lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
020d324edba8c5bab6dfdc9d45b0267059868edd
hpr-knowledge-base/hpr_transcripts/hpr0533.txt

1085 lines
55 KiB
Plaintext
Raw Normal View History

Initial commit: HPR Knowledge Base MCP Server - MCP server with stdio transport for local use - Search episodes, transcripts, hosts, and series - 4,511 episodes with metadata and transcripts - Data loader with in-memory JSON storage 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00
Episode: 533
Title: HPR0533: Professional Certs versus Hacker Degree
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0533/hpr0533.mp3
Transcribed: 2025-10-07 22:40:12
---
movie.
The interview you're about to hear was originally recorded for the TrackSec podcast.
We can find out more about the TrackSec podcast at www.tracksec.com.
Hello podcast listeners and welcome to the TrackSec technical segment.
We've just had the Pete Wood interview, which you guys know it was the one that stayed on all the way through.
Very, very good interview and once again I'd like to thank Pete Wood for coming on to the line.
Fantastic FM.
What we wanted to do was talk to you guys today about, you know, kind of like an issue that's close to our heart, which is, you know, certainly for half of the hosts on the show have been involved in hacking degrees.
And for the other half, well for Chris, you've done professional qualifications.
So kind of today what we wanted to do was talk about routes of getting into ethical hacking and penetration testing.
And although it's not like aim to be a definitive guide, it's really just kind of a discussion of routes that are available and what choices are for people.
I mean in the UK, a number of universities now are offering a host of degrees that aim to produce graduates for the skills required to be like effective ethical hackers and penetration testers.
And I mean like I say that we've got a list of a Kotler universities in the UK that are offering hacking degrees.
This is not a definitive list and there's always worth you having to check about.
But there's obviously Arbiter University in Dundee, which I was at in Northumbria, which Tom was at and Ryan Duhurst was on, down from the web apps, the Sunderland leads Matt and Coventry.
Now I have to be honest with people on this call, I don't know anything about Sunderland or the leads Matt and the Coventry one.
So what we're going to quickly do is just run across a couple of the professional qualifications that are out there and then just kind of get into a debate about the things that you can learn and the best ways of getting into it.
And like I say, I mean, I've got to clear a bit of an interest in here. I sit a little bit on the fence.
For most parts, I'm self-taught, but I've like to say I've formally received university education for ethical hackers.
Although I didn't do my fourth year, I did three years. I do quite a lot of what I'm able to do now from a time at university.
However, being self-taught before I got to university made it an awful lot easier.
So that side, I suppose, we should really start off with asking the other hosts what their views are about hacking degrees and safe meeting Tom can kind of answer some questions between us.
Well, we've got on the text segment today, Robert Leidman wasn't able to join us, but it is Chris John Reilly and Tom. Chris, what are your views on ethical hacking degrees?
I mean, it's something I've talked previously with Ryan, who is on episode one regarding the university degrees.
I've always seen security qualifications as more of something you kind of grow into.
It's not something that I think people can come out of school age of 16 and go, I want to work in security and go off to university and learn that for four or five years and then come out going, wow, I know everything about security.
A lot of people or at least most of the people who I know in the industry didn't use that method of getting into ethical hacking or working in security.
They moved through network support, server support, desktop support or coming from the other direction from development and then kind of gradually moved more towards security because it's what they wanted to do or they got to that point in their career where it was.
I've done this for so long, I want to do something new and security was that something new for them.
So I mean, I've always seen the university degrees as the university is kind of jumping on the bandwagon saying, yeah, sure, we can do that too.
Get in and get in an instructor who knows something about security and then they spend two years learning every aspect of security and at the end of it, they're suddenly meant to know just as much as someone who's been in the industry for ten years.
I kind of find that hard to understand and not having gone through that university process myself.
The question I have is how deep is that knowledge? Are we creating through these university classes the CISSP of ethical hackers?
An ethical hacker who has a broad knowledge but very, very thin.
If you speak to someone who comes from a university who does ethical hacking and say, what do you know about VoIP?
What do you know about VoIP security? They could probably discuss that with you for a couple of minutes.
But then if you ask them, well, what does the protocol look like?
Do they know to that level of depth really what things look like at a protocol layer, which is what I personally think is required?
The question that would ask at that point, would you expect a professionally certified penetration test or ethical hacker to have that same degree of knowledge as well?
You've gone through some of the professional certifications that certainly that HR departments look at and pick on the certified ethical hacker.
Would you expect someone who has done that course to be able to explain to you a VoIP data bug out?
With C-H, it's kind of different. I mean, people know what my impressions are of C-H. I've written about it previously.
I mean, I'm picking on you slightly, but I think you get my point that...
No, I understand what you mean, but as with everything, with professional qualifications, C-H is what it is.
It's a weak long course where you learn about hacking. You couldn't learn everything you need to know in a week.
With quite a lot of other things as well, a lot of the professional qualifications, they have to be very focused on specific areas.
Two types of professional qualifications. You either get things like the C-H, the security plus, things like the C-SSP, which tend to be very, very broad, but very unspecific in their information.
You spend an hour discussing VoIP because you need to know the basics of it and you need to know what the security issues are, but very, very light.
You probably won't do any hands-on stuff with it because the equipment's not available or the lab's not set up for it, but you'll talk about it for half an hour to an hour.
Maybe you'll look at one or two tools that you could use to test the security of it and then straight onto the next topic.
And then on the other side of it, you've got people like the Sands Institute, who I've done a number of courses with, who take it from the other point of view where they say,
we'll look, people need to know everything about this topic and specifically talking about VoIP. They now have a six-day VoIP security class where you go in on day one and they take it from the point of view, if you know nothing about VoIP at all, they take you through the pros and cons, why it's become so prevalent.
They take you through the issues that it causes, the environment that it needs to be set up in, whether you're using VLANs, what the supporting infrastructure is, what the packets look like, what SIP is, what RTP is.
What the Cisco skinny protocol looks like, how these things can be exploited, how these things can be secured, but Sands do that in a very, very specific way.
And in six days, you spend a lot of time looking at their technology, but even after six days, you're not going to walk out as an expert.
I've always thought of security as more of something that you, if you go on one of these classes, when you come back, you need to really want to build on that.
You need to really want to go further and look more in depth and really kind of learn more for yourself, because if you're just expecting any class to teach you everything you need to know, then you're not going to spend along in this industry.
So why do we, in this case, expect graduates that have done three years at a university doing just as a wide broad of subjects as well to be able to a certain level.
I mean, I personally, I mean, this is not criticism of the hacking courses, but I think it's unrealistic for us to expect graduates to be anything other than entry, level, and security.
I don't think that I don't think that it's gone under the four-year course because they do honors. And then England, it's a three-year course, isn't it Tom?
Yeah, that's right. I mean, we do have a third year as a place, and if you have that, where you are.
Yeah, yeah. But you're only doing three years of study.
Yeah, three years of study. That's right, yeah.
Yeah, I mean, I think there's no, I mean, anyone that follows us on Twitter or another, I asked the question about what professional qualifications people think takes to be the students.
It takes to be the bare minimum someone needs to get to get into ethical hacking.
And I got a mixed results back, but very few of them actually indicated any qualifications.
A lot of people said that being self-taught, being passionate, being all, you know, expecting hacking not to be a 95 job, being fully committed to it.
That was a prerequisite. I mean, I've been self-taught for a lot of the stuff that I've learned.
And I think it's a key asset that any ethical hacker or penetration tester needs.
I mean, Tom, what are your views on the ethical hacker and degree course now? What are your views on the hacking course?
I think the course in itself is all right. I do find that most of what I learned is from what I've self-taught myself or read, you know, from Twitter or from articles on the internet.
I think it's fair to see what I'm getting at your best is an outline of knowledge. I think what I've learned is more the ethics, especially in my first semester.
It was all ethics before people thought it was about anything else. I mean, I'm pretty sure we're not going to be shown anything that's going to be, you know, that's going to blow my mind too much.
But something that really is, it's not, I'm not supposed to get in on my nerves, but something that is like, there is something that I didn't expect as much as I'm doing all of it.
I think that I didn't really relate packing as much, like at the moment I'm doing a lot of work on computer architecture, so how process of work is going to start and read stuff like that.
That's what I'm doing at the moment. It's quite difficult to get my head around why I'm going to use that, but, you know, I'm just putting it away.
But I think my personal opinion is that the course is good, but only if you're willing to build on it.
I like a lot of people on my course at the moment, if I literally swept the course, did the work and then came home and did nothing, wasn't involved in any security related stuff outside of university.
I wouldn't know half as much as I know now, and probably wouldn't have as much passion as I do for it.
This is one of the big credits that I put to going to university and doing some formal part of ethical hacking was the place of being put in an environment that promotes you to be an ethical hacker.
Most people being self-taught don't have the benefit of that environment. I went to classes with other ethical hackers.
We had a lab where, you know, it was okay to be an ethical hacker. It was okay to have day-to-day people that I met every day that were doing the same things as I was, and I enjoyed that aspect very, very much.
My worry is that if you take someone out of that environment where they don't have class peers to help them get through or to bounce ideas off or for motivation, if that, because I think if you leave university thinking that you don't have to spend any or any qualification for that matter of professional certified or degrees or anything like that, if you leave that qualification,
and don't think that you have to invest any more time in learning, then you're going to be solely disappointed to certainly in our business.
So I just wonder if we have this nice structured, warm learning environment that we then take these people used to that and put them into maybe a hostile, very fast-paced assimilation of data that it might not be so used to.
Do you, I mean, do I sound like I'm talking rubbish or does that make sense?
I do agree with you completely. I mean, I think that's one of the biggest reasons why we do have a place to get is so that you can understand exactly what the industry itself is like.
And another thing that I don't struggle with, but it's on my mind is that obviously we're being taught all about hacking and, you know, we do have the labs and stuff.
But, you know, there are a few people on the course that think, you know, you think a few things about it and maybe, you know, wrongly, but is it right, you know, to let a year-old mess about with,
because they may be not understanding, go home on their own, you know, networks at home, mess about with it, and then suddenly it leaks out.
I mean, for example, we've got to give them a source code to a trojan, to tell how to compile it and stuff.
And, you know, it was like, don't put this on the internet.
We're going to do people on the course that I do believe are probably going to do that.
So, you know, that's the aspect of the ethics as well.
You're always going to get people who are going to abuse things that they learn.
And it's whether you're in a university environment or you're paying for the class or you're learning online, you're doing things yourself in a lab and just downloading things from the web and playing around with them, there's always going to be people who are going to abuse that.
So, I don't think that's something specific to the university hacking courses.
But going back to what you were saying.
Oh, well, it's more dangerous.
A camera store, a hacker.
You know what I mean? Who can do more damage?
I mean, it's irrelevant at the end of the day.
I mean, a rogue can be just as dangerous as a hacker.
I suppose a damage a hacker can do his date or a damage a rogue can do his kill someone.
But what you were saying, Chris, sorry for jumping.
