Your first hacking cert?

Captions
- Yeah, I've heard so much negative feedback about it. You guys really bash it.
- It's because it's frustrating, right, that is frustrating, our inner person does not enjoy feeling like they have to be a walking encyclopedia.
- So I need to, I need to push you because I've got like this loop that I have to close. What is the number one? What is the, if you could only choose one cert, what would it be? And I'm sorry to push you. It's just your opinion I think.
- Yeah just my opinion.
- What would you choose?
- Man.
- You're stuck on an island, the only way off is to choose one cert. What would you choose?
- If I'm gonna go with one cert I'm gonna go. (upbeat music)
- Hey everyone, it's David Bombal back with another interview but in this case, I've got Daniel. Daniel, I could introduce you but it's probably better if you do it yourself. So could you tell everyone a little bit about yourself?
- Sure David, thanks for having me on, this is a real pleasure. Like you've got such a cool podcast or YouTube channel. You get so much great content. So I'm Daniel Lowrie, I work for ITProTV. I'm what we call an edutainer.
- [Narrator] You're watching ITProTV.
- Hopefully that kind of gives away (chuckles) the idea behind what I do. I instruct on cybersecurity. That's my specialty, my silo, as it were. And I try to do that in a way that's fun and engaging instead of, I'm sure everybody out there has had to at one point deal with the voice-over PowerPoint awesomeness that is most online IT training. Wasn't a huge fan of that. So my friends got together, they built this little company and asked me to jump on the ship. I said, hey, what the heck? And here I am, and now I try to inform the masses of cool IT training that I can give to you and then get you in there and get you learned up with all the skills that you're gonna need to get into cybersecurity. I know that's a hot thing right now and it's a lot of fun. I know, I enjoy it. So, I totally understand the appeal.
- But okay Daniel, now I'm gonna push you. Now you're ready for some fire.
- All right, I'm gonna take a sip here, you go for it.
- Okay, so you mentioned a bunch of certifications and there are a bunch out there like Security+, there's CEH, you can go through the basic list again but you tell me now, okay, what are the most, sorry, what are the entry level certifications and which one would you recommend as the first certification?
- That's a, that's a great question, so.
- I'm gonna push you, I'm gonna push you now.
- You're gonna push me? This is a good push question because it's very relevant, right? And it is, is the probably the question people have on their minds. Okay, tell me I'm wrong, I'm poised to jump. Just tell me where to jump to and I'm gonna go and I'm gonna tackle it, I'm gonna kill it. I'm gonna get that cert so that I can, I can really start making some headway into my career. I get that. The answer to that is my opinion probably the best entry level certification. If you're going toward an offensive security style, you know this would be for a SOC analyst or anything like this, would be, I want to be a Pen Tester one day. I wanna do vulnerability assessments. Ultimately maybe get into real Red Team Engagement kind of things. I would probably start off with, with eLearnSecurity. They have, they have great, great certifications, the certification and here, here's what I would say why I would say that.
- Is that the eJPT?
- eJPT would be the, the certification, yes.
- Okay, so you're actually putting that above like Security+ or CEH or PenTest+, yeah?
- Yeah, and I can say that now, because after having, I do training for Security+, I think it's, it's great. You gotta understand, like none of these things are, are static. They're, they're all dynamic. Everything's always changing. Security+, just finished the update to Security+ with another edutainer here, Wes Bryan. He is the SME on that.
I'm just kind of there to host and support him and give him that because he, he helps people. (mumbles)
- I just wanted to say that for the, for people who don't know ITProTV, what's really nice about the way you guys do it was like a lot of training. There's always two of you, isn't there? And like one person is like teaching the other, which makes it very interactive, is that right?
- I feel like we should be like, you know, old style
- Like rock them, sock them robots.
- Yeah, here we go. Right, 'cause we're trying to do what we're having right now and then just make that training. Think of how much better you learn just listening to a podcast, to picking up random, you know, pieces of information. We just try to like move that into a very information rich environment. And that becomes your training instead of, okay, let's go through the five phases of pen testing for whatever it is. You know what I mean? It's just that that's not fun.
- It gets boring, yeah.
