<p>WhiteWinterWolf.com - career (https://www.whitewinterwolf.com/). EC-Council CEH certification review, by WhiteWinterWolf, published 2017-10-04, updated 2017-10-06 (/posts/2017/10/04/ec-council-ceh-certification-review/).</p>
<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
The <a href="https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/" rel="external" title="CEH certification homepage (EC-Council)"><abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> Certified Ethical Hacker</a> (<span class="caps">CEH</span>) is a technical
certification on penetration testing.</p>
<p>While being oriented toward technical people, the certification itself
goes lightly on the practical side and insists instead on having a broad
general culture.
This certification covers definitions, concepts and tools, with a strong
focus on ethics.</p>
<p>This certification never goes really deep into any subject, but instead
attempts to cover the widest possible range of topics related to pentesting.
Examples of covered topics include cryptography, regulation and compliance,
operating systems (client, server and mobile systems are all covered),
networking (including wireless networking), procedures, code review,
physical security, social engineering and, last but not least, ethics.</p>
</li>
<li>
<p><strong>When</strong>:
This certification has no prerequisite (two years of experience in <span class="caps">IT</span>
security lets you skip the training requirement, but subscribing to an
approved training removes any experience prerequisite).</p>
<p>It is suitable for anyone interested in computer security.
People with really no prior knowledge on computer security may find
themselves lost at first in the large number of topics covered by this
certification.
This just means that they will require more time to study, and progress
step-by-step.
With some effort, even complete beginners on the topic should be able to succeed.</p>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates a strong general culture on penetration
testing, the offensive side of <span class="caps">IT</span> security.</p>
<p>This certification however has little to no value in demonstrating
practical abilities (on the other hand, more practical certifications cannot
cover such a wide range of subjects).
This is not a problem for entry-level jobs where no practical experience is
expected, however for more advanced levels a complementary certification may
be useful.</p>
<p>For <span class="caps">US</span> people, this certification is part of the list of the
<a href="https://iase.disa.mil/iawip/Pages/iabaseline.aspx" rel="external" title="DoD Approved 8570 Baseline Certifications (IASE)"><abbr title="Department of Defense">DoD</abbr> 8570.01-M</a> approved certifications, so it may open
some doors for you with some government entities or contractors.
If you intend to use it just as a label on your resume, you may want to
compare the cost of a <span class="caps">CEH</span> with other certifications: it may or may not be
the best choice depending on your specific situation and needs.</p>
</li>
<li>
<p><strong>Who</strong>:
This certification is mostly useful for people entering the field of <span class="caps">IT</span>
security and people regularly manipulating security-related tools or
issues and wanting to deepen their knowledge from an offensive point-of-view.</p>
<ul>
<li>
<p>People entering the field of <span class="caps">IT</span> security, either as a pentester or in
another role, will obviously directly benefit from the general culture
built by this certification.</p>
<p>People already with a few years of full-time work in the <span class="caps">IT</span> security
field may not benefit the most from this certification.
While it may help to fill some weaker areas, specialized certifications
focusing on identified weaknesses may be a better investment.</p>
</li>
<li>
<p>People regularly manipulating security-related tools or issues, a
typical example being system administrators, also benefit from this
certification by gaining knowledge of the offensive side of <span class="caps">IT</span> security.</p>
<p>This is a topic which is rarely covered in usual system and network
security certifications, but is mandatory in my opinion to have
a sane approach to security and risk evaluation.</p>
<p>As <a href="https://en.wikiquote.org/wiki/Sun_Tzu" rel="external" title="Sun Tzu (Wikipedia)">Sun Tzu</a> once wrote:</p>
<blockquote>
<p>If you know your enemies and know yourself, you will not be imperiled
in a hundred battles… if you do not know your enemies nor yourself,
you will be imperiled in every single battle.</p>
</blockquote>
<p>I just feel sorry for all those system administrators and <span class="caps">IT</span> managers
who rely solely on vendors’ marketing discourse to make their
decisions.
They may tend to spend sometimes huge amounts of money and effort on
things which will only marginally improve their security posture, while
leaving vulnerable entry points wide open either because they are less
profitable to their vendors or because they are too specific to appear on
automated security assessment dashboards.</p>
<p>This certification allows one to get a more critical point-of-view on things
that really matter in terms of security, and better challenge vendors
to get the most out of their offerings.</p>
</li>
</ul>
</li>
<li>
<p><strong>Where</strong>:
The <span class="caps">CEH</span> exam can be taken in any Pearson <span class="caps">VUE</span> or Prometric test center.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If you cannot justify more than two years of experience in
<span class="caps">IT</span> security (and if you can, as stated above, you may want to double-check
if this certification is indeed the most appropriate for you), you must
subscribe to an official training to be eligible to take the exam.</p>
<p>See the <a href="#mandatory-training">mandatory training</a> section below for more information.</p>
</div>
<p>The exam cost has considerably increased since I took it myself.
The exam itself now costs around <a href="https://store.eccouncil.org/product/ceh-vue-exam-voucher/" rel="external" title="CEH VUE Exam Voucher (EC-Council store)">$1000 <span class="caps">USD</span></a> (since <span class="caps">CEH</span> v9;
<span class="caps">CEH</span> v7 and v8 cost was $500), add to this a non-refundable eligibility
application fee of $100, but all this is usually bundled in the price of
the nearly-mandatory training you must take.
All people certified after January 1st 2016 must also pay a
<a href="https://store.eccouncil.org/product/ece-membership-fee/" rel="external" title="ECE Annual Membership fee (EC-Council store)">$80</a> annual membership fee to keep their certification.</p>
<p>The exam itself is composed of 125 multiple-choice questions you must answer
in 4 hours.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The exam conditions vary depending on where you take the exam.
See the <a href="#examination-process">examination process</a> section for more information.</p>
</div>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>If you are already familiar with offensive security, then you will need little
to no practice for this exam.
Personally my only practice was for the <abbr title="Open Source Intelligence"><span class="caps">OSINT</span></abbr> part, which introduced me to new
tools and techniques, but this is a very minor point and took, all in all, a single afternoon.</p>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> provides you as part of the official courseware a huge archive
containing 40 <span class="caps">GB</span> of Windows software (6 DVDs for the disc-based version).
Personally I never used them and have no use for them either (well, there was
a 3-minute video about Kevin Mitnick, this was the only file usable on my
Linux box and that I bothered to open).
Even if I need to work on a Windows machine, I think I would prefer to download
the latest version of a given software directly from the project website rather than
use a potentially outdated version from such archives.</p>
<p>Nevertheless, people not familiar with offensive security will find in the
<span class="caps">CEH</span> curriculum material for a lot of practical exercises, as numerous
tools and techniques are mentioned in the curriculum.
In such a case, if nothing else the archive is at least a safe way to ensure that
you have access to the software described in the course (even though there is
sadly not a 1:1 matching between the software mentioned in the course and the
software available in the archive, and the software available in the archive
may not be up-to-date).</p>
<p>Unless explicitly mentioned, the <span class="caps">CEH</span> exam won’t test you on any advanced
feature of the mentioned tools.
What is important is to know their name, when and how they are most commonly
used and how they work internally at a high level.
Corner cases are usually off-topic.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>As stated in the <a href="https://cert.eccouncil.org/application-process-eligibility.html#ceh" rel="external" title="CEH eligibility criteria (EC-Council)"><span class="caps">CEH</span> eligibility criteria</a>, if you cannot justify
more than two years of professional experience in an <span class="caps">IT</span> security job, you
<em>must</em> buy training from an <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> partner to be eligible to take the exam.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Buying the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> official courseware does not count as an official
training.
The eligibility criteria page may seem confusing about this, but this is
(a bit more) clearly stated in the <a href="https://store.eccouncil.org/product/cehv9-courseware-im/" rel="external" title="CEHv9 e-Courseware Only (EC-COuncil store)">courseware</a> page (emphasis is mine):</p>
<blockquote>
<p>Exam voucher is not included.
<strong>Students must apply for eligibility before purchasing exam voucher.</strong>
Please check the eligibility criteria</p>
</blockquote>
</div>
<p>This is not a question about your current skills and knowledge, this is not a
question about your sense of organization allowing you to reliably
self-study from books.
In my opinion this is a question of <em>business</em>: it is the way for the
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> to bring guaranteed customers (and money) to its partner training companies.</p>
<p>Fortunately, several companies provide affordable e-learning courses that
satisfy these prerequisites.
So the most affordable route to the <span class="caps">CEH</span> exam is to study from books as you
would do for any other exam, and then subscribe to such e-learning courses to
satisfy the exam eligibility conditions.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>E-learning offers are often sold by period of time.
Self-learning on your side before starting the e-learning program allows
you to ensure that you won’t need to renew or buy training time extensions
which may often be very expensive.</p>
<p>I suspect that some training providers have a business model where they
sell one-month (for instance) e-learning training sessions at a very low
price to attract customers, with the assumption that no student will ever
be able to go through the whole <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> curriculum in such a short time, so
they will be able to fund themselves by selling overpriced time extensions.</p>
<p>A <span class="caps">CEH</span> exam is very expensive when you have to pay for it out of your own pocket
(even more so now; personally I’m not even sure I would do it now), so you may
want to act wisely.</p>
</div>
<h5 id="self-study"><a class="toclink" href="#self-study">Self-study</a></h5>
<p><span class="lb-small"><a href="#books.jpg" id="books.jpg-thumb" title="Click to enlarge"><img alt="Recommended self-study books" src="https://www.whitewinterwolf.com/posts/2017/10/04/ec-council-ceh-certification-review/books.jpg"/></a></span></p>
<p>The books by <a href="https://www.amazon.com/Certified-Ethical-Hacker-Guide-Third/dp/125983655X/?tag=electronicfro-20" rel="external" title="CEH Certified Ethical Hacker All-in-One Exam Guide, Third Edition (Amazon)">Matt Walker</a> (<em>All-in-One</em> series) and
<a href="https://www.amazon.com/CEH-v9-Certified-Ethical-Version/dp/1119252245/?tag=electronicfro-20" rel="external" title="CEH v9: Certified Ethical Hacker Version 9 Study Guide (Amazon)">Sean-Philip Oriyano</a> (<em>Sybex</em>) are safe choices for your studies.
I recommend buying both as they complement each other well.
Which one you will use as your primary study material is left to your choosing.</p>
<p>Personally I spent more time with Matt’s book as it is written in a
more enjoyable style, with personal anecdotes scattered throughout the book.</p>
<p>Sean-Philip however goes deeper into background information, which
comes in particularly handy in areas where Matt’s book may be lighter (like
cryptography or wireless networks), but Matt provides some information missing
in Sean-Philip’s book.
Moreover, having two books is useful when you want to double-check an
“<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> approved” definition.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Beware of technical terms and definitions when studying for the <span class="caps">CEH</span> exam.
Some may reflect <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s own opinion on a specific matter more than a
universally accepted position.</p>
<p>In such cases the <span class="caps">CEH</span> exam is not about what <em>you</em> think.
It is testing whether or not you know <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s own position on the matter.</p>
<p>The books mentioned here are well written and do not refrain from
highlighting such discrepancies between the <span class="caps">CEH</span> curriculum and the usual
field practices.
Their ultimate goal is indeed not to make you become certified but to make
you become a reliable professional.</p>
</div>
<p>Matt’s book also comes with a free <em>.pdf</em> version of the book.
I found it especially useful for quickly searching the book for any
random term.</p>
<p>Now both are also available in bundled versions providing more exam-like
questions (see <a href="https://www.amazon.com/Certified-Ethical-Hacker-Bundle-Third/dp/125983753X/?tag=electronicfro-20" rel="external" title="CEH Certified Ethical Hacker Bundle, Third Edition (All-In-One) (Amazon)">here</a> and <a href="https://www.amazon.com/CEH-v9-Certified-Ethical-Version/dp/1119314003/?tag=electronicfro-20" rel="external" title="CEH v9: Certified Ethical Hacker Version 9 Kit">there</a>).
When I passed my exam only Matt’s book offered this; I took advantage of
it and was happy with the questions.
However, depending on the mandatory training offer you subscribe to, this
may be optional.</p>
<p>Books’ questions do a great job in allowing you to thoroughly test
your knowledge and detect weak areas, but they are not actual <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s
questions.
I strongly recommend also getting your hands on questions from old exams; depending
on the formula you subscribe to, you may get them as part of your mandatory
training (after having signed a non-disclosure agreement, of course).
They will help you prepare to better handle <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s sometimes
odd questions and phrasing.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Also get a book on Metasploit.
I would recommend it even if you already know how to use it:
a lot of people only know the features they commonly use and ignore the
existence of certain other features.</p>
<p>Matt only very briefly presents it, Sean-Philip doesn’t even mention it
(according to the index), and you will most likely get questions on it in
your exam (mainly about features and names).</p>
<p>I bought <a href="https://www.amazon.com/Mastering-Metasploit-Nipun-Jaswal/dp/1782162224/?tag=electronicfro-20" rel="external" title="Mastering Metasploit (Amazon)">Mastering Metasploit</a> by Nipun Jaswal which provides a
good introduction to everything you need to know on Metasploit, but other
books may also be fine.</p>
<p>As with anything else, there is no requirement of any practical experience
with Metasploit to pass the exam, so simply reading the book once should be sufficient.</p>
</div>
<h5 id="mandatory-training"><a class="toclink" href="#mandatory-training">Mandatory training</a></h5>
<p>The cheapest <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> approved training formulas may be quite bare-bones.
As with any official training, you will be provided with:</p>
<ul>
<li>The 40 <span class="caps">GB</span> archive of Windows software I mentioned in the
<a href="#building-a-lab">building a lab</a> section.</li>
<li>A set of more than 2000 slides in <em>.pdf</em> files (in fact
<span class="caps">DRM</span>-protected 1-year limited <em>.pdf</em> files readable only on Windows hosts
allowing connections to a non-standard, potentially firewalled port to
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> servers to validate your right to open the file).
While these files may be usable very occasionally to confirm <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s
official position on certain topics, I consider them unusable for self-learning.</li>
</ul>
<p>Depending on your formula, you may also have access to some kind of forum or
chat to ask questions to a trainer, and you may also have an option to get
access to exam-like questions.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If your e-learning formula offers exam questions as an option and at
a reasonable price, seriously consider subscribing to it as it may be a
very good investment.</p>
<p><span class="caps">CEH</span> questions and expected answers may sometimes seem… odd.
