Gotta Catch ‘Em All – Cybersecurity Certificates


There’s a saying in martial arts, “the black belt is just the beginning of the journey”. I believe the same can be applied to cybersecurity certifications; the OSCP (as an example) is equivalent to a black belt, and while many view it as the end of the journey, arguably it is just the beginning.

Just as each martial arts style confers its own certifications (belts), so it is in the cyber world. Paul Jerimy maintains a security certification roadmap showing 399 security certifications, broken out by category and difficulty. Within the Security Operations section alone, there are over fifty penetration test certifications.

So, what have I obtained?

(Certifications marked with an asterisk are not in the penetration testing section of the roadmap.)

When it comes to martial arts, there is a divide between legitimate studios, where the focus is on skill, and cash grabs (the McDojo). The same is true of the cyber security certification industry. Receiving a black belt from a McDojo, or its cyber security certification equivalent, should be celebrated, but realize that the tested level of knowledge isn’t there.

My opinion is that EC-Council epitomizes the McDojo. CEH was my first certification, and upon passing, I felt like I was ready to take on the world! Numerous job postings include CEH in their list of desired/required certifications. So it must be great, right? No. CEH (and EC-Council as a whole) is a marketing machine, getting people energized over buzzwords that provide minimal (at best) return on investment. While CEH (and other EC-Council certifications) check off some DoD 8570 baseline criteria, there are better alternatives (more on that below).

The two certifications I received from IACRB were from boot camps. They were both multiple-choice exams, similar to CEH, and arguably provide no gauge of one’s ability to pentest. The instructor told me there used to be an additional practical component. Nevertheless, at the time I tested for and received both certifications, they were purely multiple-choice exams.

CompTIA is an interesting dichotomy. Security+ is a good baseline of security concepts. Passing Security+ will not make you a security engineer but helps confirm you can talk the talk (it does not validate that you can walk the walk). The value of their more advanced certifications is questionable. Working as a pentester, I cannot speak to the validity of CySA+ or CASP+ (except to say that CASP+ recommends ten years in IT administration, and I was nowhere near that when I took the exam). However, I do believe CompTIA’s advanced certs can provide some (limited) value. Looking at DoD 8570 baseline certifications, CySA+ checks all the same boxes as CEH (and then some), and CASP+ covers nearly all the boxes that CISSP does. (Eligibility requirements for CISSP are very strict, so CASP+ may be a viable option for someone needing to meet DoD requirements.) Concerning PenTest+, much like CEH, it boosts your confidence in knowing the names of various tools that may be used but does not determine your qualifications as a pentester.

Offensive Security’s OSCP is viewed by many as the gold standard of pentesting. Following the philosophy that a black belt is just the beginning, I would classify OSCP in the same vein. To pass, you have to have a baseline set of skills as it is a 24-hour hands-on exam, but there is so much more to learn. Passing OSCP does not necessarily mean you are ready to become a junior pentester but demonstrates you have the potential and aptitude. And being the gold standard, it is the certification that is likely to open the most doors in the quest for landing a junior pentest role.

Similar to OSCP, eLearnSecurity’s eCPPT requires a hands-on exam to pass, with a twist. eCPPT is more representative of a real pentest than OSCP. Why? Networked machines that require an attack chain, identifying additional vulnerabilities that are not part of the attack chain, and a more thorough report. Unfortunately, it lacks the recognition of OSCP, so it may be more challenging for an aspiring junior pentester to land an interview with eCPPT instead of OSCP.

I couldn’t find the origin of the saying “Hindsight is 20/20”, and while I do not fully believe it (you may be aware of the mistakes you made, but unaware of the mistakes you alternatively didn’t make), it nevertheless is applicable here. If I knew then what I know now, would I have taken the same certifications? Absolutely NOT! I do believe Security+, OSCP, and eCPPT provided a good ROI, but definitely not the others. In their place, I wish I had taken eJPT (eLearnSecurity Junior Penetration Tester) and PNPT (Practical Network Penetration Tester from TCM Security Academy), along with more lab time (HTB [Hack The Box], THM [Try Hack Me], VHL [Virtual Hacking Labs], Proving Grounds, and a plethora of others).

Again, this reflects my completed certification journey to date (with far more learnings to come, from certifications and more). Whether you wish to become a pentester or work on the defensive side of the house, I encourage you to determine your goal and, with that goal in mind, explore what’s out there and what will help you best achieve it within the confines of your personal and professional situation.