- That's not engaging. That is boring. We do, we are not people that like to be bored here and we don't want you to be bored. We want you guys to have fun, we want you to learn. We wanna get our hands into stuff. So we like to show things as often as we possibly can. Of course, there's always gonna be those theory elements to stuff, but when you, I wanna get into that
- But I need to, I need to push you, sorry I interrupted you, sorry. So you were saying eJPT is the, is the certification of choice. So explain to me why.
- I would say, because for two reasons, eJPT is very much a, it basically is kind of like Security+ and CEH kind of wrapped up in a ball, right? Without the filler. Now I'm gonna qualify that, that phrase filler here in just a second, I say filler. Okay, it is, is a very point is what I mean. It is saying you want to be a pen tester, let's test you on pen testing things. Right? That's their focus. That's their motivation and the exam, I've never come out of an exam booth before going.
That was fun.
- That's amazing, yeah, because normally it's like, thank goodness it's over.
- Yeah. I usually come out going, well, that was fun, (chuckles) Same verbiage, different leg, obviously different meanings there. That experience was great, I enjoyed it. I look forward to doing more eLearnSecurity certifications for myself personally, just 'cause they have a great track. If you're into pen testing it's a phenomenal track to get into. Does that mean that the only game in town or like CEH is out the window and there, they'll be boarding up shop within six months because eLearnSecurity hit the, hit the scene. No, absolutely not. Because there, CEH, has done a great job of marketing themselves and making themselves a certification that has industry recognition. eJPT
- It's like a gate, it's a gatekeeper type, so it isn't? I get your point, it's the gatekeeper.
- It's totally, yeah. I liked that terminology that this is something that an HR person would probably put in an offensive or even defensive security. And it does have its place. Because if you look at, I would say, most people will say one of the big problems with CEH is how massive it is. So I've got.
- I've heard you say previously that the manner you were surprised that there's so much content, is that right?
- Yes, it's tons and tons of tons of content. So that is, is part of what makes it a difficult certification, moderately difficult certification to pass. Because you gotta know a bit about a lot of bit, right? So there's, there's tons of stuff and you gotta know something about everything and they're gonna hammer you on, on minutiae. They're gonna, oh, which Nmap switch does X, Y, or Z.
- Yeah, which kind of seems pointless. 'Cause in the real world, you're not gonna, you gonna, that's why you go Google or you got documentation, yeah.
- It's funny you say--
- But I mean Cisco do the same. Well, they used to do the same, yeah sorry, go on.
- Yeah, I would love to see the day when certification exams are, yeah, you can use anything you want, you know, and I did see that with eLearnSecurity, they use anything you want, use Google, anything you like, you don't have an exam proctor because what's the reason of proctoring it? You can use any resource you can get your hands on.
- Is it like a practical exam?
- Yes it is a practical exam, thank you for that clarification. Whereas CEH is a more traditional exam, based off of a body of knowledge.
- It's like, multiple guess. (chuckles)
- Right, now we're talking about CEH and if you look up CEH is it worth it, that kind of thing. The exam itself can be a bit of a bear because it's large, you know, I think it's a hundred something, 120 something questions or something like that. It's a pretty big exam, it takes time. You gotta know minutiae things that you can't google that you would be like, Oh man if I was in the real world, that'd be googling this. And these are all
- Exactly.
- These are all the negative feedbacks that you hear about CEH.
- Yeah, I've heard so much negative feedback about it. Guys really bash it.
- It's because it's frustrating, right. That, is frustrating, our inner person does not enjoy feeling like they have to be a walking encyclopedia of, you know a walking body of knowledge. We all have a walking body of knowledge but maybe not to the depth where we outsource a lot of that to the internet, to books, to references instead of keeping it in our head. And that's just, that's just how the world works now. That said, if you look at CEH, what do they offer right now? If we're judging CEH based off a CEH v10 and not looking at CEH v11, which is their current standing.
- Yeah, I wanted to ask you about 11 because that's a new that got released a few months ago, yeah.
- Right, and that would be doing that wouldn't be fair to EC-Council to judge them.
