EH-Net

Resources => Career Central => Topic started by: millwalll on March 24, 2011, 06:30:19 AM



Title: Security + V ECH UK Question
Post by: millwalll on March 24, 2011, 06:30:19 AM
Hi All,

I am trying to break into penetration testing. I am currently studying for CISSP and doing the Hackingdojo classes too. I have just passed the OSWP exam. I am trying to take my next step but I am not sure what course would be best.

So my question is: what certification do UK companies look for more, ECH or Security +, or would I be better off doing OSPC?

And what course would be more beneficial for a pen tester? Looking at Security +, it looks more about general security than pen testing. But they are bringing a new version out in May.

Thanks




Title: Re: Security + V ECH UK Question
Post by: BillV on March 24, 2011, 06:38:34 AM
We've got some people here from the UK that should be able to give you some solid advice but I believe the ones that are respected (or required?) are CREST, CHECK and TIGER Scheme.


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 24, 2011, 06:52:39 AM
CREST is my main aim but I lack the experience at the moment. So I am looking to do courses that will appeal to companies. Then I hope they will take me on as a junior so I can gain experience and do CREST. As I don't think there is any training material for CREST.


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 24, 2011, 02:07:39 PM
You may want to enter the UK Cyber Challenge that's starting up at the end of this month.  There are quite a few UK companies going to be paying attention to what's happening after last year's competition and it's a way of getting your face seen and known.  If you show you're keen, have some skill and are willing to learn then you can still get your foot in the door even if you don't win one of the big prizes.

If you can, it's also worth going down to things like the European Infosecurity expo in London next month (3 day event, 19-21 Apr).  You can do some serious networking there and get to talk through things with people in the trade.

I'd be going but I'm already going to B-Sides in London on the 20th and work won't let me skive off two days in a row to go on the lash in London!


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 24, 2011, 03:56:30 PM
Hi Andy,

Thanks for the reply. I took part in the UK cyber challenge last year but I only really had a look at it so will be taking part this year.

I am doing everything I can to get my face seen and known and already have my ticket for Info-sec Europe.

And I am in the situation where I do know some of the tools and in the right environment I know it would not take me long to pick things up.

What I am trying to do is train myself as best as I can, by doing security courses that will bring value to my CV. The main problem is knowing what UK companies see as worthwhile certificates. I know CISSP and CREST are most requirements for pen testers and they are on my list but I don't really have the experience yet.

So was looking at Security + or ECH but not sure how much they would help me. I have covered the Security + and ECH material and felt I knew most of it already. So don't know if to go for OSPC, but how recognized is this in the UK?


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 24, 2011, 04:50:30 PM
Have a look at http://blog.jabawoki.com/ and look at his @Security section.  If you look at some of his comments in 08 (page 3 & 4), that may give you some of an idea.  If not, drop him a line and say that I sent you (Andy Baker) and he should be able to point you in the right direction.

If you look Jay up on LinkedIn - http://www.linkedin.com/in/jayabbott you'll see he's fairly well informed!!!

As far as I can tell the offensive security is recognised by the 'serious' security professionals but I'm not sure how well the HR people look at it yet?  Ask me in 15 months when I start job hunting!


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 24, 2011, 05:17:51 PM
Thanks Andy, I just had a look and it was helpful. I may contact him also and see if he has any more advice. Thanks for the help, mate.


Title: Re: Security + V ECH UK Question
Post by: don on March 26, 2011, 09:45:10 AM
What about the 7Safe stuff? They do courses on ethical hacking, forensics, etc., and their classes are CREST approved.

I also know that the people at CREST are looking to go more global instead of just in the UK. So if they succeed, you would then have something required in the UK but also valued elsewhere.

Don


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 26, 2011, 04:39:12 PM
Hi Don,

I have had a look and seen their stuff and would love to do it. However I only work part time so can't really afford the £1500 for the course. So trying any course that doesn't break the bank at the moment.


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 27, 2011, 01:40:35 PM
Know where you're coming from on that one millwalll.

I'm just lucky that I've got a training grant from work to use over the next two years.

