Pablo Endres’s Blog

So the last couple of days I was at the IT-SA a new security fair in Nürnberg (Germany).  This is / was the first edition but it is a attempt to make a security oriented fair out of the security section of the Systems in München which should take place 21-24th October 2009.

On Tuesday I was really disapointed with the fair, because I was expecting a conference RSA style.  But after taking the right perspective I think it was good,  most of the big players in the security field were there:  AV companies, the big firewall companies and of course your share of UTM and service providers.  They organized a speaking trend in each of the 2 exibition halls: a technical and a managment.  Most of the talks were short and white paper like and they had the usual “hacking live” talks that serve as “eye openers”.  They are fun to see but people should know that the pentesting or crackers job is normally not that easy, they don’t know exactlly what you are going to do in order to install a Trojan or what drivers you have install in oder to escalate privileges.

Today the BSI had it’s own embebed conference (3. BSI Grundschutztag) in the event.  The talks where OK, they presented the new changes that can be expected it in the next version of the IT-Grundschutz Katalog and their standards.

OWAP hat their share yesturday, I didn’t get the chance to attend but if someone got to go I would appreciate a link to the slides and/or the content of the sessions.

I’ve been living in Germany for a little more than a year now, and since then lots of things have really impressed me in the way privacy, digital rights, data collection, infomation security are managed in politics.

There have been some major attempts to create a state of surveillance protect the people and the institutions from hackers, terrorists in exchange for freedom and civil liberties.  Let’s take for example the Skype Trojan they intented to create and use out in the wild without warrants, the prohibition of “hacker tools” or the data collection law.

After giving a big fight, last week the court in Karlsruhe ruled that:

Data can only be collected when the stability or security of Germany or another country need to be defended and “life, limb, and freedom of German citizens” need to be protected (The Register)

I think this is a mayor advance, and I really hope this will be followed by action in the other controversial laws.

Well after postponing it for quite a while I finally decided it was time to go down the certification path.  So there are a couple of questions that came to mind, I think I did my homework and these were my answers:

Why get certified?

Well it’s a way of proving that you know something to other people, in particular to potential new employers.  It is said that certs are a great way to boost your career or at least make a statement on where you want to steer yours to, i.e. if you take some CISCO certs, you probably what to pursue a the networking path; or if you take a security cert you’re showing that’s the way you want to go.

What certification should I get?

This was a hard one, there are lots of them out there.  So I took some notes and talked to people last year when I attended the RSA Conference 2007.  I also found a great website where they did some comparisons on with a lot of different variables.  After some thinking around I decided to start with Security+ and after that pursue OPSE and / or the well known CISSP.  So step 1 is done.

Other thoughts

A cert alone doesn’t make a good or complete professional, I know a couple of cert holders that don’t know squat and can’t solve a problem in their “area of expertise” even if their life depended on it.  One of those was and old colleague, he had a couple of the CISCO certs and said that he was an expert in networking but couldn’t understand the difference in the use of the POP3 (TCP 110) and webmail or HTTP (tcp 80), after that we just labeled him port 80.

Well officially as of last week I approved my Security+ exam and should continue down the cert road to get a couple more.