Ethical Hacker Community Forums
January 09, 2009, 06:56:38 AM *
  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Other / Re: UNetbootin on: September 08, 2008, 10:35:43 PM
I decided to make a build based off Linux Mint, which I will streamline. So far this is my line-up:

Asteroid (listed first because I wrote it ;)) XTest - w/Sample PCAPS, SIPFun VoIP Hopper, SIP Flanker, SIP Viscious, sip-proxy-kill.pl, rtp-proxy.pl, sip-redirect.pl, sip-kill.pl, sip-scan.pl, SIPSAK, PCAPSIPDump, Ork Audio, Oreka, ARPWatch, RTP Insert Sound, RTP Mix Sound, SIP Rouge, Spitter, Authtool, Erase Registrations, Redirect Poison, SIP Teardown, UDP Flood, VLAN Ping, Add Registrations, Check Sync Reboot, IAX Flood, Invite Flood, Reg Hijacker, RTP Flood, Netdude, Scapy, IAX Brute, IAX Auth Jack, IAX Hangup, RTP Inject, SIP Tastic, VSAP, h225 RegReject, VNAK, Seagull, ILTY, SIPp, SIP Crack, SIP Bomber, Enum IAX, OhrWurm, Wist, IWAR, TFTP Bruteforce, Fragrouter

I need to sort out how to position tools, e.g. pentesting, DoS, hijacking, etc. VoIP pentesting is a little different from the typical application-level pentesting since there is a little more involvement in different protocols, e.g., SIP vs. IAX. So hopefully I can lay out a framework for this, e.g., IAX testing, SIP testing, h323 testing or something.

My feelings are, some will definitely find some of the stuff I can throw together useful, but the last thing I need are dozens of emails à la "how can I hax0rfy my girlfriend's Vonage account". Anyhow, I will try to mimic (to a degree) what Backtrack has done without anyone claiming "clone". I'd like to keep things specific to VoIP, but the fact is, I will have to add a variety of scanners and other non-VoIP-specific tools (e.g. Scapy for packet injection, fragrouter).

I will also attempt to email the authors of tools I select to make sure they're fine with the use of their tools. Outside of the whole spectrum of open source licenses, I think back to the days of asking for permission to mirror/use someone else's work....

Any thoughts on names? VD sounds catchy ;) But... If it were to evolve into something people on the corporate level would want, I know I would have a difficult time keeping a straight face while explaining to management why I have a "VD server" ;)

2  Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice on: September 08, 2008, 10:14:42 PM
It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.

Your perception is yours alone. You asked, I told. I offered an opinion on certs that mean little in the sense that anyone and I mean anyone can read a book, memorize what is in it, pass a test and not have a shred of knowledge on a CBK. I offered an opinion based on my REAL WORLD experience of interviewing people who hold all sorts of certs and have INKLINGS of a clue when it comes to real world experience.

You have every right to state the CCIE means nothing; it means technically a lot more than any of the paper certs since there is no input validation (real world testing) to prove that not only does one possess a good memory, but one has applicable knowledge. That is what separates the CCIE from other exams.

So while your opinion is your opinion, mine is mine and I offered it with REAL WORLD applied experience, REAL WORLD applicable writings and teachings for some of these same certifications. Think of the irony... Myself being mentioned in about 4 different certification tests of which NONE I care about... Having tools I've written thrown into lab exams and books. Having "securing x distro/technology" used by PhD professors in Columbia, Purdue, Washington University and Carnegie Mellon since 1997...

You asked, I told, so I have every right to throw my opinion around; it is after all my opinion. It's what makes the world a great thing. People agree, people disagree, it's what makes great discourse, and I've had them with the best of them: Bruce Schneier, Marcus Ranum, Theo DeRaadt, RFP and the list of course goes on and on.
3  Ethical Hacking Discussions and Related Certifications / Other / Re: UNetbootin on: September 08, 2008, 06:18:13 PM
There is a great distro for web app, Samurai WTF. My opinion is that a VoIP distro might just be a cool tool that many would want to try. And I don't think anyone else has done a VoIP Distro (VD). You could even use this as a slogan:

Have you gotten VD? :D

I think I will flowchart something tonight and ask around the VoIPSA crew on their thoughts as well. We have some great and talented individuals there including David Endler (Hacking VoIP), Dan York, Dustin Trammell, etc. I'll attempt to lay some form of foundation out. I thought about it before, but I've been tied up with life, studies, and helping formulate the OWASP certification to say the least.

Perhaps I'll take a look at how Helix and Backtrack are laid out and go from there. It will be a little difficult since I prefer to use Solaris and any of the BSDs while most distributions are based on a variation of Linux. I think I can make something worthwhile - à la Linux with Wine or something.
4  Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice on: September 08, 2008, 04:39:26 PM
I have to echo Chris' thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associates classes?

I suggest you contact Lisa Lukas @ SANS, Dr. Eric Cole @ SANS for my credentials on authoring VoIP Security - thank you. You can freely see my information on OWASP, Hackproofing Your Network in which I've been mentioned and a slew of other books. So the short answer is - as a matter of fact, YES I have authored a lot more than I care to mention about - do I need to prove this, not at any point, but feel free to peruse around and ask perhaps Henning Schulzrinne @ Columbia who uses my VoIP Security tools to teach security... I could go on and on throwing out names at all of the SIRTs (Cisco, Juniper, Foundry, Microsoft) but it would mean little to me. On the flip side, how long have YOU been in the industry... What have YOU authored? I can give you ISBNs for my information and the public domain can surely weed you enough information to see who I am and where I come from.
5  Ethical Hacking Discussions and Related Certifications / Other / Re: UNetbootin on: September 08, 2008, 01:52:15 PM
I contemplated making a security bootable distro, but so many variations of "security" are involved. Since I work in the VoIP arena, most of the tools I would need wouldn't do much for the information security pentester. I believe throwing one too many tools leads to bloat as well.

What are your thoughts on a variety of BT-like pentesting USBs... Do you perceive the need for one, say a web application pentesting USB, VoIP security testing USB... I could try to throw something together, but again, industries differ, testing differs, my opinions of tools would vary from the norm....
6  Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice on: September 08, 2008, 11:18:32 AM
That's some strong opinions about certifications you don't hold.

You're absolutely right, and I find it absolutely amazing that these certification holders have often used works of mine for their books, courses, teachings. I've schooled plenty of certified individuals and have had the honor of being humbled by some as well. I speak from experience and the real world, where I've dealt with so many throughout my time. From 1997 on through, my history goes back a while specifically on the technical side of systems administration, network administration, network forensics, denial of service attack mitigation and strategies, you name it. I'm no stranger to this arena so feel free to Google away.
7  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Data Recovery on: September 08, 2008, 11:15:07 AM
my suggestion was to simply TrueCrypt the drive so data recovery would be impossible.  Does anyone have any thoughts/insights/suggestions about a situation like this?  Thanks in advance.

Encrypting the data, then wiping it, sets you up for a cold boot attack if done improperly (http://en.wikipedia.org/wiki/Cold_boot_attack). The proper method to destroy data would be to degauss the drive; however, this would make the drive unusable. Anyhow, you can check out the following document on data sanitization: http://cmrr.ucsd.edu/people/Hughes/DataSanitizationTutorial.pdf
8  Ethical Hacking Discussions and Related Certifications / Certification / Information Security Superstars - Cert advice on: September 07, 2008, 08:08:43 PM
So you want to be a security superstar and are asking questions like: "Which cert!@ CISSP, CISM, CISA, OSCP, C|EH, CHFI, NSA IAM!" In an effort to explain it all to those new to the industry, I will offer some detail about the pros and cons of security "certifications". Take it with a grain of salt, your mileage may vary.

What exactly is it you want to focus on? Security is a broad field and there is no one all-inclusive security certification to "prove your worth". There is experience, intuition, know-how, broad knowledge, but no one certification will make you a security guru, period. If you think the CISSP will make you a star, an OPST, a GPEN, you're wrong. One hundred percent wrong.

Let me start with a primer for the beginner... Five year plan

Study
A+
Network+
Security+
MCSA
RHEL
CCNA

What the hell? A+ gives you a good understanding of computers. You will HAVE TO KNOW about the hardware involved if you ever wanted to move into the forensics arena. Aside from this, it's best to understand it all from the ground up.

Network+ and CCNA!@ You must be smoking... Understanding networking is a MUST period. In order to understand security, you MUST understand how networks connect on all levels. I threw the CCNA into the mix since it offers a comprehensive overview into routing, the OSI layer, and how networks mingle with each other.

Security+!@!@ That's for newbies!@... Security+ is a primer, enough to give you a kickstart into information security. It will allow you to learn and apply some core fundamentals of security. Nothing spectacular, and surely nothing as simplistic as some may think.

MCSA and RHEL studied for two years... This does not imply becoming a Microsoft systems admin or Redhat admin. It's thrown in to give you experience on the Microsoft side of things and a primer into Linux. Forget about Ubuntu, forget Debian, forget about Linux zealotry altogether. Think about this for a second... Do you think someone in say 80% of the Fortune 500 will know what Ubuntu is as opposed to Redhat Enterprise Linux? Let's be realistic and keep the trolling for kids.

If I had to give, say, a relative some advice, this would be the advice I would give them. Understanding the fundamentals of computing - hardware and software - will certainly make learning easier down the road.

Intermediate Plan...

This is where we make a huge decision. Which route do we want to go? Since security is so broad, ask yourself, what do you envision yourself doing? Pushing papers, reading and writing policies, understanding regulatory controls and governance? Do you see yourself doing penetration testing, cryptography, forensics? You have to make this decision. Here is my breakdown for various fields...

Penetration Testing...
1) C|EH - Love it or hate it, the C|EH will give you a primer on what tools to use, how they work.
2) OSCP - Offensive Security Certified Professional... Your exam... Own the box. And it's not easy, I can tell you firsthand.
3) OPST - This to me is the grandfather/Masters Degree of Pentesting related certifications
4) GPEN - Another value added certification from SANS

The C|EH was very introductory for me as was the CHFI. However, I'd already had years of experience prior to taking them both. I finished them both in about an hour and a half (yes I said both). I was disappointed, but understood what they were trying to accomplish. For the beginner to mid level pentester, you may learn a thing or two from this exam. Aside from that, browse over to Dice and you will see that there are companies slowly demanding C|EH/CNDA, CHFI certifications including IBM.

OSCP. If you truly want to understand penetration testing, shoot for this exam. Either purchase the lab time and exam online, or attend a class in person. It's definitely worth having an explanation on subjects you might not know about. It will give you a thorough understanding of buffer overflows, SQL injection, ARP spoofing, etc.; however, it's mainly geared towards users of Backtrack, in fact, your exam will be based off of the tools used on Backtrack. I personally created my personal scripts for the exam, but you will need to know enough about a variety of tools, exploits, and definitely buffer overflows to pass this exam. It is NOT an easy exam.

OPST. Good old Pete Herzog. I'd read so many things from Pete over the years and ISECOM hits an exam right on the nose of "knowing your stuff". For the OPST, you should have minimum - 3 to 5 years doing penetration testing however, verification is key. It's one thing to say you know of a Proof of Concept, even running one once upon a time. Double checking and verifying this will be the key here. You should have a sound understanding of enumeration, applications, networking, etc.

GPEN... SANS has been around for a while and I hear sensational stories about GPEN. Since I've never taken the exam, I cannot state anything other than, I know some seriously talented individuals who've told me this exam is not a walk in the park.

Forensics...
CCE (period...) http://www.certified-computer-examiner.com/ Having the CHFI to me doesn't mean I can qualify as an outright "Forensics Investigator", at least not by my standards. The Certified Computer Examiner (CCE) is the certification of choice. EnCE is nothing more than a vendor-specific certification. So unless you plan on using EnCase for the rest of your forensic career - which in that case won't be too long - you want to maybe start with the CHFI to understand the different tools, arenas of information security/carving, etc., then follow it off with the CCE.

Intro to management
SSCP - ISC2's mini CISSP. This cert will give you a thorough intro into the realm of information security management.

Mid-Experienced manager
CISSP, CISM, NSA IAM/IEM - All certifications mentioned are managerial and are for experienced security individuals. I don't want to troll about any specific cert, but take note, holding any one of these certs will not make you a security expert as anyone can memorize from a book to pass an exam.

Others worth mentioning... CISA if you'd like to spend your time auditing information security policies, procedures, etc. A CISA is not an "uber hacker investigator", so if you're confused about this cert, I suggest you read up more about it on ISACA's website.

Bottom line...
It's up to you to determine what you want to do in life. If you envision yourself being responsible for the security mechanisms of a company, you'd want to shoot for the CISM, CISSP. Want to do a bit of high level auditing? NSA IAM complements any of the pentesting certs.

If you truly want to be impressive from my perspective... Shoot for the CCIE-Security. You need to understand a heapload about security and prove it in a lab. While tailored for Cisco based products, studying at the CCIE Security level introduces a lot more than meets the eye. I've studied for the CCIE Security for some time now and have learned extensively about VPNs, IPSec, IKE, RADIUS, connectivity as a whole, LDAP, Windows networking, Unix networking, network forensics. It definitely helps to understand these concepts from the RFC level up. Do I want to become a CCIE? Not really, I just like learning. Take note, to fully grasp it all, you'd want to set up a decent lab... (http://www.infiltrated.net/AugDeskPix/)

My lab's hardware
2 Juniper SSG 350M's, Cisco 3620 w/VIC 2XS, Cisco 3640, Cisco 3620, Cisco 3620, Cisco 4500-M, Cisco 2511 term, Cisco 2524, Cisco MCS-3810-V, Cisco MCS-3810-V 6 port FXS, Sonicwall 2040 paperholder, Cisco MCS-3810-V 6 port FXS, 4 Cisco 2610's with assorted WIC's, Netscout Fiber taps, Mercury M5 RFID voodoo gizmo, Cisco 35xx switch, Marconi Fore ATM switch, Dinosaur Sun U1, ISDN simulator, Sparc 10, Netscout ETHERNET tap, Sun Netra, Cisco Pix 506e, Juniper Netscreen 5XT, 4 Stonegate SG1100's, 2 Sun 280's, 3 Cisco 4500m's, 1 Cisco LS1010, 2 Juniper EX switches (shh), Foundry BigIron

My current study path... CISM, NSA IAM, JNCIA, CCIE Security... All at the same time. Will I take the certs... Unsure yet. I just like learning ;) For those wondering - "Well who the hell are you..." ... Just me ;)
9  Features / /root / Re: Cyberspace and the Changing Nature of Warfare on: September 07, 2008, 05:13:55 PM
"Cyberwarfare" is such an old concept I don't even know why someone bothered wasting time. The USAF has had cyberwarfare concepts in place since the mid-'90s and no one mumbled anything about it. Most that do mumble repeat the same old - same old.

E.g.: The internet's imperfect design allows hackers to surreptitiously read, delete, and/or modify information stored on or traveling between computers. I wrote about this in 2000 (http://www.dsinet.net/?id=337 http://web.archive.org/web/20001019032900/http://antioffline.com/ ctrl-f) Back then it was "conspiratorial" for any government to do such a thing but anyone knowing enough about networking can intercept and modify on the fly using something as trivial as netsed (http://www.mirrors.wiretapped.net/security/packet-construction/netsed/netsed-README.txt)


10  Ethical Hacking Discussions and Related Certifications / Other / Re: UNetbootin on: September 07, 2008, 05:06:31 PM
Creating a USB bootable distribution isn't anything new. I have three 1 GB keys, one with OpenBSD (http://www.azbsd.org/~marco/openbsd/flashkeyinstaller/), one with Linux loaded with an assortment of tools similar to Backtrack but with different tools I found more useful than those on BT, e.g., W3AF, Webscarab, and a variety of self-created VoIP testing tools.
11  Ethical Hacking Discussions and Related Certifications / Certification / Re: I want your advice : SSCP or CISM on: September 06, 2008, 10:03:25 PM
My plan is to finish within 3-4 months CEH and SSCP or CISSP, and I'm studying 3-4 hours a day. What do you think??

Since I have a master's degree in information security, do I have enough time to study CISSP within 2-3 months or should I stick with SSCP?? (encourage me :D and thank you again)

Don't take this the wrong way (anyone for that matter)... A Master's in Information Security doesn't help much in the real world - real world meaning real work. So you study for 4-5 years and by the time you graduate, the information you studied (concepts) is old and outdated and has very little value where it counts.

Information Security Management - whether you're aiming for the CISSP or CISM or any other of the managerial certs is a broad and bloated arena. There is so much overlap and a lot of (pardon the term but we're all adults) industry ass kissing.

Wait... Did you say CoBIT!? But SABSA, ISO17799, NIST, ITIL, CRAMM, OCTAVE is where it's at!@ Are you ready for terms like Business Impact Analysis, Strategic Alignment, Performance Measurement, Assurance Process Integration? Convergence? Governance Implementation Metrics? Sound sexy? Quantitative or Qualitative... Hrmm... I wonder which fuzzy math vector to abuse first.

Information Security Management is a broad task and requires years of hands-on experience, insight, intuition, hands-on knowledge, you name it. Successful Information Security Managers are really hard to come by, certified individuals a dime a dozen, no matter what the cert. How do you propose to stand out? In all honesty, if you're coming in with under 10 years experience, you're setting yourself up for a fall.
12  Resources / Career Central / Re: entry-level or intermediate on: September 05, 2008, 08:32:05 PM
I will tell you a briefer of my history, where I've been and where I'm at...

I've been working in IT since 1992 professionally. I've worked on everything from AS/400, Solaris, Trusted Solaris, BSDi, Free|Open|NetBSD (in professional environments), Linux (all flavors), QNX (professionally) on the systems side. On the networking side, Cisco, Juniper, Foundry, Redback, Sycamore, Bay Networks, Alcatel, Lucent, Nokia and enough to make some shed tears at retro equipment.. Security... I've written my own VoIP IDS/IPS, enough tools to fill two to three wikis.

I'm currently assisting in creating the OWASP certification (http://www.owasp.org/index.php/Category:OWASP_Certification_Requirements) ctrl-f Oquendo

Anyhow... Intermediate means nothing really... What is it you REALLY want to do? Regardless of a commercial firewall, no matter the brand, a firewall is a firewall is a firewall. I've used everything from TIS FWTK, Netscreens, Checkpoint, Sidewinders, and again, enough to make people puke from so many names... Understanding a protocol means a lot more than understanding a specific. For example, waste one year of your life studying for the CCSA/E and what do you have...? Wow... Checkpoint Certified blah blah,... Will mean nothing if you don't understand the mechanisms of how the firewall itself is blocking on the OSI layer.

Learn for the sake of learning, understand as much as you can with a focus on what YOU WANT TO LEARN, not with what cert is popular. I've seen far too many a certified individual without a clue, and have seen uncertified insanely smart/scary people... As someone who interviews others constantly, I don't care about certs, I care more about experience someone has, how much they understand...

Let me give you one of my favorite questions I ALWAYS ask *nix based "experts"... "You're being attacked by a machine at 10.10.20.5, how would you block them on Linux without using a firewall?" ... Most don't even understand the concept of why I ask them this, and I have YET to find someone I've interviewed give the correct answer... How about... nullrouting them, hosts.deny; there are other ways of doing things, and this is what truly makes someone stand out - versatility.

I currently am on vacation from working since I need a break from things... I've had the opportunity to work at an ISP, a University, the banking industry, contracting @ Big Blue, a VoIP provider, to name a few. I never tell myself "I don't know" and spend far too much time learning whatever it is I can... I could really care less about certs since I'm comfortably experienced. Currently I'm entertaining an offer from BT for pentesting, but I truly feel I need a year break from the industry...

I've gotten offers from Google, Yahoo, and who knows how many security companies WITHOUT having uber CISSP, CISM, CISA certs and have only started getting certs since the company I was recently at wanted me to get them.... So again... Why ask others to make up your mind for you... What is it YOU WANT to do... Make that choice on your own, and focus on it.... Right now I could move to any industry as a network engineer - I've 10+ years of professional Cisco experience, etc.; as a systems engineer - 14+ years of various OS experience; as a security engineer, 10+ years of PROFESSIONAL experience pentesting, firewall engineering, implementation, administration... As a security manager - been there, done that...

Versatility is key... What DO YOU want to do... Not "what should I do... make up my mind for me..." The key is to enjoy doing what you want to do, figure out what you enjoy more, write them down (literally on a paper) and determine in order which is best/fun, from first to last. Make the pros and cons, and go from there. I can tell you straight up, money isn't everything and I've taken less to stay happier. Do what makes you feel better, what feels right to you... My advice
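The two answers the post gives to its interview question, a null route and a hosts.deny entry, as an added example that is not code from the post or its author. It assumes a Linux host with iproute2 and TCP Wrappers (libwrap) available, validates the address before it reaches a root command or a config file, and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original post: the two non-firewall blocks
# named in the interview answer, a null (blackhole) route and a TCP Wrappers
# hosts.deny entry, as small POSIX sh functions. DRY_RUN=1 (the default) only
# prints the commands, so the script can be reviewed and tested without root.

ATTACKER="${1:-10.10.20.5}"   # address used in the post's interview question
DRY_RUN="${DRY_RUN:-1}"

# Succeed only for a syntactically valid dotted-quad IPv4 address, so that
# nothing but an address is ever spliced into a root command or a config file.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A blackhole route makes the kernel drop every packet *to* the address, so
# no reply (SYN/ACK, RST, ICMP) ever leaves the host: the attacker gets silence.
null_route_cmd() {
    printf 'ip route add blackhole %s/32\n' "$1"
}

# TCP Wrappers consults /etc/hosts.deny, but only for daemons linked against
# libwrap or started via tcpd (sshd on many systems), not for every listening
# service; that gap is why the route is applied alongside it.
hosts_deny_cmd() {
    printf "echo 'ALL: %s' >> /etc/hosts.deny\n" "$1"
}

# Full plan for one address: both commands, or nothing (status 1) when the
# argument is not a valid IPv4 address.
block_plan() {
    valid_ipv4 "$1" || return 1
    null_route_cmd "$1"
    hosts_deny_cmd "$1"
}

# Apply the plan. In dry-run mode the commands are shown; otherwise they are
# executed (needs root) and the new route is listed so the block can be verified.
apply_block() {
    plan=$(block_plan "$1") || {
        echo "refusing: '$1' is not an IPv4 address" >&2
        return 1
    }
    if [ "$DRY_RUN" = 1 ]; then
        echo "$plan"
    else
        ip route add blackhole "$1/32" &&
        echo "ALL: $1" >> /etc/hosts.deny &&
        ip route show "$1/32"
    fi
}

apply_block "$ATTACKER"
```

Undoing the block later is `ip route del blackhole 10.10.20.5/32` plus removing the hosts.deny line; note that a blackhole route also stops your own traffic to that address, which is acceptable for an attacker but not for a shared upstream.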
13  Ethical Hacking Discussions and Related Certifications / Certification / Re: I want your advice : SSCP or CISM on: September 05, 2008, 08:14:13 PM
Hi guys

I want your advice.
I have a master's degree in information and network security and I don't have any previous experience in the security field.

Could you guys recommend me a training center, in Chicago if possible, to take courses in CEH and SSCP.

last question:
I have been thinking of CISM but it requires previous experience; is there a way I can take it without experience, as an Associate CISM?

thank you guys


Firstly, what is it you intend on doing in the long run? A CISM is a managerial cert while the C|EH is geared towards (wants to be) a pentesting-like certification which introduces you to tools used in hacking/pentesting.

It's akin to you asking "I want to be a Registered Nurse, should I take a nurse's assistant class" if you will. CISMs differ from those who possess the C|EH, OSCP, OPST, etc., in the sense it tends to be more hands on with a lot of emphasis on "hacking" ethically for corporations/business. While the CISM, CISSP is geared more towards managing the information policies, etc.

SSCP is nothing more than a mini CISSP for those who don't really have enough years of experience, or enough knowledge of all CBK's to complete the SSCP. It's more of an associates with the CISM being more of a masters.

My advice, determine what it is you want to do. Want to push papers, read, tell others what to do, focus on the CISSP, CISM, CISA. Want to play with tools, do penetration testing, I would go with the following:

Pentester / Master Hacker route
Security+ (for starters)
CCNA - to learn / understand networking
Do a SANS course if you can, focusing on a specific, e.g., GPEN for Pentesting, GCIH for Incident Handling, etc.
OSCP - for a thorough overview of penetration testing
OPST - For expert level pentesting

Security Manager
CISA + CISM studies (they both can be done, they're both different certs though)
CISSP
CISSP - ISSEM
NSA IAM/IEM

Super Network Ninja / Pentester
Wait for us to finish the OWASP cert http://www.owasp.org/index.php/Category:OWASP_Certification_Requirements
OSCP
OPST
CCNP

Again, there seems to be a lot of misinformation/lack of clarity between what certs will get you to which route you want to be at the end of the day. You mention two completely separate scenarios (CEH or SSCP) so figure out what you want to do and maybe re-ask the question.

J. Oquendo
sil at infiltrated dot net
© 2009 The Ethical Hacker Network