Student insight, A decade of information security certificates and training


~ 8 minute read
Crafted : 2 months ago Updated : 2 months ago
Tags:
#information-security #cybersecurity #oscp #ceh #chfi #course #training #awae #cissp #certification #offensive-security

Hello, luvs, information security training, and certificates have been a lengthy debate over the years. In this post, I like to take you with me to my journey around this subject, it's been almost over a decade.  

Contents 

 

Introduction

The techworld is moving amazingly fast. A few years ago we didn't have smartphones very a few decades ago even we didn't have internet. Still, we did change everything, and people will keep being amazing and inventing even years after this writing. I spend more than a decade following infosec, and it did change my life, and I owe this community everything and in every aspect. When I start my career as a teenager, even though I was good at my job, sometimes, I had a difficult time dealing with my colleagues and managers because they had a degree and a few certificates from Microsoft or Cisco, IC2, EC-Council, etc. and I had none. And still have almost none! Time passes by, and I meet a fantastic CEO, which lets me work as a junior pentester; Boom! landed first job in infosec in return, I worked so hard met some more amazing people and learnt a lot more .I thought by myself soon as I had enough money, I will take all the certifications in the world, so I did. Or did I?

 

From the very beginning 

I took many courses during the past decade, and I believably will enroll in some in the future as well. I love learning! I'm not going to review them one by one because it will take ages, and some of the courses I took almost a decade ago are irrelevant today. For updated information, you have google their name visited their website. 

But I briefly review those I remember (only infosec related ones)  

 

Advanced ethical hacking 

  • An ancient version. It was from infosec institute If I'm not mistaken, thought by Jack Koziol, one of the original authors of the magic shellcoders handbook
  • Develiry method: Slides and videos 
  • Practice method: virtual machines
  • What I learned: a lot generally about penetration testing at that time, it was full of forgotten networks attack vectors with a tremendous focus on classic Linux strcpy() overflows. 
  • Do I have its cert: I don't think so. (I think i got one by email )

Penetration testing with backtrack

  • the world's famous OSCP from offensive security. An excellent generic penetration testing course for anyone who wants to get into red teaming, penetration testing, etc. 
  • Delivery method: EBook and videos
  • Practice method: online Labs (using VPN)
  • Do I have its cert: 403 Forbidden.

 

CEH

  • I think CEH is the first generation of ethical hacking training. I went to a local Bootcamp to meet an excellent teacher who had all the certs, yet he didn't think the cert is a big of a deal but the knowledge. EC-Council efforts to make hacking moral is very remarkable. He also let me sit in his other classes for free because he sees I was so passionate and well who doesn't like free training?
  • What I learned: besides, I learned NC is not a microwave \lol/, but seriously, it just helped me to see how broad are the attack surfaces and what are available tools to make things easier. After so many years, I'm still in no way expert in all individual modules mentioned in CEH. Too broad always means less detailed, though. 
  • Delivery method: On-site training
  • Practice: on-site training
  • Do I have its cert: Sorry. 

 

CHFI 

  • with the same teacher on a 5-day Bootcamp. A very first practical introduction to forensics. At that time, because I focused on penetration testing, it was relatively new to me.
  • What I learned:the exciting world of data recovery, forensics, and being sherlock holmes with files. I learned about recovering data, some intriguing concepts of disk encryption attacks, and defenses. Even though I barely revisit the subject during the following years still was pretty helpful!
  •  
  • Delivery method: On-site training
  • Practice: on-site training
  • Do I have its cert: Where is my magnifier?

 

CISSP 

  • with the same teacher on a 5-day Bootcamp. A very original introduction to information security scale and management. At that time, because I focused on penetration testing, I just learned so much, and a lot of its topics were very novel to me. Just like CHFI, I hardly revisit for years, so I have no idea about its contents now. 
  • What I learned:
  • As an offensive security boy, I did not focus intensely on defenses, so this course taught me a lot of stuff, from physical security to Iris scan security and even about life and living!
  • Delivery method:On-site training
  • Practice: on-site training
  • cer... Do I even think about it? 

Advanced software exploitation from practice security 

  • I took this last year for such a price, need a total revision; but who am i to complain?
  • What I learned: revisited classic fuzing, java core (in)security, and revisited windows exploitation tricks.
  • Delivery method: Online Text only  
  • Practice: Virtual Machines 
  • Who? Me take this?

 

Advanced web attacks and exploitation

  • This is the latest course I've taken from offensive security. Just last month an intense course around one of my favorite topics, code auditing.  
  • What I learned: Various helpful tips and tricks on security code auditing. a lof real world senarios.
  • Delivery method: Ebook + Videos 
  • Practice: Online lab (VPN)
  • Will I take the certificate this time? Hmm, I think I'll pass.