Official training partners usually have access to genuine <span class="caps">CEH</span> questions
from past exams protected behind an <abbr title="Non-Disclosure-Agreement"><span class="caps">NDA</span></abbr>.</p>
<p>These exam questions were the highest value I got from my mandatory
training, and these questions helped me far more than the questions
available in published books (they are good to test your knowledge, less
good to prepare you against <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr>’s specific tricks).</p>
</div>
<p>When choosing a training, you must make sure:</p>
<ul>
<li>
<p>That it is an official training counting as a replacement for the two
years of experience requirement.
Don’t assume it, as some training providers may use ambiguous marketing
buzzwords and logos; contact them and check this explicitly.</p>
</li>
<li>
<p>Check whether or not the exam voucher is included in the training
price.
Either way is good, but the exam voucher alone is around $1000 <span class="caps">USD</span> so
you must take this into account when comparing training prices from
different providers.</p>
</li>
</ul>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The <span class="caps">CEH</span> curriculum is very wide, and successfully allows one to build a general culture
in a large number of domains.</p>
<p>It is light regarding practical training but I think this is intended and, as
long as it is expected, I don’t consider this a negative point:</p>
<ul>
<li>
<p>The curriculum is designed to teach a body of knowledge not only for actual
pentesters but also for people more remotely involved with <span class="caps">IT</span> security like
system administrators for instance.</p>
<p>People planning to become pentesters usually already have a practical
knowledge that system administrators (to keep the same example) may not
have.
I therefore consider it normal that they may consider this certification to
be weak from a practical point-of-view: it simply targets a wider
audience than pure <span class="caps">IT</span> security experts.</p>
</li>
<li>
<p>Due to the wide range of domains covered, entering into the details of each
domain would make the <span class="caps">CEH</span> curriculum size grow exponentially while
answering no real need as no one needs a detailed knowledge of everything.</p>
<p>This certification provides a strong general culture.
When a topic requires further digging, closer study can be done as the
need arises, either as part of a personal technology watch or as part of
another, more focused certification.</p>
</li>
</ul>
<p>This certification has a strong focus on learning definitions and software
names.
While I understand the need of definitions to establish a common language, and
the need of software names to be able to invoke the right tool for a given task,
the <span class="caps">CEH</span> curriculum pushes this either too far or not enough, I don’t know, but
the software names part in particular left me with a very uncomfortable feeling.</p>
<ul>
<li>
<p>Either there is a list of software that any security professional is meant
to know.
In such case, the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> should publish this list as part of the <span class="caps">CEH</span> curriculum.</p>
<p>Currently the names of several hundred tools and websites (URLs) are
mentioned, most often only once and given in an informal example,
scattered over the 2000+ official slides.
However, each tool and website name may be equally testable.
I don’t see how one is expected to study this.</p>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> should publish a standalone index of well-known security
tools and reference websites.
This would both make studying easier, and allow the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> to put a
stronger focus on the tools and information sources that <em>they</em> consider
essential for the profession.</p>
<p>This would be a win-win.</p>
</li>
<li>
<p>Otherwise questions about software and site names should be made less frequent
so that they carry less weight in the final score.</p>
<p>I passed the <span class="caps">CISSP</span> exam too, another certification which follows a similar
“general culture” goal as the <span class="caps">CEH</span>.
The <span class="caps">CISSP</span> also mentions some tools and websites as part of the curriculum,
but very few so our attention can remain focused on actionable information,
and there are really few questions about such names during the exam as this is
not considered major knowledge.</p>
<p>Simply knowing a set of names doesn’t make you a greater practitioner in the field.</p>
</li>
</ul>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<h5 id="questions-quality"><a class="toclink" href="#questions-quality">Questions quality</a></h5>
<p>While for all the <a href="/tags/certification" title="See other certification articles">other certifications</a> I covered until now I always
began this section by stating <em>“the question are clear and non-ambiguous”</em>,
I won’t do this here.</p>
<p>A noticeable number of <span class="caps">CEH</span> exam questions are definitely unclear, ambiguous,
out-of-nowhere or the expected answer may be dubious if not plain wrong (see
this <a href="https://security.stackexchange.com/q/170274/32746" rel="external" title="Is the site wrong about an ethical hacking question or am I? (Stack Exchange)">example</a>).
Expect to lose 10-15% of your total score on such questions: as it is random
it may be less, but it shouldn’t be more.</p>
<p>While being a significant number, this shouldn’t however prevent you from
successfully passing the exam, just don’t expect to ever reach 100% either in
realistic trainings or in the final exam.
While in training just ensure that you consistently get at least 85% of
right answers, and you should be fine for the final exam.</p>
<h5 id="examination-process"><a class="toclink" href="#examination-process">Examination process</a></h5>
<p>The examination process varies depending on the location where you pass the exam:</p>
<ul>
<li>
<p>Prometric test centers deliver exams in conditions similar to common
trainings: 125 questions, 4 hours, with the
possibility to review previous questions at any time.</p>
</li>
<li>
<p>Pearson <span class="caps">VUE</span> test centers divide the exam into several sections, following
the <a href="https://www.eccouncil.org/wp-content/uploads/2016/02/CEH-Exam-Blueprint-v2.0.pdf" rel="external" title="CEH Exam Blueprint v2.0 (EC-Council)"><span class="caps">CEH</span> Blueprint</a> sections.
The sections come in random order.</p>
<p>The 4 hours are divided between these sections proportionally to the number of
questions; the shortest time is for the <em>Ethics</em> section, where the three
questions must be answered in less than 5 minutes (it is really scary when
you are not prepared for this! Moreover <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> “ethic” questions may
be really confusing at times…).</p>
<p>To make matters worse, the time not used for a previous section is <em>not</em>
added to the following section.
Let’s say that you had 30 minutes left in a section and the next one will
be the <em>Ethics</em> one, the timer still starts at 5 minutes, in bold orange
warning mode.</p>
<p>Lastly, while you can review previous questions from the current section,
you cannot review previously validated sections.
Each section behaves as an individual exam.</p>
</li>
</ul>
<p>Needless to say, the Pearson <span class="caps">VUE</span> examination process is far more stressful
and less convenient than the Prometric one, in particular when you are not
expecting this (I didn’t find this documented anywhere) and are wondering
during the whole exam if you are facing a bug or if it is normal (and it is
indeed “normal”, one of the many surprises awaiting the <span class="caps">CEH</span> students ;) !).</p>
<p>At least, dear reader, <em>you</em> are now warned and can now prepare yourself!</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>The <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> heavily relies on marketing:</p>
<ul>
<li>
<p>Their website is stuffed with buzzwords: open-source security tools become
<em>“Underground Hacking Tools”</em>, a virtual lab becomes a <em>“Cyber range”</em>,
and of course the entry-level <span class="caps">CEH</span> certification is described as:</p>
<blockquote>
<p>The Certified Ethical Hacker program is the pinnacle of the most desired
information security training program any information security
professional will ever want to be in.</p>
</blockquote>
</li>
<li>
<p>Preparing for the exam is very expensive, with an ingenious system to push
students to training centers.</p>
<p>When I passed my certification prices were far lower than they are now
(voucher price increased by 100%, just <span class="caps">WTF</span>?) and no annual fee was
required.
Personally I’m not sure I would do it in the current conditions, at least
not from my own pocket.</p>
</li>
<li>
<p>Their student resources are protected with highly demonstrative security.</p>
<p>The website is protected using mandatory two-factor authentication. Well,
in fact a one-time code is sent upon each connection attempt to your
mailbox, but this is indeed two-factor, isn’t it?
And despite being bothersome to use, at least it significantly improves
security, doesn’t it?</p>
<p>And once connected to your student area you can download their slides as
<span class="caps">DRM</span>-protected <em>.pdf</em> files requiring a Windows host and an update of your
firewall rules to be opened.
But these files must be very precious to be so carefully protected!</p>
</li>
<li>
<p>The learning material seems both very classy, very impressive, and very useless.</p>
<p>I still don’t know what to do with their six DVDs full of Windows
hAx0r 1337 stuffz (whoops, sorry, <em>“Underground Hacking Tools”</em>).
Their 2000+ slides also are all very eye-candy, crafted by professional
graphic designers, very colorful with a lot of graphical effects and so
on… all this making them completely unusable for a proper learning
experience where the medium must not be distracting to the student.</p>
</li>
<li>
<p>Once you have passed the exam, you very regularly receive ads for paid events
organized by the <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> (but rest easy, you benefit from “exclusive”
reductions reserved to the elite people you now belong to!).</p>
</li>
</ul>
<p><a href="https://youtu.be/1dkn_40nf-U?t=54" rel="external" title="'Going Postal' excerpt (YouTube)"><em><span class="dquo">“</span>dazzling the masses with bauble”</em></a>, as he said…</p>
<p>Nevertheless, <abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> marketing is also dual-sided: while they are trying to
sell things to you, they are also selling the certification to companies, which
is a good thing as these are the companies which will then want to hire <span class="caps">CEH</span> people
like you.
<abbr title="International Council of Electronic Commerce Consultants"><span class="caps">EC</span>-Council</abbr> marketing power therefore also benefits you.</p>
<p>Setting aside these various money-making techniques, I still believe
the content of the curriculum to be interesting.
This certification was indeed the occasion to cover domains that weren’t
covered by any of the other certs I took until now.
However, again, the latest price increase may now make it less interesting for self-learners.</p>
BSDA certification review2017-09-22T00:00:00+02:002017-09-26T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-09-22:/posts/2017/09/22/bsda-certification-review/
<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
The <a href="http://www.bsdcertification.org/certification/certification/bsd-associate" rel="external" title="BSDA certification homepage (BSD Certification Group)"><abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Associate</a> (<abbr title="BSD Associate"><span class="caps">BSDA</span></abbr>) is a technical certification on <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr>
systems administration.
It covers DragonFlyBSD, FreeBSD, NetBSD and OpenBSD.</p>
<p>This certification covers general <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems administration (there is not
much about system architecture itself), the specificities of each covered
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor, common Unix services administration, and also a few
non-technical points notably on the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> license and its differences from
other licensing types.</p>
<p>I personally find the official naming misleading, as the requirement for
this certification actually targets system <em>administrators</em>, not assistants.</p>
</li>
<li>
<p><strong>When</strong>:
The <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> has no prerequisites, but is very technical and covers a wide
range of domains so I would certainly not recommend it for beginners.</p>
<p>It can be seen as the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> counterpart of the <a href="/posts/2017/09/03/linux-lpic-certification-review/" title="Linux LPIC certification review"><abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2</a> Linux certification.</p>
</li>
<li>
<p><strong>Why</strong>:
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems have a different approach than Linux ones on a lot of things,
both technical and non-technical.
Being Linux certified does not mean that you are proficient, or even
familiar with <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> ecosystems.
This certification demonstrates that you are knowledgeable in the
specificities of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems as a whole, and on each covered flavor more specifically.</p>
<p>I did not encounter any job offer specifically requiring this
certification.
It is not a common certification, and requires real determination.
Therefore, although it is not stated as a requirement, I think it may
still make a significant difference in your resume and distinguish you
from the Linux-certified engineers crowd.</p>
</li>
<li>
<p><strong>Who</strong>:
It is not adapted for beginners in the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> world as it requires good
experience in administrating <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in professional environments.
Practical experience of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in large corporation is not needed
(lucky for me!), but you need to have a practical experience on a wide
range of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems components and situations, things you won’t have if
you only occasionally played with some <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> guest in a lab.</p>
<p>When you receive your results you also get a report providing some stats
including the average scores of your group and I was astonished about the
low average scores.
I think that the issue mainly comes from this poor denomination: the ‘A’
in <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> should really stand for <em>Administrator</em>, not <em>Associate</em>, and the
next level (<abbr title="BSD Professional"><span class="caps">BSDP</span></abbr><sup id="fnref-BSDP"><a class="footnote-ref" href="#fn-BSDP">1</a></sup>) targeting <em>“senior administrators”</em> should really be
recognized as a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr>-expert level certification.</p>
<p>I still don’t get why the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group decided to label them
<abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> and <abbr title="BSD Professional"><span class="caps">BSDP</span></abbr> instead of <abbr title="BSD Professional"><span class="caps">BSDP</span></abbr> and <span class="caps">BSDE</span> as they should have in my mind.
This would both:</p>
<ul>
<li>Better inform the students not used to passing exams about what to expect.</li>
<li>Better inform employers about the real value of this certification.</li>
</ul>
</li>
<li>
<p><strong>Where</strong>:
Sadly this certification is not associated with any common test center.
Exams are paper-based and organized during some <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> and open-source events.
It is not uncommon to have to go abroad to pass an exam suiting your
schedule, but this is not necessarily so much a bad point as it is also the
occasion to attend the event itself.</p>
<p>The <a href="https://archive.fosdem.org/2017/certification/" rel="external" title="FOSDEM 2017 Certification exams (FOSDEM archives)"><span class="caps">FOSDEM</span></a> in Belgium organizes a <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> exam each year, this is where I
passed my exam.
Other events are listed on the <a href="https://register.bsdcertification.org/events" rel="external" title="Events (BSD Certification Group)"><abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group</a> website.</p>
<p>You only need to pass one exam to be certified, and the exam fee is around
$75 <span class="caps">USD</span>.</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>You will need a virtual machine for each of the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems covered by the exam:</p>
<ul>
<li><a href="http://www.dragonflybsd.org/" rel="external" title="DragonFlyBSD homepage">DragonFlyBSD</a></li>
<li><a href="http://www.freebsd.org/" rel="external" title="FreeBSD homepage">FreeBSD</a></li>
<li><a href="http://www.netbsd.org/" rel="external" title="NetBSD homepage">NetBSD</a></li>
<li><a href="http://www.openbsd.org/" rel="external" title="OpenBSD">OpenBSD</a></li>
</ul>
<p>Take care to choose a version which matches the exam requirements.
From one version to the next, some of these systems may apply changes that
sometimes have a real impact.
While the exam will eventually be updated to reflect those changes, this may take some time so
just ensure that the systems you are using have all the files and commands
expected for the exam so you can practice in good conditions and not lose
unnecessary time and effort on off-topic subjects.</p>
<p>In all cases people from the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group are very friendly and as I was studying
during such a change period I received an email from Dru Lavigne herself
informing me on which material to use for my studies.</p>
<p>Also note that you can buy an official <a href="http://www.bsdcertification.org/store" rel="external" title="BSDA Certification Study DVD (BSD Certification Group)"><abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> Certification Study <span class="caps">DVD</span></a>
which gathers the virtual machines and documentation arranged specially for <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr>
students in a convenient manner.
They are made and sold directly by the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group and the profits
help to maintain and develop the certification.</p>
<p>I often encounter comments from people explaining that they only use one or
maybe two of the covered systems and they don’t want to have to learn the
other operating systems to pass the certification.</p>
<p>In fact, unless you target 100% good answers, you don’t need to be an expert in all
those systems.
Personally I have the most experience with FreeBSD and OpenBSD systems.
This certification was the occasion to discover NetBSD and DragonFlyBSD, but
I am nowhere near an expert on those.</p>
<p>When starting to study for this exam you should already have a very good
knowledge of at least one of these systems.
As far as the various flavors “issue” is concerned, to pass the exam you just
need to familiarize yourself with the main differences between the systems you
already know and the other ones.
Install them, compare how things such as software management and network
settings features work, and you should be fine.</p>
<p>Again, the goal of the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> is not to certify that you’re an expert on each of
these platforms.
The goal is only to test that you are able to administrate a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> system in a
professional context.
I think it is fair to consider the ability to adapt yourself and a general
culture over the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> world to be part of the exam requirements.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>As opposed to the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr> certification which also covers several Linux
distributions but only requires the student to know the various commands,
files and settings without necessarily being able to infer the underlying
system, with the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> you will need to be able, from the availability of
certain specific commands and files, to deduce which <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor you are facing.</p>
<p>Questions are never asked this straight, but for instance some questions
may very well have equally valid answers matching several <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> (and Linux
(!)) systems: you should be able to find the clue telling you which system
you are facing and therefore which is the right answer.</p>
</div>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>A good point to start your journey is Wikipedia’s
<a href="https://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems" rel="external" title="Comparison of BSD operating systems (Wikipedia)">Comparison of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> operating systems</a>.
This is general information, but provides a good introduction to approach
the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> ecosystem as a whole.</p>
<p><span class="lb-small floatright"><a href="#bsd-certification-group.png" id="bsd-certification-group.png-thumb" title="Click to enlarge"><img alt="BSD Certification Group logo" src="https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/bsd-certification-group.png"/></a></span>
The <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group created <a href="http://bsdwiki.reedmedia.net/wiki/" rel="external" title="BSDwiki homepage">a collaborative wiki</a> with the aim
to be the main resource for <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> students.
Sadly it is not very complete and a bit outdated now, nevertheless it remains
very useful to guide your studies through the large amount of domains covered
by this certification.</p>
<p>On their <a href="https://register.bsdcertification.org/exam-preparation-checklist" rel="external" title="Exam Preparation Checklist (BSD Certification Group)">Exam Preparation Checklist</a>, the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group
website provides useful links (including the above mentioned wiki).
Be sure to carefully follow the certification requirement and commands
reference guide as they will help you to ensure that you did not miss any
notion during your studies.
The Certification requirement is particularly detailed as an attempt from the
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> certification group to compensate for the lack of a formal study guide:
take advantage of this.</p>
<p>The <a href="http://www.bsdcertification.org/resources" rel="external" title="Resources for BSD Certification">Resources</a> section of the same website contains more general
information on how the certification has been created.
They are not directly useful to pass the exam, but it is not very often that
such kind of information “from behind the scene” is made available and I found
it quite interesting.</p>
<p>There is no book specifically focusing on the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> certification.
However, if you like to study from books as I do, you should have no real
problem finding a book which will help you to clarify the points remaining
obscure in your studies.</p>
<p>Prefer one general book covering several <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavors instead of several books
each one focusing on a particular <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> flavor.
A general book has indeed more chance to highlight the differences between the
systems when there is one, the kind of information you may easily miss if you
are studying from different books and the kind of information you will most
likely need to pass your exam.</p>
<p>I have no recommendation in terms of books as I happen to have just fetched an
old French one I bought when starting on <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems and which had been gathering dust
for more than a dozen years somewhere on my shelves ;).</p>
<p>There are no official <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> practice exams out there, at least none I am aware of.
This is in part a deliberate choice from the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group,
as stated by <a href="https://www.mail-archive.com/bsdcert@lists.nycbug.org/msg01275.html" rel="external" title="Re: [BSDCert] BSDA Practice Questions (BSDCert mailing list)">Dru Lavigne</a> (her whole email is an interesting reading):</p>
<blockquote>
<p>On purpose, we do not provide practice questions. Part of this is philosophical
(we don’t want people to just learn to an exam), part is practical (if you
understand the exam objectives, it does not matter how the question is asked),
and part of it deals with the psychometrics (which requires us to only ask
questions covered by the objectives in a very clear manner, which means there
really is only so many ways you can ask a question).</p>
</blockquote>
<p>However, for those not familiar with such exams, as far as common Unix
services are concerned you may expect the same kind of question as in the
<a href="/posts/2017/09/03/linux-lpic-certification-review/" title="Linux LPIC certification review"><abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2</a> exam.
Feel free to check resources developed for this exam as, for instance, an
Apache server remains an Apache server, no matter if it is running on a Linux
or a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> box.
Once you get used to answering questions on common Unix services, you
should be able to answer questions on anything else and it is just, as
Dru Lavigne stated, a matter of correctly following the exam objectives in your studies.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Studying <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr> material for a <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> certification may be double-sided.
While questions on common Unix services will usually remain the same,
the correct answer may not.
In particular paths and platform specific commands may not be the same.</p>
<p>Use such material for the questions, but practically check your answer in
your <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> lab.</p>
</div>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>As I said throughout this article, I really see the <abbr title="BSD Associate"><span class="caps">BSDA</span></abbr> certification as the
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> counterpart of the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2 certification, and the good impressions that
applied to the <abbr title="Linux Professional Institute Certification"><span class="caps">LPIC</span></abbr>-2 certification also apply here.</p>
<p>It is very complete and allows you to deepen, systematize and better organize
your knowledge of numerous aspects of <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems.</p>
<p>I liked to use this as an occasion to try different systems.
As I said I am more used to FreeBSD and OpenBSD systems.
I was very surprised with NetBSD which really feels mature (I did not
imagine that an internationalized <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> system could even exist!).
I was also very surprised with DragonFlyBSD which may be the fastest for
scientific computing but really doesn’t seem to lead the group in terms of security:</p>
<p><span class="lb-small"><a href="#DragonFlyBSD_rootpw.png" id="DragonFlyBSD_rootpw.png-thumb" title="Click to enlarge"><img alt="Characters restriction for root password on DragonFlyBSD" src="https://www.whitewinterwolf.com/posts/2017/09/22/bsda-certification-review/DragonFlyBSD_rootpw.png"/></a></span></p>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>I cannot discuss the questions or the exam in detail here, but there was no
surprise: I was tested on the topics I expected, the exam questions were clear,
non-ambiguous, and closely matched the topics list.</p>
<p>The allocated time did not leave me a lot of room.
While it was enough to answer the questions, I made the final check in a
hurry during the very last minutes and focused only on the most troublesome questions.</p>
<p>Nevertheless, even though this is a paper-based exam the proctor does a good
job in notifying of the elapsed time so it is easy to correctly manage your time.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>This certification lacks recognition, as do <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems in general
by the way.
More recognition would mean more certified people, which would mean more funds to
make more study material and exam sessions available.</p>
<p>Nevertheless, I highly recommend this certification despite these limitations.
<abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> systems deserve a professional certification program, I am happy that this
certification exists and proud to have earned it.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-BSDP">
<p>As far as I remember I only encountered the <a href="http://www.bsdcertification.org/certification/certification/bsd-professional" rel="external" title="BSDP certification homepage (BSD Certification Group)"><abbr title="BSD Professional"><span class="caps">BSDP</span></abbr></a> certification
documented as in <em>“beta”</em> or project stage.
It is meant to include practical exercises, making it even more complex to
organize during events, and the documentation about these exercises is
still not available
(<em>“Details about the lab portion of the exam will be listed here once they are confirmed.”</em>).
If you are interested in this exam, you should directly get in touch with
the <abbr title="Berkeley Software distributions"><span class="caps">BSD</span></abbr> Certification Group. <a class="footnote-backref" href="#fnref-BSDP" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>
Linux LPIC certification review2017-09-03T00:00:00+02:002017-09-03T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-09-03:/posts/2017/09/03/linux-lpic-certification-review/
<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
The <a href="http://www.lpi.org/our-certifications/summary-of-certifications" rel="external" title="Linux Professional Institute homepage">Linux Professional Institute Certification</a> (<span class="caps">LPIC</span>) is a technical
certification on <span class="caps">GNU</span>/Linux systems administration.
This certification is vendor-neutral and covers the major <span class="caps">GNU</span>/Linux
distributions (Debian, <span class="caps">SUSE</span>, Red Hat) and their derivatives.</p>
<p>With the <em>Linux Essentials</em> certification aside (it targets end-users,
not administrators), the <span class="caps">LPIC</span> certification path has three
main levels:</p>
<ul>
<li>
<p><span class="caps">LPIC</span>-1 <em>“Linux Administrator”</em>: This level studies the <span class="caps">GNU</span>/Linux system
itself: how it works, how to administrate the local system with some
knowledge on troubleshooting and main services.</p>
</li>
<li>
<p><span class="caps">LPIC</span>-2 <em>“Linux Engineer”</em>: This level is twofold: on one side you study
advanced administration and troubleshooting techniques, on the other
you now envision the <span class="caps">GNU</span>/Linux system as part of the corporate
ecosystem and study the administration of the most common network
services (here again vendor neutral, so you should be comfortable with
both Apache and Nginx <span class="caps">HTTP</span> servers for instance).</p>
</li>
<li>
<p><span class="caps">LPIC</span>-3 <em>“Linux Enterprise Professional”</em> (previously
<em>“Senior level certification”</em>, but I suppose it sounded too elderly ;) ):
This is the last level of the <span class="caps">LPIC</span> path and allows you to specialize in a
chosen domain.
Three domains are currently available:</p>
<ul>
<li><em><span class="dquo">“</span>Mixed Environment”</em> studies services and functionalities designed
to work notably with Windows servers and clients, like <span class="caps">LDAP</span>, <span class="caps">SAMBA</span>, etc.</li>
<li><em><span class="dquo">“</span>Security”</em> studies tools and techniques that increase
security at various levels in an enterprise context.</li>
<li><em><span class="dquo">“</span>Virtualization and high availability”</em> studies tools and techniques
for building virtualized, cloud and clustered environments.</li>
</ul>
</li>
</ul>
</li>
<li>
<p><strong>When</strong>:
The <span class="caps">LPIC</span>-1 has no prerequisites, but it is very technical and demanding so
it is not suited to newcomers to the <span class="caps">GNU</span>/Linux world
(check the <em><a href="https://www.lpi.org/our-certifications/linux-essentials-overview" rel="external" title="LPI Linux Essentials overview (LPI)">Linux Essentials</a></em> certification instead).</p>
<p>The <span class="caps">LPIC</span>-2 and <span class="caps">LPIC</span>-3 certifications both have the previous level
certification as a prerequisite, but the exams themselves can be taken in any order.</p>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates how comfortable you are with <span class="caps">GNU</span>/Linux
systems in corporate environments.</p>
<p>While vendor certifications cover only a single distribution, often
even a single version of their distribution, and limit their scope
accordingly, the <span class="caps">LPIC</span> certification tests you on various tools and
distributions and on new and legacy versions.
This shows employers your flexibility and your ease to adapt yourself
to any <span class="caps">GNU</span>/Linux environment.</p>
</li>
<li>
<p><strong>Who</strong>:
Don’t confuse the <span class="caps">LPIC</span> certification with an end-user certification.
This one covers a very wide range of technical domains regarding the <span class="caps">GNU</span>/Linux
internals and is targeting corporate environments.
If you are not at least remotely familiar with some of the topics <em>before</em>
starting your study, chances are that you will quickly find yourself
overwhelmed with new concepts and information (as I said in my
<a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> on certifications, expect the exam to target small
details, not generalities).</p>
<p><span class="dquo">“</span>Liking Linux” or regularly using it for Web browsing for instance
is not enough; consider passing the <em><a href="https://www.lpi.org/our-certifications/linux-essentials-overview" rel="external" title="LPI Linux Essentials overview (LPI)">Linux Essentials</a></em> certification instead.</p>
<p>That being said, working for this certification is also a great way to
learn.
There are a lot of people who use <span class="caps">LPIC</span>-1 study materials not necessarily
with the goal to pass the exam, but simply to complete the gaps and better
organize their knowledge of the <span class="caps">GNU</span>/Linux environment (a good <span class="caps">LPIC</span>-1 study
book can effectively be used as one of those “Linux bible” books).</p>
</li>
<li>
<p><strong>Where</strong>:
The exams can be taken in any Pearson <span class="caps">VUE</span> test center.
The <span class="caps">LPI</span> also regularly organizes exam sessions at a discounted price at
Linux-related events; in this case they are announced in the event program.</p>
<p>The <span class="caps">LPIC</span>-1 and <span class="caps">LPIC</span>-2 each require passing two exams, each exam having its own
set of topics.
The <span class="caps">LPIC</span>-3 requires only a single exam.</p>
<p>Each exam contains 60 multiple-choice and fill-the-blank questions to
answer in 90 minutes.
It is possible to go back to previously validated questions.</p>
<p>Each exam costs around $200 <span class="caps">USD</span> if you take it in a Pearson <span class="caps">VUE</span> test center.
During events, the discounted price may vary, but looking at the <a href="https://archive.fosdem.org/2017/certification/" rel="external" title="Certification exams (FOSDEM 2017)"><span class="caps">FOSDEM</span></a>
page, for instance, it was about half of the normal price.</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>Nothing fancy here, all you will need is several virtual machines each running
a different distribution of the <span class="caps">GNU</span>/Linux operating system.
If your system is not very powerful or is lacking <span class="caps">RAM</span>, running only one
virtual machine at a time is enough: as long as your system
is able to start one virtual machine in good conditions, you should be fine.</p>
<p>You will need at least one copy of <em>each</em> of the following Linux distributions:</p>
<ul>
<li><a href="https://www.debian.org/" rel="external" title="Debian homepage">Debian</a>, as itself.</li>
<li><a href="https://www.centos.org" rel="external" title="CentOS homepage">CentOS</a>, as the community maintained version of the commercial Red Hat distribution.</li>
<li><a href="https://www.opensuse.org" rel="external" title="openSUSE homepage">openSUSE</a>, as a community maintained equivalent of the commercial <span class="caps">SUSE</span> distribution.</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Fedora and CentOS are not the same!</p>
<p>From a technical point of view CentOS <em>is</em> a Red Hat but with no support
license.
It is built from the same sources, and has the same repository content by default.</p>
<p>You are free to get a Fedora <em>in addition</em> to these three distributions if
you like, but I do not recommend replacing the CentOS with a Fedora as
they are different beasts and you may miss some Red Hat specificities.</p>
</div>
<p>Of course, if you have access to a genuine Red Hat or <span class="caps">SUSE</span> distribution, take
advantage of this.
But if you don’t, there is no major difference with their community maintained
counterparts as far as the <span class="caps">LPIC</span> topics are concerned.</p>
<p>This is just the minimal requirement, feel free to add any supplementary
distribution you would like.
Adding an <a href="https://www.ubuntu.com" rel="external" title="Ubuntu homepage">Ubuntu</a> for instance may be interesting as it is a common choice,
even in corporate environments, and would allow you to test the differences
between an original Debian and this well-known derivative.</p>
<p>You don’t necessarily need the latest version.
In fact, given the time to qualify a new system and the upgrade process, most
companies do not run the latest version in their production environment.
Moreover, in addition to your main images, you will also likely need an
intentionally older image of at least one of these systems (like a Debian 6 or
7 for instance) to test older features not present anymore in the most recent
versions (like the <span class="caps">UNIX</span> System V Init system).
If the author of your book or any other training material you use states the
version he is using in his examples, you should use the same one to follow along more easily.</p>
<p>The <span class="caps">LPIC</span> is a professional certification which is led by corporate needs.
While interesting to check for your own information, distributions which are
less widespread in the corporate world (usually due to the lack of proper
business-grade support service from the vendor) are not directly covered by
the exam (package installation commands, etc.).</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>
First and foremost, I have to tip my hat to the awesome work made by
<a href="https://www.youtube.com/user/theurbanpenguin/search?query=LPIC" rel="external" title="LPIC videos from The Urban Penguin (YouTube)">The Urban Penguin</a>.
Andrew Mallet’s videos are clear, to-the-point and highly pedagogical.
Everything is explained and demonstrated in a calm, clear and concise way.
Somehow, his videos really give the impression of attending a live training, to
the point that often, when a question pops up in my mind during his explanation,
he answers it right away.</p>
<p><span class="caps">IMHO</span>, The Urban Penguin is just a mandatory (and nice!) stop for every
<span class="caps">LPIC</span> student and possibly even more as he regularly publishes videos on other
Linux-related topics.</p>
<p>Nevertheless, while videos are a good thing to learn through live demonstration
and by hearing, I always like to rely on books for my studies.
Sadly for you, dear reader, for some reason for my own studies I happened to use
a French book, so I cannot vouch for any English book in particular.</p>
<p><span class="caps">LPI</span> has set up a <a href="http://www.lpimarketplace.com/" rel="external" title="LPI Certification Marketplace homepage">marketplace</a> where you can buy exam vouchers and all kinds of
resources including books and other video trainings.
The marketplace can ship books only to <span class="caps">US</span> addresses, but the same books can
also be found on any other book-selling website.
The exam vouchers however can be bought internationally and at the same
price as on the Pearson <span class="caps">VUE</span> website.</p>
<p>A good <span class="caps">LPIC</span> book is a good investment as it can easily serve later as a
reference like a “Linux bible” to quickly refresh your memory about how to
configure something or how to proceed in some circumstances.</p>
<p>The first levels of the <span class="caps">LPIC</span> are usually well covered, including books
from the <a href="https://www.amazon.com/CompTIA-Certification-LX0-103-LX0-104-101-400/dp/0071841687/?tag=electronicfro-20" rel="external" title="CompTIA Linux+/LPIC-1 Certification All-in-One Exam Guide (Amazon)">All-In-One</a> and <a href="https://www.amazon.com/LPIC-1-Linux-Professional-Institute-Certification/dp/1119021189/?tag=electronicfro-20" rel="external" title="LPIC-1 Linux Professional Institute Certification Study Guide (Amazon)">Sybex</a> series.
The latter also provides other books covering <a href="https://www.amazon.com/LPIC-2-Linux-Professional-Institute-Certification/dp/1119150795/?tag=electronicfro-20" rel="external" title="LPIC-2: Linux Professional Institute Certification Study Guide (Amazon)"><span class="caps">LPIC</span>-2</a> and a large set
of <a href="https://www.amazon.com/CompTIA-Linux-LPIC-Practice-Tests/dp/1119372690/?tag=electronicfro-20" rel="external" title="CompTIA Linux+ and LPIC Practice Tests (Amazon)">practice questions</a> covering both <span class="caps">LPIC</span>-1 and <span class="caps">LPIC</span>-2 which, if
done correctly, may be of great help especially if you are not used to taking
certification exams.</p>
<p>I mention those two publishers simply because they are well-known in the
certification industry; as I said, I didn’t read them and some alternatives may
be just as good.
From what I know from other certs, Sybex books are usually more wordy, focusing
on background explanation, while All-In-One are usually more practical, but may
miss some background or secondary information compared to Sybex books.
Make your choice!</p>
<p>No matter which book you choose, here are a few pieces of advice which may help you:</p>
<ul>
<li>
<p>The <span class="caps">LPIC</span> curriculum is very dense, with a lot of knowledge of varying
nature covering a large number of different domains.
While with some certifications focused on a given topic it may be possible to
learn the whole curriculum from cover to cover at once, don’t try this here
or your head will explode.</p>
<ul>
<li>
<p>First follow the book without really thinking about the exam.
Read the explanations, do the practical exercises, and if something looks
too complex for now simply read the explanations and proceed.
Skip all quizzes during this step.
This will familiarize you with the content of the book and tell you
where the easier and harder parts are located.</p>
</li>
<li>
<p>Still due to the large amount of information and its varied nature, a
good <span class="caps">LPIC</span> preparation book should be divided in two parts to follow the
<span class="caps">LPIC</span> division in two exams.
On your second read, focus only on the part dedicated to your upcoming
exam (if your book mixes all topics, use the official topics list from
the <span class="caps">LPI</span> website).</p>
<p>I don’t think it is humanly possible to learn each and every detail
of the whole curriculum at once (expect the exam to set the bar well
higher than what is required for a daily activity, see my
<a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> on certifications for more information).
In any case this is not what is expected by the <span class="caps">LPI</span>: that’s why they
divided each level into two exams, each one with its own topics list.</p>
</li>
</ul>
</li>
<li>
<p>Once you have mastered the content of your training material, check and
double-check the official topics list from the <span class="caps">LPI</span> website.
It seems common for <span class="caps">LPI</span> preparation books to miss a varying number of
topics.
In itself, this is not a big deal as usually a simple Internet search is
enough to complete your knowledge with the missing information, but you
do not want to come to the exam unprepared.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>As a personal fact, I just completely missed the Unix printing section
during my studies for the <span class="caps">LPIC</span>-1.
I still wonder how I managed to do that.</p>
<p>As the exam went on, the first question on this topic looked like an alien
to me, and the bad news was that this question was only the first from a
particularly painful and depressing set.</p>
<p>While I was feeling down for the rest of the exam, to my own surprise I
still managed to pass it with a reasonable score.
Nevertheless, don’t tempt the devil, as this is a very uncomfortable
situation I wouldn’t wish on anyone.</p>
</div>
</li>
</ul>
<p>As a complement, the <span class="caps">LPI</span> also manages a list of <a href="http://www.lpi.org/how-to-get-certified/free-training-materials" rel="external" title="Free Training Material (LPI)">free training material</a>
available from various sources.
This material may be more or less complete depending on the source, but in case
of doubt it can nicely complement the above mentioned resources.</p>
<p>Some people also published good exam-like questions.
While maybe not always up-to-date now, these questions still correctly reflect
the kind of questions you will be asked during the exam (note that these
questions have been specially written for these exercises, it is forbidden to share
actual exam questions) and allowed me to find my last weaknesses before taking
the exam:</p>
<ul>
<li><a href="http://www.penguintutor.com/quiz/index.php" rel="external" title="Linux Certification Practice Exams (Penguin Tutor)">Penguin Tutor</a>: This one covers both <span class="caps">LPIC</span>-1 and <span class="caps">LPIC</span>-2, and also hosts
a blog with interesting feedback from the author’s own experience.</li>
<li><a href="http://www.gnosis.cx/publish/tech_index_lpi.html" rel="external" title="LPI Certificaiton practice Test (Gnosis Software)">Gnosis Software</a>: Covers <span class="caps">LPIC</span>-1.</li>
<li><a href="http://www.gocertify.com/quizzes/linux-practice-questions/" rel="external" title="Linux Practice Quizzes (GoCertify)">GoCertify</a>: Provides a free access to a few small quizzes covering <span class="caps">LPIC</span>-1.</li>
</ul>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The <span class="caps">LPIC</span> curriculum is very well thought out, and regularly updated in a sensible
way.
It contains real subjects which are of concrete use for Linux system
administrators.
As I said above, the <span class="caps">LPIC</span> curriculum in itself can serve as a basis to write
a good “Linux bible” book.
Almost every part of a common corporate <span class="caps">GNU</span>/Linux environment and its administration
is covered, with here again a sensible weight attributed to each topic.</p>
<p>I regularly read criticism from people claiming that the curriculum or the
<span class="caps">LPIC</span> training resources often cover old or obsolete technologies and software
versions.
I guess that the people who make such claims have not worked in a lot of large
institutions.
In large environments, when things are working and each minute of downtime may
cost hundreds of thousands of dollars, people are really afraid of touching anything.
In such situations, you are more likely to encounter an obsolete, unsupported
system than anything even remotely brand-new.</p>
<p>In such environments, “new” is not a quality but a threat.
In such environments, “new” doesn’t mean “improved” but it means “unknown” and
“untested”.
It usually takes months, or even years, before upgrading a
system: the time required to test and fix the system’s reaction to every known
combination of conditions and events to remove these “unknown” and “untested” threats.</p>
<p>That’s why, as a Linux systems engineer, you need to know both the new and old
systems, because it may very well be your duty to maintain the current
production, qualify the upgrade, and maybe proceed with the migration when the
new system is not new anymore.</p>
<p>Having worked in this area for several years, I can confirm that the <span class="caps">LPIC</span>
curriculum does a great job in preparing its students for real-life needs.</p>
<p>However as nothing is perfect and, whatever you do, there will still be people
to complain, let me still complain a bit too ;) !
Actually, the following points are more room for improvement, or things
that I was a bit surprised not to find covered, but I guess that the <span class="caps">LPI</span> has to
make choices to keep its curriculum focused on really impacting topics.</p>
<p>In any case, the following points do not take anything away from all the good I
think of this certification.</p>
<h5 id="lpic-2"><a class="toclink" href="#lpic-2"><span class="caps">LPIC</span>-2</a></h5>
<p>Linux is a very versatile system with a very heterogeneous community.
I feel a bit sorry that the <span class="caps">LPI</span> curriculum focuses so exclusively on the three
well-known distributions.</p>
<p>There are other distributions which took different technical or architectural
approaches, like the way they handle the system installation, updates and
software management which may be worth mentioning.</p>
<p>The most notable examples are <a href="http://www.archlinux.org/" rel="external" title="Arch Linux project homepage">Arch</a>, <a href="http://www.gentoo.org/" rel="external" title="Gentoo Linux project homepage">Gentoo</a> and <a href="http://www.slackware.com/" rel="external" title="Slackware Linux project homepage">Slackware</a>, but
for more experimental systems I could also mention <a href="https://gobolinux.org/" rel="external" title="GoboLinux project homepage">GoboLinux</a> (the whole
directory tree is reorganized so each application resides in its own tree to
provide better isolation) and <a href="http://www.openwall.com/Owl/" rel="external" title="OpenWall GNU/Linux project homepage">OpenWall</a> (notably for its per-user <em>/tmp</em>
directory to increase overall security).</p>
<p>The goal here is not to be proficient in every Linux distribution out there.
Once you get the fundamentals right (and the <span class="caps">LPIC</span> curriculum takes care of that)
then you can quickly adapt yourself.
The goal here is just to be conscious of the richness and flexibility of the
Linux system, the very thing which makes it the number one system from
low power embedded devices up to the most powerful supercomputers: they all
share the very same Linux kernel.</p>
<p>Some <span class="caps">LPIC</span> training books attempt to convey this message in their historical and
cultural introduction chapters, but I think that the <span class="caps">LPI</span> should try to go
beyond the simple client/server scheme as, even in corporate environments,
Linux can do way more than that.</p>
<h5 id="lpic-3"><a class="toclink" href="#lpic-3"><span class="caps">LPIC</span>-3</a></h5>
<p>You may have noticed how in this article I emphasized that this was a <em><span class="caps">GNU</span>/Linux</em>
certification as opposed to a <em>Linux</em> certification as the <span class="caps">LPI</span> advertises
it.
This is not some random pedantry as, while this certification does a good job
in being distribution agnostic, the Linux kernel is always envisaged in a
<span class="caps">GNU</span> environment.</p>
<p>I am really missing a section on embedded Linux systems, either as
a standalone <span class="caps">LPIC</span>-3 specialization or mixed within the already existing <span class="caps">LPIC</span>-3
specialties.
In particular, Android is not something which can be ignored in the current
Linux world, including business environments.
To say the least, it is Android which solved
Ubuntu’s historical <a href="https://bugs.launchpad.net/ubuntu/+bug/1" rel="external" title="Microsoft has a majority market share (Ubuntu bugs tracker)">bug #1</a>: <em>“Microsoft has a majority market share”</em>.</p>
<p>An embedded Linux remains a Linux, but due to technical limitations and
development choices it presents some specificities compared to a traditional
<span class="caps">GNU</span>/Linux system.</p>
<p>Knowing, at least from a general perspective, what these specificities are and
why they are here should be required for anyone presenting himself as a Linux expert.</p>
<p>For instance, speaking of the <span class="caps">LPIC</span>-303 “Security” certification, the topics
list mentions that <em>“candidates should have a thorough knowledge of SELinux”</em>.
