
Thread: Ethical Hacker Certification

  1. #1

    Ethical Hacker Certification

    I was just wondering what kind of certification one would need to be an Ethical Hacker (a hacker who hacks companies to test their systems). I heard something about Security+ and CISSP but am not sure where I should begin (such as, should I take a course in school about networking, programming, etc., or...).

    If possible, a Canadian's answer would be much appreciated since everything differs in different countries, lol. But it's not limited to just Canadians.. Any help whatsoever helps..! :-D

    Thanks guys :-)
    ~Apollovega~
    "I will control my Destiny Terenica...I'm not afraid."

  2. #2
    well, a nice certificate (you can also test your own skills with it) would be at www.ngsec.com, this is totally free and online.. if you succeed, you get a pdf file on the site as your certificate.

    as for others, i'm looking for it too, but then in the netherlands, and i think that most important would be to have proven experience, not a certificate, since there are so many certificates.. i know there is a hackerschool (in LA i think) but it is too far away for me to study there, but for the rest, perhaps there are more certificates, like ngsec, which can be done online....

    if you come up with more certificates, please let me know, perhaps i want to participate as well

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    There is no such thing as an ethical hacker certificate. Your arrest record is usually a good indication of how you spend your time.

    However, there are certs that the security industry recognizes as an indication that you aren't a black hat. You mentioned the CISSP, which is the most widely recognized certificate, but major vendors such as Microsoft and Cisco also have certs that carry some weight. CompTIA offers the Security+ exam. They are most noted for the A+ and Network+ certs. Many junior level professionals have these certs. Personally, if I had a choice, I wouldn't have gotten any of the certs that I have. I don't believe they are a true measure of talent or intent. Also, certs tend to go stale over time. Just ask anyone who spent 15,000 US dollars on a Novell cert in the early 1990s.

    Lepricaun mentioned the ngsec cert. The only thing that it measures is your ability to use google and leverage tech forums for the answers. Their site isn't truly about certs, rather, bringing attention to their security services being offered. Now, I'm not trying to take the wind out of his sail for passing, but I also don't want anyone to think that the ngsec folks are out trying to better the industry. They are a business and the only thing they are looking to better is their profit.

    This, of course, is just my opinion. It's based solely on what I have seen and experienced in the industry over the past 15 years.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    There is to!

    Sorry to disagree, but there is a CEH... It is a pretty stupid cert (like most), as all you do is use about 200 out of 500 tools on a cd they give you, like basic security tools, so you don't really learn anything, but I'm sure some companies believe it means something.

    Apollovega, I would recommend just learning lots and lots, and seeing if you can get a job in IT somewhere and working your way up. The CISSP and CCNP and all the other Cisco certifications might actually get you somewhere if you decide to take them, as they still mean something to most corps.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    You've taken my statement as "literal". Here is what I mean. I hand you a sheet of paper that says you are an ethical hacker. How does that sheet of paper prevent you from doing something unethical? Another example would be when a cop is handed a badge and takes the oath to serve and protect yet you constantly see abuses of power. There is no way to guarantee ethics, thus, there is no such thing as a "Certified Ethical Hacker". Make sense?

    Yeah, I'm aware of the CEH garbage. Again, it's a ploy to suck cash out of the dum dums who feel they need a sheet of paper to prove their "31337ness".

    Never ever be sorry to disagree. Especially when I post something. I'd rather have you press your case than not.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    You can find a fairly good writeup on the numerous security certs here.

    This writeup covers the following:

    Brainbench HIPAA (Security)
    The Brainbench HIPAA (Security) cert deals with topics and requirements that drive the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to help IT professionals understand and implement related information handling and processing requirements.

    Brainbench Information Technology Security Fundamentals
    This Brainbench certification tests basic knowledge of information security concepts, skills and best practices. Topics covered include:
    Attack recognition, prevention and response
    Content security
    Database infrastructure protection
    General concepts
    Network infrastructure protection
    Perimeter and Internet security
    Security management systems and security technologies

    BIS -- Brainbench Internet Security Certification
    The BIS seeks to identify individuals with a good working knowledge of Internet security practices, principles and technologies. It is aimed at full-time network or system administrators who must manage systems with Internet connections or access.