Not that it doesn't play a part, but to solely base our, our estimation of what the CEH 11 version is just based off of the prior versions and the prior performances and the prior people's experience with it. That would not be a completely fair thing to do. So EC-Council, to their credit, has seen their competitors. eLearnSecurity, Offensive Security, what's the other, there's, tons of them out there now. There's a lot of, a lot of certifications are starting to pop up. Even CompTIA has gotten in the game, they got PenTest+. So what are they doing that is giving them so much success, and they're starting to emulate that. So if I'm, if I'm looking at CEH v11, I'm looking at the content, I'm now looking at a much more true comparison, a more of an apples to apples, apples to oranges with its competitors out there. Now, maybe not in the way that the exam is administered, right? But they have also come out with a different, this is where people get fun with marketing, they're trying to make more money. I get it here, make more money if you can, but they have the CEH practical exam.
- Yeah, what is that, what is that? Sorry, what is that?
- So that's meant to be the practical performance-based exam that they now offer to say, okay, you know, we see you, we hear you, everybody out there wants to get their hands on something and prove that they can do X, Y, or Z. And probably they were getting slayed by OSCPs and eJPTs of the world. So they thought, hey, we can do that too. And so they spun that up and now you have the, the CEH practical exam.
- So you have, so CEH per se is just a theory based type of exam, yeah?
- Yeah.
- Like the typical theory, you know I always say multiple guess as a joke. So one of those type of exams, and then the practical is kind of like eJPT or OSCP. Obviously not the same level as OSCP but it's a practical topic exam. Is that right?
- Yes, it is a practical non-stop exam. You're gonna log into some lab environments.
I think it might be done via like a web browser kind of thing. I've taken some exams that are like that where you get a web browser, you go to the link, you get a basic, like, well, it looks like an RDP session via the web.
- Yeah like a jump host hosting there
- Yeah, there you go. And, they're gonna give you some, some tasks to perform and you fill them out, you do that and there you go, you get your certification if you're able to actually complete the task they ask you to complete. Which is great, good for them. They saw that, hey, we're not strong in this. We need to, we need to come up in the world and show that we are still a competitor in this space and they're trying to be competitive by offering those things. It's a bolt-on solution but it's still a solution. They haven't not heard the voices crying in the darkness saying, hey you know, I got the CEH thing and people are making fun of me, you know, they're like, okay, yeah, no, let's help you out with that. Let's get that.
- That is to their credit.
- Yeah so, I feel like we do tend to get a bit tribalistic. Maybe, if that's a good word to use about, you know, CEH bad, you know. Oh not my tribe you know, 'cause--
- People get very black and white and get very vocal about what they believe, yeah.
- You also have to understand what CEH is meant to do. I don't believe that, maybe it was when it began but at this point, the CEH, the regular CEH exam is meant to kind of give you that. That's why it's such a large body of knowledge. You need to know a bit about everything if you're gonna be that security person that wears that hat plus a system administrator, you're trying to do that. It can be a really good certification for that, where--
- To give you like a foundation of knowledge.
- Yeah, I don't have to get Security+, right? I do need to have some understanding of how certain technologies work. There is some pre-work requisite knowledge there where I need to understand Windows operating systems.
I do need to understand even some Linux operating system. I need to understand mobile technology, maybe some cloud and, and things of that nature. But now I'm just starting to, once I go from there I start to dive into the idea of, okay what does security governance look like? 'Cause they, they talk about that kind of stuff inside the training. They talk about standard vulnerability assessment and risk management. All part of standard security stuff that you would learn in Security+. And, so maybe you're like, yeah, I want that Security+ experience but I'm really interested in the more offensive side of things, maybe learn a bit more about that world. CEH is a great certification for that. 'Cause it does have a ton of stuff and you've got this, these huge books that they give you because I think it's like over 3000 pages of information. And now you've got a set of references that sit on your shelf as they should. Again, we're outsourcing that knowledge. Is it a bear to go in and take that test and try to remember all those things? Yeah, but you can think of it as a challenge. Gamify that, right? And, and right, go back to our previous part of the conversation. It's HR gatekeeper. There is value to that exam. There is value to that certification. There are people out there and let me put it in these terms. If I go to a job board and I see on a job that I think is perfect for me and their qualifications are includes certifications such as CEH, PenTest+, OSCP, eJPT or you know, whatever. And I've got a CEH in my pocket. I will tell you CEH is an easier exam than OSCP. And if it gets me past the same wall, right? You start to see. We're hackers, right? Gamify this, it's a game.
- I wanna push you, sorry, man. I wanna push you now, so first cert eJPT, yeah?
- Yeah.
Then you're recommending a look at CEH to get past the gatekeepers because from what I've seen the problem with eJPT, it's a great cert but it's not well known enough to get past a lot of gatekeeper type stuff, even though, you know perhaps you can, you can talk to them and get past it but if you just want to you know, get past the check boxes and stuff and the recruitment agency, CEH is a great way to get past that. Okay so are you saying do those two and then what would you do? Or are you saying, do eJPT and then go to OSCP, sorry, Daniel, to push you on those. I just wanna try and get a nice path for people to follow. Like, what would you do today? You know, if you're starting out or I was starting out, what would you do? So eJPT then CEH, is that right? And then maybe OSCP or what would you say?
- So, depending on what I wanna do, if you're saying, see this is where it starts to get down into the minutiae where it starts to deviate from a here is the way to here is, here is a way, okay. If you're saying, I wanna be a pen tester then I would push you eJPT. If you're saying, I wanna be a general security practitioner with an emphasis in the offensive side of security then I would say go a CEH. Right?
- Oh, okay. So are you saying, so let me just clarify that 'cause that's a great way to put it. So if I want to be Red Team pen tester eJPT is your first cert. But if you wanna be like blue team or just have general knowledge, then CEH, is that what you're saying?
- Right or maybe if you're running like purple team where you're, you're kind of doing blue team and Red Team things, that's, that all of that is encompassed under your job description or that's your role in some way, shape or form, where you are the person that is not only responsible. Well, ultimately people have to understand that Red Team's job is to, what's the word I'm looking for? To make the blue team capabilities more robust, right?
Help them, help them find the flaws in what they're doing so that they can shore those up, make it stronger, make it faster, make it leaner, meaner, and tougher for the adversaries out there that are looking to get into their systems. It's fun to pop shells. It's fun to hack through a system, but at the end of the day, that's not my job as a Red Teamer. As an offensive, as a pen tester, as a vulnerability assessor, that's not my job. My job is to find the weaknesses in a system, find out whether or not they're exploitable. Then go back to the people that built that system and say, hey man, I've found some weakness in your fence here. Let me show you some ways in which we can make that work a whole lot better. So the guys like me, can't fire (mumbles) maybe, might find their way through that at the end of the day. And I've said this in conferences, I've said this on countless different ways. At the end of the day, Red Team's job is to make blue team win. Blue team eventually should be winning the game. Because if it's not--
- I like what you said there.
- We have to think about these things more philosophically than we do
- Because everyone's like, I wanna hack, I wanna hack but I mean, end of the day what pays the bills or get you a job is to protect a company in a lot of care. I mean, obviously there are exceptions but most jobs are protecting companies. I liked the way you put that down.
- What is the value that you bring to the company? I always tell people like, if you're going Red Team side of things, what is the deliverable? The thing that the company, let's say, you're a, let's say you're a pen tester and you've been hired to do an engagement. What's the deliverable at the end of that engagement? It's a report or what's in that report. Here's your weaknesses, here's how we did it. Here's how you fix it. If you need help. You know, maybe that was a part of our agreement. If it's not, we can bolt that on and come in and help at the end.
Maybe even do a reassessment to verify that those security controls are now working, right. This is the job of a pen tester, this is what they do. This is their purpose in life. Red Team, real true Red Team engagements are to kind of even go further than that as far as like, we are going to be basically become a specific type of threats. We're gonna model ourselves after base off of your organization. And we are gonna act as a true APT against your company and see if we can't make some way so that you can better threat model what might actually come down your way, your way, and again for the sole purpose of the blue team eventually winning the game. So if you think, if you think that, Oh I'm gonna get into Red Team 'cause I like hacking. Yeah, it's super awesome, and it is fun to do but that is a small subset of what you, what you do in the entirety of the business. So do you need to know hacking stuff? Do you need to learn those hacking skills? Absolutely, is that fun? Absolutely, it is so much fun, but if you just want to have a good time and know some hacking stuff, cool, welcome to the community. You'll grab a CTF, sign up for Hack The Box and have a good time and enjoy hacking and popping shells. You can just totally do that. And then maybe as you mature in your understanding of what that does and how you can play that, maybe you then start to move toward that side of things. And as you see, I go, Oh, you know what? I think I could be a real asset to a company. If I was employing these skills that I've learned or these certifications that I've gained you guys. I always think of them as a challenge, right? I wanna challenge myself. Let me take, let me take some training. Let me see if I can get a cert. If I didn't at the very end of the day, did I at least learn something? Did I take something away from that? Did I improve myself? Did I make myself more marketable if that's what I'm trying to do?
So I didn't gain the certification, I gained a lot of experience. I can make that experience a part of my resume. I need to be doing things that aren't certification related as well. Like Hack The Box.
- I wanna push on that. 'Cause you mentioned Hack The Box and stuff. So what's your opinion on cert versus Hack The Box and you know, TryHackMe stuff like that. Some people are like really focused on certs. Are you saying like you should do certs and that all, how would you spend your time basically?
- Yeah it is a both-and, I would say, A, because you can get burned out when you're working on certifications, you're gonna kind of bounce in and out of either side of that coin, where you're going to be like, okay, I gotta work on my certification. So I gotta carve some time out. I wanna get this cert, it has some value in the, in the industry. So I wanna do this as a profession. So I'm gonna get that cert. So I'm gonna spend some time working on gaining the knowledge I need to gain that cert. Depending on the certification you're working on, doing things like Hack The Box, TryHackMe, VulnHub, whatever, can help make that learning experience a true practicum, something that I've not only engaged in with my head but with my person, I've done it. I've got experience in it. It might not be a true representation of a real world but it was challenged. I had to apply the knowledge in a real way and use that. So they can definitely bolster themselves out. A lot of times I find myself jumping back over to doing things like TryHackMe or whatever because it's fun. Right? It's, it's kind of a go back to the idea. I like hacking 'cause it's fun and let's just have a good time. And you know what I find what happens is I learn a ton of stuff out. I do a new challenge, the new, maybe a new box drops on Hack The Box.
And I go, oh, I gotta do some googling here and all of a sudden I'm taking all those methods that I learned in a, maybe a certification training and I'm applying it to trying to hack to this. And now I'm taking the experience that I learned there, I'm going back to my certification goal, Oh that's where this, okay. And everything starts to work together. So a lot of times, again, going back to the Red Team idea that yeah, these things are great partners that they go together like chocolate and peanut butter a lot of times. There are so many of these great resources where you're able to take that--
- You must be an American.
- Oh yeah.
- Chocolate and peanut butter.
- Have you had it? It's awesome.
- No, no, no I'm just kidding but I mean, that's great. So I mean you basically, those two go together, yeah?
- Yeah. Like certs and the practical stuff.
- And not only that.
- Sorry I interrupted you. Go on.
- No, I was gonna say, well, I like where you're going with that because it brings us back around to the idea of it's let me put this way. I'm, I go for a job, right? I apply, I've got a cert. Put the cert of choice in that ball. They go, cool, that's great. What else you got? Well, I got the cert.
- Okay, but you know, what are you doing to show me that--
- You can actually do it.
- Right, this is something that you're engaged in. Something that, like a lot of people can just hunker down and go I'm gonna go get a cert. Ingest that information, go take the certification, get the cert and now, now what? You know, the people out there that I'm seeing are like, before COVID hit and we were able to actually go face to face and conferences and do some meet and greet and talk, and even still now, in the digital way in which we interact, you see the people, they like certs. It helps with, like you say, the HR gatekeeping to get the right people in front of the right people. But at the end of the day they wanna see the aptitude.
They want to see the passion because they know
- Yeah, the passion, the love for it.
- Right, that person is gonna be a phenomenal employee. All you gotta do is give them the resources that they need and get out of their way and let them do the job and you're going to be so happy that's what you did. So put them with somebody that's been doing it for a hot minute. They know the ins and outs of the work. Hey, here's the new person, they're gonna shadow you for the next month. And you're gonna help them get up to speed. And that's honestly, that should be just about any job, right? You need to work under someone that knows what they're doing because everything's new to us at one point in time. But understand the concept. You might've even done some of it before but it doesn't mean that's necessarily how we do it here, right? You might need to just understand their workflow and do it what they say, that's how they like it done. That's cool, go get that done. Work under somebody, I like that mentorship model even if you're trying to just learn. Somebody that has walked those steps ahead of you is, you'll come to find most people are more than happy to share that knowledge with anybody that is passionate, shows a true interest and willingness to do the hard work that's and that's another really great--
- But you make a good point about, you know, you mustn't just take any job. I mean, unless you have to, I like that thing about, you don't wanna be the cleverest guy in the room.
