- This topic has 21 replies, 18 voices, and was last updated 11 years, 8 months ago by
.
-
Posts
-
-
Hi,
I’ll be looking for work in the next few weeks (Agilent Tech, major workforce restructuring!) in the UK. I have approx 10 years sys admin and 4 years as System/Security Test, mostly using Nessus, I have recently passed the Security+ (2008) and now looking for a cert which will give me additional practical experience as well as being recognised by an employer, as I’ll be concentrating my job search on Pen Testing oppurtunities. I was looking at either the OffSec or the CEH. Any advice on which would eb the best as well as timescales to study/take. I’m on ‘leave’ as of now so have my days available for study.
Any help appreciated.
Cheers
Worryfree -
-
-
I haven’t taken the OffSec courses, but I have heard nothing but the best about them. I’ve been told that they are challenging and prove your skill. There are a few people here with that cert, perhaps they can speak from personal experience.
I did take the CEH course. It was a good introduction into ethical hacking. It feels like the next step from Security+. It will not teach you how to “hack.” You should be able to pass this from just studying the literature.
The CEH cert has more name recognition from my experience. It will probably open a door or two for you, although not anything like CISSP. OSCP will actually help you do your job when it comes to pentesting. This is only my opinion.
-
-
@worryfree wrote:
I’ll be funding myself and solely based on this I’m inclined to go with OffSec not unless there are any other options, even the material only with cert exam seem expensive for the GPEN.
You can get it at a discounted rate if you do some volunteer work. Only $700 for the class, cert attempt, and OnDemand training.
http://www.sans.org/training/volunteer.php -
-
-
Dont even bother with the CEH its worthless… Useless for getting a job, Useless for learning anything practical… and all around a complete waste of time…
Take the offensive Security 101 training instead.. You will learn much more then the CEH and it will be practical experience not memorizing slides and useless information about trogen passwords from 1995….. man the ceh is useless, note I took that exam back in 2003 and it hasn’t improved much from what i have seen…
Also if you do get a bit of money.. The training from infosec institutes advanced class is very good if you are interested in another certification that will prove that you actually learned something.. CEPT Warning with that cert though… Make sure you go into that class knowing how to use linux… basics of how overflows work.. and at least read up on Assembly and know the basics……
Hmmm GPEN I dont know much about… I know that ed scoudos guy seems to be pretty knowledgeable and he wrote the course and teaches it.. his web casts are great so try for the discounted 700 dollar volunteer work… I dont think you could go wrong with that….. Plus I think with that you get access to the online material for a bit too….
Another great place to learn stuff is on the forums…. This forum.. Learn Security Online’s forum… The backtrack forum… Blogs like carnol0wnage.. etc etc….
-
I’m 100% behind what ficti0n said. Don’t waste your time with the CEH program. It’s best you get what you pay for & in these economical times , the Off Sec course hands down is some of the best training you could pay for , for a damn good price. I hate to rag on the CEH here but I think it’s way over priced and they throw a bunch of worthless tools together to make it look like your picking up on a bunch of knowledge (Come on Neo Trace? Who uses this tool during a penetration test). At least the Off Sec course walks through a hands on demo of exploit development and you walk away having hands on experience of some common attack vectors used by attackers today. I personally think it’s good paying a good price for a course that can teach you a more hands on approach then paying 2 or 3 times as much as walking away having to take a written test to get your certification as oppose to actually proving the skills you learned in a practical lab environment. This to me hands down is the difference between these two courses and I again say , go for the OSCP Cert instead of the CEH!
-
Ok, well, I can’t say that I entirely agree with the two above. But I don’t disagree with everything stated either. Having taken all three of the mentioned courses (CEH, OSCP and GPEN) I can certainly offer comparisons between them.
That being said, the CEH was the first certification I obtained. It did give me some recognition with my employer at the time (quite possibly from just the name), and it definitely came into play shortly after once I started getting security-related tasks. Now, I had prior hobby experience before earning the CEH, and I did further research/testing/etc. on my own during and after the course. What I’m getting at (and I’ve said this in the forums here before – as well as others) is that the CEH can be what you make of it. It’s an introductory certification, not meant to make you an expert. If you take the concepts learned, the tools used and the resourcefulness you should have as an ethical hacker, you can quite easily turn the CEH into a lot more. And this isn’t just for CEH, but for any security certification in general you’re going to need to constantly stay updated.
For the cheapest route, you could do OffSec or CEH courseware. Then of course if you do the volunteer thing for SANS, you can get the GPEN for a great price. Knowing what each includes and that you’re trying to get the most bang for your buck, my suggestion would be this: Do the OffSec course and buy one or two of the CEH prep books (not the official review guide, but the ExamPrep or the Prep Guide. If you decide to take the exam, then purchase the Official Review Guide for studying prior. Since you mentioned doing the volunteer thing with SANS, that’s when you can do the GPEN. They will all certainly complement each other and you’ll learn quite a lot.