    BNS -- Brainbench Network Security Certification
    The BNS seeks to identify individuals with a good working knowledge of network security practices, principles and technologies. This cert is aimed at full-time network administrators who must deal with external threats through boundary devices like routers, firewalls or intrusion-detection systems, as well as more typical internal threats.

    C3C -- Certified Cyber-Crime Expert
    The C3C identifies computer forensics investigators, information technology and security personnel, law enforcement officials, lawyers and others, who must have the knowledge and tools to effectively collect, handle, process and preserve computer forensic evidence. The certification requires successful completion of the Computer Forensic and Cyber Investigation course, and a practical and written exam.

    CCCI -- Certified Computer Crime Investigator (Basic and Advanced)
    The CCCI is one of two computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include two years of experience (or a college degree, plus one year of experience), 18 months of investigations experience, 40 hours of computer crimes training and documented experience from at least 10 cases investigated. Advanced requirements bump experience to three years, four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases, with involvement in over 60 cases overall.

    CCE -- Certified Computer Examiner
    The CCE, offered by the Southeast Cybercrime Institute at Kennesaw State University in partnership with Key Computer Service, seeks to identify individuals with appropriate computer forensics training or experience, which includes evidence gathering, handling and storage, and no criminal record. In addition, candidates must pass an online examination and successfully perform a hands-on examination on three test media.

    CCFT -- Certified Computer Forensic Technician (Basic and Advanced)
    The CCFT is one of two computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include three years of experience (or a college degree, plus one year of experience), 18 months of forensics experience, 40 hours of computer forensics training and documented experience from at least 10 cases investigated. Advanced requirements include three years of experience (or a college degree, plus two years of experience), four years of investigations and 80 hours of training and involvement as a lead investigator in 20 cases with involvement in over 60 cases overall.

    CCISM -- Certified Counterespionage and Information Security Manager
    The purpose of CCISM is to prepare individuals to study potential sources of threat, defeat attacks and manage information security at an organizational level. CCISM is a management-level certification, where CCISMs generally manage, work with or consult IT organizations, technical specialists and other IT security professionals.

    CCSA -- Certification in Control Self-Assessment
    The CCSA demonstrates knowledge of internal control self-assessment procedures, primarily aimed at financial and records controls. This cert is of primary interest to those professionals who must evaluate IT infrastructures for possible threats to financial integrity, legal requirements for confidentiality and regulatory requirements for privacy.

    CEECS -- Certified Electronic Evidence Collection Specialist Certification
    The CEECS identifies individuals who successfully complete the CEECS certification course. No prerequisites are required to attend the course, which covers the basics of evidence collection in addition to highly technical terminology, theories and techniques.

    CEH -- Certified Ethical Hacker
    The CEH identifies security professionals capable of finding and detecting weaknesses and vulnerabilities in computer systems and networks by using the same tools and applying the same knowledge as a malicious hacker. Candidates must pass a single exam and prove knowledge of tools used both by hackers and security professionals.

    CERI-ACFE -- Advanced Computer Forensic Examination
    The CERI-ACFE seeks to identify law enforcement officials with advanced computer crime investigation experience and training. Basic requirements include two years of computer investigation/debugging, two years of Microsoft platform analysis, two years of non-Microsoft platform analysis, 80 hours of approved training, a written exam and successful completion of hands-on exercises.

    CERI-ACSS -- Advanced Computer System Security
    The CERI-ACSS seeks to identify law enforcement officials with advanced computer crime investigation experience and training. Basic requirements include two years of computer investigation/debugging, three years of Microsoft platform analysis, one year of non-Microsoft platform analysis, 40 hours of approved training, a written exam and successful completion of hands-on exercises.