- Oh no.
- Or girl in the room. You wanna be the person that's a few steps below so that you can learn from others around you.
- Yeah, I wanna grow myself.
- By mentorship yeah,
- Yeah, no you're fine. I wanna grow myself. I'm not the smartest guy in the room in a lot of places. Sometimes I am, sometimes I'm not. And when I am, I'm trying to give that knowledge to other people.
Like if you come to ITProTV--
- Sorry Daniel, I wanna take you back to the certs 'cause you, you gave us like sort of two parts like eJPT for Red Team, CEH is like gatekeepers slash you know more generalist type of knowledge. Are there any other certs? 'Cause I also wanna push you on Security+ and PenTest+ but I mean what would you, so let's start with that. What about those certs? Would you recommend not doing those and just going straight to eJPT, CEH and then what comes after like OSCP perhaps but let's start with, you know, Security+, PenTest+. Sorry, I wanna push you because it's nice to get someone of your knowledge and like put you in the hot seat if you like.
- Oh yeah, yeah, yeah, heat it up. Light the fire, right? So I think that we find ourselves trying to focus in and say, which one, it's not which one, right? It's how do I get all this? Because Security+ has, like Security+ is an 80 8570 compliant for the DOD in the United States government. That will get you in the door of a lot of government work. Just having Security+, if you're in the military and you need to be able to do X, Y, or Z job, that is a KSA. Right?
- And it's cheaper than CEH, isn't it?
- Yeah by far, oh my goodness.
- And it's easier, I suppose, because you don't have to, like 3000 pages or whatever you have to learn
- Yeah it's still pretty good body of knowledge but yeah. It's nowhere near the tome that is CEH, but I don't just want security. I want Security+, I want PenTest+, I want CEH, I want eJPT, I want them all, right? They're like Pokemon to me. You gotta catch them all in because it makes me more marketable. The more that I'm doing, the more that I'm engaged with the community and if that be through certification showing my passion because I don't wanna have an air of arrogance like a Security+ it's beneath me, right? It could apply. That might be the thing that gets me the job. Maybe they're like, oh man I got the Security+ I know what that is, all right let's bring them in.
You know--
- I like what you said. I mean, it's, I mean, my counter to you would be time and money, time and money.
- Time and money do play it yes, time and money.
- So, you know, that's why I'm kind of pushing you. Like, you know, if I'm short on time, short on money,
- Short of time, short of money.
- Which do I go?
- I would go eJPT 'cause it's relatively inexpensive by far less, it's like half as expensive as CEH. It's very geared toward pen testing. So if that's where you wanna go, that's perfect. And would do fine for you if you were wanting to, if you had to be that security person and know something about the offensive side of things it would be just fine for that as well. PenTest+ also another very viable, alternative, very strong showing. Let me put it this way. I didn't hate taking the PenTest+ certification exam.
- (laughs) But you loved eJPT
- I love the eJPT, but I didn't hate PenTest+, I thought it was a great especially for their first foray into offensive security Red Team side of things. I thought it was a very strong showing for them to come out of the gate with that. Did a great job. I think it's a very practical exam even though it's not a practical exam.
- So which would you choose, a Security+ or PenTest+? Sorry to keep putting you on the spot, it's just time and money you know, give me, give me, give me like just your opinion.
- If I'm just starting out, I would go Security+, if I was, if I had some, some time in the grass, I know a bit security. You know, maybe foundationally, I would go PenTest+. If I, you know, I might not have had a security certification but I've kinda messed around with it, I know a bit about it. You probably got the wherewithal to jump into a PenTest+ and be successful.
- Okay, here is a nasty question. I'd like to ask this question, so get ready.
- (chuckles) I like it.
- (laughs) What is the best cybersecurity ethical hacking certification? Like if you only could pick one, what would you pick? Is it OSCP?