BillV
-
Hi Worryfree
I am in a similar situation as yourself as in i have been in sysadmin for a while but not quite as long as you and want to get into the Security industry as a Pen Tester. I have also completed the Security+ exam but have a very low budget to go towards courses and have been looking at the OSCP. I have noticed that in the UK the required certifications are either CHECK or CREST but you have to be very competent before you can even think about taking on these qualifications and are still a couple of grand to do. I have mentioned on the site a few times about the Tigerscheme but no one seems to really know of it and are therefore hesistant to go into that direction, as they provide courses followed by an exam but are unfortunately still very expensive :'(
-
-
-
-
Hello,
I have a question related to the same subject.
I want to take a certification to help me doing vulnerability assessment, not necessary penetration testing. I still can’t decide between CEH and OSCP. I already am CISSP and CISM, but I want something more hands-on.
What do you suggest??
Thanks! -
For ‘hands on’, I would say offsec, then GPEN. I am not a CEH so I can not comment on the hand on element (there are plenty of CEH members that can). However, the exam for the OSCP is 100% pure, unadulterated, mind blowing hands on!!
However, this is a pent testing course, with little ‘pure’ vulnerability scanning, so with this in mind, you might be better off with GPEN which includes pen testing and vulnerability scanning.
Hope that helps.
-
@Orhan wrote:
For ‘hands on’, I would say offsec, then GPEN. I am not a CEH so I can not comment on the hand on element (there are plenty of CEH members that can). However, the exam for the OSCP is 100% pure, unadulterated, mind blowing hands on!!
However, this is a pent testing course, with little ‘pure’ vulnerability scanning, so with this in mind, you might be better off with GPEN which includes pen testing and vulnerability scanning.
Hope that helps.
From all I’ve heard, OSCP is the way to go for more hands on. I know the class I had with Infosec Institute that happened to include CEH testing was also very hands on, but I’m not confident you’ll find that across the board. There were some folks in my class who passed the test who weren’t… um.. so good. There were also some bad ones who did fail too, which gave a person some faith as well. But, by all accounts, OSCP is the cert associated with more hand-on stuff than a CEH.
On the other hand, I actually have gotten recruiter emails simply because their hiring client mentioned CEH specifically in requirements, and I bubbled up on top of others for that reason. CEH definitely has the more accessible and better known name of the two to the broader public.
I never even saw a study guide or knew of the official coursewhere for the CEH by the way, and rocked the hell out of that test, but this also wasn’t my first security course ever, I came in quite comfy with linux and windows, and had been doing vulnerability assessment as a job for a year or so when I took it.
-
I’ve always been interested in computer security. My daily job is an IT administrator for SMB clients running SBS 2003/2008 boxes + terminal server environments and small vmware deployments.
Last year I decided to take a dive into some serious infosec study.
I initially had my eyes set on the CEH but I decided to do OSCP after two things. Firstly I looked at the back track distro and thought it was very well done. Secondly I found out that the exam was completely practical based and I have very fond memories of doing my RHCT exam. (To this day I think that practical based exams are not only challenging and rewarding but FUN!)
So I signed up to OffSec101. I fully enjoyed the course even though I have not sat the exam yet for personal reasons. I firmly believe that if you have a solid understanding of linux, networking and basic scripting skills OffSec101 is the best starting course.
The format is good, the videos are clear and the labs are interesting.
I’m currently finishing up ethical hacking online from InfoSec Institute (the training is for CPT and CEH exams). A lot of the stuff being covered I have learnt already from OffSec101. However gained a lot more value because i did OffSec101 first. I chose to do this course because the CPT exam was part practical and it included CEH training as a bonus.
My recommendation for anyone who is getting into this is to.
Doing a basic networking course first to ground yourself in the OSI model and understand networking principles. It is very important.
Train up on linux use and administration.
Once these foundation items are set sign up for OSPWB.
Do a InfoSec Institute ethical hacking course. I can’t recommend the online one though because I have found it to be of poor quality, if I hadn’t done OS101 first I don’t think I would have learnt anything. I have only heard of great things about the instructor led courses.
From there branch out into the InfoSec Insitute advanced ethical hacking class or OSCTP or why not do both?
From that you should have seriously solid base of building a future in security. These classes don’t make you a pentester they prepare you to be one.
In terms of certs you should be able to walk away with OSCP, CPT, CEH, CEPT, OSCE, ESCA, LPT.
In that mix there is clearly a mix of “business recognised certs” (EC-Council ones) and proven hands on training (OffSec, IACRB certs).
-
@alucian wrote:
I still can’t decide between CEH and OSCP. I already am CISSP and CISM, but I want something more hands-on.
What do you suggest??
Thanks!When your options are CEH or OSCP I would go for the OSCP. I am not certified for either (yet) but depending on all the posts and reviews I have read so far, OSCP should be more hands on and cover the things better. CEH may teach more different things but only on the surface and not really deep enough as I have often read. As you are already CISSP and CISM certified I assume that you have a good knowledge and a good base to go for OSCP.
-
-
-
- You must be logged in to reply to this topic.
