
Sscp

  • 24-01-2007 2:26am
    #1
    Registered Users Posts: 1,215 ✭✭✭


    Hi all

    I was wondering if anyone has done the SSCP exam, or taken a course in it? I have had it on the long finger for almost a year now, but am thinking to try and do it this year by going through a book/DVD I got on amazon some time ago.

    Anyone got any thoughts on the exam? It is, I think, a 3 hour multiple choice exam - so I am guessing it might be somewhat difficult

    https://www.isc2.org/cgi-bin/content.cgi?category=1332


Comments

  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    I did not take this exam because this exam is more for project managers to create awareness of security and good practices.
    It does not really go deeply into security stuff like tools, their use etc...
    But if you want to provide general services such as Project Manager that is good.


  • Registered Users Posts: 1,215 ✭✭✭harney


    Thanks for the reply Mick.

    I thought that this exam was a more hands on / technical version of the CISSP - aimed at those with less years in the information security field.

    Has anyone out there taken the exam? I am moving into consultancy and it looks like an interesting certificate to have under my belt.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    If you want to provide technical advice and Pen tests something like Ethical Hacker from EC-Council or Mile2.com is more appropriate.


  • Closed Accounts Posts: 25 rooker7


    The CISSP is more theory based, I found that having a good technical background helped me to pass it.

    All depends on your goals and knowledge to begin with I would suggest.

    I would advise against the ethical hacking exams, the stuff in them is massively out of date and if you're aiming to do security consulting/pen testing work then it's not going to help at all.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    rooker7 wrote:
    The CISSP is more theory based, I found that having a good technical background helped me to pass it.

    All depends on your goals and knowledge to begin with I would suggest.

    I would advise against the ethical hacking exams, the stuff in them is massively out of date and if you're aiming to do security consulting/pen testing work then it's not going to help at all.

    Ethical Hacking exams or Mile2 exams have never been designed to learn the latest technologies and hacking tools. They give you a broad range of tools to know, explain hacking processes and techniques, and also give you a very good overview of the hacking process in order to help you to fight against it by attempting to put you in a hacker's head.

    Any official study material is very clear about this. They are suggesting to do your own searches to get the latest information and updates about such and such technologies and tools.

    It is almost impossible to maintain such study material and extra online resources are the only way to keep yourself well aware of the latest stuff.

    But still those providers and exams are the industry references in terms of consulting. And they are required most of the time for Pen testing.


  • Closed Accounts Posts: 25 rooker7


    But still those providers and exams are the industry references in terms of consulting. And they are required most of the time for Pen testing.

    I guess you and I would differ when we were hiring a pen tester then, I do pen testing as part of my job and I've learnt a lot more by knowing the OS's and kit in depth and writing my own vulnerabilities than doing an exam. I took a look at the exams mentioned and for me there was no benefit at all in doing them.

    I'd suggest visiting sites such as milw0rm and igniteds and reading material there, perhaps look over the exploit code and learn why that exploit code actually works.

    I've so called Ethical Hackers who tout themselves as pen testers because they have passed these exams and can run 2 year old exploit code.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    rooker7 wrote:
    But still those providers and exams are the industry references in terms of consulting. And they are required most of the time for Pen testing.

    I guess you and I would differ when we were hiring a pen tester then, I do pen testing as part of my job and I've learnt a lot more by knowing the OS's and kit in depth and writing my own vulnerabilities than doing an exam. I took a look at the exams mentioned and for me there was no benefit at all in doing them.

    I'd suggest visiting sites such as milw0rm and igniteds and reading material there, perhaps look over the exploit code and learn why that exploit code actually works.

    I've so called Ethical Hackers who tout themselves as pen testers because they have passed these exams and can run 2 year old exploit code.

    I never said because you are certified you know your stuff...

    But you made a wrong statement about the relevance of the content of a course, I just wanted to correct it.
    Plus the material you have might be a bit obsolete. Mine is from 2006 and is still very ok.

    Even if exams, especially nowadays, are not proving anything about your skills, it actually makes a difference in your daily rates and credibility. If you have one or some.