Android also relies on SELinux to ensure some of its security but, being an
embedded environment, while the Android port of SELinux remains SELinux in
its main functionalities, it presents some notable differences (more information
can be found <a href="/posts/2016/08/15/examine-android-selinux-policy/" title="How to examine Android SELinux policy">here</a>).</p>
<p>SELinux being often presented as an obscure topic, I think it would be great
to become aware of its use in major end-user devices and understand how it
is used in such contexts.</p>
<p>Lastly, on a different subject, I take note of the removal of <span class="caps">GPG</span> from the
<span class="caps">LPIC</span>-303 “Security” topics list in its latest update (V4).
On the other side the <abbr title="Host Intrustion Detection System"><span class="caps">HIDS</span></abbr> section has been expanded and a whole new section on
FreeIPA has been added.
I understand that <span class="caps">LPI</span> needs to keep the number of different subjects to a
reasonable amount, but both <span class="caps">SSH</span> and OpenVPN having been already moved to
<span class="caps">LPIC</span>-202 this should leave enough room for three or four commands.</p>
<p>In these times of mass surveillance and corporate espionage, I
think that having at least some basics on <span class="caps">GPG</span> (like a bullet point somewhere in
the cryptography section, at least mentioning the name) is still quite
important.</p>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>The exam questions are clear, non-ambiguous, and closely match the topics list.</p>
<p>Granted, for the <span class="caps">LPIC</span>-1 and <span class="caps">LPIC</span>-2 exams, there might be a few
questions seeming to come from the wrong topic list (for instance one or two
questions from the <span class="caps">LPIC</span>-102 topics list making their way into the <span class="caps">LPIC</span>-101 exam
and vice-versa).
But these are very broad questions that you should be able to answer without
having specifically studied the subject in detail.</p>
<p>As a Linux administrator, you are expected to have a minimum of culture on
Linux system administration.
Sounds fair, doesn’t it?</p>
<p>I was afraid because of a book where the proposed “exam-like” questions were
of poor quality, but the actual questions which make their way to the exam
are really good quality ones.</p>
<p>As the topics list evolves from one level to another, so do the questions,
which become more complex as you reach <span class="caps">LPIC</span>-2, then <span class="caps">LPIC</span>-3 levels:</p>
<ul>
<li>
<p>In the first level there are very few fill-in-the-blank questions, the exam
is composed of mostly multiple-choice questions.
But as you progress you find yourself facing these significantly
harder fill-in-the-blank questions more and more often.</p>
<p>Personally, these fill-in-the-blank questions were also a cause of worry
for me before taking the exam, but they are really done the right way as
there is no ambiguity in what you are expected to type.</p>
<p>They are usually <em>significantly</em> harder as there are no proposed answers
anymore to help you refresh your memory as there is with MCQs, but
they are fair: as long as you know the correct answer, you will have no
problem answering, the real difficulty comes when you need to guess…</p>
</li>
<li>
<p>As you progress, the questions will ask you about more and more subtle details.
For the <span class="caps">LPIC</span>-1, the exam questions even taught me new ways to use some
commands by asking me the expected result, which I found very interesting,
dare I say entertaining.
But as you progress the questions focus on tinier and tinier technical or
configuration details, and entertainment quickly gives way to headaches!</p>
</li>
</ul>
<p>I see nothing negative in all of this: the <span class="caps">LPIC</span> exam is just how I expect it to be.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>If you are interested in Linux systems, if you would like to work with Linux
systems, you can’t go wrong with this certification.</p>
<p>While there are other distribution agnostic Linux certifications out there
including one from the <a href="https://training.linuxfoundation.org/certification" rel="external" title="Linux Certification (Linux Foundation Training)">Linux Foundation</a> itself (about which I’m still
curious <span class="caps">BTW</span>), the <span class="caps">LPI</span> one is the only one I regularly encounter in job offers,
demonstrating its recognition in the professional world.</p>
<p>Regarding distribution specific certifications, the <span class="caps">LPI</span> works hand in hand
with <span class="caps">SUSE</span> at least for their first level <span class="caps">LPIC</span>-1 certification.
Previously, getting your <span class="caps">LPIC</span>-1 automatically awarded you an actual <span class="caps">SUSE</span> <abbr title="Certified Linux Administrator"><span class="caps">CLA</span></abbr>
certification in addition to the <span class="caps">LPIC</span>-1 certification.
Now <span class="caps">SUSE</span> reorganized its certification and, while they now limit their
certification to people having really passed a <span class="caps">SUSE</span> exam (which I can easily
understand, it feels strange to be <span class="caps">SUSE</span>-certified without having passed any
<span class="caps">SUSE</span> exam), they accept the <span class="caps">LPIC</span>-1 as a substitute of their Level 1
certification to satisfy their Level 2 certification prerequisites.</p>
<p>I don’t know how the relations between Red Hat and the <span class="caps">LPI</span> foundation are; in any
case there is no such agreement there.
Nevertheless, the <span class="caps">LPI</span> certification having acquired a certain recognition in
the professional world, you may still have your chances in positions initially
requiring a Red Hat certification by showing an <span class="caps">LPI</span> certification.</p>
<p>But enough of this blah-blah.</p>
<p>Did I say that when you pass your <span class="caps">LPIC</span>-1 exam you even get a ticket for a free
issue of the <a href="http://www.linux-magazine.com/" rel="external" title="Linux Magazine homepage">Linux magazine</a><sup id="fnref-linuxmag"><a class="footnote-ref" href="#fn-linuxmag">1</a></sup>?
At higher levels you are even invited to join their community as a volunteer to
help design the future of the <span class="caps">LPI</span> certification, and nothing secret happens
there as their Wiki and mailing-list are public.</p>
<p>An open and friendly community to certify your competencies on an open system,
what more would you ask?</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-linuxmag">
<p>Note that there is no public commitment for this whatsoever.
This came as a surprise to me, and allowed me to discover a good quality
magazine (far more interesting than most alternatives which loop over and over
again on the same topics for people discovering Linux for the first time).
I don’t know if this offer was occasional, depends on stock availability,
or is systematic.
Don’t take my words as a commitment from the <span class="caps">LPI</span> side! <a class="footnote-backref" href="#fnref-linuxmag" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Cisco CCNA Security certification review2017-09-01T00:00:00+02:002017-09-01T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-09-01:/posts/2017/09/01/cisco-ccna-security-certification-review/<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
<span class="caps">CCNA</span> Security is a technical certification about general network security
in a professional context.
It describes the typical threats potentially affecting such networks, then
the various Cisco technologies that help mitigate them.
This covers the networking devices themselves, but also the data both in
transit and at rest, and end-user devices, both corporate and personal
ones (<abbr title="Bring Your Own Device"><span class="caps">BYOD</span></abbr>).</p>
</li>
<li>
<p><strong>When</strong>:
Obtaining this certification requires having at least the <span class="caps">CCENT</span>
certification (I recommend having a <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching</a>, though).</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>While the <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S is a prerequisite to be granted the
<span class="caps">CCNA</span> Security certification, they are not technically required to take
the exam.</p>
<p>If for some reason it suits you, Cisco allows you to take the <span class="caps">CCNA</span>
Security exam before having obtained a <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S.
If you pass the exam, you will be granted the <span class="caps">CCNA</span> Security
certification once you get your <span class="caps">CCENT</span> or <span class="caps">CCNA</span> R&S.</p>
<p>Depending on your schedule, this might be something worth knowing.</p>
</div>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates fundamental knowledge on threats affecting
corporate data networks and familiarity with Cisco technologies designed to
mitigate them.</p>
<p>For <span class="caps">US</span> people, this certification also officially meets the
<a href="https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security/cnss-4011-recognition.html" rel="external" title="CCNA Security: CNSS 4011 Recognition (Cisco)"><span class="caps">NSA</span> / <span class="caps">CNSS</span> 4011</a> training standard and is <a href="https://www.cisco.com/c/en/us/training-events/training-certifications/certifications/associate/ccna-security/dod-8570.html" rel="external" title="CCNA Security: DoD 8570 Recognition (Cisco)">DoD 8570</a>
compliant, approved for the <span class="caps">IAT</span> Level <span class="caps">II</span>.
This may satisfy some of the requirements to be hired either directly by <span class="caps">US</span>
governmental entities or by consulting companies providing services to them.</p>
</li>
<li>
<p><strong>Who</strong>:
If you are interested in networking and in security, this certification
is an obvious choice.
Cisco technologies are widespread, and this certification provides the
opportunity to dig further into areas which are only scratched by the <span class="caps">CCNA</span> R&S
and to familiarize yourself with various technologies like Cisco’s <span class="caps">VPN</span>
and firewall technologies.</p>
</li>
<li>
<p><strong>Where</strong>:
You only need to pass one exam to get this certification.
It can be taken in any Pearson <span class="caps">VUE</span> test center.</p>
<p>This is a classical Cisco exam, it presents itself in a similar fashion
as the <span class="caps">CCENT</span> and <span class="caps">CCNA</span> R&S exams: MCQs and lab simulation (the lab being
of course extended to cover products specific to the <span class="caps">CCNA</span> Security curriculum).</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>Let’s say it straight: devices and services deployment is out-of-scope for this
exam.
Cisco training material assumes that you are provided, either by your training
center or by your company, access to ready-to-use environments to do your
practical training.</p>
<p>When working on the <span class="caps">CCNA</span> R&S, there are enough documentation sources available
to know what you will need, and once you have your lab ready you can fully
dedicate yourself to the training step.</p>
<p>Here, chances are that your studies will frequently be brutally interrupted for
an unknown amount of time because the author suddenly adds a new service like
<em>“Configure your <span class="caps">CCP</span> as in the following screenshot”</em>, leaving you with a lot of
unanswered questions:</p>
<ul>
<li>What is a “<span class="caps">CCP</span>”?</li>
<li>Do I really need a practical knowledge of this or is it enough to just
learn it from a theoretical point of view from the book?</li>
<li>Where can I get it? Is it freely available?</li>
<li>Does the <span class="caps">CCNA</span> Security expect a specific version of the software?</li>
<li>How do I install it, what are the prerequisites and the installation process?</li>
<li>Why doesn’t it work? Is it because of a bug, an incompatibility, a wrong
setting in the emulator or in the operating system or a license issue?</li>
<li>Several hours of debugging and Internet searches later, why does it still
not work?</li>
<li>How do I manage it? How do I make it interoperate with the rest of the
topology, how do I create an account for myself?</li>
</ul>
<p>And once you have gone through this, you can go back to your study… until the next
component is added.</p>
<p>From my personal experience, in addition to <span class="caps">CCNA</span> R&S components you also need
a practical training on <a href="/posts/2017/08/28/how-to-install-cisco-adaptative-security-appliance-asa-in-gns3/" title="How to install Cisco Adaptative Security Appliance (ASA) in GNS3"><span class="caps">ASA</span> and <span class="caps">ASDM</span></a>, <a href="/posts/2017/08/28/how-to-install-cisco-secure-access-control-system-acs-server-in-gns3/" title="How to install Cisco Secure Access Control System (ACS) server in GNS3"><span class="caps">ACS</span></a>, <a href="/posts/2017/08/28/how-to-install-cisco-configuration-professional-ccp-in-gns3/" title="How to install Cisco Configuration Professional (CCP) in GNS3"><span class="caps">CCP</span></a> and <a href="/posts/2017/10/05/how-to-configure-windows-as-a-scep-server-cisco-asa-enrollment/" title="How to configure Windows as a SCEP server & Cisco ASA enrollment"><span class="caps">SCEP</span></a>.
Some other technologies are covered by the curriculum such as end-devices
security technologies but having a general knowledge of what they are and
how they work from a high-level perspective is usually enough (for now, that was
true for me but keep in mind that the <span class="caps">CCNA</span> Security curriculum may evolve).</p>
<p>I’m currently completing the <a href="https://www.whitewinterwolf.com/tags/virtualization/" rel="tag" title="View articles tagged 'virtualization'">virtualization</a> section of
this site to cover the installation of required components in your lab.
Moreover, you will also find invaluable information in <a href="https://www.youtube.com/watch?v=VgoFXwb1QvI" rel="external" title="Building a Cisco CCNA Security Virtual Lab (YouTube)">this video</a> by
Keith Barker.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<p>The <span class="caps">CCNA</span> Security is not a widespread certification compared to the <span class="caps">CCNA</span> R&S
for instance.
The main consequence of this is a very low amount of documentation available.</p>
<p>If you’ve read my <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching review</a>, you should have
read how satisfied I was with the <a href="https://www.subnetting.net" rel="external" title="Subnetting.net homepage">subnetting.net</a> website.
While I was studying for my <span class="caps">CCNA</span> Security, they were in the process of building
their <span class="caps">CCNA</span> Security course and it was not yet available.
By now their <span class="caps">CCNA</span> Security training material has become available.
I did not view it, so I cannot tell whether it is good or not, but given the
quality of their <span class="caps">CCNA</span> R&S material I highly recommend that you at least check it out.</p>
<p>Other than that, you have Cisco’s official book and… not much else.
I guess that the <span class="caps">CCNA</span> Security curriculum attracts too few people and changes too
often to interest editors (note though that while writing this article, I see
that Sybex announces <a href="https://www.amazon.com/CCNA-Security-Study-Guide-210-260/dp/1119409934?tag=electronicfro-20" rel="external" title="CCNA Security Study Guide: Exam 210-260 (Amazon)">a book</a> for January 2018, yet again I cannot vouch
for its content).</p>
<p><span class="lb-small floatright"><a href="#cisco_guide.jpg" id="cisco_guide.jpg-thumb" title="Click to enlarge"><img alt="Cover of the Cisco CCNA Security official cert guide" src="https://www.whitewinterwolf.com/posts/2017/09/01/cisco-ccna-security-certification-review/cisco_guide.jpg"/></a></span>
Cisco’s <a href="https://www.amazon.com/CCNA-Security-210-260-Official-Guide/dp/1587205661?tag=electronicfro-20" rel="external" title="CCNA Security 210-260 Official Cert Guide (Amazon)">official certification guide</a> is of poor quality.
In its defense, it is well written and what is explained is explained clearly,
but I have the strong feeling that it has been rushed and delivered in an
unfinished state.
The final product is therefore an incomplete book with missing parts (including
sections announced in the table of contents) and with some chapters mixed up.</p>
<p>To give a first example, there is no introduction to the <span class="caps">CCP</span> tool, except to
tell you that you need to know it (not even any mention of which version and
flavor is concerned, both the book and Cisco’s curriculum remain vague on this).
