Penetration Testing mailing list archives
Re: InfoSec certification EC/BackTrack?
From: Joseph McCray <joe () learnsecurityonline com>
Date: Tue, 04 Mar 2008 19:18:46 -0500
No this is not a shameless plug from a guy that runs a security training company. I would say that you want to make sure that you have the background for the job more so than the certs. I'm not saying that you shouldn't get them - they do have quite a bit of merit especially considering that people often doing the hiring really aren't very technical so the certs will definitely get you an interview. Speaking for myself when I'm looking at hiring new testers the things I look for are: 1. Solid background in Operating Systems (Admin level experience in Windows/*nix - preferably with some certs in this area such as an MCSE, RHCE, SCSA, etc) 2. Solid background in Networking (Admin level experience - preferably with some certs in this area such as a CCNA/CCNP) 3. Solid background in Programming (comfortable with languages like C, Perl, Python, Ruby, SQL, etc - some documented work on an open source project might be a good resume stuffer for this) I just taught a CEH class last week and I had student that had worked as a PC tech, Network Tech, and had a few years of programming under her belt. She knew her TCP/IP pretty well, she was really familiar with DB connection stuff, and dynamic web content so even though she really didn't have the "HACKING" background per se should could read the source code of exploits and tools, or read a packet capture and figure out what was going on. She understood session management, and SQL so cross-site scripting and sql injection made sense to her. So I'm not saying that any of the certs are bad, but I think it's way more important to have that background, and the certs to back up your experience. At the end of the day you are interfacing with customers that are help desk techs, system admins, network admins, DBAs, and programmers - and your job is to tell them how to do their job better. So it really does help if you have a solid background in their jobs. How are you going to tell a CCNP with 3 years experience how to secure his network without a really strong understanding of network protocols and common configurations? How are you going to tell a system admin with 5 or 6 years of experience about the security of his workstations and what GPOs he should be applying if you don't have that background? How are you going to tell a web developer about writing secure queries, and filtering HTML and script injection without that kind of background? If you have 2 of the 3 (OS, Network, Programming) skillsets then you are well on your way into our field. You don't have to be mad kung fu in all 3, but you really need to be able to comfortably interface with Admins, and developers. That's the job... As far as Offensive-Security's courses even though they are a competitor I can honestly say - I've met muts, and I've seen his training materials. It's not bad - put together pretty well, and if you really understand and can literally DO all of the stuff in his courses then you are at a good point by most pentester's standards. I've seen the SANS stuff - it's not bad. SANS GIAC certs are pretty well accepted in the Government, and Military security worlds. So although they are expensive you do have the benefit that they are recognized. Nothing is going to help you like having both the skill-set and the certs though. What I'd recommend that you do a site like dice.com and search for "penetration test", and have a look at the skill-sets that employers are looking for. I think you'll find that what I've said above will be confirmed there in the job descriptions. I hope this helps.... -- Joe McCray Toll Free: 1-866-892-2132 Email: joe () learnsecurityonline com Web: https://www.learnsecurityonline.com Learn Security Online, Inc. * Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access "The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- InfoSec certification EC/BackTrack? 11ack3r (Mar 04)
- Re: InfoSec certification EC/BackTrack? Danux (Mar 04)
- Re: InfoSec certification EC/BackTrack? Peter Manis (Mar 04)
- Re: InfoSec certification EC/BackTrack? Terry Cutler (Mar 05)
- Re: InfoSec certification EC/BackTrack? Nibin (Mar 05)
- Re: InfoSec certification EC/BackTrack? Joseph McCray (Mar 05)
- Re: InfoSec certification EC/BackTrack? Pete Herzog (Mar 06)