- That's a tough one. So OSCP has a lot of positives. OSCP has industry recognition, HR gatekeeping kind of idea going behind it. It's very practical, I say very, it is practical. It's probably a top of the entry-level, bottom of the mid tier, just from my experience what I've seen, a lot of people consider OSCP to be an entry-level certification, it is--
- It is interesting that people say, I've heard that as well. People say it's like, entry-level mid-level. I mean, it's not something you would recommend as your first cert, is that right?
- Yeah, I wouldn't recommend it for a lot of people's first cert. It would depend on the person if I was going case by case but generally no. You do need to understand a lot of, they assume a lot of knowledge right at that point. So, and then you get to the exam itself and the exam itself is--
- Is a beast.
- Well, it's a beast because it's a big puzzle, right? It's, it's five big puzzles. One of the exam boxes. This is all well-known information from us. So I'm not giving away their secret sauce or anything but there's going to be a buffer overflow challenge that you have to create a very basic exploit, couple of twists and turns in there that anybody that just sits there and think, but most of it is designed to be kind of like a CTF. And CTF are basically like, little hacking puzzles. And it can be like wicked frustrating, especially when you're under a time crunch and you're like, you've spent some money. You don't wanna fail. So that's probably the negative aspect of the OSCP. You, it's a rite of passage almost at that point because it was a really hard thing. You stuck your hands in the, in the bullet ant mitts and you didn't scream for 24 hours and you came out and you did it, good for you, you know? So that's why it's kind of respected. They have started to, they had at one point a real issue with them being relevant and their relevancy, they've--
- Like guys were saying it was outdated, yeah?
- Yeah, it was outdated a bit and I think that they've since kind of updated things and tried to bring it up more to speed what's going on with relevancy. What was definitely one of the things I liked about eJPT it was very strict. It wasn't a CTF. It was, here's basically what may very well be what it looks like for you on your first pen testing engagement. - They've got a web application, they got this, they got that and you've gotta try to use these skills that we've taught you answer questions that only you will be able to answer if you did it correctly, right. - I like that. So it's not like, what I don't like about the CTF thing is they're trying to catch you out. Whereas this sounds like it's more like perhaps like what, like you said you'd encountered in the real world, you have certain tools. It's not like just to try and it's not a gotcha or trying to get you. - A lot of exams are trying to, or at least it seems like it to me. - Trip you up, yeah. - It was like they're trying to test you on how well you take a test. - Yeah which is pointless. - Which is that's, this is not the job. The job is, do you understand these technologies? Are you familiar with X, Y, or Z tool? Maybe not to the, you know maybe it's just a basic familiarity. Maybe it's a little more in depth that you understand the switches and where you would use different things within that tool set to accomplish a goal and that's fine. But don't make it to where it's like was it port, you know, 8839 or 8838? Oh - That's why we have Google, all right, come on-- - Right, it's exactly right, that's why we have Google. That's why I'd love to see all certifications. Just be practical at one point with here's a Google screen, here's the machines. If you can do the job then you can do the job. - So I need to, I need to push you because I've got like this loop that I have to close. If you could only choose one cert, what would it be? And I'm sorry to push you it's just your opinion I think.
- Yeah, just my opinion. - What would you choose? - Man. - You're stuck on an island, the only way off is to choose one cert. What would you choose? - If I'm gonna go with one cert, I'm gonna go eJPT. - And that's interesting. - I think eLearnSecurity has really done the right thing. Like their philosophy on the certification. - I'm amazed that you didn't say OSCP. - I don't say OSCP because, well, there are so many different factors that you have to kind of boil it down to. I'm gonna try to cast as wide a net as possible and OSCP-- - You know, I mean, Daniel, it's your opinion and you can say whatever you like. - OSCP to me does not cast that net. It's a much more, right? And as you move up the rung, even in eLearnSecurity, those nets are gonna get smaller and smaller and smaller. You're working on very specific skill sets for and having a very broad prerequisite set of skills so that you can move into that. So the focus starts to narrow as you move up in difficulty and things of that nature. So OSCP to me is a little more like if you had eJPT, that will be a great precursor to moving into the OSCP and then taking OSCP exam and going, okay, I'm not starting from jump street and trying to work my way up. So again, if you're trying to hem me into a path, I would go something like, I would say something like Security+ then maybe like CEH or PenTest+ and then eJPT, if I'm building a perfect world here and then OSCP, and then back to like eCPPT, then maybe back to OSCE, that kind of stuff and starting to work that way in them in eWPTX the extreme web or they've got the, there's so many they've got these acronyms are crazy. (chuckles) - You're talking about like the OffSec, like the wireless stuff yeah. - So they, they have wireless and then eLearnSecurity, has their Penetration Tester eXtreme version two. I think it's the latest version, which is extremely hard. You've got like a GPEN. Do you think about SANS?