    CERI-CFE -- Computer Forensic Examination
    The CERI-CFE seeks to identify law enforcement officials with basic computer crime investigation experience and training. Basic requirements include two years of computer investigation/debugging, one year of Microsoft platform analysis, six months of non-Microsoft platform analysis, 40 hours of approved training, a written exam and successful completion of hands-on exercises.

    CFCE -- Computer Forensic Computer Examiner
    One of a growing number of law enforcement related forensic IT credentials, the International Association of Computer Investigative Specialists (IACIS) offers this credential to law enforcement and private industry personnel alike. Candidates must have broad knowledge, training or experience in computer forensics, including forensic procedures and standards, as well as ethical, legal and privacy issues. Certification includes both hands-on performance-based testing as well as a written exam.

    CFE -- Certified Fraud Examiner
    The CFE demonstrates ability to detect financial fraud and other white-collar crimes. This cert is of primary interest to full-time security professionals in law, law enforcement or those who work in organizations (such as banking, securities trading or classified operations) with legal mandates to audit for possible fraudulent or illegal transactions and activities.

    CHFI -- Computer Hacking Forensic Investigator
    The CHFI is geared toward personnel in law enforcement, defense, military, information technology, law, banking and insurance, among others. To obtain CHFI certification, a candidate needs to successfully complete one exam.

    CIA -- Certified Internal Auditor
    The Certified Internal Auditor demonstrates knowledge of professional financial auditing practices. The cert is of primary interest to financial professionals responsible for auditing IT practices and procedures, as well as standard accounting practices and procedures to insure the integrity and correctness of financial records, transaction logs and other records relevant to commercial activities.

    CIFI -- Certified Information Forensics Investigator
    Obtaining the credential of Certified Information Forensics Investigator requires adherence to a code of ethics, successful completion of a rigorous exam and fulfilling specific experience requirements. Aimed at full-time professional practitioners, this certification is vendor-neutral and devoid of sponsored training requirements, or the use or purchase of specific products.
    Source: International Information Systems Forensics Association

    CISA -- Certified Information Systems Auditor
    The CISA demonstrates knowledge of IS auditing for control and security purposes. This cert is of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.

    CISM -- Certified Information Security Manager
    The CISM demonstrates knowledge of information security for IT professionals responsible for handling security matters, issues and technologies. This cert is of primary interest to IT professionals responsible for managing IT systems, networks, policies, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.

    CISSP -- Certified Information Systems Security Professional
    The CISSP demonstrates knowledge of network and system security principles, safeguards and practices. Of primary interest to full-time IT security professionals who work in internal security positions or who consult with third parties on security matters. CISSPs are capable of analyzing security requirements, auditing security practices and procedures, designing and implementing security policies, and managing and maintaining an ongoing and effective security infrastructure. CISSP candidates must have four years of experience (or a college degree plus three years of experience).

    CIW Security Analyst
    Individuals who take and pass the CIW-Security Professional (CIW-SP) exam, and who hold one of the following certifications qualify as a CIW Security Analyst (CIW-SA):

    Microsoft Certified Systems Administrator (MCSA)
    Microsoft Certified Systems Engineer (MCSE) 4
    Microsoft Certified Systems Engineer (MCSE) 2000
    Certified Novell Engineer (CNE) 4
    Certified Novell Engineer (CNE) 5
    Cisco Certified Network Associate (CCNA)
    Cisco Certified Network Professional (CCNP)
    Cisco Certified Internetwork Expert (CCIE)
    Linux Professional Institute (LPI) Level 2
    Individuals who hold this credential can carry out security policy, identify and handle security threats, and apply countermeasures using firewalls, intrusion detection and related systems. The program's Web focus also includes coverage of online payments, transaction processing and related security matters.

    CIW-SP -- Certified Internet Webmaster-Security Professional
    The CIW-SP demonstrates knowledge of Web- and e-commerce-related security principles and practices. It is of primary interest to Web administrators who must implement and manage a secure and working Web presence that may also include e-commerce capabilities.