Yeah, I mean, actually, I wanted to go back to what you were saying was about people coming out of university
and from my point of view, university really teaches people the theory of how things should work.
The problem that I know I've fallen into and I'm sure many other people have is if you read a book about hacking, it doesn't mean you know how to hack.
If you read a book about hacking and you understand how everything functions and you seem quite a lot of time to get it into your head.
Yeah, I can do that. That's not a problem.
But the first time you're actually faced with actually having to do it, it's a very different thing.
You know, reading about it, understanding it and knowing what tools do, what, knowing how to dissect packets in a certain way.
So you can gain information about a remote system or fragment packets to a VAD IDS.
If you understand how it works, that's the first hurdle.
But then when you actually have to sit there and do it, that's a whole different thing.
And it takes a different skill set to be able to translate that from understanding and reading to actually being able to do it.
And there are people who can't translate that from one to the other.
There is some of the people on the crosshair, just as passionate as me, you know, to do a security.
And we do, they probably want every week.
Now we do get together and we've got, we actually set up our own lab.
We've got one of the guys on our course who's really into service.
He's got about five to six different service that he's bought and built.
So what we do is we get together, you know, put a few operating systems on there,
mess about with, you know, some exploits that we've heard about and, you know,
some of the things that we've seen on Twitter or on there in the news and that.
And then we have a look at it and obviously that like what you're saying there Chris is about, you know,
learning as well as just reading.
And that is probably one of the biggest things to do with the cost that, you know,
probably the biggest thing is that it's an ethical hacking cost, but it's the ethical hacking theory.
And it's the ethical hacking ethic.
It isn't, you know, what would not learn is, you know, all this stuff.
I mean, all this stuff that you're saying you would expect professionals to know.
It's like, you know, like you're trying to argue something that I don't know.
So I think I think the, I think the biggest thing here is that, yeah, it might be good, you know,
get socializing and suppose you're in the best ear.
But you are learning.
You are learning.
There's a thing that, that, you know, it's probably worth me pointing out as well Chris,
that certainly in my experience, there is a lot of hands-on practical stuff going on
in ethically.
You know, we have an ethical hacking, you know, there is an ethical hacking lab that's for ethical hacking students
to go into at any time that have lectures and that have lab time performing.
Now, okay, maybe not state that their hearts are hacks, but I don't think,
for you to start understanding certain hacks, it needs to be the latest and greatest.
And when they all just ones are probably the best at understanding principles.
But I think any ethical hacking student needs to be, in my opinion,
or fail with using virtualized technologies so that can virtualize operating systems
and practice, practice, and practice.
In my opinion, you know what I mean?
But it's not like, it's not like an ethical hacker goes to university and they spend
15 hours a week in theory talks about ethical hacking.
It's not as, it's not as content dry as that, you know, there's a lot of,
there's a lot of practical stuff involved in it.
And for me, my criticisms, and I always made them known when I was at university,
was there was a lot of auxiliary stuff that we did that I didn't think was particularly pertinent to ethical hacking.
You know, I did a module in web standards, you know, and I failed to understand,
I failed to understand in any realm why that is relative, why that should take more,
that takes half a term to do in web standards for three hours.
No, I think that comes from universities wanting to run this kind of class,
but not really knowing what they should put into it.
And I've seen it before, I've seen it here in Austria where it becomes very much,
we need to fill this many hours, what do we fill it with?
Well, I don't know, what can you teach?
Instead of what should we teach, it's what can you teach?
The three of us at the end school could talk infinitely about things more important
that could be filled up in that time than web standards.
And that's true.
How wonderful.
But I mean, yeah.
This is something I've been wanting to touch on.
The people that teach at universities, quite a lot.
Sorry, I'm sorry.
The people who teach at universities quite a lot don't,
they're not always the people who are actually doing this for a living.
You do get people who go to universities and teach about ethical hacking,
who do it for a living.
But you also get quite a lot of universities who simply expect someone to learn it so they can teach it.
And I think it's just as hard for a computer to teach it.
Yeah, exactly.
Read a book, teach it.
Yeah, I mean, I have seen people, no criticism here either,
that maybe you've been a lecturer in a particular subject
and we sent off to do a five day course that maybe we referred to early run
and those were qualified to lecture for second and third year old,
third year ethical hackers.
I don't think that that's not my place to say if that's right or wrong,
but you know, you know, sure listeners can take out of that what they want.
I mean, you can't, I mean, I think how you teach ethical hackers.
For me, I've talked about this, you know, with lecturers before.
And the first and foremost, what they do is they do a computer degree
with a special, you know, a speciality on the top of it.
And that's the reality of what ethical hacking degree is,
is that in reality it's a computing degree with a speciality in ethical hacking.
So yeah, but I think academically how you teach ethical hackers
has to be different to how you would teach, you know,
games tech students or, or, you know what I mean?
Or, you know, it's because it reliant on mindsets and stuff like that.
Either that or the entry requirement for them has to be different
and there must be some form of aptitude test as such, which I mean.
And I'm saying that there's no guarantee that I would have got through that way.
So, I mean, I could be cutting my own throat without suggesting.
I mean, go about what you're saying about Web standards.
I prefer to have Web standards.
We did a module on N.
We did a module on writing.
How to write.
Yeah, literally we got told Web to put the postrophy.
And like we were saying before,
the course has literally been given allocated so many hours
and they need to fill this many hours for it to be a competent course.
And they thought, do that.
Yeah, we'll just chuck in.
We'll chuck in how Web for the postrophy.
And then every beginning of the course.
Yeah, I mean, for me, the other thing that for me,
and, you know, I'm sure it'll been shot by class peers who are saying this as well,
I don't think there's a lot of business actionments kind of being taught either.
