Certified Ethical Hacker, or Offensive Security

Discussion in 'Networking, Telephony & Internet' started by Yoodaa, Oct 19, 2009.

  1. Yoodaa

    Yoodaa Member

    Joined:
    Sep 25, 2003
    Messages:
    1,653
    Location:
    Melbourne
    Hey all,

    So I am currently studying for my CCIE security which my work is supporting me on, however another need has arisen that then want me to take on. They are saying, have a break from the Cisco world, and help us out. Fair enough I say, my head is going to explode!

    They need penetration testing done and have offered me the opportunity to do the training and then conduct the testing. This serves them the benefit that the person who finds the holes, etc will also be the one fixing them....

    So form my research I have found 2 courses that essentially start me down this path.

    The first is the Certified Ethical Hacker, by EC-Council

    http://www.eccouncil.org/ceh.htm

    The second is Penetration Testing, by Offensive security (child training group of makers of backtrack)

    http://www.offensive-security.com/penetration-testing-backtrack-online-training.php

    I personally find security interesting obviously, so I will thoroughly enjoy ether of these, however i was wondering if anyone here has done either of these, or both and can make any recommendations?

    I have the choice, and I wish to gain from whatever training I do personally so that it can be added to my current certification list. If following the EC-Council path, I would like to go on and do the Certified Security Analyst, and the licensed Penetration Tester.

    If following the Offensive Security path, I would like to do all the courses they offer.

    Any one had experience here?
     
  2. joyufat

    joyufat Member

    Joined:
    Jun 27, 2001
    Messages:
    1,015
    Location:
    Moral High Ground
    What certs do you have already? Have you done any on the ISC2 track (SSCP, CISSP)?
     
  3. OP
    OP
    Yoodaa

    Yoodaa Member

    Joined:
    Sep 25, 2003
    Messages:
    1,653
    Location:
    Melbourne
    I have my CCNA, NET+, SEC+, CCSP, ITIL, VCP, studying for CCIE-sec, and a few others that I cannot think of right now! To many damn acronyms!

    I saw the CISSP as something I may want to do when I want to be less technically involved down the track.
     
  4. Primüs

    Primüs Member

    Joined:
    Apr 1, 2003
    Messages:
    3,354
    Location:
    CFS
    Hey Yodaa

    Security is also something that greatly interests me, although it is not much of my line of work at the moment. I would like to study it but right now just start studying so cheap/free is good, would you have a good place to start? Don't worry i want to learn to prevent, not exploit :).

    Good luck with whichever course you choose :thumbup:
     
  5. OP
    OP
    Yoodaa

    Yoodaa Member

    Joined:
    Sep 25, 2003
    Messages:
    1,653
    Location:
    Melbourne
    Well I am lucky in a sense that I like security, and I work in security. That said I think one of the above streams would definitely take my knowledge to a new level .
     
  6. Heywood

    Heywood Member

    Joined:
    Dec 25, 2001
    Messages:
    457
    What about a GIAC (Global Information Assurance Certification) like GPEN from the security admin stream? (http://giac.org/certifications/security/GPEN.php) The SANS institude originally set GIAC up.

    Cant say that I know anything about the cert but I've liked some of the papers that come from SANS - the cert is supposed to be vendor neutral... Looks like there's a SANS conf in Sydney in November as well if that's of any help.
     
  7. Paul Warren

    Paul Warren Member

    Joined:
    Jul 15, 2002
    Messages:
    2,901
    Location:
    Melbourne, Victoria
    If you want to get into penetration testing, you'll need to start mingling with the right crowds.

    You won't learn anything overly useful out of a text book...

    Do you reads any of the security sites around the net, that 'half' publish vulnerabilities, etc?
     
  8. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,493
    Location:
    Brisbane
    /me follows with interest, exactly the sort of career i'm interested in, I'm guessing getting cisco certification is a good start?
    What other types of knowledge would be recommended?
     
  9. malloc

    malloc Member

    Joined:
    Dec 15, 2005
    Messages:
    529
    Location:
    Adelaide
    I have a GIAC certification through SANS - I'd definitely recommed it.

