GCIA, GSEC, GCIH, CISSP, CEH ???
infol...@gmail.com
I know this is not really a tech-pentest question however I wanted to get some feed back as to what certs/skill set one need to acquire in order to break into the pentest/information assurance/computer forensics job market.
I am a about to graduate with my BA in computer system next semester, and I am tring to get into a security related field, I did very little vul-testing/pentesting for friends, or on a few work servers and wifi network.
And that was very interesting, but with so many certs and paths out there I wanted to know which ones you guys took so I can get an idea.
Thanks in advance.
Sent via BlackBerry from T-Mobile
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
Shenk, Jerry A
friend's web server. The biggest difference is documenting what you're
doing and all the steps that it took to get there so that you can then
write up a report. The pen-test isn't any good to anybody if it doesn't
help them secure their systems. And of course, a report needs to fit
somewhat into the mold of what people expect...a title page, index,
executive summary and then the details of the report.
Of the ones you've named, GCIH probably fits the closest. I guess CEH
does too. The CISSP cert is more of a management-level cert. I think
it's a good one to have and the process of getting it will force you to
go through a lot of things that will help you think about things from a
business standpoint.
Good day all,
http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
Bryan Pitts
but more of a security analysts. I thought it was an informative and an
interesting read: http://www.securityfocus.com/infocus/1784 ( be sure
to read part two as well )
It gives a slight break down on the certs\skills that would be useful.
-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com]
On Behalf Of infol...@gmail.com
Sent: Monday, December 17, 2007 7:45 AM
To: pen-...@securityfocus.com
Subject: GCIA, GSEC, GCIH, CISSP, CEH ???
Cristian Serban
I think CISSP is the strongest but(because?) it requires minimum of 4
years of work experience in the security field.
CEH also requires 2 years.
I have Comptia security+ and i think it is a good start.
I intend to take GWAS and GNET in the near future.
I'm also curious what others have to say.
Cheers,
Cristian
--
Cristian
Jamie Riden
> Good day all,
>
> I know this is not really a tech-pentest question however I wanted to get some feed back as to what certs/skill set one need to acquire in order to break into the pentest/information assurance/computer forensics job market.
>
> I am a about to graduate with my BA in computer system next semester, and I am tring to get into a security related field, I did very little vul-testing/pentesting for friends, or on a few work servers and wifi network.
>
> And that was very interesting, but with so many certs and paths out there I wanted to know which ones you guys took so I can get an idea.
I have a CISSP - it's a general (high level view) security
certification and doesn't really go into pen-tests as such. One less
to worry about :)
cheers,
Jamie
--
Jamie Riden / jam...@europe.com / ja...@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
Robin Wood
>
> I know this is not really a tech-pentest question however I wanted to get some feed back as to what certs/skill set one need to acquire in order to break into the pentest/information assurance/computer forensics job market.
Hi
I've done two courses with SANS and both have been very good and very
useful. At 6 days long you cover a lot of ground so come out with your
head spinning but if you read up on the stuff afterwards to take the
exam then it does all seem to stick.
If you are paying yourself, the only downside is the price. I don't
know about where you are but in the UK there is a funding body which
will cover 40% of a training course for you so that makes it more
bearable.
Robin
Pete Herzog
The OSSTMM certifications (see www.isecom.org) were designed to prove
ability- working knowledge that lets you hit the ground running. In
Europe, a few colleges and universities offer the training as a means to
give students practical experience. Some of the big consultancies also use
it as part of their new employee training program. If you're looking to
prove yourself, it's a very good way to get hands-on experience and a
certification that proves you know what you're doing. At least check into it.
Sincerely,
-pete.
Danux
forget CEH its for script kiddies, you MUST try - From BackTrack
Creators!!! Offensive-Security Courses.
CEH teach you how to use tools but Offensive Security 101 course teach
you how to think like a hacker developing your own scripts or
exploits, and isc2 gives 40 CPE's for that course. Is excellent, and
the certification is called OCSP - Offensive Security Certified
Professional (you can get it after passing a 24 hour real hacking
test).
Check it out:
http://www.offensive-security.com/offsec101.php
Cheers!!!!!
