Penetration Testing mailing list archives
RE: OPST and CEH
From: "Mario Guerrero" <mguerrero () anewbroadband net>
Date: Sun, 7 Mar 2004 22:06:55 -0500
James, I believe the OPST course as presented by Revolution Technologies is very technical and complete with regards to your questions. Below are additional comments I have prepared for submittal to Pen-Test mailing list. To: Pen-test mailing list I took Feb. 2-6, 2004, the OPST Certification course offered in Ft. Lauderdale, FL by www.thinkingred.com (Revolution Technologies). I became aware of the OPST / OSSTMM course at a local meeting of ISSA (www.issa.org) where I met the Sales Director. Here are my constructive comments on my experience. ** The instructors were Taylor Banks and Ralph Echemendia, owners of Revolution Technologies. Very professional, clear in presentation. The first hour of class was spent in giving autobiographies of themselves and those in class. This set a good tone for the class since the backgrounds given were impressive and varied. ** It is an excellent course. In addition to the OSSTMM methodology presentation, ThinkingRed has added additional material based on a course they were teaching on Applied Penetration Testing which is very complete with LOTS of material on Ethical Hacking techniques. ** The OSSTMM gives you guidelines for security testing when dealing with customers (called clients after they sign a formal contract with you). It covers the period BEFORE, DURING, and AFTER the security testing is finished. ** BEFORE the security testing, "Rules of Engagement" are presented. These rules stress the importance of a written contract and ethical and logical rules to follow. Compliance with standards and legal issues are presented. Rules for estimating time for testing are also presented, of course with a caveat for taking into account complexities in the network that should be compensated with additional time. Whereas CISSP has 10 domains for information security (www.isc2.org), Isecom's (www.isecom.com) OSSTMM has areas broken down as 6 "Viewpoints" for security testing.....Information, Internet, Wireless, Physical, Process or Social Engineering. ** During - it provides the OSSTMM checklists or guidelines for each viewpoint, templates, risk assessment values, etc. The methodology gives you tips on what to do if certain vulnerabilities are discovered - how to present to the client, and discusses progress reports etc. ** After - it makes suggestions on how to present the results (including data logged) of your security test to your client. ***************************************** ThinkingRed's OSSTMM / OPST class has many labs during the course where you run practices sessions with a simulated real network environment. You get to run security tools in LINUX or WINDOWS on the same laptop. Tools such as NMAP, TCPDUMP, SING, TCPDUMP etc. Hosts on their network include Linux and Windows clients that you can footprint / enumerate. Even ran vulnerability programs (Nessus)... The course work essentially covers the OSSTMM methodology plus all of the Hacking subject areas mentioned in the HACKING EXPOSED set of books (www.hackingexposed.com). In deciding to take the course, I did review the other offerings at Intense School (CEH) (www.intenseschool.com) and SANS (GCIH) (www.sans.org). It was convenient for me that I did not have to travel to take it. I also reviewed the OPST certification goals and background and details of the OSSTMM at the ISECOM web site. I even downloaded the OSSTMM V2.1 available on the web site. Google was also very helpful (it always finds some good links). The OSSTMM course complemented security issues I had covered 14 months ago in self-studying for the CISSP certification using Vines and Krutz's s THE CISSP Prep Guide. With the CISSP I became aware of the many aspects of information security that I never knew existed, but well supported by many professionals and corporations. It is a big world out there. The OSSTMM / OPST enlightened me on how to approach, prepare, exercise, and carry through the area of security testing. What I have found existing prior to he OSSTMM were checklist or verification points to perform security evaluations...but not a complete clear process. as provided by the OSSTMM. It will surely be valuable to me as I deal with my current network customers and potential new customers / clients in the future. ************************* Bad news! I took the OPST test right atter the class and failed it, unfortunately. It relies on knowing many technologies and tests you on them. I normally self-study for my certifications and the exercise of taking a test right after a course was not my norm, but that is what happens today. I look forward to retaking it in the future. On the positive side, I look at the value I derived from the OSSTMM and Applied Penetration material that was presented. I am looking at becoming more familiar with Linux (RedHat / SUSE ) as additional valuepoint I can add to myself and for my customers / clients. My strategies and awareness for Windows has definitely been affected. The fact that I learned techniques or the "WHY" many items you take for granted are not really secure (NAT firewall with information leakage etc, for instance) was really worth knowing. ***************************** Hope the above comments are helpful for anyone else looking to attend a security course. I believe any one that I have mentioned above, including the CISSP offering, would help anyone as a step to upgrade your skills. Mario I. Guerrero, P.E., MSEE MCSE, MCNE, CISSP mario.guerrero () ieee org -----Original Message----- From: ucanbreached [mailto:ucanbreached () cox net] Sent: Friday, March 05, 2004 8:09 PM To: pen-test () securityfocus com Subject: OPST and CEH I know this has been on the list before but I never read where someone actually stated which was more technical in nature, OPST or CEH. If there are individuals out there that have some knowledge on both can you please help me. Currently, my outlook is that OPST has some technical but mostly provides a business structure and the OSSTMM methodology and the CEH is way more technical and provides training that somewhat follows the OSSTMM. I am more interested in the one that is more technical, I can develop my own methodology (although I do realize that could be a very daunting task). Comments please James --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Exchange 2003 xterrabart (Mar 03)
- <Possible follow-ups>
- RE: Exchange 2003 Meidinger Chris (Mar 04)
- RE: Exchange 2003 Ward, Jon (Mar 05)
- OPST and CEH ucanbreached (Mar 07)
- RE: OPST and CEH Mario Guerrero (Mar 08)
- RE: Exchange 2003 Ward, Jon (Mar 05)