RE: OPST vs. CEH

["Pete Herzog" <pete () isecom org>]

William,

I'm glad to hear you are interested in taking the OPST.
However, after you take the exam, you will see they are not
similar at all.

> test taker. I have chosen to
> take both exams. You will need knowledge from
> both to become well rounded.

CEH 3.0 just recently got announced (for example at January
18, 2004 at http://www.eccouncil.org/312-50.htm) so I am
fairly unfamiliar with this new one however I do know the
OPST and OPSA well.

To be OPST or OPSA certified applies mainly to OSSTMM
testing and using ISECOM Audit Reports but is relevent for
any type of security testing.  Additionally, if you want to
use the OSSTMM to perform certified OSSTMM tests because
your insurance company, business partners, corporate
governance laws, privacy laws, etc. require it, then you
should consider taking the tests because no other
certification can accredit you for this.

The OPST and OPSA were developed to be skills tests.  This
means you can take whatever books you want into the test.
The OPST actually requires you test against test servers
which are located at La Salle University, Barcelona.  No
tricks to the tests- you can either do it or you can't.
Since these tests are about being able to do problem solving
and analysis more than say, running tools, it is not about
what you know but if you can apply what you know.  You run
any tools you want, use scripting or programming skills to
verify and simplify, and most of all, know if a server
response is real or an error in your network or test setup.
For this reason they are taught in the Masters program at La
Salle (www.salleurl.edu) and many other universities and
trade schools will offer them through 2004.  Any school who
wants to offer it can for free under the Academic Alliance
program.

Most of all, if you want to be a great ethical hacker or pen
tester then get experience.  I recommend you read, attend
presentations, forums, classes, find a mentor, and volunteer
in projects involving whitepapers, tool making, and sec
research.  You can also provide tests for free to
non-profits, schools, colleges, churches, etc. who all would
be likely to work with you to improve their security and
give you experience.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org



> -----Original Message-----
> From: Craig, William (Atlanta, GA)
> [mailto:craigw01 () unisourcelink com]
> Sent: Friday, February 06, 2004 17:35 PM
> To: 'kenzo'; pen-test () securityfocus com
> Cc: 'John Lampe'
> Subject: RE: OPST vs. CEH
>
>
>       Yes, the CEH or Certified Ethical Hacker is
> similar to the OSSTMM
> cert. It dos not cover the business side of pen
> testing and the OSSTMM dos
> not teach you enough to become a good pen tester
> ether. However the CEH
> version 3 is far more superior in measuring the
> true skills of a Pen tester.
> You are required to now and understand some form
> of computer language such
> as Cxxx / Perl / visual basic etc. You are
> required to understand how buffer
> overflow works and be able to reverse engineer
> code to find the line where
> the overflow took place. You are required to be
> able to look at some code
> and be able to identify what exploit it is etc.
> You are required to know and
> understand all forms of viruses and worms along
> with the standard components
> of pen testing. You are required to understand
> hashing of password. And be
> able to use a calculator to break down passwords.
> You are required to have
> performed and understand the following techniques
> session hijacking,
> spoofing, dll injections etc. The old version of
> CEH 2.3 was pretty easy.
> However the version 3.0 is not for the fly bye
> test taker. I have chosen to
> take both exams. You will need knowledge from
> both to become well rounded.
> My 2 cents come from experience only. I'm not
> part of any of the two groups.
> Good luck with your choice
>
> -----Original Message-----
> From: kenzo [mailto:kenzo_chin () hotmail com]
> Sent: Thursday, February 05, 2004 12:54 AM
> To: pen-test () securityfocus com
> Subject: OPST vs CEH
>
> I'm thinking about taking one of these certs.
> OPST (OSSTMM PROFESSIONAL
> SECURITY TESTER)
>  or CEH (certified ethical hacker)
> I've read about the two, and they seem to be kind
> of the same thing.
> I know that some people in here were talking
> about the opst, but what about
> the ceh?
> Has anyone taking the CEH or both?
> Please let me know.
>
> thanks.
>
> --------------------------------------------------
> -------------------------
> --------------------------------------------------
> --------------------------
>
> --------------------------------------------------
> -------------------------
> --------------------------------------------------
> --------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------