4 Reasons Why All-In-One/Automated Penetration Testing is a Fallacy

Coming from the business side, I have met and seen various vendors who promise heaven and earth to answer IT problems in your organization. There are the ‘yes’ guys who will always answer ‘yes’ when you ask if the solution can do this or that. There are the ‘deflectors’ who try to confuse or, worse, mislead you when their solution cannot solve your IT issue. Then there are just the plain highfalutin ones who use terms such as AI or ML carelessly just to make a sale.

Now that I am on the side of the vendor, I have also met and seen fellow vendors: ambitious, innovative yet idealistic. For instance, there’s a vendor that sells the-only-anti-malware-that-you-will-need-for-your-organization. You don’t need perimeter security. Just install the solution on all your machines and you’re 100% protected from all attacks. Apparently, there are a lot of disclaimers and caveats in the Terms and Conditions: one is that the attacks are assumed to be already known in their database, and another is that the attacks must be host-based.

I think as IT professionals, we have the responsibility to correct the ‘fake news’ in our own turf, similar to what scientists, doctors, lawyers, and other professions do to protect their respective reputations. As an IT security professional, I am both shocked and amazed at companies that claim that the entire VAPT can be automated and that their tool can do everything that a pen tester can do. I’ve seen a couple of different products on LinkedIn, and some of these vendors I’ve met and had a (heated) discussion with.

I have listed 4 reasons why All-In-One/Automated Penetration Testing is a fallacy, contrary to the claims of some companies that their solutions will replace actual pen testers.

By the way, one of the common misconceptions is that Vulnerability Assessment (VA) activities and Penetration Testing (PT) activities are the same. They are not. To cut the story short, VA looks for existing vulnerabilities while PT exploits the vulnerabilities found. Some “self-proclaimed IT pundits” don’t even have a clear understanding of the definitions, which makes the misinformation worse.

Anyway, so here are my reasons:

  • Mens rea of the attacker
    • In the study of law, mens rea is defined as the intention or knowledge of wrongdoing that constitutes part of a crime. An attacker’s mens rea cannot be fully scoped by an automated tool. A tool can scope a certain known part of the assessment. But in the real world, an exploit can come from a gullible legitimate employee who accidentally clicks on a link that triggers the malware, or from a connivance/inside job to bypass stringent security measures. These scenarios can only be carried out by real people, not tools.
  • An attacker’s out-of-the-box perspective or the attack’s art (creativity)
    • The tool is limited by the signatures or known behaviors in its knowledge base. Hackers/attackers are creative. For example, they will try to scan fast but not too fast, so as to evade IDS tools. They will attempt to guess passwords but stay below the lockout threshold and wait for a reset period before attempting to crack passwords again. The criminal mind is colorful and options are plentiful. Tools may have automation capabilities, but these are limited in their applicability to actual testing.
  • Timing and repetition attacks
    • There are attacks that require timing and repetition to actually exploit certain vulnerabilities. In a way, tools are a good complement for these attacks, but it is the strategy of the attacker that dictates the success of the attack. For example, for applications that have many pages of forms to fill in before being allowed to submit, the tool alone cannot automate adding random data in all of these form fields. A human has to analyze and determine which parameters the application accepts and which can be used for automation.
  • Logic attacks
    • Simply put, understanding logic, program flow, and its parameters is something that humans handle easily compared to automated tools. Imagine you are browsing an application and you encounter a transaction feature that requires you to input a 6-digit OTP sent to your registered phone through SMS. You know as a tester that you can automate a test that inputs all possible 6-digit combinations and use it to brute force the transaction. Tools, on the other hand, do not know that by default. Humans must still intervene. And the list goes on…

I think I am obliged to write this blog to emphasize that security testing involves both human testers and tools. They work hand in hand, and the tools cannot work alone no matter how big the signature database is. The problem with these predatory solutions is that they promise too much, things that are too good to be true. Imagine you use their tool and the tool doesn’t find anything; you will then feel secure. But a week later, you still get defaced through social engineering. So how would you respond?

Another very interesting and important advantage of using pen testers is the human tendency to exhaust all knowledge and techniques to find vulnerabilities. The hunger and desire of pen testers to find vulnerabilities is a big motivation to help the organizations find real security issues.


Proud of my students’ achievements @ UA&P event

Last February 24, 2017, my undergraduate students and I went to the University of Asia and the Pacific (UA&P) in Pasig City to present their project Hydra in a school-initiated research conference.

The event was not very big, but various students from undergrad to PhD were prepared to present their papers. I was really pushy but cautious with my students at the same time: I wanted to guide them in their project and prepare them to present it by themselves in front of academicians.

A copy of the Parallel Session schedule and Abstract

And so the day came… my students Kent and Letty created their presentation slides. I told them to limit it to 6-10 slides only and practice explaining their project in the simplest and shortest way possible… which they were able to do very well.

That moment when my student started presenting made me feel proud as their teacher. 🙂

Congrats Kent and Letty for a job well done! Although I still have a lot of waiting to do for the expense reimbursement haha


With my students, Kent Miculob and Letty Laureta

To read the paper we submitted, you may visit this link.


Post statement: use an old Roman encryption to decrypt the message below

hvq- grfgpbzfrp@tzk.pbz; cjq- Grfgpbzfrp@12345
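The “old Roman encryption” in the puzzle is the Caesar shift, of which ROT13 (a shift of 13) is the best-known variant. The following is an added example, not part of the original post: a small Caesar/ROT13 implementation that preserves case and leaves digits and punctuation untouched, plus a brute-force decoder that tries all 25 non-trivial shifts and ranks the candidates by a constructed list of common English words. The sample ciphertext is constructed for the example rather than taken from the post. The brute-force function is the practical caveat: a Caesar shift has only 25 usable keys, so it hides nothing from anyone willing to try them all.

```python
import string

# Constructed list of common English words used to score candidate plaintexts.
COMMON_WORDS = {"the", "a", "an", "and", "of", "to", "in", "is", "you", "it"}


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, preserving case.

    Non-letters (digits, '@', '-', spaces) are passed through unchanged,
    which is why separators in a Caesar-encrypted message stay readable.
    """
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)
            continue
        out.append(chr(base + (ord(ch) - base + shift) % 26))
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is a Caesar shift of 13; applying it twice returns the input."""
    return caesar_shift(text, 13)


def brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext keyed by the shift that produces it."""
    return {k: caesar_shift(ciphertext, -k) for k in range(1, 26)}


def score(candidate: str) -> int:
    """Count tokens that are common English words (crude language check)."""
    tokens = "".join(c if c.isalpha() else " " for c in candidate.lower()).split()
    return sum(1 for t in tokens if t in COMMON_WORDS)


def best_guess(ciphertext: str):
    """Pick the shift whose decryption looks most like English.

    Returns (shift, plaintext). With only 25 keys to try, this is all the
    'cryptanalysis' a Caesar cipher ever needs.
    """
    candidates = brute_force(ciphertext)
    shift = max(candidates, key=lambda k: score(candidates[k]))
    return shift, candidates[shift]


if __name__ == "__main__":
    # Constructed sample: ROT13 of a well-known pangram.
    sample = "Gur dhvpx oebja sbk whzcf bire gur ynml qbt"
    print(rot13(sample))
    print(best_guess(sample))
```

Run the script directly to decode the constructed sample; `best_guess` also works on any short English text shifted by an unknown amount, and `caesar_shift(text, -k)` with the right `k` recovers the plaintext when the shift is already known.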


8 Helpful Things You can do to Prepare and Pass a GIAC exam

Roughly one year after I passed the GIAC Web Application Penetration Tester (GWAPT) exam, I took the GIAC Mobile Device Security Analyst (GMOB). I became one of fewer than a thousand professionals who earned the certification. One of the observations that I have is that the preparation I did for both exams was pretty much the same, from the length of time I studied to the manner in which I created the index, etc.

I decided to write this article to help those people who are planning or studying for any GIAC exam. I also compared my preparation to others who took a different GIAC exam and the results are pretty much the same.

I am providing exam preparation tips for those who are taking either the SANS boot camp (live) or a SANS on-demand course. I’m not in a position to provide tips for those taking a challenge exam (those who don’t have any SANS materials and solely rely on their own resources matching the GIAC exam objectives) because I haven’t tried it.

So here it goes…

8. Read all the SANS books at least 3 times.

I know it’s quite lengthy and some people have a tendency to just read the chapter summary. But you have to read the books in their entirety. SANS sticks to its course materials. There will be a lot of trick questions along the way, but all the questions will come from the course materials. So if you miss the details, then you miss the opportunity to answer them. Believe me, the summary won’t exactly tell you the specific directory where that certain Trojan hides its file. You need to have read it.

Also, based on my experience, the questions in the exam are split almost 50-50 between theoretical and application questions. The exam won’t only check if you know how to use the tools. It will also check if you understood why, when and where to use them. These things will be explained in the books.

Why read the books at least 3 times? The first time you read the materials, I’m sure it’s going to be information overload. But it will give you a grasp of the width and depth of the exam. You will be able to scope your study. You can start using post-its to mark the chapters of the books. The second time you read, you will take the time to understand the lessons in the materials. You may start doing your index at that time. The third time you read the materials, it will refresh you on the things you already know and you can get back to the topics you might have missed.

7. Do all the lab exercises and explore the other functionalities of the tools.

When you go to the SANS training, you will receive a USB containing all the tools and the lab environment that you need. You need to do all the lab exercises. Some of the tools might be familiar to you, like Wireshark, Cain, Whois etc. Still do the exercises, because depending on the course, the tools may be used in a different way.

Also, be aware of the tools that are introduced in the book but don’t have any lab exercises. There are questions that will ask you about those tools and you need to have an idea of how to use them.

And don’t expect questions that ask for the same commands or actions that were used in the lab exercises. The exam will give a different scenario using different commands and functionalities of the tool. So it’s best to explore the functionalities of the tool other than the things that were given in the exercise.

6. Create your index for the topics.

As you would know, GIAC exams are open notes. And usually in class, the exams that are open notes are not easy exams. haha You might be tempted to skip studying and search for the answers in the books during the exam. That’s not good at all. You only have approximately 1.5 minutes to answer an item in the exam.

One of the traditional ways to do it is by creating your index of the topics and tools. It can be done in MS Word or MS Excel depending on your need. You can even use a notebook and write the notes by hand.

The goal of the index is to help you recall what the specific details in that topic are. There should be a short description about it and a reference on what book, chapter and page you can find more information about it.

The goal of the index is not to copy paste the contents in the book in a different paper. That won’t be helpful. Just summarize the topic and write the reference where you can find it.

Ideally, your index should be around 3-5 pages long.

5. Create another index for the tools.

When you study for the exam, you will be studying and using around 100+ tools. It’s also best to create an index indicating specifically what the purpose of the tool is, the known commands, the interface type (GUI or CLI) and what platform/s it can run on.

You can put a reference to the page of the book as well if that tool has a lot of notable, very long commands.

4. Set a date for your exam so you will be motivated to study.

You have four (4) months after the training or initial subscription to take the exam. Personally, I think that’s already a long time. With this type of time frame, you might get the notion that you have a lot of time. To avoid this type of thinking, set the exam in advance so that you will be motivated (and forced) to study to meet that deadline.

Also, don’t schedule the exam very late, like setting it on the last day that you can possibly take the exam. Provide a buffer because unavoidable incidents might happen; for example, typhoons or flooding in the Philippines can disrupt the operations of exam centers (or other personal issues like sickness etc.). You will have to pay additional fees if you take the exam beyond the 4-month period.

Also, GIAC allows rescheduling of the exam at least 24 hours prior to the actual date of the exam. Providing a buffer will give you time to reschedule for free.

3. Treat the Practice Tests like they are the actual exam.

SANS will provide you two (2) practice tests that simulate the certification exam. The questions there will show you the way they ask questions in the actual exam. Personally, I think the turning point of your review is when you take the first practice test. It will tell you exactly afterwards which exam domains you need to improve on.

Important note: Treat the practice tests like the actual tests. In my experience, I took the practice tests free from any work or pressure. I took the practice test after I rested well. I also took the practice test in a closed room with proper ventilation and lighting, similar to the actual testing center.

You can choose to see the explanation of the wrong answers only or of all the answers. My default choice is to show the explanation of all the answers.

Another important note: Don’t expect that the questions in the practice tests will appear in the exam. These practice tests will only provide you the feeling of taking the exam. You will be disappointed if you will just memorize the questions thinking that these will appear in the actual exam. haha

2. Go to the Exam Center at least an hour early with your books, index and exam permit.

Research very well the Exam Center where you will be taking your exam. Check the online forums and see what people say about the exam center. Remember, that’s where you will be taking the $1,000 USD exam! It has to be able to provide the best environment for you that day. I have been taking my exams at TrendsNet in Makati. The building is already old and the elevators are slow, but the exam center is newly renovated. The exam rooms are comfortable, quiet and clean. There’s no parking area, so whenever I take the exam, I either take a taxi or Uber or park the car in the mall. The staff is very accommodating and friendly. They are familiar with how to handle GIAC exams.

You need to be in the Exam Center early because they are strict with the time slots you have reserved. It is better to be early than late. They won’t allow you to take the exam if you’re late and you need to pay a penalty of around $150.

It pays to be early because it will give you time to relax and take time to go to the restroom and do your last minute preparations. The exam center will also permit you to take the exam early if there are free slots that time.

1. Pray hard and find time to relax.

I’m not religious but I find time to pray, talk to God and ask for guidance. Praying gives me a positive vibe. I also find time to relax after a study time like having a massage, eating ice cream etc. haha These small things help me take things positively. Praying and relaxing surely helped me in passing the exam.

These are some of the things that you can do to prepare for the exam. I hope these tips will help!

Good luck for those who are studying/ will be taking the exam soon.

For those who have taken the exam, what are your exam preparation tips? 🙂

7 reasons why you should take up a Master’s degree

I’m currently preparing for my final term for my Master in Information Systems (MIS) degree. It’s a short break from the stress in school. Looking at what I’ve learned and accomplished so far, I would like to share my top 7 reasons why you should take up a Master’s degree. (I’m not going to discuss what course to take or which school you should go to. That will be in another blog post. 🙂 )

7. You will meet new friends.

They say that in grad school, having 10 students in a class is already big. In the class, there will be mixed types of people: from young professionals to management-level to self-employed individuals. There will also be returnees or transferees who will join the class. Since a lot of them will be your classmates for a couple of terms, you spend a lot of time with them during and after class.

And you will be friends with them in no time similar to your college experience! This time, you won’t be limited to your age group. You can be a young professional and make friends with a senior manager or even a mother. And that’s fine. 🙂

Our Managerial Accounting class.
My consistent group mates hehe

6. It’s a requirement for you to be able to teach in the Philippines.

It’s a plain and simple requirement in the Philippines. I cannot argue and elaborate more on that. I will write another post about the pros and cons of the vertical articulation by the Commission on Higher Education (CHED). Anyway, for now, getting a master’s degree will make you qualified to teach.

I just have to put my disclaimer right away that I know a lot of people who have graduate degrees but are incompetent in their fields (and/or don’t possess the teaching hand). I’m sorry, I just have to say it because there are still a lot who pursue the degree for the “title” and “compliance.”

5. You can build your network of professionals that can help you in your career.

One of my professors in grad school said that with the variety of students who enroll in the class, he could already build a company with all of us in different roles. I agree with him. Your classmates come from different industries and fields. You can help each other out at work. I have classmates who are in banking, government, project management, academe etc. They can help you look for a job or do your job well. haha

My professors helped link me to some consulting opportunities which I wouldn’t have been able to find had I not enrolled in grad school. The corporate world is quite enclosed, which is why you need an outlet to spread your network.

4. You get to learn from experiences rather than plain textbooks.

More than the degree, one of the main reasons why I enrolled in grad school is to listen to my classmates’ and professors’ stories: experiences at work that helped them succeed or even led them to failure. I can read books or Google stuff or even watch tutorials on YouTube. But listening to the experiences is something you’ll only get if you’re in class.

3. You have something to look forward to after your routine work.

You will have classmates who still slack in some instances and those who are teacher’s pets. haha There are also those who study in advance and submit the deliverable very early. You’ll have classmates who don’t have anything to submit too! haha In any case, attending the class is something you will look forward to after a week of work. For some, attending a class is a challenge. For others, it is a stress reliever.

The class organized a KTV Christmas Party

2. You can get promoted at work after you graduate.

Not an assurance though. In the government, some posts require a Master’s degree to lead a division or a department. In the academe, you can get a higher rank.

In the private sector, I’ve observed some seasoned managers have master’s degrees. Most of them have MBA’s.

1. You learn something new.

Sounds cliché, but that’s the truth. You will have classmates who take the class just to pass and earn a degree. But the majority of my classmates attend class to learn something new. I’m not a project manager. I have no project management experience, but I am learning now (the hard way haha) for our capstone. I need to sell an IT business idea and make sure that I will gain a profit. I learned different IS Policy frameworks and how to use them even if I’m not a manager. And I learned so much more…

Here’s one of the learning logs I wrote in our Human Capital Management class.

If you think these reasons are what you’re looking for, then enroll now!

I’m not advertising any school. haha Just encouraging… 🙂




Presented at the 14th NCITE and toured Dipolog City 2016

It was my first time submitting a research paper to a national conference. In the academe, getting support is a challenging task because you need to convince the admin that the paper you will be presenting is worth the expenses.

I’m happy that my boss, the dean of the school was supportive of this initiative. The research was about how to detect anonymous traffic within a local area network (LAN) using different patterns. You can read my paper here and here.

I submitted the paper twice because of the recommendations given by the reviewers. Overall, the paper got a good rating and was given a go signal for presentation.

Before presenting… Didn’t expect that the PM session will be moved in the auditorium!
While presenting…
With my students and co-authors, Aliana Lachica and Wisdom Abinal; my supportive fiancee, Ashley beside me
With my former professor in PLM, Dr. Neil Balba, who was the session facilitator


The travel time from Manila to Dipolog is around 50 minutes. I stayed in Hotel Camila 1 which is 15 minutes away from the airport. Most of the hotels provide a service from the airport to their place.

The hotel I stayed in was modest but it had the basic amenities in a usual hotel. For the 3 nights I stayed, I only paid around 3,300 pesos, although I had to buy breakfast on my own.

Dipolog is generally safe. The city is not yet fully developed and the mode of commute around the place is through tricycles. I was surprised because for the majority of the time that I was in the hotel, a lot of the people there were carrying guns. Some of them were in military uniform while others were not.

There were a couple of times too that we (Ashley and I) felt that somebody was following us. That’s why I advise those who plan to visit to remain vigilant and alert always.

The tricycle drivers, waiters and waitresses, vendors, receptionists and majority of those I interacted with were helpful and hospitable. We were able to walk around the famous boardwalk at the Sunset Blvd. and had food trips in different restaurants/cafe such as D’Hotel and Chapters A Book Cafe. One notable thing with their food is that it is cheap but with quality.

From the airport
At Sunset Blvd.
Selfie with Ashley en route to the Dipolog airport c/o Hotel Camila’s service
One of Dipolog’s Modern malls. 🙂 
Our Lady of the Most Holy Rosary Cathedral

A Primer on Ethical Hacking & Information Security for Senior High

In partnership with the Admissions and Marketing office of Asia Pacific College (APC), I was invited to give a short talk on Information Security education to incoming Senior High students. Students from different schools attended the seminar.

Slides used in the seminar can be downloaded here: A Primer on Ethical Hacking & Information Security

Ethical Hacking & Information Security for PATTS faculty

Last Feb 25, 2016, I was invited by PATTS to give a talk for their faculty members about Ethical Hacking and Information Security. I would like to thank their VP for Academic Affairs, Engr. Lorenzo Naval and VP for Student Affairs Dr. Emelita Javier for the heartwarming accommodation in your school.

To view my presentation for the event, you may see it here: PATTS_Ethical Hacking & Information Security

Vulnerability Proof-of-Concept and Analysis

The objective of this activity is to simulate an existing vulnerability (it can be an application, network, etc.) and create an analysis based on research. The ultimate goal is for the students to come up with an outlook on the vulnerability: how it has affected and will affect the computing world in the future.

For instance, Vulnerability X works on Platform Y.1. Computers need to update to Platform Y.2 to become protected. However, a lot of computers didn’t update because of compatibility issues. What will happen to these “unpatched computers”? How many of them are found in critical data centers, etc.? Will Vulnerability X evolve into a more complex and more dangerous vulnerability?

Sample works:

Android Rooting Vulnerability – Android Rooting

iOs Jailbreak Vulnerability – iOS Jailbreak

Heartbleed Vulnerability – Heartbleed

Shellshock Vulnerability – Shellshock Vulnerability

Remote Desktop Protocol Vulnerability – RDP

Adobe Flash Vulnerability – Adobe Flash



Machine Project in Infosec


■To be able to configure, implement an open-source security tool.

■To simulate a real-world attack scenario where the security tool can be used.

■To show how to configure necessary functionalities of the security tool.


■Each group will be assigned a specific security tool. Each group will research the topic and download an open-source version of the tool.

■The group can use a recommended tool or look for a preferred application as long as it is open source.

■The group will configure and deploy a working prototype and simulate the functionalities of the tool with the prescribed test/s in a lab environment.

■The group will demonstrate the output in the 12th week of the term.


■Network Firewall (PFSense)

■NIDS- Network Intrusion Detection System (Snort)

■HIDS- Host Intrusion Detection System (OSSEC)

■WAF- Web Application Firewall (Iron Bee)

■Honeypot (Honeyd)

■DLP- Data Loss Prevention (OpenDLP)

■Anti Spam (SpamAssassin)


Tool and required tests:

■Firewall: Allow/Block a website based on IP/hostname; Allow/Block a website based on category

■NIDS: Detect a port scan; Detect a backdoor connection

■HIDS: Detect a keylogger; Detect a port scan

■WAF: Prevent a SQLi attack; Prevent a port scan

■Honeypot: Log a port scan to the server; Log remote access to the server

■DLP: Prevent sending of email based on message; Prevent sending of email based on file type

■Anti-Spam: Detect SPAM based on message; Detect SPAM based on quantity
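The NIDS and HIDS tests above both ask the group to “detect a port scan”. The following is an added example, not part of the course material or any of the listed tools: a minimal threshold-based port-scan detector of the kind Snort or OSSEC implement internally, run over a constructed connection log (one line per SYN, in a format invented for this example). It raises an alert when one source touches at least `threshold` distinct ports on one destination inside a sliding time window. The constructed log also contains a scanner that spreads its probes 10 seconds apart, which the default 5-second window misses; widening the window catches it, which is the trade-off a group should document when tuning their tool.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO timestamp> <src> -> <dst>:<port> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "flags": m["flags"],
    }


def detect_port_scans(lines, threshold=10, window_seconds=5.0):
    """Alert once per (src, dst) pair that hits >= threshold distinct ports
    within window_seconds. Repeated connections to the same port never count
    as a scan, so a busy client talking to one service stays quiet."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["flags"] != "SYN":
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["port"]))
        # Drop events that have fallen out of the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": ev["src"],
                "dst": ev["dst"],
                "ports": len(distinct_ports),
                "first_seen": q[0][0].isoformat(),
            })
    return alerts


def sample_log():
    """Constructed log: one fast scanner, one benign client, one slow scanner."""
    base = datetime(2017, 2, 24, 10, 0, 0)
    lines = []
    # Fast scan: 12 consecutive ports in 2.2 seconds.
    for i in range(12):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 192.168.1.66 -> 10.0.0.5:{21 + i} SYN")
    # Benign client: many connections to 443, plus one each to 22 and 80.
    for i in range(15):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 192.168.1.10 -> 10.0.0.5:443 SYN")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} 192.168.1.10 -> 10.0.0.5:22 SYN")
    lines.append(f"{(base + timedelta(seconds=4)).isoformat()} 192.168.1.10 -> 10.0.0.5:80 SYN")
    # Slow scan: 12 ports, one probe every 10 seconds.
    for i in range(12):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 192.168.1.77 -> 10.0.0.5:{8000 + i} SYN")
    return sorted(lines)


if __name__ == "__main__":
    print("default window:", detect_port_scans(sample_log()))
    print("120 s window:  ", detect_port_scans(sample_log(), window_seconds=120))
```

Running the script prints one alert for the fast scanner with the default window and two alerts (fast and slow scanner) with the 120-second window; the benign client never appears because it only ever reaches three distinct ports. A real deployment would also persist state across log files and rotate the `alerted` set, but the windowing logic is the same one the group will be tuning in Snort’s or OSSEC’s own configuration.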


■Week 3 – Finalization of security tool

■Week 6 – Security tool configured

■Week 7-10 – Testing

■Week 12/13 – Project Demo + Documentation Submission

Deliverables & Grading

■Working prototype 40%

■Tests completed 40%

■Documentation 20%

Paper Format

■Abstract – Summary of your project

■Introduction – Discuss what the tool is all about

■Results and Discussion – Discuss the tests done (include screen shots)

■Conclusion – Lessons learned

Sample Projects:

Video Links

IDS- SnortV1, SnortV2, SnortV3

Honeypot – Honeybot, KFSensor

Firewall – PFSense


NIDS (Snort, Snorby and Barnyard Installation & Configuration) – comsecinstallation

HIDS (OSSEC Installation, Configuration & Testing) – USER MANUAL OF OSSEC

SPAM Filter (MailWasher) – INFOSEC_MachineProject_MailWasher

Honeypot (Honeybot) – INFOSEC_MachineProject_Honeypot

Research Paper on Emerging Technologies


A Case Study will be held as an academic symposium during the midterms week to discuss various emerging technologies in the field of information security. Each group will be tasked to research on a specified topic, explore and answer key issues about the subject.

As its culminating activity, an academic paper in the required format will be submitted and a 15-minute presentation will be given to the classmates and special faculty and industry guests. A question and answer session will follow the presentation.


  1. Security in Social Networking Sites
    1. Cite current issues pertaining to crimes/violations in social networking sites. Describe the usual scenarios.
    2. Show some statistics on social networking related crimes.
    3. What are the actions taken by social networking organizations and government agencies?
    4. How do you see the future of social networking sites? Future attacks and remedy?
  2. Mobile Malware
    1. Can mobile devices get infected by malware?
    2. State news about devices getting infected. What happens to these devices?
    3. Show statistics on mobile malware.
    4. Is there an initiative from AV companies and government about it?
    5. How do you prevent mobile devices from getting infected?
  3. Business Continuity Planning (BCP) for Disaster Prone Areas
    1. Cite news of business disruption due to a disaster and its effects on the business.
    2. Show statistics of business losses due to either natural or man-made disasters.
    3. Are there initiatives/laws that require businesses to have a BCP?
    4. Discuss usual business continuity planning and disaster management and recovery plans.
    5. Discuss any standard/template regarding BCP.
  4. Internet Surveillance
    1. Is Internet surveillance possible?
    2. What are ways to conduct Internet surveillance?
    3. What are limitations of current security capabilities?
    4. What are solutions for existing Internet surveillance?
  5. Cybercrime Laws and Issues (choose scope)
    1. Discuss current cybercrime laws. (if there are any)
    2. Discuss issues that warrant cybercrime laws. Prove that there is a need for these laws.
    3. Discuss limitations and or threats of these cybercrime laws.
    4. Discuss if there is a need for more laws.
  6. Security in Automated Controlled Vehicles
    1. What are automated controlled vehicles?
    2. Why is there a need for automated controlled vehicles?
    3. Research companies that are utilizing these types of vehicles.
    4. Research for news that show threats on automated controlled vehicles.
    5. Discuss solutions for automated controlled vehicles.
  7. Drones
    1. History on the implementation of drones.
    2. News and development on drones.
    3. What are positive and negative issues (factual) on drones?
    4. Do drones bypass due process?
    5. Do drones violate privacy and freedom?


The Case Study is 10% of your final grade.

Group Grade is 70% (to be given by the professor)

Individual Grade is 30% (to be given by the group leader; leader gets 100% in the individual grade)


Content (Paper) – 50%

Is the paper complete and comprehensive?

Mastery – 30%

Is the group knowledgeable on the topic?

Did the group have the ability to analyze related real-world problems?

Did the group answer the related questions?

Delivery – 10%

Did the group communicate the message properly?

Presentation – 10%

Did the presentation contain creative and comprehensible visuals?

Required Sections in the Paper

Section and description:

Abstract: Your abstract is a summary of your case study of at most 200 words. It describes briefly your topic and what you intend to research further. You are establishing the boundaries of your study in the abstract.

Introduction: The introduction is an overview of the topic of at most 300 words. This means you need to discuss the current technology of your topic. Discuss the features, benefits and limitations of the current technology.

Problem Statement: Based on your introduction, you have to establish your problem statement. What are the problems or issues that the current technology is facing? You have to state them piece by piece and justify why each has to be resolved.

Results and Discussion: Research and establish the solutions for the problems found in the problem statement. Explain the processes and procedures of the solutions that you recommend and how they can be done.

Conclusion and Recommendation: Provide a conclusion of the case study that you have conducted. Based on your study, will your solutions be helpful in resolving the issues in the problem statement? Give recommendations that can be further investigated and researched in the future to strengthen your study. Make sure the recommendation is outside the scope of your study.

References: List all the references for your case study. You need to follow the IEEE reference format. For your guidance, you need to have at least:

Five (5) technical references related to the topic (journal, scientific publication, conference proceeding)

Five (5) news article references related to the topic (newspaper, magazine)

Three (3) books related to the topic.

Note: Never plagiarize. It’s equivalent to cheating.


Format of paper: MSW_A4_format

For the presentation:
1. Create a presentation of your paper. It should be a summary of all sections: Abstract, Introduction, Problem Statement, Discussion, Conclusion.
2. Follow the 6×6 rule. Each slide should have a maximum of 6 bullet points with maximum of 6 words per bullet point.
3. Use interesting font/colors. Use images that will help explain your paper.
4. Everybody should have a part in the presentation.
5. You have 15 minutes to present your paper followed by Q&A.
6. Wear business attire for the presentation.

1. Send a PDF copy of your final paper and PPT presentation to justinp@apc.edu.ph & pineda.justin@rocketmail.com with Subject- Case Study Final Deliverable – (Case topic) by Group (Group Name)
2. Print a hard copy of the paper.
3. Submit (1) & (2) requirements before the class.

Sample papers:

On Social Networking: Online Peers Can Mean Offline Perils, Online Peers Can Mean Offline Perils-Presentation

On Mobile Malware: Prevalence of Malware in Mobiles (1), Prevalence of Malware in Mobiles

On Internet Surveillance: Internet Surveilance by Team ZAFT_present, Internet Surveilance by Team ZAFT draft 4

On Social Networking: Using Facebook in TOR, INFOSEC PDF

On Internet Surveillance: Internet Surveillance

On Drones: Drones Case Study (1), Drones

On Cybercrime Law: Revised-Cybercrime

On Mobile Malware: Mobile-Malware-A-Case-Study-in-Information-Security-1


Is there really value in an IT Certification?

What is the real validation that you are knowledgeable in a field you’re claiming to be an expert in? Expert is a very dangerous and overrated term, and one usually lambasted by PowerPoint consultants. I agree that experience is the best teacher, but it only becomes helpful if the experience is ‘fruitful’. I had a conversation with a former colleague of mine who told me that it doesn’t matter if you have 10 years of experience if the function is just the same. You become knowledgeable about this specific work in the first year and repeat it for the next 9 years. Is that 10-year experience then significant? Or does this experience only carry the same weight as that of an employee in their second year doing the same job?

There is a perpetual debate whether there is value in an IT certification. Some say that certification validates your knowledge of the subject matter while others say that it is just a marketing strategy of vendors. Some say that you can pass certification by just memorizing stuff or worse, cheat to pass. However, I think we have to put into perspective the reason why these certifications are created.

I think the reasons why certifications exist are to standardize, validate and educate. Now, I know for a fact that nothing beats experience. That fact is invalidated, however, if you just ping servers, assign IPs to computers and create an Excel report using a pivot table for the next 20 years. Certification is a qualification. If you say in an HR interview, “I’m an expert in database management,” but you don’t have any certification to support that, then how can you back up this assertion? Probably you will answer, “My peers, friends, and parents can vouch for me.” Unfortunately, HR won’t take your parents’ word for your skill as something objective. Looking at it from the other side, the good question could be, “If you are good with databases, why don’t you just take a DB2 exam to validate it?”

Lastly, I think certifications try to cover all the topics, not just the points you’re an expert in. Because it is a standard, it teaches you how to, for example, program properly and efficiently. It teaches you other techniques that you may not have known or tried yet.

Experience and certification complement each other. However, you cannot discredit the benefits of having a certification. Similarly, most IT jobs require that you are a graduate of a 4-year course. That is the first qualification. Regardless of whether you have 10 years of experience, you need to be a graduate to be qualified. It might just be a piece of paper, but that is the qualification.

I encourage my students in college to take certification exams as early as possible if they think they are ready and prepared. This helps them build their confidence and portfolio. Once they graduate, probably tens of thousands of IT graduates will be competing for the available jobs. How will you stand out if you’re competing with students from top schools or those who graduated with honors? I strongly believe certifications will be of great value.

Admittedly, I have had horrible experiences with “certified professionals” who are incompetent in their areas of expertise. I had an experience where I asked what protocol ICMP (ping) uses and he insisted that it uses TCP. He was a Cisco Certified Networking Professional (intermediate certification). Of course, he didn’t get the job. But these scenarios happen in different venues. In academia, there are Ph.D.’s who ironically don’t know how to cite sources properly. I mean, there are good and bad apples. At the end of the day, the first question is, are you qualified? And the second is, can you verify that you are qualified?

It’s like claiming you can drive simply because you know how to drive. But no matter how good your driving skills are, you cannot drive without a license.

Similarly… some very bad drivers have licenses.