
What is the best group of letters to have after your name as a security professional?
I thought I would write a brief account of my experience with three such certifications: Certified Ethical Hacker (CEH), GIAC Certified Penetration Tester (GPEN) and Offensive Security Certified Professional (OSCP).
CEH
My experience with the CEH certification started with a one-week boot-camp type training session through a training center in Plano, TX. The training was very “by the book”, and when I say that I mean “books”. During the first day we were given three large red books for a total of 2300+ pages of information AND a 500-page lab manual. In the classroom each of us had a small satellite desktop system loaded with WinXP Pro, Win2000 and a BackTrack partition. The trainer we had was actually a very good trainer, but the training lacked something. At the time I really couldn't put my finger on it due to my lack of experience with training sessions. More on that later, as you will see.
During the training we were told several times that EVERYONE here WILL pass the exam. This made me feel as if the whole purpose of this training was ONLY to pass the exam and get that little piece of paper and those three letters after our name. The books mainly focus on the use of Windows/Linux based programs and utilities that are already made for a specific task. Very little practical knowledge or challenging exercises. For example, a typical day session would be like this: “Hello class, open to page such-n-such, we are going to see how to use Wireshark to sniff packets.” Following 5-8 slides on the projector explaining what the ins and outs were, we would open the program and start sniffing. “Ok, any questions? Good, moving on to our next tool.....” Was this an Ethical Hacking course or a discussion of man pages?
Overall I am glad I took the class; the 7-day session included the CEH and CHFI exams, which were a breeze. I'm happy I have the certs because it does show a degree of knowledge in the field of security and penetration testing. But, in the list of security certifications, I think the CEH is quickly losing credibility due to the fact that very little security experience is needed to pass this exam. It is very close to MS certifications in that a simple memorization of material will allow you to pass the exam. If you can memorize some command line switches for Nmap and Netcat, you can pass this.
GPEN
The GIAC Certified Penetration Tester certification is relatively new to the arena. Approximately 350 people were certified at the time I received mine last month. From the GIAC website: “The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing and how to properly conduct a penetration test as well as best practice technical and non-technical techniques specific to conduct a penetration test.” The certification is based on the SANS 560 course material.
I did not attend any training for this exam and did not pay for it either. I received this certification basically on a dare :) Let me explain. GIAC decided that their certification didn't have enough publicity or wasn't being recognized, so they decided to offer the $900 exam for free to people who had recently passed one of the rival certifications, CEH or OSCP. I had just completed my OSCP, as I will explain later, and I decided to give it a whirl. The test was a 4-hour, 150-question multiple choice test that needed to be proctored at a testing center. Along with the exam I was given two free practice tests to take ahead of time. I passed those and scheduled my exam. Granted, I didn't really study or prepare too much, but I was able to pass.
With this certification I only have the exam to compare to the other two, so based on that, the exam still lacked something. I mean, could a person with level 1 tech support experience have passed this exam? Well, multiple choice questions, 4 hours, I think so. This is really my point: where is the practicality of the exam? Does it show actual REAL working knowledge? If I can answer a question like “Which of the following tools would be used to create a Reverse Bind TCP shell?”, does that make me a security professional? Um, no.
Now, let's talk about the last certification.
OSCP
The Offensive Security Certified Professional certification is also relatively new. It's a certification that proves that the individual has a real working knowledge of a real-world penetration testing environment. The training, a lab testing environment and the exam are included in one package. The training is called “Pen testing with backtrack”, instead of “Offsec 101” as it was called previously. From their website: “an on-line course designed for network administrators and security professionals who need to get acquainted with the world of offensive security. The course introduces the latest hacking tools and techniques, and includes remote live labs for exercising the material presented to the students.”
So, the course is on-line and tremendously cheaper than other certifications. Is it any good? That's a big NO! It's way, way better. It's AWESOME. With the lab time you receive with your training, you get VPN access to a real-world pen-testing lab environment with several target machines and objectives and exercises throughout the training. This in itself is an amazing learning tool. You also have a dedicated Windows system within the lab with several tools installed, including Core Impact, which most people haven't had access to due to the cost.
The training itself is CBT based, using video, and you also receive a very well written training manual that goes along with the training. Each section ends with an exercise and an “extra mile” type exercise that you can perform and document for extra points at the end of your course. All in all the training is A+! Since the pre-reqs for taking this training require a previous understanding of TCP, network admin, etc., there isn't time wasted on very basic networking concepts. The training is by Mati Aharoni of offensive-security, a seasoned security professional with Google being his résumé. He is also the main developer of the BackTrack security Linux distribution, so the training focuses on using BackTrack as the platform for pen testing. If you opt to get the lab time (which, again, I will say: GET IT) when you sign up for the “Pen testing with backtrack” course, you will have the opportunity at the end of the training to attempt final challenges that have been designed to test all aspects of the training you went through. I give credit to the excellent training I received as being the reason I was able to blast through the GPEN exam. It is unlike previous technical training I have had in that it teaches you how to reason and think, not just fill your head with man pages from hacker tools. But enough about the training, since we are mainly comparing the exams for the certifications. How did the OSCP fare?
This was no Q&A exam. The OSCP exam is designed to test you as a Penetration Tester. Last time I checked, when you were testing a company's network they don't hand you a test with multiple choice questions. So this is where the OSCP, in its awesome practicality, stands above the rest. (The exam is 24 hours, yes that's right, 24 hours to complete.) You are given VPN access to a separate, specially designed lab dedicated only to you for your exam. You are then given objectives to complete. Basically you are told to find, exploit, document and prove exploitation of several systems in the exam lab. Hence the need for 24 hours, and I tell you I almost used all of the exam time (thank you Red Bull). The systems could really be any operating system and you have no prior information regarding what is in the lab you are connected to. It truly is a test of EVERYTHING you were trained on in the course. It will test you to the very limits of what you are capable of and it is a true challenge. Following the exam, you submit your notes and proof of exploits and you are then graded.
Conclusion
With so many people passing themselves off as “Security Professionals”, I think more than ever it is imperative that the individual show practical real-world knowledge of Penetration testing. For instance, do you only take a written test for your driver's license? Of course not. So why do some of the so called “best” security certifications not test REAL working knowledge? Many certifications test the individual on book knowledge and totally ignore the fact that when you are performing a penetration test you are in essence a malicious hacker for that project, so you in turn need to think like one. You have to think offensively from a black box perspective, and the OSCP nails that in all aspects of the training and exam. In my opinion this certification & training should be mandatory for anyone looking to break into the field of penetration testing. Yes, other certifications look great on a résumé, but as time goes on and the OSCP becomes more well known I think you will see more and more companies looking at this as setting the bar for security certifications.