That it's easy to get caught up on ethical hacker should be this, this, and this.
But we did a law module when I first started and they pulled the law module out of the ethical hacking degree.
And for that, for me, I think being able to read and understand non disclosure agreements,
being able to look at master service agreements and project specs.
And as a professional and being able to assemble that information and know the boundaries
and the legal requirements and so on and so forth.
And not just that, but how to write a business report for, you know,
and I know that that maybe sounds dull and boring.
But for some of us, that's the face of what we have to do in business as well.
Certainly, if you're, certainly, if you're going to be looking at yourself contracting,
you need to be able to hold yourself up against two or three businesses in that partnership.
I think, you know, if you were doing an accountancy degree,
there might equate that you're going to be functioning in a professional business environment.
I don't think the same respect is maybe given for ethical hacking,
that, you know, penetration testers have to work in professional environments.
And that's another concern that I may have.
I mean, Chris, in your time, I mean, would you say that you've had to be able to deal with
a vast array of customers and clients and have a, almost be professional?
I know that's a strange question asked someone,
but do you get the drift of what I'm trying to ask you?
Oh, yeah. I mean, I mean, I've always said that if you can't write and communicate your findings,
you can't present your findings in a way where people have not only understand what you're trying to say,
but also respect what you're trying to say, then there is no point in doing the test at all.
I mean, I've seen presentations that are technically perfect.
Everything that the person has said has been 100% technical.
Yet, they make, you know, some key flaws.
They're talking to management people and they're talking about packet captures
and they're talking about how this reset packet was sent and this and that.
And for me, that was fine because I'm on a technical level.
I understand what the guy's saying.
I really want to hear that technical level, but he just didn't take into consideration
that he's talking to three management people who are just nodding and going,
I have no idea what this idea is saying.
He's doing the right thing, but at the wrong time.
And it's very easy to do and it's something you have to learn.
And if someone doesn't come to you and say, look, you know,
that was a great presentation, but you should do this and this and this.
You really don't realize it because you just think, well, if he's too stupid to understand it's his fault.
Problem is, if that's a client, if they're too stupid to understand,
they're not going to come back to you because they're the ones who are right.
They're the client.
If you present a two technical level or you present a two, not enough technical level
or your report is too technical, not technical enough, too long, too short,
or as you were saying Tom, full of punctuation and spelling mistakes,
some people in management would take that as a bad sign.
If you write a report and there's punctuation and there's spelling mistakes,
then even though the technical people could be very happy with your work,
they're not the ones who paid the bill.
The ones who paid the bill is the guy further up the chain who just wants to read the management summary.
And they want to read just the management summary
and quite a lot of people who I've met who do ethical hacking and pen testing,
they don't know how to write a management summary.
They're just, well, I just write technical stuff.
Yeah, to be fair, at the moment, what we're actually doing,
all of our projects at the minute in ethical, in our ethical hacking module,
is we're working forward constantly and doing some not information gathering.
It's basically like passive testing, so you know, right?
And how, what we can do with the URL,
and if we can find, you know, FTP also,
ever in the website, you know, if indexing is allowed,
stuff like that.
And I mean, we're actually presenting that to them at the end of our life findings.
I think it's in April.
So the company's actually coming in and we have to address it smart
and do this presentation for them,
to make sure you know that obviously well-earned in our opinion,
and we do a module called consultancy,
which is, we actually team up with the business students.
And we do, we get given a fake company,
and we get given, you know, all getting given roles within that company to do,
so like, one of the business students,
a project manager,
and we're at the web field and we actually make sure it's also secure.
And at the end, we have to present it to them,
and we're going to be able to do that.
So we're going to be able to make sure it's also secure.
And at the end, we have to present it to our tutors,
and then I'll find out.
The first section of that I was sitting there seeing,
that sounds absolutely awesome.
And then you've got kind of, we'll do different roles,
and you know, we'll be the web designer.
And it reminded me so much of a module that I had,
which was called keen-based problem solving,
which apparently was, you know, another thing that ethical hacker should have,
you know, being elder to working multi-disciplinary teams.
And absolutely, I couldn't agree with, I couldn't agree anymore with that.
But with it being completely lack of realism,
like, you know, being asked to be a web developer,
when you're an ethical hacker.
You know what I mean?
That the project should relate the skill sets of the people being involved.
You know what I mean?
So that was my criticism of it, but, you know,
who am I to judge on these things?
I mean, what I want to do is just run down kind of like
a couple of the professional qualifications,
and see what people say, you know,
if you think that this is a good route or a good qualification to go through,
have a quick talk about them.
I mean, we'll start off with, we've already touched on this one before,
but the CEH, the Certified Ethical Hacker,
I haven't done it.
I know Chris has done it.
I've heard Chris talk about it.
And...
Do I make you bluff?
I, my ear was sore for a couple of days.
Yeah.
I mean, I think one thing we need to make perfectly clear
with anything we're going to talk about here in regards to qualifications and certifications,
it depends who's teaching the class.
I've heard a lot of people talk about CEH very badly,
and I've heard a lot of people talk about CEH and say it was very, very good,
and it's very much dependent on what the teacher does,
how a teacher runs the class,
and what you do over and above what the CEH requires you to learn.
And I would just like to say,
my findings with CEH and EC Council in general were on the worst side,
it could well be that there's been at least one version upgrade since I took the class,
maybe they've brought it back into line,
and maybe it's a bit better than it was previously.
Yeah.
This is just in reality,
the Certified Ethical Hacker is just really...
It's not really supposed to act as kind of like a seal of approval
that you have a base level of understanding,
and it's not supposed to,
it's not being any more than that.
