INFOSEC
CERTIFICATIONS
THE VERY GOOD, THE ALMOST GOOD AND THE REALLY UGLY
18-Jun-2014
Lucian Corlan lucian.corlan@owasp.org
MSc InfoSec CISSP OSCP CISA SABSA CCNA Security CISM CSSLP(a) CEH
Cristian Serban cristian@appsec.ro
SABSA OSCP CEH OSWP Security+ ISO27001 Auditor GIAC MCAD
CONFIDENTIAL AND NOT FOR REPRODUCTION WITHOUT PRIOR WRITTEN
CONSENT. © OF THE SPORTING EXCHANGE LIMITED.
DISCLAIMER
- From experience (and a bit of informed gossip) only
- Membership of some of the organisations (paying annual fees), nothing more
- Not representing a professional services or training company
- Didn't find any good, independent and impartial studies / comparisons of security certifications
Agenda
Top Charts
#1 CompTIA SECURITY+
#2 CRISC
#3 CISM
#4 CISSP
#5 OSCE
#6 LPT
#7 CREST ACE/ICE
#8 GIAC Security Essentials
#9 CEH
#10 OSCP
https://www.linkedin.com/pulse/top-10-cyber-security-certifications-2015-sid-vanderloot
CompTIA Security+
EC-Council
CEH – Certified Ethical Hacker
Ethical Hacking & Information Systems Security Auditing
◦ latest security threats
◦ advanced attack vectors
◦ practical real-time demonstration of the latest hacking techniques
◦ training with hands-on labs
◦ signed agreement stating the information will not be used for illegal or malicious attacks
◦ not everyone can be a student – screening process beforehand
Exam Details
◦ 125 multiple choice questions
◦ duration 4 hours
◦ passing score 70%
EC-Council
Other Certifications
ISECOM
Institute for Security and Open Methodologies
began with the release of the OSSTMM, the Open Source Security Testing Methodology Manual
Silensec
Offensive Security
OSCP & OSCE
Penetration Testing with Kali Linux (PWK)
◦ Information Gathering Passive/Active
◦ Vulnerability Scanning
◦ Buffer Overflows (Windows and Linux)
◦ Working with Exploits
◦ Privilege Escalation
◦ Client Side Attacks
◦ Web Application Attacks
◦ Password Attacks
◦ Port Redirection and Tunneling
◦ The Metasploit Framework
◦ Bypassing Antivirus Software
Cracking the Perimeter
◦ Advanced Exploitation Techniques
◦ The Web Application angle
◦ The Backdoor angle
◦ The 0Day angle
◦ The Networking Angle - Attacking the Infrastructure
Offensive Security
OSCP & OSCE
Offensive Security Certified Professional
◦ world's first completely hands-on offensive information security certification
◦ the OSCP exam provides access to a dedicated vulnerable network
◦ designed to be compromised within a 24-hour time period
◦ entirely hands-on
◦ awarded to students who successfully gain administrative access to systems
◦ completed with the examinee submitting an in-depth penetration test report
Offensive Security Certified Expert
◦ next level after OSCP
◦ 48-hour certification exam
CREST
CREST is a not-for-profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.
CESG (Penetration Testing)
CREST + OSCP
Leading UK and US penetration testing certification bodies join forces in global drive to professionalise cyber security sector.
CREST Registered Tester (CRT)
Offensive Security Certified Professional
SANS
Information Security
GIAC
Global Information Assurance Certification
Information Systems Audit and Control Association
CISM - Certified Information Security Manager
CISM requires demonstrated knowledge in four functional areas of information security
◦ Information Security Governance (24%)
◦ Information Risk Management and Compliance (33%)
◦ Information Security Program Development and Management (25%)
◦ Information Security Incident Management (18%)
Exam
◦ administered biannually (June & December)
◦ in limited locations worldwide (only in Bucharest for Romania)
◦ 200 multiple choice questions – four hours
◦ submit verified evidence of five (5) years of work experience in the field of information security
◦ 3 of the 5 years of work experience must be gained performing the role of an information security manager
Maintain CISM
◦ annual maintenance fee
◦ annual minimum of 20 CPE hours
◦ minimum of 120 CPE hours for a three-year reporting period
Information Systems Audit and Control Association
CISA & CRISC
CISA – Certified Information Systems Auditor
◦ audit, control and security of information systems
◦ high degree of visibility and recognition in the fields of IT security
◦ certification is extremely challenging and is associated with a high failure rate
The CISA certificate can be applied for once the CISA exam has been passed and the following conditions are met
◦ experience as an auditor of information systems
◦ compliance with Code of Ethics
◦ continuous training - CPE
◦ compliance with the standards for audits of information systems
CRISC – Certified in Risk and Information Systems Control
◦ experience in managing IT risks
◦ knowledge in five functional areas of IT risk management:
◦ Risk identification, assessment and evaluation
◦ Risk response
◦ Risk monitoring
◦ Information systems control, design and implementation
◦ IS control, monitoring and maintenance
CISCO Security Track
SABSA
Sherwood Applied Business Security Architecture
SABSA is a framework and methodology for enterprise security architecture and service management.
SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives.
5-day course for Foundation
48 + 48 (really abstract!) questions
Sample question:
A security domain X comprises a set of security elements. All of these elements are also security elements of domain Y, but Y also contains other additional security elements. Which ONE of the following statements is TRUE?
A. Y is a subdomain of X
B. X is a subdomain of Y
C. X and Y are equivalent domains
D. X is a subdomain of Y
CISSP
Certified Information Systems Security Professional
International Information Systems Security Certification Consortium
◦ vendor-neutral certification
Common Body of Knowledge
◦ Access control
◦ Telecommunications and network security
◦ Information security governance and risk management
◦ Software development security
◦ Cryptography
◦ Security architecture and design
◦ Operations security
◦ Business continuity and disaster recovery planning
◦ Legal, regulations, investigations and compliance
◦ Physical (environmental) security
Requirements
◦ five years of direct full-time security work experience in at least two CBK domains
◦ accept the CISSP Code of Ethics
◦ criminal history and related background check
◦ pass multiple choice exam, 250 questions, six hours, 700 of 1000 possible points
◦ endorsed by another CISSP
◦ annual fee $85 + renew by submitting Continuing Professional Education (CPE) credits
CISSP
Certified Information Systems Security Professional
Host Unknown presents: I'm a C I Double S P (CISSP Parody)
https://www.youtube.com/watch?v=whEWE6WC1Ew
Other certs
Cloud Security Alliance CCSK™ - Certificate of Cloud Security Knowledge
CGEIT (Governance of IT)
CRISC (focus on risk)
ISO 27001 Lead Auditor
ISO 27001 Lead Implementer
PRINCE2 (Project Management)
ITIL (not security)
COBIT (focus on risk)
Certified Secure Web Application Engineer (CSWAE) Mile2
Certified Penetration Testing Engineer (CPTE) Mile2
Certifications on specific products or technologies … lots & lots
Q&A