I finally had the chance to sit down today and take stock of what I learned on my travels in India. What I can safely say is that the last 2 weeks (where I was studying the Certified Ethical Hacker and ECSA courses) didn’t teach me as much as I thought or hoped. This made me both a little concerned and more than a little disappointed (see my Certified Ethical What ??? post for my views on the course in detail). However, I don’t want to talk about the course or its content directly. What I want to talk about is the issue of a little knowledge possibly being a dangerous thing. This is not to say that people shouldn’t learn how to secure their systems or how to do penetration testing, which is the whole point of the CEH course after all. However, there is a question over how deep that knowledge is, and how getting security qualifications makes you feel. It’s good to keep things in perspective.
As an example, I took and passed my CompTIA Security+ exam last month. The course was interesting; however, the topics covered, such as PKI, access control, firewalls, honeypots, IDS, IPsec, VPN and more, were covered in basic detail. Overall the course was good, for what it was. We covered cryptography in around 6 hours, plus some out-of-hours study to ensure I knew what needed to be known. However, I’m sitting here at home looking at a copy of “Applied Cryptography” by the great Bruce Schneier, which stands at no less than 750 pages. So how much can you learn in 6 hours? How deep can the knowledge be, and more importantly, how many people walk out of a training course such as this and think they’re a qualified security expert? I wouldn’t say I’m a cryptography expert, but some would take this qualification as just that.
As another example, and one that makes me a little scared, there is the “Licensed Penetration Tester” qualification given by EC-Council. To qualify for this title you must take and pass both the CEH and ECSA exams (and then pay $500 for the right to be an LPT, but that’s another story). The LPT isn’t an exam; it’s purely a guideline for testing, like NIST or OSSTMM are. I’ve now done both of these classes, and could qualify to hold an LPT certificate after attending the LPT walkthrough. However, personally I wouldn’t consider anybody as even close to being a penetration tester of reasonable quality after just these exams. These qualifications fill a gap in the market, that’s certain. However, the knowledge they provide is a long way shy of what they claim. EC-Council market the LPT qualification as “The Most Prestigious Certification for Penetration Testing Professionals”. I have to disagree, as somebody who now qualifies for this, has trained for this, and has decided it would be hypocritical to request the LPT title. LPT is just one of the hundreds of certificates now appearing on the market for technical people to consider. Not all of them can be bad, but sometimes it goes to show that a little knowledge can be a dangerous thing. I could be a Licensed Penetration Tester now, marketing my skills to companies and attempting to prove or disprove their security implementations.
How would you (or I) feel if we trusted our security to somebody who was certified, but not qualified? There is a difference between the two, and it’s a big difference.