It's been an interesting few months for me: I moved to Manila, attended BlackHat 2012 in Vegas and completed my CEH, OSCP and GPEN certs. Time just seems to have flown by.
Anyhow, today I wanted to compare and contrast the CEH, OSCP and GPEN certifications. Hopefully it might provide some guidance to those folks interested in qualifications but who don't know what to go for, what content is covered by each and whether it's ultimately worth doing or not.
So first up: Certified Ethical Hacker (version 7) by EC-Council. http://www.eccouncil.org/courses/certified_ethical_hacker.aspx
I completed this back in May and from what I remember it was heavily theory based (and at times not even the most relevant theory). The cert quite often focused on the basics, for example, what is DNS, what is a virus/worm/rootkit, the ins and outs of WPA/WEP, symmetric vs asymmetric encryption and key lengths and block sizes. Now while this is all excellent information I couldn't help wondering how useful this would actually be for most people on a day to day basis. So good information that's worth knowing, but maybe not all that relevant. And the one big thing missing from the CEH is some decent hands-on activities. They do give you a disc with some crappy Windows tools and some simple exercises but it would be better just to have some exercises using the more powerful (and more relevant) tools in BackTrack.
For someone starting out in security this is a great introduction: they cover the basics as well as the most commonly used attack vectors. For me personally though, I found the material too dated, too high level and without good quality practical exercises, so at times I found myself bored and unmotivated.
Cost: $500 for exam only ($1000+ for course materials)
Next up is the Offensive Security Certified Professional course offered by Offensive Security (the makers of BackTrack). http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
Wow, what a course. I started this back in October 2011 and after months of reviewing the material and working through the lab, I finally passed the exam in May 2012. This course is not for the faint-hearted! There are two components, the study materials (videos/PDF textbook) and the lab. The course materials are very practical, every concept and activity is accompanied and demonstrated by a real example. And you are given exercises to complete for each section. The course covers what you actually need to be a certified ethical hacker (unlike the CEH!). It follows the usual attack methodology, recon/scanning/exploitation/persistence/pivoting, and for each step you're guided through the theory, which tools to use and how to use the information you gain.
The lab is where the OSCP really shines. You are thrown into a virtual lab environment with 50 machines situated on different networks, all with various vulnerabilities and hidden surprises. Your challenge is to hack your way through to the admin machines deep in the network. Putting theory into practice was such a great learning experience and I learnt that knowing theory and putting theory into practice are two very different things. A lot of what you need for the lab is not covered in the course material and you are forced to do background reading and research. It's this which separates the OSCP from other certifications. The OSCP motto: "Try Harder".
The exam is the icing on the cake. Instead of the usual multiple choice exam bullshit, you are challenged to hack a series of machines within 24 hours. It's pretty crazy but a hell of a lot of fun. Oh, and you are required to submit a real life pentest report of all your activities in the lab!
Cost: ~$1500 (I extended my lab time a few times)
And last but not least, SANS 560 - Network Penetration Testing and Ethical Hacking (GPEN). http://www.sans.org/course/network-penetration-testing-ethical-hacking
I completed the multiple choice exam for this last week and after the OSCP I felt a little let down by this course. The material was decent, I completed the OnDemand version which was a series of PowerPoint slides with narration by Ed Skoudis. Ed was really entertaining and did a great job of keeping the material interesting and relevant. My issue with this course was the depth. Whilst the content they covered was spot on, I felt they could have gone into more detail, in fact I wanted them to go into more detail. It's a shame that the material is written to fit in with the 6 day course because they ultimately have to compromise on the quality of the course. Ed, if you're reading this, why not offer an online version that is twice as long and covers everything?
My favorite aspect of the course was the emphasis on providing business value. Logistically, what is the best way to perform a penetration test? There's a lot to consider and Ed does a great job of breaking the tasks down and showing you how to effectively structure a full penetration test. He gives plenty of useful tips as well, for example, for large networks only scanning a subset of representative machines or obtaining firewall rules to reduce the time/cost of the test. And he gives a great overview of how to write an awesome final report.
Perhaps the biggest issue with this course is the price. For the course and exam it costs just under $5000 which for a set of online videos (only valid for 3 months) and a pile of books is a little overpriced to say the least.
Certs are cool, it's great to learn new things and brush up on the old. (And it's cool to have some new letters after my name.) Employers like certs; it shows that you know stuff and they will be more likely to choose you over someone with no certs. I learnt a lot doing all three certs, the OSCP was my favorite by far but it really is a baptism of fire and you need to be dedicated to it. The others were useful but more as a CV filler.
It was interesting at BlackHat and Defcon how a lot of people frowned on certs and tbh I do agree with them. For example both the CEH and GPEN used relatively easy 150-question multiple choice exams and the GPEN was open book. Realistically they aren't that hard to pass. So should you employ someone with these certs? Yes of course! Should you expect them to be super 1337? No. But how else can you judge if someone knows their shit? Experience alone?
I think what people don't like is that these certs and others (I'm looking at you CISSP) are a convenient way for non-security and even non-IT folks to get into IT security when they have no real experience. More people working in security is great but inexperienced people deploying security in Fortune 500 companies is probably not a good idea.
OSCPs (and OSCEs) are the exception to the rule; if you ever meet one of this rare breed, give them a pat on the back, they earned it.
This is pwndizzle, over and out.