, ,

Insider’s View of Certified Expert Penetration Tester (CEPT)

,

iacrb_logo.jpgWhen approaching security industry luminaries over the course of the last year about the CEPT certification, the typical first response I have received is usually quite blunt: “Oh great”, “YET ANOTHER CERTIFICATION. Just what the security industry needs”.  And, to this point, I do have to agree, the security industry does not need another certification that:

  • Tests a basic level of knowledge of INFOSEC subjects (ala the CISSP, SECURITY+, SCNP, ad infinitum.)
  • Only tests the ability to regurgitate memorized information over a 2-6 hour time period
  • Is easily compromised by cheaters downloading actual exam questions for $59.90 from “teh interwebs”
  • Or, even worse, cheaters that cheat the exam cheater companies by pirating a copy of exam questions from bittorrent

All of this results in a large group of people that have achieved a specific certification, but, in reality, have no real understanding of the subjects tested OR, more importantly, the ability to perform job duties that the certification is CERTIFYING in the first place!

The only way to fix this problem, is to offer a certification that not only tests book knowledge, but also tests the candidate’s ability to PERFORM a specific job duty. Or, better yet, perform the task multiple times under heavy scrutiny. When a medical doctor gets attempts to get a medical license, they have to go through 3 exams, one of which involves actually diagnosing a sick patient (actually, it’s a paid actor simulating a disease process, but you get the idea). Because this process is difficult, and requires more than l33t bitorrent skillz, the M.D. actually means something. Would you see a medical “doctor” without an M.D. when you are sick?

The idea of the Certified Expert Penetration Tester (CEPT) offered by the IACRB is to establish a meaningful certification for expert-level penetration testers (or ethical hackers, red teamers, tiger teams, etc. whatever marketing term you want to use for legal hacking).The CEPT consists of two phases or parts. The first phase (usually delivered onsite at a training company or via the internet) is your standard multiple choice, true/false exam. The exam covers the following subject areas:

  • Penetration Testing Methodologies
  • Network Attacks
  • Windows Shellcode
  • Linux & Unix Shellcode
  • Reverse Engineering
  • Memory Corruption/Buffer Overflow Vulnerabilities
  • Exploit Creation – Windows Architecture
  • Exploit Creation – Linux/Unix Architecture
  • Web Application Vulnerabilities

This first phase serves a very simple purpose, to weed candidates out of the process that don’t belong there in the first place. If you can’t pass this multiple choice exam, we don’t want you advancing to the next phase, which takes up the valuable time of our volunteer exam proctors (such as myself) and is costly to our non-profit organization.If you pass the first phase (70% correct), you are then delivered the second phase of the exam, which currently consists of three challenges. . They are as follows:Challenge #1: Discover and create a working exploit for Microsoft Windows Vulnerability.
Challenge #2: Discover and create a working exploit for Linux Vulnerability.

Challenge #3: Reverse engineer a Windows Binary.You get it now? Why our industry NEEDS this certification? In order to be an “expert penetration tester”, we believe you should be able to find vulnerabilities and write exploits. So, in order to get the Certified Expert Penetration Tester, you have to find vulnerabilities and write exploits. Makes sense to me: candidates are certified that they can do a job-relevant task, and THEY CAN ACTUALLY DO WHAT THEY ARE CERTIFIED TO DO!  That’s the CEPT. If you have it, you know pen testing in and out. Backwards and forwards. No doubt about it.Here is an email I received from a candidate that recently passed the CEPT process:

Sir,
The certification package has arrived and thank you very much for ensuring that it got here.  I must say that the CEPT was the most challenging test/practical I’ve had to take for a long time.  In all honesty, I will respect anyone who has this certification.

Respectfully,
Alan Orlikoski, CEPT, CISSP, CEH, ECSA
Booz Allen Hamilton

If you are interested in learning more about the IACRB CEPT process, visit our home in the internet:http://www.iacertification.org/cept_certified_expert_penetration_tester.htmlIf you are looking for training to prepare for the CEPT, you can attend ChicagoCon 2008s, or an InfoSec Institute Advanced Ethical Hacking Course:http://www.chicagocon.com/http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.htmlIf you would like to host the CEPT exam, or work for a training company and would like to become a training partner, contact us at exams at iacertification dot org.

David Renwald
Senior Volunteer Exam Proctor

Information Assurance Certification Review BoardIn the interest of full disclosure, ChicagoCon is presented by The Ethical Hacker Network. The IACRB is an educational sponsor and the InfoSec Institute is a Partner of the event.

Tags:

This topic contains 5 replies, has 5 voices, and was last updated by  mad_irish 10 years, 9 months ago.