It is mentioned for the first time on page 41 and the author directly throws
screenshots at you. From where, how, what: you don’t know.
And as it happens, setting up a working <span class="caps">CCP</span> is not an easy matter without
prior knowledge of its specificities.</p>
<p>The best case of mixed-up chapters is chapter <em>5</em> about <span class="caps">PKI</span>
infrastructures, which assumes that you have already read chapter <em>8</em>, which
introduces <span class="caps">ASA</span> to the reader:</p>
<blockquote>
<p>What I want to do now is walk you through an example of applying these
concepts to some devices you are already familiar with if you have read the
previous portions of this book.
Both the <em>Adaptive Security Appliance (<span class="caps">ASA</span>)</em> and Cisco routers can use
digital certificates.
Let’s take a look at installing digital certificates on the <span class="caps">ASA</span>, using the
<em>Adaptive Security Device Manager (<span class="caps">ASDM</span>)</em>.</p>
</blockquote>
<p>This is page 107 of the book, and is your first contact with these tools you
are anything but <em>“familiar”</em> with.
What the frustrated reader may not know is that this book indeed contains
an introduction to the <span class="caps">ASA</span> device, but it is buried a hundred pages later, in
chapter 8 about <em>Implementing <span class="caps">SSL</span> VPNs using Cisco <span class="caps">ASA</span></em>.
The reader may assume this is the same thing as with <span class="caps">CCP</span> and that he is just
supposed to learn how to deploy and administer <span class="caps">ASA</span> systems on-the-fly before
continuing to read.</p>
<p>But chapters are not only mixed-up and the <span class="caps">CCP</span> presentation is not the only
thing missing.
This book is incomplete as per the exam requirements.
If it is your only source of study, you <em>will</em> fail<sup id="fnref-failure"><a class="footnote-ref" href="#fn-failure">2</a></sup>.</p>
<p>Here are the missing parts from this book with a link to the material I used
to complement my learning:</p>
<ul>
<li>
<p>802.1X: The table presented in the introduction chapters shows that it was
intended to be covered in the fourth chapter, but the whole section is
missing from the book.
Read Cisco’s <a href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html?referring_site=RE&pos=2&page=http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_8021x.html" rel="external" title="Wired 802.1X Deployment Guide (Cisco)">Wired 802.1X Deployment Guide</a>.</p>
</li>
<li>
<p><span class="caps">ACS</span> authentication protocols (<span class="caps">PAP</span>, <span class="caps">CHAP</span> and <span class="caps">EAP</span>-based ones) are extensively
tested during the exam but not even mentioned in the book.
Read the relevant chapter in the
<a href="https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/eap_pap_phase.html" rel="external" title="Authentication in ACS (Cisco)"><span class="caps">ACS</span> online documentation</a><sup id="fnref-acs-version"><a class="footnote-ref" href="#fn-acs-version">1</a></sup>.</p>
</li>
<li>
<p><span class="caps">PVLAN</span> was meant to be covered in chapter 9 according to the tables in the
beginning of the book, but it was forgotten.
See <a href="https://www.youtube.com/watch?v=tbG9YboATvA" rel="external" title="Private VLAN tutorial and demonstration (YouTube)">this video</a> by Keith Barker.</p>
</li>
<li>
<p>Reflexive Access Lists are also never mentioned in the book although they are tested
in the exam.
They are not a complicated topic, but not so easy that you can just assume
that everybody already knows them.
Check this <a href="https://www.youtube.com/watch?v=ZptZy0EgUnI" rel="external" title="Reflexive Access Lists">short video</a> also by Keith Barker.</p>
</li>
<li>
<p>Extranet VPNs: usually they are considered as a kind of <span class="caps">DMZ</span>, but in Cisco’s
world extranet VPNs provide a direct access to a company internal network.
This is the “historical occasional definition” stated in
<a href="https://en.wikipedia.org/wiki/Extranet" rel="external" title="Extranet (Wikipedia)">Wikipedia</a> and also explained in
<a href="http://www.ciscopress.com/articles/article.asp?p=24833" rel="external" title="Overview of VPNs and VPN Technologies (Cisco)">Cisco documentation</a>.
This is often asked in one form or another; it is not complicated,
but if you come to the exam with the common definition of extranets you
will fail.</p>
</li>
<li>
<p>Firewalls are covered in this book, that’s fortunate, but they are covered
incompletely as per the exam requirements:</p>
<ul>
<li>
<p>You are expected to know the limitations potentially affecting
multicast handling:</p>
<ul>
<li>Zone-based firewalls: filtering of multicast traffic is
<a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html" rel="external" title="Zone-Based Policy Firewalls (Cisco)">not supported</a> (search for “multicast” in the linked
page).
Control Plane Policing is the only way to go in this case.</li>
<li><span class="caps">ASA</span> firewalls: filtering of multicast traffic is
<a href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115804-asa-multi-probs-00.html" rel="external" title="ASA Multicast Troubleshooting and Common Problems (Cisco)">supported</a> (this link serves only as a reference to
show it is supported, you are not expected to know the details).</li>
</ul>
</li>
<li>
<p>You are expected to be familiar with <span class="caps">ASA</span> Security Contexts, know what
they are and why they are used.
Read this <a href="http://www.ciscopress.com/articles/article.asp?p=426641" rel="external" title="Cisco ASA Security Contexts (Cisco)">Cisco documentation</a>.</p>
</li>
<li>
<p>You must also be familiar with Cisco <span class="caps">ASA</span> Accelerated Security Path
(<span class="caps">ASP</span>).
Sadly, the blog I used as resource is now closed, so you’re on your
own for this one but there are many resources available online.</p>
</li>
</ul>
</li>
</ul>
<p>Maybe you noticed that I was often referring to Keith Barker’s videos.
He is a presenter for <span class="caps">CBT</span>-Nuggets videos.
The videos I linked here were free samples, but you can find the complete
set on <a href="https://www.cbtnuggets.com/it-training/cisco-ccna-security-210-260" rel="external" title="Cisco CCNA Security 210-260 IINS (CBT Nuggets)"><span class="caps">CBT</span> Nuggets website</a>.
You can use them to complete your knowledge, moreover new members benefit
from a free 7-day trial period so it may not even cost you any money.</p>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The curriculum associated with this exam matches the goal expressed at the
beginning of this post, as it allows someone starting in the realm of network
security and / or starting with Cisco’s network security technologies to
effectively deepen his knowledge on the subject.</p>
<p>However, personally I have two reservations:</p>
<ul>
<li>The topic list provided by Cisco is too vague.</li>
<li>It focuses too much on Cisco products usage at the expense of more
general background knowledge.</li>
</ul>
<p>Let’s see each of these reservations in more detail.</p>
<h5 id="the-topics-list-is-too-vague"><a class="toclink" href="#the-topics-list-is-too-vague">The topics list is too vague</a></h5>
<p>First, both Cisco’s <a href="https://learningnetwork.cisco.com/community/certifications/security_ccna/iins-v3/exam-topics" rel="external" title="IINS Exam Topics (Cisco)">topics list</a> and official cert guide are really
too vague about what is actually expected from the student.</p>
<p>Yes, the topic list has Cisco’s usual disclaimer:</p>
<blockquote>
<p>The following topics are general guidelines for the content likely to be
included on the exam.
However, other related topics may also appear on any specific delivery of
the exam.
In order to better reflect the contents of the exam and for clarity
purposes, the guidelines below may change at any time without notice.</p>
</blockquote>
<p>This was also the case for the <a href="/posts/2017/08/21/ccna-routing-switching-certification-review/" title="CCNA Routing & Switching certification review"><span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching</a> exam,
but while in the latter this disclaimer actually covered a few secondary
questions about knowledge that one is expected to gain during any normal
training and wouldn’t prevent a candidate from passing, here Cisco really seems
to go free-style regarding the choice of tested topics.</p>
<p>As this is a common claim regarding this certification, I remember a <span class="caps">CCIE</span>
on a forum who explained that this is a good thing because the more you
learn, the more you know, and one should not study with the exam as a goal,
giving as example the <span class="caps">CCIE</span> curriculum where the topics are voluntarily very vague.</p>
<p>I do not agree at all with such statements.
The <span class="caps">CCNA</span> is an entry-level certification and the <span class="caps">CCIE</span> is an expert-level
one, you cannot compare them as they are two different beasts.</p>
<p>In entry-level certifications, the student needs to know precisely what
he has to study so he does not lose precious time on off-topic subjects
while missing important on-topic subjects (time is always playing against
any student).
Of course, given an infinite amount of time, the student could become an
expert in every topic before passing the <span class="caps">CCNA</span> exam, but this is not what
is expected: there is an upper-bound in each topic which must be clearly
indicated.
The student remains free to investigate over this upper-bound if time
allows him such additional research, and this may also provide insightful
background information about on-topic subjects, but this remains
<em>additional</em> research.</p>
<p>In expert-level certifications, there is basically no upper-bound anymore:
you are meant to be an expert on the listed topics.
For the domains where you are only required to be familiar with the “common
features” of something, your position should allow you to determine what
features are “commonly” found in the industry, which a candidate for an
entry-level certification is most likely unable to do.
For the domains where you are required to have a thorough knowledge, there
is effectively no upper-bound and you could be asked about any aspect of
the subject.
Of course you are not expected to know everything, which means you won’t
reach 100% score as you may potentially do in a lower-level exam, but the
gaps in your knowledge should be small enough to allow you to stay above the
required score.</p>
<p>Without a proper topic list or, at least, a proper certification guide, it is
just impossible for a self-learner to pass this exam.
That’s why you may have to check online either for specially created
training questions or for old exams (by the way the <span class="caps">IINS</span> exam currently labeled
210-260 was previously labeled 640-554, this may help you find older material
which, while not up-to-date, may still help you more accurately
determine what is expected from the student as the main topics remained the same).</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Don’t fall into the trap of learning the questions and answers and hoping to
pass only with that knowledge.</p>
<p>This is stupid (see my <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> on certifications) and
most likely useless as Cisco regularly generates new batches of questions
with either new questions or, more subtly, the same question but with
a slight variation (a change in host names, numbers, etc.) making the
correct answer change in an otherwise similar-looking question.</p>
<p>As I said in the <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a>, don’t forget that you study
for yourself, to develop your own aptitudes in domains you are supposed to
like and be good at.</p>
</div>
<h5 id="curriculum-too-focused-on-cisco-product-usage"><a class="toclink" href="#curriculum-too-focused-on-cisco-product-usage">Curriculum too focused on Cisco product usage</a></h5>
<p>The <span class="caps">CCNA</span> R&S curriculum is <span class="caps">IMHO</span> a perfect example of a curriculum where the
theoretical and practical content are well weighted.
In the <span class="caps">CCNA</span> R&S, you begin by learning for instance a protocol: why it is
needed, how it works, and then finally you learn how to implement it using
Cisco technologies.</p>
<p>The <span class="caps">CCNA</span> Security curriculum, on the other hand, focuses more heavily on Cisco
products.
I’m not saying that there is no theoretical knowledge at all, on the contrary
the details of IPsec for instance and its comparison with <span class="caps">SSL</span>-based VPNs are
very well developed and very interesting, and I suppose that someone new in
the security area will also enjoy the parts about the threats and <span class="caps">PKI</span>
infrastructures, but the theoretical knowledge does not go very far beyond that.</p>
<p>After that the curriculum seems to boil down to a catalogue of features,
each one with its own succession of screenshots, web interface menus and
command-line options to learn.</p>
<ul>
<li>The threats remain theoretical, you are solving problems you don’t
know in practice and have never experienced or verified for yourself.
In other words, you are mostly taught <em>good practices</em>.</li>
<li>The features are analyzed individually, with very little perspective on
the global network architecture and how the elements are organized and
interact with each other.
For instance individual chapters describe centralized authentication, <span class="caps">SCEP</span>
and site-to-site <span class="caps">VPN</span>, but how they could be securely combined is
off-topic (but most probably covered in the <span class="caps">CCNP</span> curriculum).</li>
</ul>
<p>Depending on your affinities and the reasons why you choose a <span class="caps">CCNA</span> Security
certification, I would recommend that you accompany this certification with
at least another one:</p>
<ul>
<li>
<p>If you are more interested in the security aspect, you should highly
benefit from a general security certification, like a <a href="/posts/2017/10/04/ec-council-ceh-certification-review/" title="EC-Council CEH certification review"><span class="caps">CEH</span></a> for instance.
This will provide you with a better understanding of the threats, allowing you to
make more appropriate decisions.</p>
</li>
<li>
<p>If you are more interested in Cisco technologies, I think you should take
the step and push toward the <span class="caps">CCNP</span> Security.
I did not take this one so I cannot vouch for it, but it should allow you
to become more intimate with Cisco technologies than the introduction
provided in the <span class="caps">CCNA</span>, making you more efficient and more apt to make the
right decisions or react correctly in case of unforeseen events.</p>
</li>
</ul>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>Similarly to the <span class="caps">CCNA</span> R&S, the questions themselves are clear and non-ambiguous,
even though as mentioned above they follow a topic list which noticeably differs
from the one available on Cisco’s website and in its official certification guide.</p>
<p>As a self-learner, you must therefore do your own investigations to discover the
topics effectively covered by the exam.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Having been through this myself, I’ve shared with you in this post the
complete list of topics which I find to be asked in <span class="caps">CCNA</span> Security exams and
missing in Cisco’s official certification guide.</p>
<p>So <em>maybe</em> this list may save you some investigation time so you can focus
more on your study, at least I hope so!</p>
<p>Don’t take it for granted, though, as Cisco regularly updates its question
sets and may include new, unmentioned topics.</p>
</div>
<p>The exam engine is… crap.</p>
<p>Yeah, I already knew it from my <span class="caps">CCNA</span> R&S exam so I was expecting the broken
<span class="caps">XML</span> tags and attributes in the questions and answers, but here I got a <span class="caps">BSOD</span>,
a Windows Blue Screen of Death right in the middle of the exam (while the
engine was loading a simulation lab).</p>
<p>How is it even possible that a simple exam engine could make the whole
operating system crash?</p>
<p>Needless to say I was very worried and my first reaction was, breaking the rule,
to directly get up and fetch one of the people in charge of the exam center, less to
get technical assistance than to get an official witness in case I failed
the exam because of this.</p>
<p>Fortunately, once Windows restarted, the exam went on as usual, at the
current question, current time and keeping all previously saved answers.