Going to start with the backtrack wifu as a 'fairly' easy (and cheap) warmup.  Looking at doing the CompTIA Sec+ in October to broaden my Sec knowledge then hit C|EH around spring after a winter of heavy reading/playing with backtrack.

WIFU should only cost me about £100 and Sec+ will cost me about £600 including exam, accommodation and food.  Should leave me with about £2k of my grant towards my C|EH so should only cost me a few hundred out of my own pocket!

Have to try plan my training round the horses and my son at the minute.  Try get it so my son is on school hols (otherwise we don't have enough leave to cover all his holidays).  Also need to plan for horses still being on 24hr turnout and wife not competing!!  Pain in the ass to juggle it all!


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 27, 2011, 03:53:02 PM
In same sort of boat Andy trying to get as many security certificates as I can.  I started off with OSWP and not sure what one is next but funds are a big problem for me.

I only work part time 16 hours a week so don't have the funds for most of the courses. I do want a full time job but rather it was as junior pen tester than anything else.

But would love to work my way to CREST certificate. I am thinking about doing ECH and Security + too. CISSP I don't really want to do as it's boring but may be forced into it.


Title: Re: Security + V ECH UK Question
Post by: don on March 28, 2011, 12:02:00 PM
£600 for Security+? This is something easily done with self-study, so no need to spend $$$ on a course/bootcamp. Buy a book with some sample questions and do the exam.

Don


Title: Re: Security + V ECH UK Question
Post by: millwalll on March 28, 2011, 12:40:28 PM
I think Andy was buying the courseware. But as Don said, it's really not needed. The exam is £191 and self study; I am thinking about doing it in April, so 3 weeks self study then exam to keep cost down.


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 28, 2011, 01:28:08 PM
I'm doing a 'taught' course with a tutor (not boot camp) as self study at the moment is very difficult. 

My wife works shifts, son has a lot of things he needs taxi of dad for and we have two horses.  Spare time is at a premium and it can be 9pm or later before I sit down at the PC some nights.

Anyway, when I say that the Sec+ should cost me 600, I should qualify that it's work paying for that so all it will cost me is a few beers and my evening meals.


Title: Re: Security + V ECH UK Question
Post by: hayabusa on March 28, 2011, 03:00:26 PM
Sounds like you're in much the same boat as most of us, in the IT world.  I have a wife (in RN school) and 4 kids, so add those to my full-time gig, and any part-time security stuff, or study I'm doing, and I understand, completely!  Balance of time, work and family is always a big task, but you kind of get used to it, and learn to satisfy all sides, as you move forward.  If you're not willing to work all of that out, and find some $$ to work with, to boot, security is definitely NOT a good field to get into, as things are ALWAYS changing, updating, etc, and continued research and study time are a necessity.


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 28, 2011, 05:03:01 PM
With my engineering background, I tend to work best if I've someone to bounce ideas off and I tend to learn better with a subject matter expert in front of me that I can try ferret all the niggly bits of info out of.

I do enjoy learning new stuff and have an ability to soak info up when I'm hands on (hence the amount of IT experience/knowledge and the minimal no of courses).

If I can get into the security 'profession' and start doing the job with experienced guys then I'll be laughing and enjoying my job to boot (something I've not been doing for the last 2-3 years).

Also if I can get into security then there's a good chance of a pay rise which will mean my wife can cut back her hours and give me a bit more 'learning' time at home!


Title: Re: Security + V ECH UK Question
Post by: T_Bone on March 29, 2011, 10:58:40 AM
CREST CCT and CHECK TL status is certainly what you want to aim for in the UK.  CREST actually do a CRT course that is classed as "intermediate" level and only costs £395 + VAT. It's an exam that CREST recommend taking before the CCT exam. This could be an option for you as having this is more than likely to get you a junior role as a Pen Tester in the UK and if you do the CISSP you should be well away.

http://www.crest-approved.org/registered_tester.html
http://www.crest-approved.org/assessment_costs.html


Title: Re: Security + V ECH UK Question
Post by: AndyB on March 29, 2011, 01:55:20 PM
Just had a read through the syllabus and looks interesting.  May need to pencil that one in for early next year as well.