On Dec 17, 2007 12:44 PM, <infol...@gmail.com> wrote:
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
Terry Cutler
finsihed V5. Now I'm doing the CHFI (Computer Hacking forensic
investigator), and the ECSA / LPT (Licensed Penetration Tester).
The ECSA/LPT is really really good as it shows you how to dig
thoroughly threw log files, and much much more
http://www.eccouncil.org/ECSA.htm
Enjoy and Happy Holidays !
--
./Terry Cutler
Master CNE , CDE, CLP, Certified Ethical Hacker
cwr...@bdosyd.com.au
My vote goes with SANS/GIAC. Take the GSE GIAC Platinum level tests and then you really are being tested.
Having 20 something GIAC certs and most of the major other ones, I think I am rather unique in being able to compare these from experiance.
In this, my money goes to the SANS GIAC ones.
Regards,
Dr Craig S Wright (GSE-Compliance)
Ardian Silvano
You will be introduced to another framework, ISSAF, instead of OSSTMM. This
is new online training and need more review from its participants. It is
more appropriate for new comer in Pentest field instead of OSSTMM. Try this
first before OCSP and/or OPST.
Cheers,
Ardian
-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] On
Cheers!!!!!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
__________ NOD32 2731 (20071218) Information __________
This message was checked by NOD32 antivirus system.
http://www.eset.com
Jason Thompson
You will find that the CISSP is probably the strongest candidate for
serious entry into information security. Is it going to give you
useful technical information? Definitely not. It's one of those
generic certs that looks VERY good on the resume. Yes it requires work
experience but the requirements are so general you could work as an
electrician inside a server room and you would qualify. With a
Bachelor's degree it cuts the required work experience down. It's one
you WILL want to get eventually once you get some experience under
your belt.
I've done the CEH but do the course for sure with the exam... the
instructors teach you the practicality the exam does not. The
certification doesn't stay very current, uses old tools, some of which
are pretty archaic and ineffective on OS's patched beyond 1999. And it
is mostly a tools exam, it's not going to teach you to pen test. I
have the CEH and I will say that. Now I got it in 2006 so maybe
somethings changed but when I did it the course and the exam didn't
sync up much, which was a good thing! The instructors are excellent
and realize the shortfalls of the exam, and they teach you real pen
testing. Don't worry, they spend like 1/2 the last day prepping you
for the tools exam. I will say this, I would never do an EC-Council
exam on its own. Course? YES! Exam? No.
The SANS courses are excellent. Back in the day when GIAC didn't
succumb to whining paper cert kiddies the certifications required
practicals and actual knowledge not memorization, which is what most
other IT certs are. Therefore the courses have been built around
teaching you real world application and proper theory applied to
practical situations. Of all the courses I have done, I found the best
to be the SANS ones. You get your money's worth with them. Your brain
gets a full on assault of information though :) I just renewed my
GCIA, and I did the GWAS certificate. Both were excellent, even though
GWAS was still being developed at the time. There's lots of course
delivery methods too, so if cost is a concern...
You might want to check out the courses offered at Black Hat. They are
$$$ but apparently they are good. I have never been but will be in
2008. But maybe its assumed they are good only because they are
expensive?
CompTIA is VERY basic but might be ok to crack out that first cert...
I can't say anything about it really, I've never thought much of the
'+' exams because its all memorization, and bad experience with A+
(wouldn't trust someone with an A+ with a desktop). Security+ I hope
is different, and I do hear ok things about it.
I help make decisions on hiring for our engineering dept and I will
say SANS impresses me, puts up a flag. This is because you have to be
serious about the material, their exams aren't a walk in the park. You
need to know your stuff. You'd love them, you seem like you're pretty
serious about this field if you've done some work on your own.
Oh, and vendor certifications aren't worth your time... You don't need
to pay Cisco $300 for them to tell you how great they are (there are
literally questions on the CCNA that make you tell Cisco why they have
the best router, I am not kidding). I have vendor certs but only
because I get paid for them. Otherwise I couldn't care less. And I
don't pay attention to them at all when measuring a security
professional, especially the ones who tattoo them after their name
like they are PhD's :)
-J
Erin Carroll
agree with Craig here for the most part. The SANS tests are thorough and
relatively current. However, as another poster pointed out, they used to be
much harder to obtain as in the murky past there was a requirement for the
certs for passing the test *and* publishing a whitepaper for peer review.
