Security Certification

Shad0r

Just curious to see if anyone here has got any security certifications and whether their company paid for them.

Specifically I'm talking about either CEH (Certified Ethical Hacker) or CPTS (Certified Penetration Testing Specialist)

Martyr

how much do they cost?

Cake Fiend

I was looking into security certs a while back - there's not much out there that seems to be both widely recognized and of any real value. There are the like of Cisco's CCSP cert, but the entry-level stuff is thin on the ground. I'd probably go with CompTIA's Security+ exam (which can be used as an elective in an MCSE+ security IIRC), but that's purely on the name of CompTIA - the exam content is nothing special. Something like the CEH mightn't get the right kind of attention in an ignorant HR dept :eek: It's also fairly basic.

The pen-testing cert looks interesting, providing it's getting some industry recognition.

Shad0r

Average Joe wrote:

how much do they cost?

I started this thread out of curiosity because the training company I just started working for sells the course and I'm trying to get a read on public opinion about it.

I dont want this to turn into an advertisement cause that would be bold and no doubt I'd get spanked for it PM me if your interested in the specifics.

I'm guessing by the lack of replies that ethical hacking isnt a hugely certified area...wondering why?

Shad0r

Sico wrote:

The pen-testing cert looks interesting, providing it's getting some industry recognition.

Well "Mile2" the company that run it are consultants as well as trainers and have clients such as the CIA and the U.S. Department of Justice.

WizZard

I have the CPTS, going for the CEH later this year.
Paid for it myself, career advancement

hmmm

Those ethical hacker certifications are regarded as mostly bollox by those who work in security, it seems that every week we get some new never heard of before training organisation pushing their "Certified Ethical Pentesting Intrusion Leet Hacker certification". Security+ is relatively better known but seen as very much entry level, if you want a technical cert the Cisco stuff looks like it could become well regarded. Go for a SANS cert if you can get someone else to pay for it.

WizZard

hmmm wrote:

Those ethical hacker certifications are regarded as mostly bollox by those who work in security, it seems that every week we get some new never heard of before training organisation pushing their "Certified Ethical Pentesting Intrusion Leet Hacker certification". Security+ is relatively better known but seen as very much entry level, if you want a technical cert the Cisco stuff looks like it could become well regarded. Go for a SANS cert if you can get someone else to pay for it.

TBQH most certifications are regarded as pretty much [strike]useless[/strike] supplementary by most experienced pro's. It's what you can do, and not what you (or your certificates) say you can do.

However, it's not the techies/pro's that are going to be reviewing your CV :rolleyes:

Shad0r

WizZard wrote:

I have the CPTS, going for the CEH later this year.
Paid for it myself, career advancement

Thought you should be able to sit the CEH exam and pass it no probs with the info gleaned from CPTS course?

Cake Fiend

hmmm wrote:

it seems that every week we get some new never heard of before training organisation pushing their "Certified Ethical Pentesting Intrusion Leet Hacker certification"

Yup, that's the kind of thing I'm worried about. The same thing seems to be going on with Linux certification.

WizZard wrote:

I have the CPTS, going for the CEH later this year.
Paid for it myself, career advancement

How well-received were these by relevant folks? How would you say they compare to the Security+ cert?

I'm looking for something I can throw on a CV to fill the blank space - I have x amount of experience and skill, but zero formal security-related qualification

Static M.e.

Sico.

I do the same thing get certs for Cv fiillers + as a contractor its makes it alot easier for my employer to "sell" me if I have a bunch of certs.

Took the Sec + last Friday for that reason, also it does count as an MCSE elective which is good too. (Have resources for that if you need it, drop PM).

However if I wanted to get a real cert, more for the knowledge that the space filler I would definatly go for SANS. Great stuff. The main reason I havent gone for one yet is the cost factor and the fact that most companies in Ireland wont recognise it.

Looked into the CISSP but found it more for consultants that technical people.. just my opinion.

WizZard

Shad0r wrote:

Thought you should be able to sit the CEH exam and pass it no probs with the info gleaned from CPTS course?

Yes you can - I just haven't had time!

Sico wrote:

How well-received were these by relevant folks? How would you say they compare to the Security+ cert?

IMHO the Security+ is gone the way of the A+/Network+. It just means you have basic security knowledge. I found the CPTS to be quite well received, especially if you do want to get into the PT side of things. If not I would prob recommend a broader cert, such as the Cisco CCNA and then onwards on the Cisco security side of things. I would rate that more than a Security+.

In the PT industry the CPTS is recognised, more so than the CEH. Plus the CEH has the "hacker" moniker which some people can't see past. Not necessarily a bad thing, but I've seen some raised eyebrows .
I found that if you want to work in the Uk in the security side of things, the Mile2 certs are recognised much more than in Ireland.

My goals for this year are to finish my MCSE and start the CCNA.

Shad0r

WizZard wrote:

IMHO the Security+ is gone the way of the A+/Network+.

Yeah its a very basic certification. As are all the compTIA certs afaik.