They have certifications as well at the, what I-- - Yeah, it's tough because I mean like I'm pushing it. - It is. And when you start talking about the value. I think that's the real-- - Yeah what's the value, yeah? - Is the certification is gonna have some value itself. But the real to me, right? This is my opinion as Daniel, take it or leave it. To me, the real value comes in the training and the experience you get with that training. And that's why when I teach CEH, one of the major things I heard and experienced when I took CEH was man, they just, they turn a fire hose on and they hammer you with all this theory and concepts and tools and you've got to just all this stuff. And then I'm like, oh, someone turns around and says "Now you teach CEH?" and I go okay, well now that it's my baby, I'll do it the way I want. I'll do it the way I think would be most effective. And that's why when you watch my CEH class, it's not just a fire hose and a deluge. We're gonna get our hands dirty. We're going to apply these things. I also have like, you know, methodology classes like I built a hands-on hacking series where, hey, let's take all those things we learned in CEH or that maybe we're getting ready to take CEH or OSCP or eJPT or whatever certification that's on that Red Team's side of things. And let's see how we work our way through this. Let's build a good methodology that's gonna help us be successful in those exams. So then, they apply to everything instead of just, Oh this is the CEH training. You take my PenTest+, it's gonna be the same thing. I'm not just gonna say, well, here's the problem with SQL injection is that you're allowing the execution of transact SQL in the back end through (mumbles) and these mechanisms. Not that you don't need to know that we go through that. And then I go, now let's do it. Let's, spin something up. Here's my web application right here. And yeah, this is fun. Here's the one you'll see one equals one. I'll look, that worked.
But how do we get the database? How do we get, how do how do we make this a little, a little more? Okay, let's keep going down the rabbit hole. Let's start with, how do I find a SQL injection? How do I exploit a SQL injection? How do I use SQL injection to gain access to the database? How do I use that access to then gain access to the system itself? Maybe getting even a shell back from the system all through one concept, which was SQL injection. - So just to make sure I understand that's a course that you've created. That's part of ITProTV, yeah? - Yeah absolutely yes. - And what is it called again? - That would be CEH. - Oh, that's CEH. - Yeah we do that in PenTest+ my-- - So in other words, you you've taken the, sorry to interrupt you. You've taken the, the certs like PenTest+ or Security+, or CEH and you've kind of like made it practical if you like and that you you're demonstrating stuff rather than just talking about it. I've looked at some of the security stuff, like Security+ and like the books and some of the materials out there. And it's like, just concept, after concept after concept. It's like, after like an hour of that, you like spat out your mind. So I'm really glad to hear what you've done. - Yeah, you know, that came from me having the exact same experience as that going. I cannot stay engaged with this. This is-- - Death by PowerPoint. - Oh man, We've all been there and we've all had to come back from the blink of like going huh, I'm ready to just toss in the towel. This is, this is not fun. - It's terrible, yeah. - Right, why can't it be fun? Why can't it be, hey, run over to VulnHub grab this vulnerable machine and let's do this stuff that we're talking about here. (upbeat music)
Info
Channel: David Bombal
Views: 66,103
Keywords: ethical hacking, ethical hacking course, ethical hacking career, cyber security, ethical hacker, hacking, hacking course, hacker, ceh, oscp, cissp, ccna, itprotv, itprotv review, cehv10, learn ceh, ceh v10, ceh exam, certified ethical hacker, ceh practical, ceh certification, certified ethical hacking, hack, cybersecurity, kali linux, black hat hacking, learn ethical hacking, computer hacking, learn hacking, comptia, ethical hacking tutorial, oscp certification, ctf, aws full course
Id: 7BaYLX1MYBQ
Length: 40min 5sec (2405 seconds)
Published: Sun Feb 28 2021