Nowadays that's a platinum level cert.
However, the majority of the more well-known certifications aren't exactly
shabby either, it just depends on what you want to get out of your time.
Each have their strengths in terms of subject matter taught or concepts
explored. Focus on the courses/certs that place greater importance in the
"hands-on show me what you've learned" aspect. I haven't had the chance to
try the OSSTMM tests from isecom but I've heard some good things about the
work Pete et al are doing. When it comes down to it, find something that
lights your fire and pursue it. The best training course or certificate in
the universe isn't going to help you if the material bores you out of your
mind and you don't constantly use what you've learned :)
> -----Original Message-----
> From: listb...@securityfocus.com
> [mailto:listb...@securityfocus.com] On Behalf Of
cwr...@bdosyd.com.au
Platinum is another thing with multiple Golds and then several days and nights of sadistic torture. Having done this I will state it as such. (Hi Charles: and co.:)
Other then this I do agree. I think that there needs to be a differntiator in the acronim. Maybe GSEC-S for silver and GSEC for Gold? I know that this would make it easier to get my staff to complete their paper submissions (they get time off with pay, so there is little to stop them in my oppinion). However, they still mostly stop at silver and I would have to say from the giac site that most people stop at silver. The odds seem to be distributed arround 1 in 6 people going to Gold last I checked.
OSSTMM tests are the only ones I would put on a par with SANS/GIAC. They are more focuced though, whereas SANS have a wider range. Pete's offering makes a good counterpoint to GIAC and if you have the money OSSTMM and GIAC Gold are a strong pair.
CISSP/is management. CEH is intro or beginner level.
Regards,
Dr Craig Wright (GSE-Compliance)
________________________________________
From: Erin Carroll [amo...@amoebazone.com]
Sent: Wednesday, 19 December 2007 5:23 PM
To: Craig Wright; pen-...@securityfocus.com
Subject: RE: Re: GCIA, GSEC, GCIH, CISSP, CEH ???
> -----Original Message-----
> From: listb...@securityfocus.com
> To: pen-...@securityfocus.com
>
> Hi,
>
> these from experiance.
>
>
> Regards,
>
> --------------------------------------------------------------
> ----------
------------------------------------------------------------------------
infol...@gmail.com
Sent via BlackBerry from T-Mobile
From: "Erin Carroll" <amo...@amoebazone.com>
Date: Tue, 18 Dec 2007 22:23:49
To:<cwr...@bdosyd.com.au>, <pen-...@securityfocus.com>
Subject: RE: Re: GCIA, GSEC, GCIH, CISSP, CEH ???
xelerated
Like it was stated before the CISSP really is more of a manager
cert.
The OPST was alot of fun, and so far has been most valuable in
my current career. The test is hands on, you cant memorize your way
through it like some other certs.
I have also taken the CEH, but id rather not go there ;)
Just my 2 cents.
mgk.mailing
Have been playing with back track for a while but i didnt realise they
did certificated courses as well. Thanks for the info
mgk
Erin Carroll
referring to very early on when there was no Silver/Gold/Platinum for SANS
certifications, just a single cert level. Unless I'm confusing SANS with
another one of the old-school security certs... This is why I should avoid
posting or moderating the list after midnight. I knew our resident aussie
would chime in with a correction :P
While I'm not exactly an old-timer yet, I've been in the IT industry for
over 20 years now and it's amazing to me just how far we've come in some
respects and how some things still remain the same. Despite the maturation
of some security niches and the heightened awareness of security in general,
it's still almost as easy to penetrate systems as it was back in the early
(to me) days... only the viable vectors have changed. Sometimes I miss
remote fingerd exploits. Now get off my lawn you danged kids!
--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
Walter Cuestas
versiones previous to 5 (some comments seems based on books from EC
Council and 2 others that are so far from current EC Council
material).
Today, CEH is the start point and next steps for people who wants to
demonstrate their knowledge and expertise, thtrough certifications,
are ECSA and finally get LPT (if you need this one).
