Licensing Forensic/Incident Response Experts


    Securityfocus has published an article reporting on the requirement in some of the states that those performing computer forensics for hire and providing expert witness testimony must be licensed -- in these specific cases, licensed as Private Investigators. It's a possible felony charge if one is not. The requirements are being contested in several cases, but it does appear as if some states are enforcing it. (Article mirrored at the Register.)

    http://www.securityfocus.com/columnists/399

    http://www.theregister.com/2006/04/2...hange_for_pis/

    What I find interesting about this is that this "licensing" issue was touched on at a BoF discussion at ShmooCon 2006. It was contended that within 5 years, all Information Security Professionals would be required to be licensed similar to some other professions (accountants, doctors, lawyers, etc). This may be a first step along that road.

    Anyone else have thoughts on this?

    valkyrie
    ___________________________
    Sapere Aude
    Last edited by valkyrie; April 26, 2006, 17:14. Reason: corrected misspelling in Title

  • #2
    horseshit, plain and simple. unlike other careers where one's "license" is the logical culmination of years of accredited education and so forth (i.e. - doctors, lawyers, accountants) many in the security field are either self-taught or have custom-crafted their own study track... a track that often involves a variety of institutions and courses and a lifetime commitment to learning.

    "licenses" are an easy way for people without the time and money to research a person's background (which is most members of the public) to verify a person is not a fraud and make sure they've had the training that their industry recognizes as appropriate for them to do a safe and professional job. (i might also add that improper execution of most of these "jobs" has ramifications that are very severe... fatality, loss of rights, loss of life savings, etc)

    there is no way that such a "license" mechanism appropriately fits into our vocational field since there is no single, solid notion of what constitutes "appropriate tech and security training"... (incidentally, our whole industry is made stronger by the fact that everyone who participates in it has a different background and experience. to insist on homogeneity and conformity of training is to breed in weakness.)

    such licenses are merely ways for established players in the field to make an artificial hold on their slice of the marketplace, in my opinion. legislators who are taken in by these fairy stories have their hearts in the right place but are misguided. anyone who needs evidence of what i am saying should just scan their rolodex of business cards... look for the people who are MCSE or CCNA certified... is it a guarantee that they know what the fuck they're doing? told ya.

    ultimately, if any designations should prevail in our world, they should be professional titles, bestowed by peers and clients. at most, something akin to the manner in which GM dealerships handle their service division... they are "Goodwrench Certified" mechanics... but no laws or oversight bodies are involved. they are an industry-crafted affiliation and their power comes from the fact that they do good work. if they start doing shitty repair jobs, the title becomes meaningless and the marketplace sorts out who gets customers' dollars then.

    for the brief, and very personal, summary to my point here... i've had no formal training to speak of. i'm good at what i do but know my limitations... and there are plenty. if i can't do a job, i turn it down or pass it on to an associate. if i am hired to do a job i do it right. as long as i keep people satisfied i'll keep paying my rent. and legislators can pass all the fucking laws they want, i won't choose to get any certs and i'll keep doing whatever i damn well please because a guy once told me this is a free country.

    just my $0.07
    Last edited by Deviant Ollam; April 26, 2006, 18:20.
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor

    • #3
      I could see adhering to some code of ethics and getting a surety bond or some sort of insurance if you were going to monkey with a corporation's network. Maybe something showing you aren't a convicted computer criminal. Basically a feel-good card to show a prospective client.

      Because the security space is so fragmented, it will take years to solidify the bodies of knowledge that would be required. Just like many people build things without a mechanical engineering degree.

      In the programming world you can have all the development and project management certifications in the world, but they don't quantify if you can produce low-security-bug-count code. New classes focusing specifically on secure code development were required. This is the direction the industry is moving, though, and I don't expect the trend to reverse itself.
      PGP Key: https://defcon.org/html/links/dtangent.html

      • #4
        Quite the interesting article and, I must say, an interesting play by the GA prosecutor. I would love to see the trial transcript to see how badly beaten down he was by the judge and opposing counsel. The argument that expert testimony should be excluded because is completely ridiculous. The purpose of the statute has nothing to do with qualification as an expert and clearly the judge agreed.

        The opinion of a PI trade organization that computer forensics experts should get PI licenses clearly shows that they would be more than happy to collect annual dues from a new pool of members.

        Any issue of licensing goes to the weight of the evidence, not whether it will be admitted or not. Here is a rough estimate of how this weak method of impeachment actually plays out in court:

        Direct examination:

        A: What do you do?
        W: I'm an engineer
        A: How did you become qualified as an engineer?
        W: I received a dual major in math and structural engineering from X university, after that I received my PhD in metallurgical engineering from Y university. I've since worked as a metallurgical engineer for 25 years.


        {etc etc}

        Cross Examination:
        A: You are a licensed structural engineer in this state, are you not?
        W: Yes I am.
        A: And you came to your conclusion based on your expertise as an engineer, did you not?
        W: Yes.
        A: But you're not a licensed metallurgical engineer, are you?
        W: No.