    CPP -- Certified Protection Professional
    The CPP demonstrates a thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered in this article, the CPP requires extensive on-the-job experience (nine years or seven years with a college degree), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time are able to qualify for this credential.

    CSFA -- CyberSecurity Forensic Analyst
    The CSFA aims to identify individuals who are interested in information technology security issues, especially at the hardware level. Prerequisites include at least one certification in computer and software support, networking or security (such as CompTIA's A+, Microsoft's MCSA or MCSE, or Cisco's CCNA), successful completion of an introductory and an advanced computer forensics course offered through the CyberSecurity Institute and no criminal record.

    Certified Web Professional (CWP) Security Specialist
    Obtaining this credential requires passing the CIW Security Professional exam and meeting additional work experience requirements. Please see the CIW-SP listing for more information.

    FCSS -- Field Certified Security Specialist
    This certification permits individuals to specialize in Cisco, Check Point or cross-platform topics (which is why we list it in both the vendor-specific -- although the parent organization points out that these certs are "vendor-independent" -- and vendor-neutral surveys). Candidates must pass a hands-on, performance-based test to obtain FCSS certification. This credential is still under development and should be ready some time in 2004.

    GIAC -- Global Information Assurance Certification
    This cert demonstrates knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well known for its timely, focused and useful security information and certification program. A shining star on this landscape, the GIAC is aimed at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. Two new credentials have been added to this program since the last update. Certifications available include the following:

    Entry-level/basic pre-requisite:

    GIAC Information Security Fundamentals (GISF)
    GIAC Security Essentials Certification (GSEC)

    Mid-level specializations:

    GIAC Certified Firewall Analyst (GCFW)
    GIAC Certified Intrusion Analyst (GCIA)
    GIAC Certified Incident Handler (GCIH)
    GIAC Certified Windows Security Administrator (GCWN)
    GIAC Certified UNIX Security Administrator (GCUX)
    GIAC Certified Forensic Analyst (GCFA)
    GIAC IT Security Audit Essentials (GSAE)
    GIAC Systems and Network Auditor (GSNA)
    GIAC Certified Security Consultant (GCSC)

    Senior-level (all specializations, plus additional exams and work):

    GIAC Security Engineer (GSE) track

    Role-oriented credentials:

    GIAC HIPAA Security Certificate (GHSC)
    GIAC Certified ISO-17799 Specialist (G7799)
    GIAC Certified Security Leadership Certificate (GSLC)
    GIAC Solaris Gold Standard Certificate (GGSC-0200)
    GIAC Systems and Network Auditor (GSNA)
    GIAC Windows 2000 Gold Standard Certificate (GGSC-0100)

    ISSAP -- Information Systems Security Architecture Professional
    The ISSAP permits CISSPs to concentrate further in information security architecture and stresses the following elements of the CBK:

    Access control systems and methodologies
    Telecommunications and network security
    Cryptography
    Requirements analysis and security standards, guidelines and criteria
    Technology-related business continuity and disaster recovery planning (BCP and DRP).

    ISSEP -- Information Systems Security Engineering Professional
    The ISSEP permits CISSPs who work in areas related to national security to concentrate further in security engineering, in cooperation with the NSA. The ISSEP stresses the following elements of the CBK:

    Systems security engineering
    Certification and accreditation
    Technical management
    Plus, it adds profound coverage of U.S. Government information assurance regulations.

    ISSMP -- Information Systems Security Management Professional
    The ISSMP permits CISSPs to concentrate further in security management areas and stresses the following elements of the CBK:

    Enterprise security management practices
    Enterprise-wide system development security
    Overseeing compliance of operations security
    Understanding BCP, DRP and continuity of operations planning (COOP)
    Law, investigations, forensics and ethics.

    NSCP -- Network Security Certified Professional
    The NSCP demonstrates the ability to design and implement organizational security strategies, and secure the network perimeter and component systems. It is an intermediate-level IT security certification aimed at network or systems administrators with heavy security responsibilities or those who work full-time on IT security matters.