Since the first mail of this thread, I have reviewed every syllabus,
exam topics, exam and labs demos, training videos and so on.
IMHO, there are just three sources for pen test related certifications
: EC Council, ISECOM and Mile2 (based on CEH).
SANS has a lot of certifications that are good complement for CEH,
OPST, OPSA, CPTS and CPTE, but, I can't find an specific pen test
certification from SANS.
Also, as all of you know, there is no certification neither a set of
exams that really demonstrate the actual knowledge of people.
These certifications are just a complement for a professional career.
BTW, I have reviewed some of the recommended training based on videos
and they seem to be just BackTrack courses.
>
> Regards,
> --
> Walter Cuestas
>
--
Walter Cuestas Agramonte, CEH
Gerente General
Phone : 511-97926168
ASEGURAR, SIMPLIFICAR, ACELERAR
http://www.open-sec.com
http://www.voip-sec.com
Ferris, Joe
certifications." I have taken SANS courses with Ed Skoudis (GCIH) and
Chris Brenton (GCFW) and they both cover in-depth pen testing ideas,
concepts, examples, strategies and much more. I have reviewed the CEH
course and believe that the GCIH covers all of that material and more.
The GCFW course covers portions of the CEH course (GCIH as well) and
then issues, configurations, ideas, concerns that are outside of CEH
scope but still critical for pen testing. Learning from the authors of
the actual course material is another added credible benefit to the SANS
courses that is hard to duplicate.
Security 560 :: Network Penetration Testing and Ethical Hacking
"When teaching the class, I particularly enjoy the numerous hands-on
exercises culminated with a final pen-testing extravaganza lab. -Ed
Skoudis"
It looks like GCEH is offered in 2008.
Joe Ferris
> http://www.cenzic.com/downloads
>
-----------------------------------------------------------------------
> -
Cristian Serban
http://www.sans.org/training/description.php?tid=1722&portal=de3d570830816b8b870310d573d332c0
--
Cristian
cwr...@bdosyd.com.au
The SANS GCIH has much of this. However, if you want a pure Pen Test = course (with all the negatives as well as the positives) then SANS have = SEC 560.
If you go to:
http://www.sans.org/tysonscorner08/description.php?tid=3D1717
You will get a description. Ed is finishing up the course material now, = so the course description will flesh out more as time passes and before = this starts in the new year. So there is a focused SANS Course.
To take a quote:
"Successful penetration testers don't just throw a bunch of hacks = against an organization and regurgitate the output of their tools. = Instead, they need to understand how these tools work in-depth, and = conduct their test in a careful, professional manner. This course = explains the inner workings of numerous tools and their use in effective = penetration testing. When teaching the class, I particularly enjoy the = numerous hands-on exercises culminated with a final pen-testing = extravaganza lab". -Ed Skoudis
There are also specialised Advanced database and web testing courses.
Regards,
Dr Craig Wright (GSE-Compliance)
Craig Wright
Manager of Information Systems
Direct : +61 2 9286 5497
-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com] = On Behalf Of Walter Cuestas
Sent: Thursday, 20 December 2007 4:21 PM
Subject: Re: GCIA, GSEC, GCIH, CISSP, CEH ???
Just to say that every comment about CEH seems to be based on versiones previous to 5 (some comments seems based on books from EC Council and 2 others that are so far from current EC Council material).
Today, CEH is the start point and next steps for people who wants to demonstrate their knowledge and expertise, thtrough certifications, are ECSA and finally get LPT (if you need this one).
Since the first mail of this thread, I have reviewed every syllabus, exam topics, exam and labs demos, training videos and so on.
IMHO, there are just three sources for pen test related certifications
: EC Council, ISECOM and Mile2 (based on CEH).
SANS has a lot of certifications that are good complement for CEH, OPST, OPSA, CPTS and CPTE, but, I can't find an specific pen test certification from SANS.
Also, as all of you know, there is no certification neither a set of exams that really demonstrate the actual knowledge of people.
These certifications are just a complement for a professional career.
BTW, I have reviewed some of the recommended training based on videos and they seem to be just BackTrack courses.