It's just this person has, in our opinion,
the required skillset to do ethical hacking.
I don't think it doesn't really do anything else, does it?
Well, when I took it...
When I took it, it was purely tools.
You pretty much end up with huge volumes of books,
with screenshots on every tool that does every single thing.
There's very little focus on understanding
what these tools actually do in the background,
and how they really function.
It's purely...
If you want to do this, this tool does it.
If you want to do that, then use this tool.
And I go in completely the other direction,
is in my personal opinion,
there's always been, and I've said it before,
probably on this podcast and others,
but if you get a tool,
then the first thing you should do is run in a wire shark,
and learn how it really works, and what it's really doing.
I'm one of these sad people who,
if I can do it manually,
with using Skape,
or using some other kind of things like TCP trace route,
instead of Firewalk, things like that,
I'd rather do it manually,
so that I have as much control over what I'm doing as possible.
And CEH goes in the direction of,
you don't need to know what it does,
you just need to know how to get the results out.
And that's where I disagree with what they do.
So...
So I'm back for what you said before,
and I've had a basic understanding
of our ethical hacking program leader.
He's actually wanting to get his certificate
put in at the end of our course,
so that not only have we got the degree,
but we've also got the certificate as well.
And then he actually doesn't want to incorporate
the Firewalk hack in.
He wants to try and get something out of him,
because he says that he doesn't mind personally himself either.
Yeah, so our opinions...
I mean, do we think that the CEH would help anyone
trying to get into ethical hacking?
I imagine the CEH is probably somewhere
on some HR gateway keeper for business.
So in my book,
do we think it's critical
for getting into the business,
you know, from what I've heard of it
and from what certainly you do
have said about it,
probably not the most critical qualification
to go out and get in your life.
I mean, it does hold a place,
but it's not first on my list.
I think it's one of those qualifications
you can probably do if you've been working
in network support
or any kind of highly technical discipline
for five, six years,
and you want to take from supports
or management.
Yeah, it's really kind of a gateway.
I want to move from this into security.
Maybe I'll do a CEH
so that I have something on my CV
that says I now do security as well.
But even then, it's a tentative at best.
I mean, it's never seen
over to your qualification that was paid for me.
So, you know,
if anybody wants to pay for it,
I'll definitely do it.
But it depends on which it costs, doesn't it?
I mean, how much do you have to pay for yours for it?
Oh, I did a lot of training altogether
and it was all bundled together
and I can't remember how much it was now,
but I mean, it's not cheap.
You know, CEH,
depending on where you do it,
it could be anything between you.
You know, 1,500 pounds,
2,000, 2,500,
it's not cheap.
Yeah, that doesn't really get you a lot.
Neither is four years at university either.
I mean, four years at university is not particularly cheap.
Well,
if you invested that sort of money into your professional career,
I mean, let me know if you think about what,
what would you be telling me,
maybe 20,000 pounds in debt
by the time you finish your qualification?
If you had 20,000,
of course, if you had 20,000 pounds
to put into professional certification,
you'd expect to fare a whack for that actually.
Oh, yeah, yeah, you would.
And there's actually some universities in the UK
that are teaming with the Sands Institute.
I can't remember them off-hand,
which ones they are,
but they're actually doing university training in the UK
where you will learn to the Sands curriculum.
And at the end of the university,
you'll get a degree,
as well as a number of Sands certificates.
That's the question.
Why did you just try to do?
Yeah.
But it's very hard.
Oh, yeah.
The next one I wanted to talk about was the OACP,
the Offensive Security Certified Professional.
It's basically done by the Offensive Security Guys.
And that's using back,
that's basically kind of understanding,
like, concepts to pen testing with backtrack.
And it's a totally online qualification,
and I think, am I right, Chris?
It's done online, isn't it?
It's not like that.
There's two ways where they run it.
They run an actual actual class at events
like Black Hat Europe, Black Hat US.
And I think they're doing a few others now as well.
But I mean, a couple of times a year,
they do an actual hands-on class.
But most of the time,
this is a distance learning thing.
You'll get obviously the software backtracked to free,
so just go and download it.
But you're also getting videos, flash videos,
and PDF, and various.
You also get access to forums and email support and things like that.
So it's very much, kind of, do it yourself, hands off.
Here's the information, go away,
and learn that, practice yourself.
But at the end of it, the exam isn't your typical standard,
multiple-toist question that most people go with.
It's a 24-hour hack challenge.
You have to hack a system.
They give you access through VPN to a testing system.
And you have to exploit the system.
Download the hashes from the box, export, crack the hashes,
log into the second box.
And basically, I haven't actually gone through the exam personally,
but I know some people who have,
and they say it's a very, very realistic test.
Basically, if you come out having this qualification,
and it's something you can say that this person can actually do
what they say they can do.
They can't just answer questions.
They can really actually do it.
I mean, I've not done it either,
but it's that sometimes actually on my list of things to do.
I think you've said the same to me prior to the call start,
as well, didn't you, Chris, that this is?
Yeah, I mean, what I like about it is add it to do it yourself thing.
I think it's 500 euros.
I think it's 500 euros, 500 pounds,
for the do it yourself.
That's a third of the cost of C-E-H at its cheapest.
And I personally think it's at least three times more popular.
However, with that said, if you go up to anyone who works for HR
and say, I'm O-S-C-P, they'll look at you blankly and go,
is that anything like a C-E-H?
Which is depressing.
That's more of a, if you're in the industry,
and you've got that qualification,
and if people know what it is, then it means something.
But if you go to your average HR, they're not going to know what it is.
But for entry level, for getting yourself ready,
and if you want, looking for a career and penetration testing,
if you can get that, that will be agreed that it's at least a beginning,
probably better for someone wanting to get in with that HR problem.
But the reality, I would also say,
from what I know, the O-S-C-P is not an entry level qualification.
It's, I mean, I've had that.
You've got to have a fair bit of experience before you start doing this.
I mean, the prerequisites is you should know Windows,
you should know Linux, you should be able to run standard penetration testing,
ethical hacking tools, before you even start doing the class,
whereas other entry level staff says you know how to use a mouse.
It's pretty much the prerequisite, so.
The other one is, we see this a lot,
and this is certainly not an entry level qualification by any chance here.
But the CISSP, the Certified Information System Security Professional,
which is basically almost like a defact
of certain industries involved in security,
I certainly don't have one.
Pete, with the interviewee from this episode, he's TISSP.
I mean, I really absolutely know nothing about it,
because it just seems such a distant thing for me to be able to get.
I think even if you do have an ethical hacking degree or any,
you know, you need to be in the business for five years to get one,
and you know, even if you have a degree,
it's only knocking a year off that.
So I'm not sure if it really should be an analyst of things to talk about today,
but, you know, I mean, it should be because you can't talk about these things
with that talking about CISSP.
I mean, it's not really an ethical hacking degree,
and I would also say this isn't a technical degree.
This isn't, sorry, it isn't a technical qualification.
This is a management level, an overview qualification.
You know, you're touched on a number of subjects,
and part of that would be ethical hacking and understanding, you know,
some basics about it, but if you talk to a CISSP
and start talking about anything highly technical,
if he's able to converse with you on that technical level,
it's not because he's done a CISSP.
The CISSP is very much access control, policymaking,
this 10 domains, as far as I remember,
and they're very kind of high level overview,
very, very wide knowledge base, but very, very thin.
So you can talk about the number of things,
but you couldn't talk about them in depth.
Yeah, I like it.
At the moment.
Yeah, I like to say, I mean,
it seems that that's, when you need to be a manager,
there seem to look for that in job descriptions quite a little bit,
when you're dealing with high ends, you know,
when you're dealing with, you know,
something that the high end security and, you know,
it seems to be a de facto requirement for jobs there,
and I can understand why, but as I say,
I know very little about it.
The next one I wanted to talk about was Sans.
I really like Sans.
There's no two ways about it, but Sans is,
it's not a qualification per se.
It's a body that gives out creditations,
and they have lots of different courses.
Chris, you've done some Sans as well, haven't you?
Yeah, you know, I've been working together with Sans
for a couple of years now, so.
Sans is actually the training body.
They have a, the certification body is called GIAC.
The difference between, between Sans and pretty much everyone else,
what we're going to talk about today is that they,
they focus very heavily on specific areas.
You know, for example, they will have, you know,
we talked about briefly before, Sans will have a course six day long class
that talks about voice security,
whereas in most other classes, CIS, PC, EH,
and everything else, that will be a half an hour,
our segment of your training.
So they take areas of training and really focus very, very heavily on,
exactly what you need to know to really test those kind of things,
really secure those kind of things,
and they take it from both the attack and defense standpoints.
I mean, there's penetration testing,
there's web application penetration testing,
which they split out into a separate class,
but there's also interesting detection classes,
incident handling classes, so you can spend six days learning about,
an intrusion detection, how IDS is, IPS is work,
and it kind of really, really dives into a very, very deep level.
I mean, what I really, really like about the Sans classes
is that their teachers are very, very good,
and they're very, very knowledgeable,
because they don't have teachers who just teach everyone who works for Sans,
does that for a living.
You know, if you go and you learn from someone,
for example, John Strand from pool.com,
does a lot of training for Sans.
He actually does it for a living,
and then teaches about it as well,
and what I really like is they can actually stand there
and talk about how it really works,
and how it really functions,
and what they've come across in their jobs,
and what they've been doing these things,
whereas quite a lot of other teachers are just,
well, three years ago,
when I last actually did something other than teach,
this is what I saw.
I mean, I didn't agree more.
I've always loved the stuff that I see come out of Sans.
I've been, I'm not sure if you saw that,
come up on Twitter recently,
but I've bounced my knowledge, his name wrong,
because this is a tradition of mine.
David Holitzer, or he's the Sans ID,
he does like IT auditing stuff,
but he did a webcast on training,
Metasploit, Exploit,
Exploit modules step by step,
and it's absolutely fantastic,
and I mean, he's a teacher over at Sans as well,
and I mean, he's the quality of the webcast
that he's done is fantastic.
I actually link to it in the show notes,
or something like that.
Did any of you guys see that come off on Twitter?
No, I did that, I don't know.
Yeah, no, I saw it.
I have no chance to look at it fully,
but what really interested me is
I know there's a lot of people that work for Sans
that do a lot of exploit writing.
They actually have, I think, a five-day class
purely on writing exploits and doing security research,
but what interests me was,
this video was so well done,
and it comes with someone who teaches auditing,
which is auditing for me is very much in the direction of
where you don't actually need to do anything technical.
You just need to know which questions to ask,
which systems to verify,
and it's very much a non-technical training
and a non-technical role.
He's done a fantastic job on this video,
to be honest with you.
It's a very good job of,
a very good basic, basic crush course,
and buffer overflows,
and how to explain them,
and how them act exploit,
and the framework,
how you can get them in there,
and stuff like that.
It's a very interesting one.
Anyone listening should definitely,
I think it's actually four YouTube videos,
all in all of something like that,
but it's very, very good.
