RE: OPST and CEH

From: Mario Guerrero (mguerrero@anewbroadband.net)
Date: Sun Mar 07 2004 - 22:06:55 EST


James, I believe the OPST course as presented by Revolution Technologies is
very technical and complete with regards to your questions. Below are
additional comments I have prepared for submittal to Pen-Test mailing list.

To: Pen-test mailing list

I took Feb. 2-6, 2004, the OPST Certification course offered in Ft.
Lauderdale, FL by www.thinkingred.com (Revolution Technologies). I became
aware of the OPST / OSSTMM course at a local meeting of ISSA (www.issa.org)
where I met the Sales Director. Here are my constructive comments on my
experience.

** The instructors were Taylor Banks and Ralph Echemendia, owners of
Revolution Technologies. Very professional, clear in presentation. The
first hour of class was spent in giving autobiographies of themselves and
those in class. This set a good tone for the class since the backgrounds
given were impressive and varied.

** It is an excellent course. In addition to the OSSTMM methodology
presentation, ThinkingRed has added additional material based on a course
they were teaching on Applied Penetration Testing which is very complete
with LOTS of material on Ethical Hacking techniques.

** The OSSTMM gives you guidelines for security testing when dealing with
customers (called clients after they sign a formal contract with you). It
covers the period BEFORE, DURING, and AFTER the security testing is
finished.

** BEFORE the security testing, "Rules of Engagement" are presented. These
rules stress the importance of a written contract and ethical and logical
rules to follow. Compliance with standards and legal issues are presented.
Rules for estimating time for testing are also presented, of course with a
caveat for taking into account complexities in the network that should be
compensated with additional time. Whereas CISSP has 10 domains for
information security (www.isc2.org), Isecom's (www.isecom.com) OSSTMM has
areas broken down as 6 "Viewpoints" for security testing... Information,
Internet, Wireless, Physical, Process or Social Engineering.

** During - it provides the OSSTMM checklists or guidelines for each
viewpoint, templates, risk assessment values, etc. The methodology gives you
tips on what to do if certain vulnerabilities are discovered - how to
present to the client, and discusses progress reports etc.

** After - it makes suggestions on how to present the results (including
data logged) of your security test to your client.

*****************************************

ThinkingRed's OSSTMM / OPST class has many labs during the course where you
run practice sessions with a simulated real network environment. You get
to run security tools in LINUX or WINDOWS on the same laptop. Tools such as
NMAP, TCPDUMP, SING, TCPDUMP etc. Hosts on their network include Linux and
Windows clients that you can footprint / enumerate. Even ran vulnerability
programs (Nessus)...

The course work essentially covers the OSSTMM methodology plus all of the
Hacking subject areas mentioned in the HACKING EXPOSED set of books
(www.hackingexposed.com).

In deciding to take the course, I did review the other offerings at Intense
School (CEH) (www.intenseschool.com) and SANS (GCIH) (www.sans.org). It was
convenient for me that I did not have to travel to take it. I also reviewed
the OPST certification goals and background and details of the OSSTMM at the
ISECOM web site. I even downloaded the OSSTMM V2.1 available on the web
site. Google was also very helpful (it always finds some good links).

The OSSTMM course complemented security issues I had covered 14 months ago
in self-studying for the CISSP certification using Vines and Krutz's THE
CISSP Prep Guide.

With the CISSP I became aware of the many aspects of information security
that I never knew existed, but well supported by many professionals and
corporations. It is a big world out there. The OSSTMM / OPST enlightened
me on how to approach, prepare, exercise, and carry through the area of
security testing.

What I have found existing prior to the OSSTMM were checklists or verification
points to perform security evaluations...but not a complete clear process
as provided by the OSSTMM. It will surely be valuable to me as I deal with
my current network customers and potential new customers / clients in the
future.

*************************
Bad news!
I took the OPST test right after the class and failed it, unfortunately. It
relies on knowing many technologies and tests you on them. I normally
self-study for my certifications and the exercise of taking a test right
after a course was not my norm, but that is what happens today. I look
forward to retaking it in the future.

On the positive side, I look at the value I derived from the OSSTMM and
Applied Penetration material that was presented. I am looking at becoming
more familiar with Linux (RedHat / SUSE) as an additional value point I can add
to myself and for my customers / clients. My strategies and awareness for
Windows have definitely been affected. The fact that I learned techniques or
the "WHY" many items you take for granted are not really secure (NAT
firewall with information leakage etc, for instance) was really worth
knowing.

*****************************

Hope the above comments are helpful for anyone else looking to attend a
security course. I believe any one that I have mentioned above, including
the CISSP offering, would help anyone as a step to upgrade your skills.

Mario I. Guerrero, P.E., MSEE
MCSE, MCNE, CISSP
mario.guerrero@ieee.org

-----Original Message-----
From: ucanbreached [mailto:ucanbreached@cox.net]
Sent: Friday, March 05, 2004 8:09 PM
To: pen-test@securityfocus.com
Subject: OPST and CEH

I know this has been on the list before but I never read where someone
actually stated which was more technical in nature, OPST or CEH. If there
are individuals out there that have some knowledge on both can you please
help me. Currently, my outlook is that OPST has some technical but mostly
provides a business structure and the OSSTMM methodology and the CEH is way
more technical and provides training that somewhat follows the OSSTMM. I am
more interested in the one that is more technical, I can develop my own
methodology (although I do realize that could be a very daunting task).

Comments please

James

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT