Friday, April 11, 2008

CEH/CPTS Certification != competent pentester

Dean and I have talked about this more times than I can count, and finally a discussion has taken place over on the pentest list about automated pentesting and a pentester's experience. The thread is here: "Penetration Testing Techniques". I won't get into everything that's wrong with what's going on in that thread; I'm going to harp on experience and certifications.

From the thread:

"Well, the results are definitely verified through nmap as well. OS is win 2k3 running IIS 6.0 and only 80 being open. Yes indeed the client has assigned us the job to perform the pen test and knows about it. I do have the CPTS training DVD and am going through that, but it will take time to digest that horde of information. Also downloading WebGoat to get my hands wet with web app testing."

While the thread is initially about CORE IMPACT not finding any vulnerabilities on this particular server, the underlying issue is someone with little experience being hired to do a pentest. It's a recurring thread on other sites as well: "Hey, I got my CEH, who wants to hire me as a pentester?" :-(

Bottom line: tools are just tools; they help humans get jobs done. They aren't, and shouldn't be, the only thing used on a pentest. In the thread's own case, an exploit framework reporting nothing against a host with only port 80 open says very little about the web application behind that port, and that is exactly the part a tester has to assess by hand. The other point is that experience is king. Granted, the original poster is getting experience, but handing CORE IMPACT to a brand new tester is not going to make them better. There is a reason A LOT of subjects are taught the hard way first, and only then do you get taught "the shortcut." Oh, and passing a multiple-choice test is not a demonstrable measure of ability.

Let me also add that if one of my employees posted something like that, I'd seriously consider having them find another place to get their experience.

Want to learn the right way? Check out LearnSecurityOnline's Learning Model. LSO isn't the end-all, be-all of security, but I think the Learning Model and the Core and Advanced Competencies are a solid foundation for any security professional.

Here are the Core & Advanced Competencies:

Four Core Competencies
• Operating Systems
• Networking
• Programming
• IT/IT Security Resources

Advanced Competencies
• Documentation, Policies, Procedures, Disaster Recovery
• Cryptography
• Forensics
• Penetration Testing
• Security Industry Certifications


dean de beer said...

As Chris said, we have had this conversation a LOT. I'm sure others have too. I really don't see anything wrong with certs, but they DO NOT make a pentester or [insert career here].

It seems that security in general is 'cool' now and everyone wants to be doing it. This happens in a lot of professions, I guess, but the issue is that instead of gaining experience or interning, or even understanding that the cert does NOT give them the skills to perform a pentest, these folks are heading out and 'performing' these services for clients. Not only does this dilute the quality of professionals in this arena but, more importantly, it does an incredible disservice to the client. They are approaching us to provide valuable data regarding their security posture and are instead walking away with a false sense of security.

If a person who is just starting out is able to land a contract, then great, but rather than do the work alone, hire or contract with someone else with a proven track record to do the work. That person may make less initially, but their client will be happy and likely come back again. The novice pentester gains valuable experience and everyone is happy.


Anonymous said...

Amen! Raise the roof!

Anthony Williams said...


Both of you are so right I don't know where to begin! Now that InfoSec is "sexy" everyone with an IT background wants to be doing it. It seems this comes up about once a week when I'm on the phone with Joe McCray talking shop.

What we are always bewildered about is how these guys find business in the first place. I just can't call it; perhaps someone else can shed a little light on the subject?

Dean, great suggestion: if you are light on skills but heavy on ambition, get some assistance from an expert you can learn from. I would even extend this concept to the different disciplines within the field, e.g., wireless, web applications, VPN assessments, etc. If you are skill-light in that area, don't hesitate to bring in someone with more experience to assist and provide guidance.

Anonymous said...

As much as it pains me, I agree with Dean. I don’t mind agreeing with Chris though :)

If you're under-experienced, get someone who isn't to help. I think that goes for anything, no matter what it is: InfoSec, development, site design, film making, drawing, whatever you're contracted for.

Now the hard part is making people do this. If someone can get a gig doing a pen-test and then has to bring in help, his take-home cash goes down. Not everyone is willing to take that hit just so that the client can get a good job. The client doesn't know better (generally); that's why you're called in there in the first place. Greed is a good motivator. And if you go to someone and say "I have this and that cert", then they're going to think that you're pretty competent. Even if you're not especially competent, it's easy enough to throw lots of buzzwords at people and blind them with a science they don't understand, and they think you know exactly what you're doing.

The problem then is that they can get a service which is unprofessional, but they don't know any better. Your chosen tool might not be able to find a hole which someone writing their own custom tool or doing it manually would turn up. So in that scenario the client thinks that all is well, they had a pen-test and it was fine, no problems, when in actual fact they could be sat on a big hole in their system. A bit extreme, I know, but it could happen.

Basically, certs just mean you can remember things and write them down in an exam. That doesn't mean that you can actually do real-world things, or that you can even remember them for a long time; just that you can cram things into your head to spew out in a few hours' worth of exams. Unfortunately a lot of people don't seem to realise this. It doesn't just cover InfoSec; this is all certs. Just having a computer degree doesn't mean that I would employ someone on my team; I'd want to check out their skills first. Great, you have a degree/cert/whatever and you can research and learn stuff, but what can you actually do?

How you can get a client to only employ people who have a proven history, or how you can get every contractor to be professional, is a big feat. I can't think of an answer. It's not like when you want a tradesman (plumber, bricklayer, plasterer, whatever) and you ask your mates or colleagues who they used for their jobs and whether they were any good. Companies generally don't talk between themselves to recommend things. If they did, you'd have to be a little suspicious of whether or not your competitor was trying to stitch you up; this could be the competitive edge between companies.