So is it fair to say that,
you know, you could look at Sans,
if you want to specialize in a particular subject like,
you know, you want to do VoIP penetration testing?
Is Sans a pretty good starting point for that then?
Yeah, I mean,
they do do generalistic courses as well,
but the ones I'm particularly interested in,
the most specialist ones,
what I would say,
there's some good points about Sans,
and there's some bad points.
The good points are,
you can do it live,
that they do a variety of live training offerings.
You can also do home training,
you know, they do an on-demand thing,
where you get videos, audio,
and the books,
and then there's another offering,
I think V Live is the new one,
where there's a live trainer doing the class,
but everyone's connecting through computers.
So as a live,
you do this class every Monday night for a month,
you know, for three hours or whatever,
but there's actually a real live teacher there.
On the bad side of it,
Sans is not cheap.
You know, you're looking at,
for a six day class,
three and a half thousand euros for a six day class.
They've got what's there?
If they got this,
I'm right in thinking they've got this,
entry level,
but this kind of blanket sort of,
this is a web application,
and penetration cost that they do as well,
isn't it?
Am I thinking of the wrong people?
No, no, they have a web application,
penetration test to class,
which I've done recently,
in the last year.
Is there any good?
Yeah, it was really good.
It was written by Kevin Johnson from Mean Guardians,
who's a very smart guy.
And quite a lot of the Sans instructors,
very approachable.
If you have a question about the material,
or if you find a problem with the material,
you find a spelling mistake,
or there's something in there that's outdated or something,
if you send them an email,
they'll reply.
They're really, really engaged with the student students,
and Kevin's a really friendly guy,
and he really knows his stuff as well.
And they're constantly updating,
I think four times a year,
or three or four times a year,
they update their material.
So it's not like some other qualifications,
where, well, this got written in 2004,
and we're still going to teach it.
Every couple of months, it's updated.
And the other one that I wanted to ask you about,
as well, was security plus as well.
Did you do that?
Yeah, I did it a couple of years back.
Security plus from Comp Tier.
They do quite a lot of these qualifications,
network plus, A plus, server plus,
things like that.
That's what I consider as entry level,
these kinds of things.
Security plus is,
I equate it to the CISSP,
but the CISSP light.
It's really kind of a more focused downward of the CISSP
with less domains,
but it really does give you kind of the base knowledge
for you to know where you want to go in security,
mostly because quite a lot of people still tend to think,
I see that you do computer security,
but people don't really realize
computer security isn't just one thing.
You could be a penetration tester,
you could be an auditor,
you could be a PCI quality.
If someone works to QSA,
you could be an IDS expert,
you could do firewall configurations,
you could do server hardening,
you could do incident handling,
there's so many different facets of security,
but one of the things that really ties them together
is if you do the security plus,
it really does give you a good grounding,
so you really know you've got a good base
to kind of grow on from that point,
and you can focus off into more specific areas.
I mean, is there any other particular qualifications
that you think people should know about
and in line with the ones that I've mentioned?
It really depends where you want to go with it.
I mean, personally, I started off,
and I did network and server support for 10 years,
and the first thing I wanted to do
is get my Microsoft qualifications,
because I was so busy with work for these 10 years,
I was behind the grade,
as Windows 2003 was coming out,
I was finally finishing my Windows 2000 exams,
because I had another chance to do them,
and it finally got to the point where I was,
okay, I'm just going to go on,
I'm going to upgrade all my Microsoft certs,
and then while I was doing that,
I really started looking at the Microsoft security stuff,
and people give it a bit of a bashing
the Microsoft security stuff,
because it's not the best material in the world,
but Microsoft stuff is so prevalent nowadays,
that those kind of Microsoft security glasses
are interesting to do,
especially if you're going to be working
in a Microsoft heavy environment.
I mean, I don't work as a network technician anymore,
but just to be able to write in a report,
we found this issue,
and this is because this setting in Microsoft's DNS configuration
is misconfigured,
and it should be configured so and so and so.
To be able to add extra materials to your reports,
and to be able to give that added benefit
of not only we found a problem going fix it,
it's we found a problem because of this,
and this is how you can fix it,
and that's what customers are really looking for,
is that helping hand,
we've not just find where we have security issues,
but they want to know how we can,
how they can make it better,
and some of the Microsoft qualifications
really give you that level of knowledge.
Well, I believe I'll have to get a pitch for Kambanya, Chris.
Sorry. Well, on the flip side,
you could also get that certified engineer,
which is going to do the same for Linux.
Does that help?
That's more like it.
I mean, is there any,
I mean, what kind of,
what do you think we should be looking for from graduates?
What do you hope that you'll understand
when you leave university
from ethical hacking anyway?
I hope I understand,
and what I will understand will probably be two different things.
I hope to have,
I hope to have,
I've got knowledge in networks,
I'm doing my CCNAC at this moment,
and by the time I finish university,
I will receive CCNACs for,
so hopefully I really won't have a,
I've got a lot of understanding in networking,
but I say ethical hacking wise,
I think to be fair,
most of what I'm going to learn
is going to be,
more going to be about the,
you know, the theoretical side,
than having any hands on.
I think as soon as I finish university,
I think it's going to be the case of finding the job
and trying to get some certificates back up.
You know, what I've learned,
theoretically.
I mean, what do we,
I suppose we should really
do the touch on the self-taught side of it,
but I think what I'm,
the question I'm going to ask is probably related to all of them.
I'd like to get both of your opinions on it.
What do you think is the bare minimum
someone needs to,
if they decide,
the bare minimum they need to possess
before they get into ethical hacking?