  • Author
    Posts
  • #1983
     Don Donzal 
    Keymaster

    Interesting points made in this opinion piece as the IACRB insiders give you a view of how their ethical hacking credential differs from the rest.

    Permanent Link: [Article]-Insider`s View of Certified Expert Penetration Tester (CEPT)

    When approaching security industry luminaries over the course of the last year about the CEPT certification, the typical first response I have received is usually quite blunt: “Oh great”, “YET ANOTHER CERTIFICATION. Just what the security industry needs”.  And, to this point, I do have to agree, the security industry does not need another certification that:

    – Tests a basic level of knowledge of INFOSEC subjects (ala the CISSP, SECURITY+, SCNP, ad infinitum.)
    – Only tests the ability to regurgitate memorized information over a 2-6 hour time period
    – Is easily compromised by cheaters downloading actual exam questions for $59.90 from “teh interwebs”
    – Or, even worse, cheaters that cheat the exam cheater companies by pirating a copy of exam questions from bittorrent

    All of this results in a large group of people that have achieved a specific certification, but, in reality, have no real understanding of the subjects tested OR, more importantly, the ability to perform job duties that the certification is CERTIFYING in the first place!

    Add your thoughts about the CEPT certification and its examination process,
    Don

    NOTE: In the interest of full disclosure, ChicagoCon, presented by The Ethical Hacker Network, is offering this course for the 2008s event. The IACRB is an educational sponsor and the InfoSec Institute is a Partner of the event.

    • This topic was modified 9 months, 1 week ago by  Don Donzal.
  • #15484
     BillV 
    Participant

    I’ve never heard of the IACRB before ???

    I know that InfoSec Institute has been teaching the course for CEPT for a while. Was the IACRB just recently formed and taken responsibility for governing this certification now?

    It’s a good idea though, one that’s been brought up in the past in many different places.

  • #15485
     Anonymous 
    Participant

    That’s the CEPT. If you have it, you know pen testing in and out. Backwards and forwards. No doubt about it.

    thats a very very bold statement.  i know a couple of people that have taken the course, i’ll have to get them to validate that.

  • #15486
     oleDB 
    Participant

    I would be interested in learning more about the constraints of phase 2. Does this need to be a previously undiscovered vulnerability or is this in some kind of lab environment with plenty of vulnerabilities to choose from? How would they guard against plagiarism if the practical is take home? I would feel more comfortable with their bold statement that Chris mentioned if the work was done in a lab with a proctor versus someone at home with access to other people and the “interweb”

  • #15487
     Anonymous 
    Participant

    its known vulnerable (to them) binaries, i think 1 or 2 windows and at least 1 linux and you have to reverse a binary. unproctored.

  • #15488
     mad_irish 
    Participant

    I’ve recently completed the CEPT certification and I’ll say that it takes far too long to complete to be able to proctor it.

    One of the vulns that you had to discover in a Windows app was actually pretty well documented online (IIRC there’s a metasploit module).  I ended up finding and writing a custom exploit, but it would be possible to crib something from an external stie.  The other two were programs custom written and provided by IACRB so there wasn’t any direct help available online.  One was source code for an app that had to be installed on a Linux host then you had to write an exploit (so you had access to the source and the running service).  That program had a string format vulnerability, but the program was sufficiently complex that the straightforward tutorials on exploiting string format vulns were pretty useless in terms of cut-and-paste code development.  The other was a compiled Windows binary that was a simple program that didn’t really do anything (it asked for registration credentials).  You had to reverse engineer the application and modify it so it would accept any credentials as valid.  I don’t think you could get any help for that exercise from teh interwebs.

    I suppose you could collaborate with someone else on the practical, but someone would still have to do the legwork so I think the exercise would still be valuable in that case.  Spotting collaborators or someone who got the answers from another individual would probably be pretty easy given the nature of the exercises though (the possibility of two people turning in identical exploit code is pretty low if both copies were developed independently).

    I would heartily agree with statement that anyone with this certification really knows their stuff.  You have to be comfortable with C/C++, debuggers as well as with x86 memory architecture and assembly in order to complete the exercises (in addition to understanding the security concepts).  The certification demonstrates the holder not only understands the security concepts but can discover and apply their knowledge successfully.

    My only concern with the certification is that the IACRB isn’t very transparent and there isn’t much information about the organization available.  One can easily uncover it’s association with the InfoSec Institute, but beyond that it’s rather opaque.  For instance, there’s no way to know how many people the IACRB certifies or to easily verify a certification holder.

    http://www.MadIrish.net

You must be logged in to reply to this topic.

Copyright ©2019 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?