EH-Net
|
|
May 24, 2013, 08:31:44 AM
|
Show Posts
|
2
|
EH-Net / News Items and General Discussion About EH-Net / Re: Companies always take actions too late.
|
on: May 22, 2009, 10:20:33 AM
|
|
So so so true. I run into this every single day. It makes no sense. But really it is just ignorance. If you don't understand the digital world it is hard to understand the threat. Most people think "I have no idea how to do that or why you would do that, so I bet pretty much everyone else is in my shoes." But those same people would never say "I like to leave my doors and windows open when I leave the house. I've never had an issue with burglary, so..." That is because they can feel, see and touch the issue. I think :)
|
5
|
Ethical Hacking Discussions and Related Certifications / CHFI - Computer Hacking Forensic Investigator / Passed the C|HFI
|
on: March 27, 2009, 11:00:45 AM
|
|
I just passed the CHFI and wanted to write out a couple general thoughts before I forgot them.
Study references: The Official CHFI Study Guide from Syngress. I took the 1 week class at New Horizons. They loaded me up with 4 books.
Opinion on study guides and class: If you have any security experience and understand it, I would go with the Syngress Study guide. My company paid for the class (and I am very grateful for that. It is a good company!), but you can pass without it. Although the class did reinforce some major concepts and the discussions help out in the real world. Overall I am glad I took it.
The test: The test isn't too hard. But there is so much information it is difficult to understand how in depth it will be. There will be questions that make no sense and that didn’t show up in any reference books. Some are very “in depth” while some are surface and basic concept. I found that the ones I didn’t recognize were easy to guess or logically eliminate the wrong answers.
What I liked about the experience: I think it is a good balance of technical information (what certain logs mean, how to use certain tools) and administrative information (chain of custody, laws, etc.).
What I didn’t like: The Syngress book and the books handed out in class had so many factual, grammatical and logic errors it was almost difficult to read. Even the sample tests that come with the book had errors. The other thing that bothered me was the concentration on tools. It seems like it should be more concept based with a couple tools. Every reference book was page after page of tools. I think the tools should be a side item. It is great that they include them, but you should not be required to memorize a million shareware and pay tools when they change all the time.
|
8
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: So....
|
on: March 03, 2009, 01:02:22 PM
|
Hmmm. I have a "friend" that really put some thought into that. Actually this friend thought about setting up a repository that all of these emails can be looked at and recorded...then sent a friendly example of an exploit. But then I realized I would be breaking the law. I lost my anger. And then the reality of it sank in. Then it naturally goes to "why don't the cops do something like that?" and all the arguments of boundaries and ....ugh.
|
9
|
Columns / Editor-In-Chief / Re: [Article]-DIY Career in Ethical Hacking: The R-Rated Version
|
on: February 27, 2009, 03:11:58 PM
|
|
I enjoyed listening to this. I listened while I was in traffic. I really enjoy MP3s of this stuff to listen to while driving. If only all of the study guides were like this. I liked the stories and the idea of @%$it, just get out there and do it. But my favorite part of the presentation is that you are not looking at it as a "punching the clock" JOB. You seem to look at it as a grass roots way of life that you can happen to make money in. So many folks base these conversations on how to wait for the right job, line yourself up for the right position and all of the other variables that you may not have control over. You seem to emphasize making it happen then letting those pieces fall together.
My grandfather also had a life changing effect on me. He said "if you can't buy it, you can't afford it". Damn, he was ahead of his time :) And he said "just do what you love and I am sure you will make money at some point. Unless you are horrible, then just do something you are OK at but don't suck at."
|
11
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Titles & Names
|
on: February 27, 2009, 10:07:23 AM
|
|
I know all fields suffer from identity issues. No one that understands the nuance of any career can be satisfied with a simplified title. But I don’t see it doing us any justice to just say we are techies, geeks or whatever just to get a simple point across. But I truly believe we should have that simple thing that relates to ethical hacking/pen-testing or the whole security career without a dissertation. That would not only raise awareness but it would help with marketing and job growth.
“So what do you do?” “I am a homicide detective.” “Oh, so you're like an ethical murderer?” “No! I just study them and understand them so I can help defend against them and help solve crimes.” “But you probably do know how to kill someone and minimize the risk of getting caught, right?” “Never mind. I’m a cop.”
I know it's apples and oranges in comparison to our world, but it isn’t too different. I think there are so many psychological things going on here too. So many of us are introverts. So many of us go along with careers as long as we get to enjoy it and have fun. But I really don’t want HR in charge of my career mold and public perception.
I may sound bitter about this, but I am not. I just think it is really interesting to see an entire industry forming right under our nose. What are the possibilities! Exciting. Where will it be in 20 years?
Blah blah rant rant…ok I am off my soap box.
|
12
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: First Pen Test
|
on: February 26, 2009, 09:45:35 AM
|
|
Here are two random thoughts I've had about pen testing in general. I think I spoke about them before…but oh well, you guys get what you pay for :)
One of the biggest things that can happen is to form a comfortable name for the profession with an identifiable purpose. Meaning, if I talk about Hacking to my 10 year old nephew he thinks “cool, you get to be a clever bad guy! Neat!” And he knows exactly what that word means. If I talk about security analysis or penetration testing his eyes glaze over and he giggles at the word penetration. So what happens when you try to sell to a CEO and add words like Ethical Hacker? It is just plain difficult to explain our world. But if we had some type of easily identifiable person, organization or something that is identifiable in pop culture, it would be so much easier. The mafia has Eliot Ness and the FBI. Cops have Robbers. Yin has Yang. Hackers have “well, we're kinda like hackers, but don’t call us hackers, we are info sec professionals and kinda….blah”
And what does this have to do with this post? Who knows…I just felt a rant coming along. But one thing I think would be interesting is to set up a sales section that can define who needs what types of testing (PCI needs….HIPAA needs….), ideas and other things surrounding how to approach these companies. And maybe even a reference part where companies that are doing research can find people they are looking for. This site may already have these things, I just don’t remember seeing them…sorry if it is here :)
|
13
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: First Pen Test
|
on: February 25, 2009, 04:23:50 PM
|
|
I think this is a good post. All too often people don't like to explain the details of what they go through. And sometimes the business side of it is shrouded in secrecy. In reality, the profession is so new that ANYONE that can get out there and make some type of change, build process, get the word out, for a group (like this site) can change what pen testing will be like in 10 or 20 years. It's all the little things. Sharing honest info like this can help refine the profession that needs some serious refining :)
|