In the PT industry the CPTS is recognised, more so than the CEH. Plus the CEH has the "hacker" moniker which some people can't see past. Not necessarily a bad thing, but I've seen some raised eyebrows .
I found that if you want to work in the Uk in the security side of things, the Mile2 certs are recognised much more than in Ireland.

Mile2 is recognised globally but obviously depending on the size of the security industry in any given country will determine the size of the market for the cert, which in turn will determine the scope of its recognition. I've been reading up on it and its a "Prometric" certificate as well as being much more advanced than the CEH. Its a five day full time course that includes practical labs afaik.

conor-mr2

Ive got a CISA and CISSP. Bith paid for thank god.

CISA is more for Auditing and CISSP certainly is a more managerial cert but is very good to have nonetheless.
In security everything boils down to policies and procedures and the implementation of said.

Few colleagues have SANS certs. Id rather and am looking into doing a CCNA next. I beleive that is very worthwhile to do.

WizZard

Shad0r wrote:

Its a five day full time course that includes practical labs afaik.

TBH it's quite hard to fit into 5 days. There's a lot of extra study involved, and coursework, but if you're interested in the area it doesn't feel like too much.

The practical labs were quite good, but they also included some flashy stuff like breaking WEP in under 30 seconds - nice for some of the admins in the group who thought WEP was relatively secure.

Zoned

Justa hack in to their database, put your details in and ask for your cert to be sent out to you...:D

Cake Fiend

Zoned wrote:

Justa hack in to their database, put your details in and ask for your cert to be sent out to you...:D

Good plan, but for the Ethical Hacker cert you'll have to mail them afterward and tell them how you cracked the DB

Shad0r

lol.

NutJob

Sico wrote:

Good plan, but for the Ethical Hacker cert you'll have to mail them afterward and tell them how you cracked the DB

I can see it now ur a sleep and 4 guards rush into ur house take ur pc + all ur toys interview you overnight and all because you e-mailed an admin he had a flaw and needed to patch it.

Pen testing tools could be counted as hacking tools which are illegal to posess under irish law.

Pen testing someone without there permission is going to be a great one to try and explain(wouldnt try to drum up business like that).

Having a cert saying ur ethical in the words of master card Priceless.


But seriously would look good on a C.V. but may also scare off some HR departments who watched Hackers the movie (though i did like the soundrack). Though the portrayel of Emmanuel Goldstein did keep me laughing for a day (im easily amused google for a pic if u havnt done it before or know what Emmanuel looks like).

Ill be keeping my copy of nessus running only on my lan for a while

Cake Fiend

NutJob wrote:

Pen testing tools could be counted as hacking tools which are illegal to posess under irish law.

Can you provide a bit of background on this? It's something I would find quite surprising if true.

NutJob

I need to dig out my law notes but it was covered in the following book
http://www.amazon.co.uk/exec/obidos/ASIN/0717137015/qid=1148429327/sr=8-1/ref=sr_8_xs_ap_i1_xgl/026-5636102-3174053

iv lent the thing to my cousin and i wont seee it again if i know my cousin but its due back to me this month.

quinta

I have the CISSP, CISA, CISM, also pursued a Dip. in ECommerce Law as it's very useful nowadays. Just finishing my MSc in Infosec aswell.

Re: Hacking tools, they are not illegal to have, using them is a whole other story, I'm not even getting into it. Most of you know the score.

NutJob

quinta wrote:

I have the CISSP, CISA, CISM, also pursued a Dip. in ECommerce Law as it's very useful nowadays. Just finishing my MSc in Infosec aswell.

Re: Hacking tools, they are not illegal to have, using them is a whole other story, I'm not even getting into it. Most of you know the score.

Thanks for the clarification all i could find online was the English Compuer Misuse Act.

jockstrap001

I heard if you join OWASP, newhorizons will give 200 off the CPTS course.

Shad0r

jockstrap001 wrote:

I heard if you join OWASP, newhorizons will give 200 off the CPTS course.

That's true. Although you could alternatively phone new horizons, ask for me (Neil!) and tell me that you're a boards.ie member. I'll get you the discount.

Spear

Shad0r wrote:

That's true. Although you could alternatively phone new horizons, ask for me (Neil!) and tell me that you're a boards.ie member. I'll get you the discount.

Is that retroactive? Since I just booked my Security+ and Linux+ last week.

Shad0r

Spear wrote:

Is that retroactive? Since I just booked my Security+ and Linux+ last week.

In this case I was speaking specifically about the CPTS.

I dont want to break any of the rules here so check your PM's for more info about your situation.

Shad0r

Found this when I was trying to find out the quality of the various security certs out and about atm:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1044613,00.html#admin

gline

WizZard wrote:

TBQH most certifications are regarded as pretty much [strike]useless[/strike] supplementary by most experienced pro's. It's what you can do, and not what you (or your certificates) say you can do.

However, it's not the techies/pro's that are going to be reviewing your CV :rolleyes:

this is true.. experience is the most important imho, but you wont get as far as to show the company what you can do if you dont have any certs

when they look at a cv and see all the experience they just take that as a load of crap sometimes, but a good starting point for them is to look for any certs and it might just manage your cv to be kept after the 1st initial "binning cv" phase when they go from a few hundred cvs to 10