And I'm not talking about professional qualifications
and A levels,
GCCs,
and O grades,
and whatever.
I'm actually talking about the skill set that that individual needs,
if being, you know,
a motivated individual,
or being able to assimilate information,
what do you think you need to have yourself before you decide
that you should go for a career
in ethical hacking or penetration testing?
For me,
I think that the minimum someone needs to have is the ability to,
to get themselves motivated to learn, you know,
that's for me,
the big requirement.
And then on top of that,
I think that there needs to be a commitment
and understanding that,
regardless,
that you don't know at all,
and that you'll have a lifetime of learning,
just to not be treading water,
basically, you know,
to be making a step forward.
What do you think,
Tom, what do you think the bare minimum person should have
for getting into ethical hacking?
I definitely agree with motivation,
but I think one of the biggest things that somebody really needs,
really needs to have,
like, you know what I understand is that,
I do say,
that they need,
that it is a lifetime of learning,
is it just you learn it once,
and then that's it,
because, you know,
the news,
the UX points coming out,
you know,
something different happens every day,
and there's some new technology you arrive,
or new technology that's what it is.
I think it's a good ethical hacker
to get into the industry,
you need to be interested,
definitely interested in what's happening in the world.
Okay, and Chris, what do you think?
I mean, I agree with Tom,
and this is a lifetime of learning.
I mean, this is why I moved into security in the first place,
because I don't like to learn one thing,
and then just use that for the next five years.
I want to be learning something new every day,
and security really offers that,
but it's kind of a double-edged sword.
It's really nice,
if you can keep up with it all,
but you can't,
and that's one thing,
as a security professional,
quite a lot of people have to learn,
and I mean, I still have to learn it,
as always,
at some point,
you can't keep up with it all.
You know, you can't-
That's a bit like that,
every single thing.
Exactly, is that like-
Every time,
every time I think I'm catching up with it all,
a whole load of new stuff comes out,
and you just can't do it all,
and at some point,
you just have to let it go,
and say, look, you know,
I can't do everything there,
I'm just going to do what I can.
But I think one thing that,
that people who do ethical hacking,
in particular penetration testing,
quite a lot of people overlook this,
is you really need to be able to take in information,
and understand things very, very quickly.
And the reason for that is,
because in your typical penetration test,
you go to a client site,
they give you a diagram
of how their network looks like,
which is probably outdated,
and information about what all these systems do,
and you, in the best case,
you know, they've given you maybe,
there's 20 servers on the network,
and you go and test these systems,
and they're all individual,
and they all do one thing,
and you're like,
okay, that's pretty easy,
not a problem,
I can test your mail server,
because all it does is do mail,
I can test your internet,
because all it does is have one application on it.
But on the flip side is,
you go and test a large organization,
a large corporate of bank.
They give you a very, very detailed,
visual diagram,
and say, you know,
this is our sand structure,
this is how our fiber channel fits together,
and you have to be able to sit there,
and within a half an hour,
kick off meeting with someone,
fully understand exactly how that entire infrastructure works,
and that's a very, very hard thing to do.
You know, especially if you, you know,
and I hate to harp on people
who come out of university,
and I'm really sorry, Tom,
but if you come out of university,
and the only thing you've done is learn at university,
the first time someone in a large corporate
dumps a three piece of paper on your desk,
with this huge, great big,
sand-nast environment using,
you know, virtualized systems on blade frames,
with, you know, 30 VLANs,
and, you know, two, three fall-over connections,
and, you know, an entire dark site,
across town,
and the other side of town is a dark site,
and they basically say,
how can you paint us that?
You know, the look on some people's faces is,
oh my god,
this could take me a month to understand how this works,
and you have to physically be able to take all that information
in, process it,
and come up with a realistic testing scenario
within half an hour to an hour sometimes,
and that's something that people really,
you know, don't tend to think about very much,
but I think it's a skill that,
that people working in ethical hacking
and penetration testing really need.
Well, if Chris doesn't schedule off from getting into ethical hacking,
there's lots of different routes.
Some of the qualifications that you could speak about,
and then that we spoke about that,
they're all pretty easy to find,
but they will be available in the show notes.
Finally, University or Professional Qualifications, Tom.
Which one?
Professional Qualifications.
University or Professional Qualifications?
Chris?
Yeah, as a person who didn't go to university,
I'd actually say,
take your time and learn it yourself.
I'm professional qualifications have their place,
but I don't think university route offers everything it should yet.
I think it's getting there,
but I don't think it's there yet,
and I don't think professional qualifications
are worth the price at the moment.
I think, you know,
spending a couple of months learning it yourself,
you're going to learn more,
and you're going to learn more about yourself,
which is an important thing.
You're going to learn how motivated you really are,
because you're not sitting in a class,
you have to get off your ass and do it yourself.
I think that's the best way to go,
at least, to start with.
And for me,
not going to look good on your CV, is it?
For me, if, for me,
I think certainly in the UK,
choosing a university is probably a good entry
for getting it, if I'm honest with you.
Just because of funding,
and it's very hard to find businesses
that will accept you behind pay for your training,
if you have nothing to show them.
So, if there's no other bad solution,
but I also think as well that
the solutions should fit the need,
and maybe a mixture of some time at university
doing a couple of different things,
and doing professional qualifications
might be a better route.
So, yeah, I mean,
if you're interested to speak to the university,
I'm sure to answer any of your questions.
That's all for this tech segment.
Thank you for listening to Hack with Public Radio.
HPR is sponsored by Pharaoh.net,
so head on over to C-A-R-O-DOT-18
for all of us in need.
Thank you.
Reference in New Issue Copy Permalink