 

I even went to college and recently finished my major. Not for a "certificate," but to learn, I made lifetime friends, I learned discipline and dedication. It just leads me to better "me."

 

Before I continue, I like to thank all of the companies named or not named here. I learned a lot, and I'm thankful. You are pioneer In the information security training, and what I'm going to suggest next it's just matters of somebody who loves this community. but I suggest to change for a better good. 

 

What's wrong with the current training model 

 

 

 

1- Most of the course materials are outdated because of its delivery method: the very top many courses in information security used to be a few hours of video content plus some documents. The amount of time it takes for the creator to protect and DRM materials makes it very hard to update materials frequently, for example, most of this training has not updated during past two years, in case of information security we live in the minutes and two years is too long of a gap. 

 

2-Most of the labs are on old infrastructure: Classic infrastructure and VPNs are not sufficient for toady's worlds. They are generally slow, expensive, and hard to use in case of pentest labs.  

 

3-Certificates. In the end, it is a piece of paper which we should avoid because we are killing trees to make one. I believe in this concept as much as my little startup is all about being paperless. Let's harm nature less! While admiring someone's achievements is fantastic, and the right thing to do. The way we handle a certificate isn't flawless. Think about someone who is passionate about infosec and wants to land a very first career in infosec but can't afford certifications, or even a degree. and you just cut them out. It's wrong and unfair. Luckily it's getting a lot better, and even big companies changed their culture and talent management idea. But still, we have a way to go.

 

Considerations for new training

If you are going to release next generation infosec training, following paragraphs are few things you can consider. 

Infosec is all about struggles: what's with all the courses, why always give the perfect state of how to solve a problem to the trainee? The recent wave of live stream related to infosec is a good example; a person who wants to learn can simply see how the instructor is struggling and how they tackle variously related and unrelated issues — a part of the information which is too valuable to ignore.  

 

Infrastructure change: thanks to awsome DevOps, cloud, and virtualisation guys, you can almost run all your previous labs on a browser, safer, cheaper, and faster. It can avoid various kinds of problems. You can start with:

 docker --help

Make it affordable: as much as doing business is understandable, an average online training between 2 to 8 hours, and an average live training is around three days. Now a single stream of someone working on a single CTF task can take that long. So if you want to put a high price that it should be far more sophisticated than this. 

 

Make it up to date: Infosec is about minutes; by changing your DRM model, lab infrastructure and content delivery model, you can deliver frequent updates to users. 

 

The change has already begun.

The speed of information technology evolution always fascinates me. We already have some excellent examples of suggested model . website academy, exploit education , pentesterlab  are few examples. I'm not affiliated with any of these entities, and you can find more examples by googling around. these entities leveraged a more modern tech stack, which helps them to deal with the issues we mentioned.

 

Takeaways 

If you are new to into infosec. 

As you may guess, I spend a lot of time and money in many courses. But  it doesn't mean you have to take the same path. It's alot easier and cheaper now. honestly it has never been easier. just do it o_O ! you want to be a bug bounty hunter, red teamer, security researcher, infosec pro, or you name it. And you were thinking about taking certs or even getting a degree. If you don't have much disposable money to spend, then don't, Instead, spend your time reading and practicing the niche (for example, mobile security) you like, for more read my first post.

Infosec managers  

Sir,  If you in Techworld and certificates and degrees are is the most important item in your checklist. I suggest you to re-define your hiring idea, or you may just lose the chance to work with some brilliant people. For instance, just like the information security training model, thanks to technologies like cloud computing, you can make your very own CTF on the weekend (with the exact skill set you need) and examine your candidate skills deeply and accurately. Case solved. No certification of any kind ever required. 

Infosec professionals 

If you work in the infosec industry, kindly spread the word and share this post (or at least its idea) with your colleagues for a better good. Also let me know what do you think ? here

 

Conclusion 

Here I'm, A decade later, still enjoy making and breaking it. Yet with almost no certificate and no regrets so ever.

If you still love to take one, there is nothing wrong about it. Go for it and enjoy; the point of this post is to think about the ways it can go wrong morally and ethically; in the end, most of these materials are labeled "ethical." and "moral." right? 

Luckily the cultural change has already begun. And we see recruitment departments when it comes to general information technology are making it a lot easier than before for new talents to take their shot. Keep it up!

I wish you a "2020" with cheaper, more accessible information security training and awesome managers who give a chance to yet to discover brilliant talents.

PS: how lucky I'm I can share this with you.

Till then luvs

Assist me:
Buy Me a Coffee at ko-fi.com