What a relief, but still: this is not what I would call good or comfortable
exam conditions<sup id="fnref-exam_bugs"><a class="footnote-ref" href="#fn-exam_bugs">3</a></sup>.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>Unless you need this very certification to meet some <span class="caps">US</span> governmental contract
prerequisites, I would not recommend taking this certification alone.</p>
<p>I would however recommend it mainly in these two situations:</p>
<ul>
<li>
<p>As a complement to a more general security learning path, to dig a bit
deeper into some protocols such as IPsec, which is often mentioned but rarely
studied elsewhere, and to familiarize yourself with Cisco’s approach to security.
This is why I chose it personally, and I really don’t regret it.</p>
</li>
<li>
<p>As a first step to get your <span class="caps">CCNP</span> Security and become an actual Cisco
Security Professional.</p>
</li>
</ul>
<div class="footnote">
<hr/>
<ol>
<li id="fn-acs-version">
<p>This link leads to the documentation of version 5.6 of <span class="caps">ACS</span>.
To access a different version or if this one is not found, simply change the
version number in the <span class="caps">URL</span> as the path itself remains constant over <span class="caps">ACS</span> versions. <a class="footnote-backref" href="#fnref-acs-version" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn-failure">
<p>Some gossip says that this may be a voluntary move from Cisco in
order to bill more exams and put forward their official, expensive training
sessions.
Personally, I believe in the
<em>“Don’t see malignity where there is just stupidity”</em> principle and I think that Cisco
just does not care.
There is too little money to be made from people training using books and free
simulators, so there is no business reason to invest money in them either.
This is not a matter of thinking of strategies to push people to pay more, this
is simply a matter of reducing funding where the <span class="caps">ROI</span> is not profitable enough. <a class="footnote-backref" href="#fnref-failure" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn-exam_bugs">
<p>I passed nearly a dozen exams in the same test center, and I
encountered such issues only with Cisco exams.
These issues seem therefore unrelated to the exam center itself but really
caused by Cisco’s specific exam engine. <a class="footnote-backref" href="#fnref-exam_bugs" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>Cisco CCNA Routing & Switching certification review2017-08-21T00:00:00+02:002017-08-21T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-21:/posts/2017/08/21/ccna-routing-switching-certification-review/<h3 id="the-five-ws"><a class="toclink" href="#the-five-ws">The five Ws</a></h3>
<ul>
<li>
<p><strong>What</strong>:
<span class="caps">CCNA</span> Routing <span class="amp">&</span> Switching is a technical certification about
enterprise-grade <span class="caps">IT</span> networking from Cisco.
It covers the involved devices, protocols and how to implement them
using Cisco technologies.</p>
</li>
<li>
<p><strong>When</strong>:
This is an entry-level certification with no prerequisite.</p>
</li>
<li>
<p><strong>Why</strong>:
This certification demonstrates a good level of familiarity with
enterprise networks and Cisco’s <span class="caps">IOS</span>-based devices.</p>
<p>It is a de-facto standard in terms of <span class="caps">IT</span> networking certification, valuable
even for employers using different technologies than Cisco, and
is also a prerequisite for several other Cisco certifications.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Note that Cisco certifications may not have the actual <span class="caps">CCNA</span> R&S
certification as a prerequisite, but the <span class="caps">CCENT</span> instead which is half
of the <span class="caps">CCNA</span> R&S.</p>
<p>If you are interested in networking (and I expect you are when you
intend to pass a Cisco exam) I warmly encourage you to pass the full
<span class="caps">CCNA</span> R&S certification instead of limiting yourself to the <span class="caps">CCENT</span> as
<span class="caps">IMHO</span> the latter really feels like a truncated version of the <span class="caps">CCNA</span> R&S
and makes you miss a lot of interesting areas.</p>
</div>
</li>
<li>
<p><strong>Who</strong>:
This certification is suitable for anyone willing to learn more about
enterprise-grade networking.</p>
<p>While the implementation part obviously relies on Cisco devices, the core
of this certification focuses on general knowledge on enterprise-grade
networks, in particular their architecture and various protocols involved
at each layer.</p>
</li>
<li>
<p><strong>Where</strong>:
The exam can be taken in any Pearson <span class="caps">VUE</span> test center.
It is a mix of MCQs and tasks to accomplish in a virtual lab.</p>
<p>You can get this certification through either one or two exams, depending
on your preference (personally I took the single-exam route, but the two
exams route is also equally valid).</p>
</li>
</ul>
<h3 id="training-material"><a class="toclink" href="#training-material">Training material</a></h3>
<h4 id="building-a-lab"><a class="toclink" href="#building-a-lab">Building a lab</a></h4>
<p>Building your own lab is a major part of the <span class="caps">CCNA</span> learning-path, be it a
virtual or physical lab.</p>
<ul>
<li>
<p>If you plan to work as a network engineer, I highly advise you to buy real
physical Cisco hardware.</p>
<p>The <span class="caps">CCNA</span> certification doesn’t require a lot of components and doesn’t
require last-generation devices.
Paul Browning, author of <em>Cisco <span class="caps">CCNA</span> in 60 days</em> (see below) made a very
good video on <a href="https://www.youtube.com/watch?v=dWOlc4uu_DI" rel="external" title="CCNA Home Lab - How to Build (YouTube)">how to build your home lab</a>.</p>
</li>
<li>
<p>On my side, as a security guy I specifically wanted to focus more on the
virtualization-side.
This was not an attempt to avoid using real gear as it would
have certainly been a fun experience (and maybe easier than hunting down
firmware images and virtualization issues) but we all have to manage
our available time and to focus on the practical knowledge which will be
most beneficial for us down the road.
In my case, being able to build virtual networks allowing me to reproduce
vulnerabilities and attack techniques seemed more relevant.</p>
<p>Being also a free-software guy, I did not go the Cisco <span class="caps">VIRL</span> route either
but instead learned the ins and outs of <span class="caps">GNS3</span>.
You will find all my notes on this subject in the
<a href="https://www.whitewinterwolf.com/tags/virtualization/" rel="tag" title="View articles tagged 'virtualization'">virtualization</a> section.</p>
</li>
</ul>
<p>Building a lab should mean something for you.
As I said in my <a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post on professional certification</a>, the whole
process will require a lot of time and effort: you must do this
not for a certification or for an employer, you must primarily do this
<em>for yourself</em>.</p>
<p>As Keith Barker summarizes it well in a very interesting video:
<em><a href="https://www.youtube.com/watch?v=EgTdoqcGXRA" rel="external" title="Building a Home Lab: The Mindset (YouTube)">Find your Passion</a></em>.</p>
<h4 id="learning-resources"><a class="toclink" href="#learning-resources">Learning resources</a></h4>
<ul>
<li>
<p><a href="https://www.subnetting.net/" rel="external">subnetting.net</a>:
<span class="lb-small floatright"><a href="#subnetting-net.jpg" id="subnetting-net.jpg-thumb" title="Click to enlarge"><img alt="Subnetting.net logo" src="https://www.whitewinterwolf.com/posts/2017/08/21/ccna-routing-switching-certification-review/subnetting-net.jpg"/></a></span>
Get your training from this website!
At $5 per month, I don’t think you can get cheaper, and for the price you
get very well-made videos, well-thought-out hands-on exercises, study sheets
and practice questions, and the whole gets regularly updated to follow the
evolution of Cisco’s requirements.</p>
<p>The whole thing is very well organized, with a logical progression, and
ensures a proper coverage of the knowledge required both to allow you to
pass the exam and to prepare you for real life.</p>
<p><a href="https://www.subnetting.net/company-info" rel="external">Kevin and Trey</a> really did an
awesome job with this website, you seriously can’t go wrong with them!</p>
</li>
<li>
<p><a href="https://www.amazon.com/Routing-Switching-Complete-Study-Guide/dp/1119288282?tag=electronicfro-20" rel="external" title="CCNA Routing and Switching Study Guide (Amazon)">Sybex <span class="caps">CCNA</span> Routing and Switching - Study Guide</a> by Todd Lammle:
This book is massive, more than a thousand pages, I did not even
attempt to read it from cover to cover.
However, this book really shines as a secondary source for your studies
and (later) as a reference book, to get things explained a different way,
find different examples, etc.</p>
<p>While I highly recommend this book as a secondary source of information,
I would not recommend it as your main or only source.
The thousand pages of this book follow a thematic organization, which
is really great to quickly search and find some information, but awful if
you need to learn it from cover to cover and must still remember very
accurately the protocol you learned 800 pages ago and have not used since then.</p>
</li>
<li>
<p><a href="https://www.amazon.com/Cisco-CCNA-Days-William-Browning/dp/0956989292?tag=electronicfro-20" rel="external" title="Cisco CCNA in 60 Days (Amazon)">Cisco <span class="caps">CCNA</span> in 60 days</a> by Paul Browning et al.:
This book focuses on hands-on exercises with a good dose of motivational
discourse and a structured daily plan spread over 60 days to take you by
the hand and allow you to successfully pass the exam.</p>
<p>The originality of this book is indeed this 60-day plan, where each
day matches a chapter with its daily lesson and dose of practical exercises.</p>
<p>The first part of the book, where the foundations are being laid, is very
demanding, while the rest of the book, simply adding new concepts on top of the
building in an incremental way, is far easier.
I therefore highly recommend starting this book during a vacation period,
when you can easily dedicate enough of your time to get your foundations
right; then you will find it easier to mix your <span class="caps">CCNA</span> studies with your daily activity.</p>
<p>Personally I have no problem in organizing my studies my own way and prefer
to do so.
I enjoyed the first part and learned the <span class="caps">IOS</span> shell with this book, but
later on it became merely a secondary study book.
But even as a secondary source of information this book remains great:
its table of contents allows you to directly find the days covering certain
notions, and the courses are always to the point and highly practical.</p>
<p>Moreover, the author provides a very interesting <span class="caps">PDF</span> about the mindset to
develop while working for certification (whether it is this one or any
other one).
It is indeed Paul’s point of view that a lot of people fail not because
of technical knowledge, but because of an improper mindset, and he does
a more thorough job in this area than any other author on the subject.
This alone could be a sufficient reason to buy this book.</p>
</li>
</ul>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Cisco regularly updates its exams, requiring training books to be updated.</p>
<p>Don’t blindly buy the books linked here: they are the latest edition
available while I write this article but may be outdated when you read it.</p>
<p>Always check the exact identifier of the exam you want to take and ensure
that the book you choose matches it.</p>
</div>
<h4 id="exam-simulation"><a class="toclink" href="#exam-simulation">Exam simulation</a></h4>
<p>The <span class="caps">CCNA</span> exam is a widely known exam:</p>
<ul>
<li>
<p>Each of the above-mentioned learning sources already comes with a good pile
of questions to practice before taking the exam.
These questions are of good quality and usually provide an explanation about
the right answer.</p>
</li>
<li>
<p>In case this is not enough for you, you can also search the web for
supplementary questions.
Beware however that the quality of the questions freely available on the
Internet may vary a lot, sometimes what is given as the right answer isn’t
even the correct one!</p>
<p>Moreover, I also refer you back to the explanation in my
<a href="/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/" title="Are certifications useful? A few words about career plans.">general post</a> about professional certification on why you should
stay away from websites offering “brain dumps” or “real exam questions”.
There is enough legal learning material for the <span class="caps">CCNA</span> R&S certification to
avoid entering such a grey area.</p>
</li>
<li>
<p>Lastly, to get familiar with the exam <span class="caps">GUI</span> and the various types of questions
you will be asked, Cisco provides a <a href="https://www.cisco.com/c/en/us/training-events/training-certifications/exam-tutorial.html" rel="external" title="Cisco Certification Exam Tutorial (Cisco)">free online exam tutorial</a>
(this requires Flash Player).
Note that a significant part of the Cisco exam goes beyond classical
multiple-choice questions and relies on a graphical interface specific to
Cisco exams.</p>
<p>You will have the same kind of tutorial on the exam day, right before
starting the test.
I recommend you however to familiarize yourself with the <span class="caps">GUI</span> <em>before</em> taking
the exam as, if you’re like me, you may want to take advantage of this
upfront time to fill your whiteboard with subnetting tables<sup id="fnref-1"><a class="footnote-ref" href="#fn-1">1</a></sup>.</p>
</li>
</ul>
<h3 id="personal-impressions"><a class="toclink" href="#personal-impressions">Personal impressions</a></h3>
<h4 id="curriculum"><a class="toclink" href="#curriculum">Curriculum</a></h4>
<p>The <span class="caps">CCNA</span> exam does a great job in teaching about enterprise-grade networks,
no wonder it imposed itself as a de-facto standard on the subject.</p>
<p>If you aren’t following a golden spoon-fed thousand-dollar training path, you
will have to build your own lab.
While this may seem a daunting task (it is hard to choose and install
devices you don’t know yet), it is very educational.</p>
<p>The balance between Cisco-proprietary and common-standard information, at least
in the sources I mentioned above, is well preserved, making this certification
useful to have a better understanding of both Cisco technologies and the common
standards surrounding such networks.</p>
<p>The <span class="caps">CCNP</span>-level certifications, the logical sequel of the CCNAs, seem far more
focused on Cisco technologies.
You may therefore be interested in taking only the <span class="caps">CCNA</span> first, and potentially
progress toward the <span class="caps">CCNP</span> only if you find yourself hired at a position dealing
with Cisco devices on a regular basis.
Otherwise the <span class="caps">CCNA</span> R&S is a valuable certification by itself.</p>
<p>For those who take the two-exam route, on the contrary I don’t consider the
<span class="caps">CCENT</span> to be a valuable certification by itself.
It just feels like a truncated <span class="caps">CCNA</span> R&S and has no real professional
benefits, except serving as a prerequisite for some other Cisco certifications
or for students as proof of good-will before getting their first job.</p>
<h4 id="exam"><a class="toclink" href="#exam">Exam</a></h4>
<p>The questions themselves are good: they are clear and unambiguous.
They <em>globally</em> follow the certification curriculum, but Cisco
expects the student to have done his own research and practical studies
allowing him to answer more general questions outside of the curriculum.</p>
<p>This is stated explicitly in the <a href="https://learningnetwork.cisco.com/community/certifications/ccna/ccna-exam/exam-topics" rel="external" title="Cisco Certified Network Associate: Exam Description (Cisco)"><span class="caps">CCNA</span> exam description</a>:</p>
<blockquote>
<p>The following topics are general guidelines for the content likely to be
included on the exam.
