Saturday, 20 November 2010

Pentesting with Backtrack and the OSCP certification vs more theoretical courses

I am a firm believer that IT Security certifications should include a substantial element of practical, real-world training and testing.

Having studied for and passed the CISSP and CISM certifications, I can say from experience that they don't really teach someone how to defend a company from malicious attack, nor do they cover in any detail the techniques that modern attackers use to penetrate networks.

It looks to me that CISSP, CISM, and even CEH (Certified Ethical Hacker) are a class of exam that teaches "information" rather than "knowledge". I feel that true knowledge comes from real experience, and from the practical application of information and techniques.

I am not knocking CISSP, CISM, or CEH; these certifications are great, and give a very good grounding in IT Security from either a management or a technical perspective. In addition, these certifications require you to submit proof of a certain level of work experience in IT Security.

What I am saying is that I feel security experts need real-world "offensive" experience to truly understand threats. I also feel that it is important for exams to prove practical skills, which is why I would recommend the Offensive Security courses.

A comparison: theoretical vs practical exams

CISSP is a 6-hour exam of multiple-choice questions. Read the question (several times) and then tick box A, B, C or D - for 6 hours.

It's a tough certification, and some of the questions are worded in an awkward way. It covers an extremely broad field of IT Security, so it proves you can memorize and recall lots of information, but I feel it does not prove what you can do, or what you truly know.

Compare that to an exam like OSWP (which I passed earlier this year), in which you have 4 hours to break into several secured wireless access points and write a report proving what you found and how. It's a different ball game altogether, and I have to say it was the most enjoyable exam I have ever taken!

I am currently studying Pentesting with Backtrack, which culminates in a 24-hour live pentest exam in which you have to break into various systems.

You then have a further 24 hours to write up and submit your results as a professional penetration test report. (Apparently most students stay awake and work for the full 24 hours of the pentest, so it's no walk in the park.)

What are the benefits of practical exams?

Clearly, if you are looking to be a real-world penetration tester, there is no better training, or better proof of what you know, than practical courses and exams like the ones offered by Offensive Security.

If you are a network defender, the techniques learned on a course like PwB are invaluable in teaching you the importance of patch management, secure coding, secure configurations, and the dangers of information leakage and poor passwords. It will also likely improve your general networking know-how for Linux and Windows systems.

For example, in my view there is nothing like the experience of cracking a file full of password hashes in a few seconds to give you a much better appreciation of what makes passwords secure, and to change your behaviour so that you choose better passwords.

I certainly choose better passwords now ;o)
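To make the point above concrete, here is a small dictionary cracker, added as an example for this post; it is not code from the post or from the Offensive Security course. It assumes an unsalted MD5 dump in user:hash form (a constructed sample with made-up user names), a constructed seven-word wordlist standing in for a real list such as rockyou.txt, and a handful of mangling rules (capitalise, append a suffix). Four of the digests are the well-known MD5s of "password", "123456", "letmein" and "qwerty"; the other two are computed inline from a mangled word and from a long random passphrase.

```python
import hashlib
import time

# Constructed sample dump (user:hex digest). Assumption for this example: unsalted
# MD5, as many older dumps were. The first four digests are the well-known MD5s of
# "password", "123456", "letmein" and "qwerty"; alice and dave share a password.
SAMPLE_HASHFILE = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:e10adc3949ba59abbe56e057f20f883e
carol:0d107d09f5bbe40cade3de5c71e9e9b7
dave:5f4dcc3b5aa765d61d8327deb882cf99
erin:d8578edf8458ce06fbc5bb76a58c5ca4
frank:{mangled}
grace:{strong}
""".format(
    mangled=hashlib.md5(b"Letmein2010").hexdigest(),            # weak word + year
    strong=hashlib.md5(b"orbit-velvet-thimble-cactus-47").hexdigest(),  # long random passphrase
)

# Constructed wordlist and suffix rules; a real run would use a large list and a rule file.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome", "monkey", "dragon"]
SUFFIXES = ["", "1", "123", "2010", "!"]


def parse_hashfile(text):
    """Index the dump as {digest: [users]} so one candidate hash is checked
    against every user at once. This trick only works because the hashes are unsalted."""
    by_hash = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        by_hash.setdefault(digest.lower(), []).append(user)
    return by_hash


def candidates(words, suffixes):
    """Minimal rule engine: each word as-is and Capitalised, with each suffix appended."""
    for word in words:
        for variant in (word, word.capitalize()):
            for suffix in suffixes:
                yield variant + suffix


def crack(hashfile_text, words=WORDLIST, suffixes=SUFFIXES, algo="md5"):
    """Dictionary attack against an unsalted dump.

    Returns (cracked {user: password}, uncracked [users], candidates tried, seconds)."""
    by_hash = parse_hashfile(hashfile_text)
    cracked = {}
    tried = 0
    start = time.perf_counter()
    for cand in candidates(words, suffixes):
        tried += 1
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if digest in by_hash:
            # One hash computation recovers every user who chose this password.
            for user in by_hash.pop(digest):
                cracked[user] = cand
        if not by_hash:
            break
    seconds = time.perf_counter() - start
    uncracked = sorted(u for users in by_hash.values() for u in users)
    return cracked, uncracked, tried, seconds


if __name__ == "__main__":
    cracked, uncracked, tried, seconds = crack(SAMPLE_HASHFILE)
    for user, password in sorted(cracked.items()):
        print(f"{user:8s} {password}")
    print(f"{len(cracked)} cracked, {len(uncracked)} uncracked ({uncracked}), "
          f"{tried} candidates in {seconds * 1000:.2f} ms")
```

Six of the seven accounts fall to seventy candidates in well under a millisecond; only the long random passphrase survives, and it would survive a far larger wordlist for the same reason. The `by_hash` lookup is also the lesson about salting: because the dump is unsalted, a single MD5 computation tests a candidate against every user simultaneously, and a per-user salt (or a deliberately slow hash such as bcrypt) removes that shortcut.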

My recommendation

To be a well-rounded and knowledgeable IT Security professional, you need a mix of training and certifications, some theoretical and some very practical.

1 comment:

  1. Great speech bro.. you just said it all... I will be starting Offensive Security soon. Those dudes are really good, I have read a lot about them...