    The course material is excellent, up-to-date and platform independent.

    The sessions I attended were very much hands on (although this depends on the instructor to some degree). There's no substitute for actually trying out the techniques as you go.
     
  10. zer0sum

    zer0sum Member

    Joined:
    Aug 20, 2001
    Messages:
    785
    Location:
    New York/Melbourne
    Man, forget the certs for a while :)
    Get your hands dirty...really dirty and then think about the certs maybe one day when you are really bored.

    I have zero certs and do security consulting work for the largest corporations in Aus and the world.
    Essentially you need to become a networking grand master...then learn how to apply that to security.

    Do you need to do pen tests or vulnerability assessments?
    There is a MASSIVE difference!

    After you are all learned up do some courses to feel good about your m4d skillz :D

    One thing most people overlook is actually your non-technical skills.
    Can you be put in front of a client?
    How do you handle pressure in extreme situations?
    Can you present your point of view to anyone at any level?
    Sit in a boardroom full of "experts" and shoot them down :)

    Check out the OSSTMM- http://www.isecom.org/osstmm/
    Grab metasploit, visit milw0rm, offensivecomputing, etc. grab every security tool you can lay your hands on for windows, nix, os x, bsd
    Set up a test environment and play and play and play...
     
  11. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,157
    Location:
    Baulkham Hills, Sydney.
    I'm not sure about the other certs, but don't do the CEH course. It was fun, and you do learn some techniques, but overall I wouldn't recommend it.

    Like IACSecurity said, it is very US centric, and the support for it is in Singapore.
     
  12. subinacls

    subinacls New Member

    Joined:
    Oct 25, 2009
    Messages:
    1
    Offensive Security Hands Down

    I recently was privy to trying two different security certifications and as with all security certs they have their ups and downs.

    Many focus mostly on theory and very little practical use of the tools of the trade.

    As with other certification exams they tend to be as easy as doing the old "ABBACADABBA" trick you may have done in school.

    This is not the case with certs from OFFSEC. Their PWB - "Pentesting With Backtrack", is also a challenge to many seasoned professionals and a eye opener for the next generation of security professionals.

    The other certification I took was SANS 560, GPEN. This is also a challenging certification in the essence I did this with out using any class materials and was still able to pass this certification exam in 56 min. The exam allots you 4 hrs!

    I acquired my PWB certification and have gone back for more pain and sufferance by continuing with their certification suite. Currently I am in CTP - "Cracking The Perimeter" class for OSCE "Offensive Security Certified Expert"

    My recommendation is to consider http://offensive-security.com over other certifications.

    I only wished more certifications were based on practical knowledge....

    Certifications are an investment in your career! Invest wisely.

    Thank you and Good Luck with your career path!
     
  13. OP
    OP
    Yoodaa

    Yoodaa Member

    Joined:
    Sep 25, 2003
    Messages:
    1,653
    Location:
    Melbourne
    Thanks subinacls.

    I'm have applied for the WiFi cert as a taste of what the courses are like. It sounds impressive so far.

    I will then move on to PTwB and CTP.
     
  14. OP
    OP
    Yoodaa

    Yoodaa Member

    Joined:
    Sep 25, 2003
    Messages:
    1,653
    Location:
    Melbourne
    I want to gear myself towards penetration testing and exploitation techniques. The aim at the moment is external pen testing techniques.

    OffSec seems to offer this line of training.

    Also IACSecurity, no offense but who said I have accepted the advice that i want to hear? And how do you even come to a judgment like that? Lets not make accusations regards what I am and am not doing. Do you have any idea how much research I have done regards this issue? In a sense your comments have made me lead towards the OFFSEC stuff as you have made some comments warning to steer clear of CEH, so in respect to the OP, that's helped me make a decision so I dont quite know what you are getting at with your above comment....

    I will take whatever advice I want to take as that's a decision I make based on the kind folk in this thread, you being one of them, that have contributed their opinions in this field. Whilst it may not appeal to some, it does to me.
     

Share This Page