During a live Network World chat, expert Adam Gordon discussed the best security certifications, the tricky aspects of gaining
real-world hacking experience and why our government should get with the program of ethical hacking. Gordon is the CTO and
CISO for computer training firm New Horizons CLC of South Florida. He has personally completed most of the major security
certifications (he's got over a dozen including MCSE + Security, CISSP, ISSAP, SCNP, CWSP, CEH and Security + CompTIA) and
has been an IT trainer for over 20 years. What follows is a full transcript of the chat.
Moderator-Julie: Welcome and thank you for coming.
Adam_Gordon: Hello everyone, happy to be here, let's do some talking, or chatting anyway.
Moderator-Julie: While Adam types up his answer to his first question, here's a pre-submitted one: I have limited time and want to update my resume for the job market. Which is better to pursue: a vendor-specific security training cert (Cisco, Microsoft) or a more general one (SANS, CompTIA etc.)?
Adam_Gordon: You should view your resume as a pyramid. What is at the base provides the foundation for you to build on as you add more layers, and complexity. If your base is not broad and deep, then your additions will not survive and help you to thrive professionally. Add the basics to prove your desire and ability to be in the field, Security+ and SSCP for instance, and then create additions carefully based on your area of professional interest such as CWSP, or CISM.
Wasup: What kind of demand is there by employers for CompTIA's Security+? A recruiter told me there is no demand for it at all. What's the truth?
Adam_Gordon: Employers will look at certs that are "in demand" and "in alignment" with the current needs of the workplace. Keep looking, as Security+ is in demand and it is a good baseline to present yourself with.
Steven: What is the most popular certificate required for a network security career?
Adam_Gordon: Depends on what area of security you are looking to focus on. If you are looking to be in forensics, then CISA, or CHFI are a good bet. If you want to do wireless, then CWNA, CWSP are good. Overall security, then Security+, CEH, SSCP, and MCSE + SEC are all good as well.
Nobledc: The government and large U.S.-based corporations face real cyberthreats daily. The federal government has proposed to hire expert hackers who don't fit the government security mold. Will classes taught by these hackers help one become a hacker in order to fight hackers?
Adam_Gordon: The best defense is a great offense, and lots and lots of ice... Let me explain. Real world experience and knowledge are what will carry the day. The best hackers are not the certified ones, but are the ones that are doing it for real and normally do not poke their heads up too often. Be practical, not certified. The ice is for all the bumps and bruises that you will get along the way.
Extreme: So by having a great offense, do you mean that the government or businesses should encourage hacking?
Adam_Gordon: I think that it should be the business of any and all interested and LEGITIMATE players in the security field to pursue solutions that encourage a better defensive solution for all. Let's face it, almost every other government and major corporate and military installation in the world has engaged in this behavior at some point, and/or is actively doing so now. Why should we bury our heads in the sand and pretend that it is not happening? Google TITAN RAIN, or Chinese Military/government hacking vs. US government and see for yourself.
Moderator-Julie: Pre-submitted question: What are your thoughts about ethical hacking? Should people be paid for finding vulnerabilities?
Adam_Gordon: Let me give you the standard disclaimer, which is that I am a CEH [Certified Ethical Hacker], as well as a CEI [Certified EC-Council Instructor]. Now, having said that, I believe that Ethical Hacking has a valuable place in the community for a set of professionals that use their skills for the betterment of the communities that they serve. Should people be paid to do it? If you can get paid to do it, would you turn down the money? People should be paid to do what they are good at, and what their employer hired them to do. It comes down to being honest with yourself, your community, and your employer about your skills and your career path.
Extreme: How do you get real world hacking experience without getting in trouble with the law?
Adam_Gordon: VERY, VERY CAREFULLY! Seriously though, it can be hard and is a challenge. When I was starting out in this business over 20 years ago, it was a whole different world, the rules were different, the people and the times were different, and so was technology. Today, if I had to do it from scratch, I would virtualize the technologies that I wanted to figure out, and do all of my research and hacking there. Once I had figured it out, I would then seek to transfer that knowledge into the real world through engagement in my place of employment if that was possible. If not, I would seek to connect the dots with others that had similar interests through user groups and trade groups, and see if you could put together a "hackers' challenge" of some sort that is sponsored and public.
Nobledc: So this outlawed art is wanted -- a professional gunslinger -- but in this day and age nobody wants you to practice or train. The corporations and the government need those strange vampire-like people that start work around midnight or dumpster dive a target or cold call for inside help ... but they don't have a means to train "straight" folks to be as good or better than the backroom people. Is anyone out there offering this special training?
Adam_Gordon: I am not aware of any classes that focus on being a vampire or a dumpster diver specifically, but I am open to a new twist on the "practical" aspects of learning. I believe that there are many, many ways to acquire skills, training is just one. Look outside yourself, what do you do? What do those around you do? What resources exist at an arm's length from you that you can leverage? BE CREATIVE and BE FEARLESS... DO NOT BE COWED, and DO NOT BE A SHEEP. THINK OUTSIDE THE BOXES.