Over the past few months, work generously paid for me to take a SANS course online. I opted to take "SEC503: Intrusion Detection In-Depth." This was my first "certification" type course, and overall I was pleased. The course was on-target and wasted no time getting dirty into the nuts and bolts of the topic. It was very well done and despite me knowing a bunch of the basics, more often than not it was new territory for me and I had a ball learning it. There were areas which I wondered how useful they were going to be (Attacks against rsh? Really?) but I'd say 95% of the material was relevant to me in dealing with my day-to-day tasks. On the exam, I kicked ass and took names. So now, I am a GIAC Certified Intrusion Analyst. Bow before me.
I've always wondered about certifications. While there are people who have them that are very clueful, there is a sizable group who are certified who I often wonder if they really know how to use it. Now that I've gone through the process, I still wonder. I now have a sheet of paper that says I can be given a packet dump and tell you if you are doomed or not. While I feel that I am reasonably adept in studying IDS alerts and getting a reasonably good idea as to what is going on, I don't think I should be put in charge of a large IDS system any time soon.
I'm not knocking certifications. They are a good thing and I believe it does show that I do (partially) know what I am talking about when it comes to these things. More than anything, it shows that I know the basics, I can sit down and field questions tossed at me, and I can answer a 150-question exam. Nothing more, nothing less. What worries me is that people take these certifications as gospel and are ready to proclaim people experts by the amount of letters after their name rather than their experience on the ground.
OK... Meandering Rant off.