        The fact that the guy doesn't have a license doesn't matter a diddly poo to the jury, who knows the expert is more than qualified, and the cross-examining attorney had better have something better in his arsenal than that for cross examination.

        License or not, what determines the quality of the forensics work is the method the expert employed which is where the rubber hits the road in these situations.

        Every state (and every judge for that matter) deals with evidence differently, and courts should err on the side of admitting more evidence...not excluding it because of an administrative licensing requirement.

        end of rant.
        jur1st, esq.

        • #5
          Thank you

          Originally posted by jur1st
          Quite the interesting article and, I must say, an interesting play by the GA prosecutor. I would love to see the trial transcript to see how badly beaten down he was by the judge and opposing counsel. The argument that expert testimony should be excluded because is completely ridiculous. The purpose of the statute has nothing to do with qualification as an expert and clearly the judge agreed.

          I was so hoping you would ring in on this.

          The opinion of a PI trade organization that computer forensics experts should get PI licenses clearly shows that they would be more than happy to collect annual dues from a new pool of members.

          Then, not that it matters so much except for my thirst for knowledge, that may very well be a driver for this.

          Any issue of licensing goes to the weight of the evidence, not whether it will be admitted or not. Here is a rough estimate of how this weak method of impeachment actually plays out in court:

          Or in deposition, yes?

          Direct examination:

          A: What do you do?
          W: I'm an engineer
          A: How did you become qualified as an engineer?
          W: I received a dual major in math and structural engineering from X university, after that I received my PhD in metallurgical engineering from Y university. I've since worked as a metallurgical engineer for 25 years.


          {etc etc}

          Cross Examination:
          A: You are a licensed structural engineer in this state, are you not?
          W: Yes I am.
          A: And you came to your conclusion based on your expertise as an engineer, did you not?
          W: Yes.
          A: But you're not a licensed metallurgical engineer, are you?
          W: No.

          The fact that the guy doesn't have a license doesn't matter a diddly poo to the jury, who knows the expert is more than qualified, and the cross-examining attorney had better have something better in his arsenal than that for cross examination.

          Oh my. This gets better.

          License or not, what determines the quality of the forensics work is the method the expert employed which is where the rubber hits the road in these situations.

          Every state (and every judge for that matter) deals with evidence differently, and courts should err on the side of admitting more evidence...not excluding it because of an administrative licensing requirement.

          end of rant.
          Thank you. You answered questions I had hanging out there.

          • #6
            When someone wants to be a stickler about having a license, just remind them that Wilbur Wright never had a pilot's license, but he signed many other pilots' licenses. It's like asking if Bill Gates has his MCSE. Come on.

            • #7
              Originally posted by astcell
              When someone wants to be a stickler about having a license, just remind them that Wilbur Wright never had a pilot's license, but he signed many other pilots' licenses. It's like asking if Bill Gates has his MCSE. Come on.
              Whenever someone asks if there should be a licensing scheme for <insert technical position here>, I ask them one simple question: have you ever driven on the Los Angeles freeway system, and, if so, what has licensing drivers done for the standard of driving there?

              They usually get the parallel and shut up pretty rapidly after that.

              • #8
                rant on

                Thank you all for your comments. They have prodded me to think further through this topic. I have been following security/privacy-centric legislation for several years. I have also been following legislation that appears to erode one's personal freedom.

                I see this particular legislation as eroding a personal freedom: i.e., my freedom to practice my craft without someone breathing down my neck. I already have SOX, GLBA and HIPAA requirements hanging over my head. I don't want some oversight committee telling me what I may and may not do during the course of a forensics or assessment gig.

                I do believe that Dark Tangent's comment was extremely measured and cogent to this conversation:

                "...This is the direction the industry is moving, though, and I don't expect the trend to reverse itself."

                Now, you may note I left off his earlier comment about this field being so diverse it will take years to solidify the body of knowledge. Yes, that is true if the community were to do that. But NOT if legislature mandates what it will be. I think that was where I was attempting to go, without going there. If we do NOT self police ourselves, we will go the same way as SOX, GLBA, and HIPAA.

                To wit: SOX happened because of the irresponsibility of the publicly traded community's BoD and executives and their auditors. They did not self-police.

                To wit: GLBA happened because of the irresponsibility of organizations managing or processing personally identifiable financial information to keep that PIF confidential. They did not self-police.

                To wit: HIPAA happened because those who have possession of personal healthcare information didn't protect it appropriately. They shared it with all and sundry, causing a gentle but gathering storm of outrage that culminated in this law. They did not self-police.

                I am by no means attempting FUD here. I hate that type of drama. What I am saying is that it is my mission to make my community aware of these things as food for thought. I do not wish my work to be regulated by someone who has no clue about what it is that I do.

                Again, I thank all of you for your thoughts and feedback. If I wish to quote you, I hope I may contact you via PM.

                Everyone else's comments have knocked up my brain and I appreciate them. Thank you. I would call you friends, but I don't know many of you.... goddess blessings on you all! :-)

                /rant off

                Regards,

                V