    After that usually we are clever enough to make the difference between a skilled candidate and not, certification or not, but surely between 2 candidates with the same tech level, I will take the one who is certified. This is the way it is working as far as I can see.

    I am sure you will agree on this :-)


  • Closed Accounts Posts: 25 rooker7


    Don't get me wrong as I hold many certs and I don't doubt they have helped me at times in getting the interviews, but if I were hiring a pen tester I'd be looking for things like how many bugtraq vulns were accredited to them, could they write exploit code etc

    The course material I don't think is ok, I had 2006 material and I was far from impressed - that's just my opinion of course, other people may feel it is very good, I assume that depends on prior knowledge of the subject.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    rooker7 wrote:
    The course material I don't think is ok, I had 2006 material and I was far from impressed - that's just my opinion of course, other people may feel it is very good, I assume that depends on prior knowledge of the subject.

    Yeah I have checked the latest Ethical Hacker course, this is version 4, released in 2005. So for sure there is new stuff available.


  • Registered Users Posts: 1,167 ✭✭✭Shad0r


    rooker7 wrote:
    I would advise against the ethical hacking exams, the stuff in them is massively out of date and if you're aiming to do security consulting/pen testing work then it's not going to help at all.
    mick.fr wrote:
    Yeah I have checked the latest Ethical Hacker course, this is version 4, released in 2005. So for sure there is new stuff available.

    I'd like to just offer my interpretation on this. Although the content would be sort of similar between the EC-Council's CEH cert and the Mile2 CPTS cert there are a number of big differences between the two.

    Most relevantly to the current discussion, Mile2's course (CPTS) is updated a number of times a year, or much more frequently than the CEH. I think the last update to the CPTS was at the end of 2006.

    The CPTS course is taught by consultants who as well as teaching penetration testing techniques also spend their time consulting with companies all over the world on their information security. As such they should be as in touch with the changes in the industry as is possible.

    With other (more weighty) courses available like the CPTS, I don't really see the value in doing the CEH course but like every IT cert, both have a value dependent on your skillset going in to the course.

    I take your point rooker7, but I don't believe that education is a waste of time even if you do already know some of the stuff on the course.

    Fair enough with courses of that nature, and the speed at which exploits and fixes come out it's impossible to keep training of that nature 100% up to date but that doesn't render it completely invalid.

    Particularly if it's being undertaken in conjunction with industry experience.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Yeah Mile2 is overtaking the market in the US and Europe.
    CIA, FBI, Army is not doing EC anymore they do Mile2 now.

    Plus this is a pain to work with EC, I want to be a trainer, but I have to follow the course, but there is no course here, plus if you want to be a trainer you have to be a Training Center employee, so it means you do training all the day long and end of story. This is completely silly, the best trainers, are actually not trainers, but consultants, with production experience etc...

    So definitely I will throw my EC material away and go with Mile2 who are much better and more flexible.


  • Registered Users Posts: 1,167 ✭✭✭Shad0r


    mick.fr wrote:
    So definitely I will throw my EC material away and go with Mile2 who are much better and more flexible.

    I think I may have one EU grant for the CPTS available mick.fr if you are interested in doing that course.

    Even if they are all gone I can offer you a preferential rate for being a boards.ie user.

    Email/PM me if you would like more information.


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Shad0r wrote:
    I think I may have one EU grant for the CPTS available mick.fr if you are interested in doing that course.

    Even if they are all gone I can offer you a preferential rate for being a boards.ie user.

    Email/PM me if you would like more information.

    Yeah I know.
    End of February is too short for me, I have no choice to do it next time, hopefully you will have a new one organized in April/May max.


  • Registered Users Posts: 1,167 ✭✭✭Shad0r


    I just got this back from my contact in Mile2:
    The CPTS is updated every 2 months, due to the constant changes and updates in Technology.
    We will be launching the version 7, in Dublin on the 19th Feb.


  • Closed Accounts Posts: 25 rooker7


    I wonder if that launch date is anything to do with Mile2's Advanced Pen Testing Seminar at New Horizons on the 21st February ;-)

    I'm going along, be nice to see a few other guys off here too!