>
> Regards,
>
>
> On Dec 19, 2007 11:49 AM, mgk.mailing < mgk.m...@googlemail.com> =
wrote:
>
> > wow,
> >
> > Have been playing with back track for a while but i didnt realise =
they
> > did certificated courses as well. Thanks for the info
> >
> > mgk
> >
> > Danux wrote:
> > > If you really wanna start understanding how to PenTest you should
> > > forget CEH its for script kiddies, you MUST try - From BackTrack
> > > Creators!!! Offensive-Security Courses.
> > >
> > > CEH teach you how to use tools but Offensive Security 101 course =
teach
> > > you how to think like a hacker developing your own scripts or
> > > exploits, and isc2 gives 40 CPE's for that course. Is excellent, =
and
> > > the certification is called OCSP - Offensive Security Certified
> > > Professional (you can get it after passing a 24 hour real hacking
> > > test).
> > >
> > > Check it out:
> > > http://www.offensive-security.com/offsec101.php
> > >
> > > Cheers!!!!!
> > >
> > >
> > > On Dec 17, 2007 12:44 PM, <infol...@gmail.com> wrote:
> > >
> > >> Good day all,
> > >>
> > >> I know this is not really a tech-pentest question however I =
wanted to get some feed back as to what certs/skill set one need to = acquire in order to break into the pentest/information = assurance/computer forensics job market.
> > >>
> > >> I am a about to graduate with my BA in computer system next =
semester, and I am tring to get into a security related field, I did = very little vul-testing/pentesting for friends, or on a few work servers = and wifi network.
> > >>
> > >> And that was very interesting, but with so many certs and paths =
out there I wanted to know which ones you guys took so I can get an = idea.
> > >>
> > >> Thanks in advance.
> >
> > >> Sent via BlackBerry from T-Mobile
> > >>
> > >>
> > >> =
------------------------------------------------------------------------
> >
> >
> >
> > >> This list is sponsored by: Cenzic
> > >>
> > >> Need to secure your web apps NOW?
> > >> Cenzic finds more, "real" vulnerabilities fast.
> > >> Click to try it, buy it or download a solution FREE today!
> > >>
> > >> http://www.cenzic.com/downloads
> > >> =
------------------------------------------------------------------------
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > >
> >
> >
> > =
------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > =
------------------------------------------------------------------------
> >
> >
>
>
>
> --
> Walter Cuestas
>
--
Walter Cuestas Agramonte, CEH
Gerente General
Phone : 511-97926168
ASEGURAR, SIMPLIFICAR, ACELERAR
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
--------------------------------------------------------------------
Jim Clausing
pen-test track that will be debuting in March, see
http://www.sans.org/training/description.php?tid=1717
---Jim
On or about Thu, 20 Dec 2007, Walter Cuestas pontificated thusly:
Chadha, Sachin
excellent books.
Please read Hacking Exposed BOOKSsssss from Found Stone.
You can begin your journey from these books.
Regards
Sachin
-----Original Message-----
From: listb...@securityfocus.com [mailto:listb...@securityfocus.com]
On Behalf Of Jim Clausing
Sent: Friday, December 21, 2007 4:29 AM
To: Walter Cuestas
Cc: pen-...@securityfocus.com
Subject: Re: GCIA, GSEC, GCIH, CISSP, CEH ???
---Jim
http://www.cenzic.com/downloads
------------------------------------------------------------------------
*******************************************************************************************************
This E-mail message and its attachments, if any are intended solely for the use of the addressee hereof. In addition, this message and the attachments, if any may contain information that is confidential, privileged and exempt from disclosure under applicable law. If you are not the intended recipient of this message, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission.
Delivery of this message to any person other than the intended recipient is not intended to waive any right or privilege. If you have received this message in error, please promptly notify the sender by reply E-mail and immediately delete this message from your system. Instructions transmitted over this system are not binding on us until they are confirmed by us. Message transmission is not guaranteed to be secure or free of software virus. While Ocwen Financial Corporation and its subsidiaries collectively "Ocwen" takes every reasonable precaution to minimize such risks, Ocwen cannot accept liability for any damage sustained by you or any third party as a result of software viruses.
*******************************************************************************************************