    PCI -- Professional Certified Investigator
    This is a high-level certification from the American Society for Industrial Security (ASIS is also home to the CPP and PSP certifications) for those who specialize in investigating potential cybercrimes. Thus, in addition to technical skills, this certification concentrates on testing individuals' knowledge of legal and evidentiary matters required to present investigations in a court of law, including case management, evidence collection and case presentation. This cert requires seven to nine years of investigation experience, with at least three years in case management (a bachelor's degree or higher counts for up to two years of such experience) and a clean legal record for candidates.

    PSP -- Physical Security Professional
    Another high-level security certification from ASIS, this program focuses on matters relevant to maintaining security and integrity of the premises, and access controls over the devices and components of an IT infrastructure. Key topics covered include physical security assessment, and selection and implementation of appropriate integrated physical security measures. Requirements include five years of experience in physical security, a high school diploma (or GED) and a clean criminal record.

    SCNA -- Security Certified Network Architect
    This is a mid- to senior-level security certification that focuses on concepts, planning and implementation of Private Key Infrastructure and biometric authentication and identification systems. Individuals who attain this certification will be able to implement either or both of these technologies within organizations or as consultants to such organizations.

    SCNP -- Security Certified Network Professional
    This is an entry- to mid-level security certification that focuses on two primary topics: firewalls and intrusion detection. Related curriculum and exams cover network security fundamentals, and network defense and countermeasures. Individuals who attain this certification will be able to work as full-time IT security professionals with an operations focus.

    Security+
    This is an entry-level security certification that focuses on important security fundamentals related to security concepts and theory, as well as best operational practices. In addition to functioning as a standalone exam for CompTIA, Microsoft accepts the Security+ as an alternative to one of the specialization exams for the MCSA and MCSE Messaging and Security specializations.

    SSCP -- Systems Security Certified Practitioner
    The entry-level precursor to the ISC-squared's CISSP covered previously in this survey, the SSCP exam covers seven of the 10 domains in the CISSP Common Body of Knowledge. The exam focuses more on operational and administrative issues relevant to information security and less on information policy design, risk assessment details and other business analysis skills that are more germane to a senior IT security professional (and less so to a day-to-day security administrator, which is where the SSCP is really focused).

    TICSA -- TruSecure ICSA Certified Security Associate
    TICSA demonstrates basic familiarity with vendor-neutral system- and network-security principles, practices and technologies. It is an entry-level security certification for network or system administrators and for those interested in climbing the first rung in a security certification ladder suitable for full-time IT security work.
    Cheers:
    DjM

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    For a more detailed look at various certs (some listed above) you might want to visit GoCertify. This has been one of the places I look for both security and non-security specific certs.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Junior Member
    Join Date
    Jul 2004
    Posts
    12
    For all the "newbies" in security. ISC2 also offers the SSCP which is a down-scale version of the CISSP. It is geared more toward people with limited security experience and requires 1 year in a security related field. The CISSP requires four but it's cumulative, which means that the virus that you took off of your mom's computer in the 9th grade can count as security experience. Check them out.

    www.isc2.org

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    It is geared more toward people with limited security experience and requires 1 year in a security related field.
    Don't forget the Associates option. That is, pass the exam even if you don't have the experience. You'll become an Associate CISSP or SSCP and once you have the experience it becomes the full version.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Originally posted here by thehorse13
    You've taken my statement as "literal". Here is what I mean. I hand you a sheet of paper that says you are an ethical hacker. How does that sheet of paper prevent you from doing something unethical? Another example would be when a cop is handed a badge and takes the oath to serve and protect yet you constantly see abuses of power. There is no way to guarantee ethics, thus, there is no such thing as a "Certified Ethical Hacker". Make sense?

    Yeah, I'm aware of the CEH garbage. Again, it's a ploy to suck cash out of the dum dums who feel they need a sheet of paper to prove their "31337ness".

    Never ever be sorry to disagree. Especially when I post something. I'd rather have you press your case than not.

    --TH13
    Ahh, I get what you mean. Nothing can keep anyone from being unethical, especially not a piece of paper.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
