themselves lack the interest and/or motivation to embrace information security?
Once tenure has been granted, there is no leverage to encourage a professor to continue to develop professionally or to require him or her to assume responsibilities like administration and student advising...
Colleges and universities should be able to reward researchers, scholars and teachers who continue to evolve and remain productive while also making room for young people with new ideas and skills.
My own career path has been markedly different from that of the traditional faculty. I consider myself a hybrid, one equally at ease talking with ivory-tower colleagues, but also very much at ease interacting with fellow information security practitioners or business executives. I do not view my Ph.D. as a "terminal degree." Instead, I view it as a lifelong commitment to learning, as evidenced by my later accomplishments including several leading certifications and engagements within the field of InfoSec.

Src: Op-Ed Contributor - End the University as We Know It | NYTimes.com [tx to the other Dr. Veltsos for this link]

QOTD on Knowledge vs Training

Knowledge without training is like driving a standard (i.e. manual transmission) without practice - you generate a lot of sputtering noises but achieve little forward motion. -- Dr. Christophe Veltsos, Dr. InfoSec™
This quote is written in response to comments exchanged on the Security Metrics mailing list regarding the value of certifications (which were deemed to be "training").

ISACA - Do as I say, not as I do

Updated on 12/17/2008:

ISACA's reply (paraphrased, emphasis is mine) is that the password management system will change with the next update to their web site and that users can choose to have a password hint displayed or whether they want to have their old password sent back to their email address on record.

My reply to ISACA's
The problem with being able to send one's old password back to them is that it implies the password is stored in a form that can be retrieved. This can be achieved by storing the password in plaintext in the database, or via some (often home-grown) reversible encryption (such as ROT-13, XOR, etc).

This also implies that people who maintain the DB (and possibly the site) can have access to that data. Of course, I expect ISACA to have procedures in place to review access privileges and log all access attempts. Still, I would rather know that my password is stored in a one-way hash that cannot be reversed.
Original post:

In the current threat environment, best practices for web sites mandate that when a user has forgotten his/her password, a new one be created for them and sent to the address on record. It is disappointing to see a giant of security like ISACA.org not follow that advice with their own web site.
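As an added illustration (my own example code, not anything from ISACA's site), the two points above side by side: passwords stored only as salted one-way PBKDF2 hashes, so nobody with database access can read or "send back" the original, and a forgot-password flow that mints a fresh random password and overwrites the stored hash instead of retrieving the old one. The user table, e-mail address and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for the demo)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    Only this string is ever written to the database; the password itself
    cannot be recovered from it, which is exactly what a one-way hash buys you.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed in-memory "user table": address on record -> stored hash, never the password
USERS = {"alice@example.org": hash_password("correct horse battery staple")}


def forgot_password(email: str) -> Optional[str]:
    """The flow the post recommends: create a new password for the user,
    replace the stored hash, and return the new password so the caller can
    e-mail it to the address on record. The old password is gone for good."""
    if email not in USERS:
        # Caller should answer identically either way so the response does not
        # reveal whether an address is registered.
        return None
    new_password = secrets.token_urlsafe(12)
    USERS[email] = hash_password(new_password)
    return new_password
```

Current practice goes one step further and e-mails a short-lived, single-use reset link rather than a new password, but either way nothing reversible is ever stored.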