However, other related topics may also appear on any specific delivery of
the exam.</p>
</blockquote>
<p>From my personal experience however they do not abuse this, as I said
the questions were good.</p>
<p>The only hindrance was several formatting issues in the questions,
typically broken <span class="caps">XML</span> tags randomly leaking in the question and answer captions,
making answering, on a few rare occasions, more of a guess than anything else
(this exam was the only one for which I found myself regularly using the
<em>Comment</em> button to notify Cisco teams about these issues).</p>
<p>This affected about a dozen questions, with one where the answers were barely
readable, enough to make their exam feel cheap and dirty: Cisco really
should try to improve this.</p>
<h4 id="conclusion"><a class="toclink" href="#conclusion">Conclusion</a></h4>
<p>This is a very good certification.
I warmly recommend it to anyone wanting to take the step from home <span class="caps">LAN</span> knowledge
to corporate <span class="caps">LAN</span>.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-1">
<p>The memory of me frantically filling the whiteboard with lines, numbers
and calculations <em>even before the first question was asked</em> seems odd even now, but
this is clearly the way to go to start the examination serenely :). <a class="footnote-backref" href="#fnref-1" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Professional Penetration Testing (Thomas Wilhelm)2017-08-19T00:00:00+02:002017-08-19T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-19:/posts/2017/08/19/professional-penetration-testing-thomas-wilhelm/<p>This book does not teach you penetration testing technically, it teaches you
penetration testing <em>professionally</em>.
Here, the pentest is not a technical exercise anymore, it becomes a paid
service delivered to a customer to satisfy a business need.
This requires more than throwing a bunch of tools and lines of code toward a
target.
This requires things like planning, methodology, quality and risk management,
and communication.
<em>This</em> is what this book is about.</p>
<p>This book mainly targets three kinds of audience:</p>
<ul>
<li>
<p>People who are already familiar with the technical side of pentesting and
are wondering if making it a career would be interesting for them (doing
something as a hobby and as a job is not the same) and, if so, how to
proceed and what to expect.</p>
</li>
<li>
<p>Pentesters already in the field but who would like to have a broader view
of their current job.</p>
</li>
<li>
<p>Project managers who are already familiar with handling technical projects
but are new to the field of penetration testing.</p>
</li>
</ul>
<p>A lot of books describe pentesting in a world of exploits and mitigations.
The fact that this one describes pentesting in a world of business needs,
risks and costs sets it apart from the others.</p>
<p>While in the introduction I heavily emphasize the management aspect of this
book, this is actually only half the book.
Technical aspects such as
<em>“creating and operating a formal hacking lab”</em><sup id="fnref-subtitle"><a class="footnote-ref" href="#fn-subtitle">1</a></sup> and the several
phases of conducting a penetration test, from information gathering to writing
the final report, are also well covered (a <span class="caps">DVD</span> is even provided to feed your
pentest lab with target systems).</p>
<p>However, if you are only interested in these technical aspects, other books
analyze them more deeply.
Here they are covered mainly to allow technical and management people to
understand each other by speaking the same language and having a better
realization of the ins and outs of each other’s activity.</p>
<p class="buy button"><a href="https://www.amazon.com/Professional-Penetration-Testing-Second-Creating/dp/1597499935?tag=electronicfro-20" rel="external" title="Buy 'Professional Penetration Testing' (Amazon)">Buy on Amazon</a></p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-subtitle">
<p><em><span class="dquo">“</span>creating and operating a formal hacking lab”</em> happens to be the
subtitle of the first edition of the book, <em>“learning”</em> replacing
<em>“operating”</em> in the second edition.
I find these subtitles a bit misleading as people buying this book in order
to technically learn to build and work with a pentest lab are usually
disappointed by the relatively small amount of information compared to
other books dedicated to the subject. <a class="footnote-backref" href="#fnref-subtitle" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Are certifications useful? A few words about career plans.2017-08-17T00:00:00+02:002017-08-17T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-17:/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/<p>I regularly encounter people claiming that certifications have no use, or at
best only help to pass <span class="caps">HR</span> screening.</p>
<p>I acknowledge that the importance and impact of certification is often
over-emphasized by people selling certification-related books and services
(which is to be expected: they are <em>selling</em> something, this is <em>advertisement</em>),
and I also agree that a certification is not a <em>proof</em> of anything per se.</p>
<p>However, I believe that a certification from a well-known and trusted organization
benefits the whole <span class="caps">IT</span> security chain: it benefits you, your employer
and the final customer.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>I talk here of <em>“certification from a well-known and trusted organization”</em>.
There is a tendency for a lot of websites hosting a little training
material to deliver “certifications”, praising the value your resume will
get with one of these.</p>
<p>In case of doubt, check job offers: if there is no demand for this
particular certification (and don’t be fooled by similar names), it means
that it will be most likely useless to you as a professional certification.</p>
<p>However, this does not mean that the training material itself will also
be useless.
Even if a lot of such websites provide generally poor content and try to
sell it by putting on the storefront a few reasonable-quality “previews”
and their shiny “certification program”, some of them may be serious
organizations really trying to become part of tomorrow’s trusted ones.</p>
<p>Do your research, don’t get fooled by marketing tricks.</p>
</div>
<h3 id="for-yourself"><a class="toclink" href="#for-yourself">For yourself</a></h3>
<h4 id="choosing-the-right-certification"><a class="toclink" href="#choosing-the-right-certification">Choosing the right certification</a></h4>
<blockquote>
<p>If you don’t design your own life plan, chances are you’ll fall into
someone else’s plan. And guess what they have planned for you? Not much.</p>
</blockquote>
<p>I find this quote from Jim Rohn at the same time so true and so widely ignored.
You <strong><em>need</em></strong> to design yourself a concrete career plan.
This is your life we are talking about!</p>
<p>You may already take some time to choose your shoes, your car, your cellphone
and your flat.
Why not take a few moments to also choose your life?</p>
<p>Lee Kushner and Mike Murray gave a very good talk at <span class="caps">DEF</span> <span class="caps">CON</span> 17,
<a href="https://www.youtube.com/watch?v=Ijs0VaRGs1w" rel="external" title="DEF CON 17 - Lee Kushner and Mike Murray - Effective Information Security Career Planning">Effective Information Security Career Planning</a>, where they presented
a diagram like this:</p>
<p><span class="lb-small"><a href="#aptitudes.png" id="aptitudes.png-thumb" title="Click to enlarge"><img alt="Aptitudes: the union of talents and interests" src="https://www.whitewinterwolf.com/posts/2017/08/17/are-certifications-useful-a-few-words-about-career-plans/aptitudes.png"/></a></span></p>
<p>I really recommend that you watch their whole talk<sup id="fnref-kushner"><a class="footnote-ref" href="#fn-kushner">1</a></sup> as it is really
interesting and well-presented.</p>
<p>To make it short, they explain that you have:</p>
<ul>
<li>On one side things you are good at (you may or may not be interested in them).</li>
<li>On the other side things you have some interest in (you may or may not be
good at them).</li>
</ul>
<p>The intersection of the two contains the things you are simultaneously good at
and interested in.
<em>These</em> are the things you must focus on; Lee and Mike named them your
<em>aptitudes</em>.</p>
<ol>
<li>Discover your personal aptitudes.</li>
<li>Search for job names which rely on these aptitudes (<a href="https://www.youtube.com/watch?v=57BzHxcn2V0" rel="external" title="Rory Alsop: Starting your Security Career - Where can you go? ">Rory Alsop</a> made
an interesting overview of job descriptions and requirements for people
entering the <span class="caps">IT</span> security field).</li>
<li>Read corresponding job offers to check which certifications they value.</li>
</ol>
<p>Too often I see people skipping one or several of these steps, or even worse
doing the whole thing in reverse order by first getting a certification
matching their current talents (maybe on something they don’t like, but are
talented in), then finding a job matching the obtained certification, and
finally (trying to) build a life around this job.
This is so wrong!
You may be lucky and still be happy this way, but your life deserves more care
than leaving it to luck.</p>
<h4 id="getting-certified"><a class="toclink" href="#getting-certified">Getting certified</a></h4>
<p>Once you have done this work on yourself, the certification allows you to
focus and sharpen your aptitudes.</p>
<p>Don’t over-estimate yourself!
Since this is a domain you both like and are good at, chances are that you
are already highly familiar with it.
You may therefore be tempted to think that you already know enough; this is an
easy trap.
Doing so you will most likely discover the hard way the difference between
<em>being familiar</em> and <em>knowing</em>.
This is why so many people fail their exam, and repeat their failure as long as
they do not acknowledge where the real problem is but instead prefer to blame
the exam itself.</p>
<p>Granted, depending on the exam some questions may be dubious at best, but the
amount of such questions is never large enough to fully explain a failure,
only to prevent people from reaching 100%.
When you fail an exam, it is not because the questions were not good, it is
because you were not prepared for them.</p>
<p>In the exam authors’ minds, a few months after you passed the exam you will only
remember about 40 to 60% of the things you learned to get it.
This is normal and expected, this is how any training system goes.</p>
<p>The consequence of this is that, to indeed grant you the certification, exam
authors set the bar very high, far higher than what the professional
positions associated with the certification require on a daily basis, with
the sole objective that these remaining 40-60% will, at the end of the day,
effectively match the job’s needs.</p>
<p>Because of this, when studying for an exam, you must prepare yourself for tears
and suffering.
In those hard times when you feel that your head will explode, that the chapter
you are currently reading just feels like random gibberish, that the end
of the course seems to reside in a galaxy far, far away: remind yourself why
you are doing all this.</p>
<p>You are not studying to be able to set up and configure that foobar device.
You are not studying for the exam, or for the certification, or for the job.
You are studying for yourself: you are studying to build yourself your own life.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>You may find on the Internet so-called “brain-dumps” or websites
offering you “real exam questions” so you just have to learn the mapping
between a question caption and its corresponding answer without having to
understand their meaning.</p>
<p><strong><em>Ignore them.</em></strong></p>
<ol>
<li>
<p><em>Such material violates the exam Non-Disclosure Agreement</em>.
By using it to pass your exam you expose yourself to having your
certification revoked at any time.</p>
</li>
<li>
<p><em>Such material kills the certification</em>.
Once enough people manage to get certified without having the
accompanying knowledge, putting the certification on a resume loses all
its value.</p>
</li>
<li>
<p><em>This is useless</em>.
Should you manage to get a job this way, how do you
expect to perform your duties if you do not have the corresponding
knowledge?
The employer will quickly be able to tell.</p>
</li>
<li>
<p><em>This is stupid</em>.
As a reminder, you do this for yourself, to extend and systematize your
knowledge in an area you are supposed to like and be good at. Why on
earth would you jeopardize all this by cheating when you can just go on
and be proud of yourself and of your work once you managed to pass the test?</p>
</li>
</ol>
<p>This warning however does not target “exam-like” questions which are
independent creations and are not part of the exam, or old retired questions
<em>published by the certification organization</em>.
They are both good ways to train yourself for the wording and topics
targeted by an exam and may be a required step to pass it.</p>
</div>
<h3 id="for-an-employer"><a class="toclink" href="#for-an-employer">For an employer</a></h3>
<p>When looking for a job, an appropriate certification goes beyond simply passing
human resources screening:</p>
<ul>
<li>
<p>Well-known certifications act as a kind of common language with a potential
employer to convey your aptitudes and competency in a few acronyms.</p>
<p>While the rest of your resume provides details on your experience,
an employer knows what a <span class="caps">CEH</span> or a <span class="caps">CISSP</span> is, for instance: he knows what he
can expect from an employee bearing such certifications and which roles
in the company would match their qualifications.</p>
<p>Providing a sound set of complementary certifications allows an
employer to get a factual, objective and clear view of who you are
and what you can bring to his company right from your resume header,
without even having to read any further.</p>
</li>
<li>
<p>As said earlier, certifications are hard to obtain.
The benefit from this is that, beyond the technical knowledge, a
certification is also an objective testimony of your determination.</p>
<p>You are capable of working hard and making an effort to achieve a goal.</p>
</li>
</ul>
<p>A certified employee also represents an added value for the employer, which
may translate into a better position and salary within the company.</p>
<h3 id="for-a-customer"><a class="toclink" href="#for-a-customer">For a customer</a></h3>
<p>In technical and specialized domains such as <span class="caps">IT</span> security, it is very easy
for a customer to find himself lost in a <a href="https://en.wikipedia.org/wiki/The_Market_for_Lemons" rel="external" title="The Market for Lemons (Wikipedia)">Lemon Market</a> where he has no clue
how to distinguish good-quality services from poor ones, thus lowering the
general market price to that of poor-quality services.</p>
<p>Here, the certification plays a major role by allowing a company providing <span class="caps">IT</span>
security services to bring an objective testimony of its employees’ competency.
For some contracts, like government contracts, this may even become a prerequisite.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-kushner">
<p>Sadly the linked video covers only the first part of their talk, I have
the impression that <span class="caps">DEF</span> <span class="caps">CON</span> did not release the sequel.
If anyone knows where it can be seen, please inform me; nevertheless this
first part still remains a very good talk in itself. <a class="footnote-backref" href="#fnref-kushner" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>Why I teach people how to hack (Ýmir Vigfússon)2017-08-17T00:00:00+02:002017-08-17T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-17:/posts/2017/08/17/why-i-teach-people-how-to-hack-ymir-vigfusson/<p>In this short TEDx talk, Ýmir Vigfússon tells us what it means to be a hacker,
from the curious teenager who does not really have a “moral compass” (yet!) to
the senior professional sharing his knowledge.</p>
<p>He tells us what leads people in this direction, but above all he tells us how
all these people, from the teenager to the professional, all benefit
society as a whole.</p>
<p>For those who may not know this text, this video has a strong feeling of the
<a href="/posts/2017/08/12/hackers-manifesto-the-mentor/" title="Hacker's Manifesto (The Mentor)">Hacker’s Manifesto</a>, but now explained by a well-respected professional and
assistant professor instead of an 11-year-old teenager.</p>
<p class="watch button"><a href="https://www.youtube.com/watch?v=KwJyKmCbOws" rel="external" title="Why I teach people how to hack | Ýmir Vigfússon | TEDxReykjavík (YouTube)">Watch on YouTube</a></p>Hacker’s Manifesto (The Mentor)2017-08-12T00:00:00+02:002017-08-12T00:00:00+02:00WhiteWinterWolftag:www.whitewinterwolf.com,2017-08-12:/posts/2017/08/12/hackers-manifesto-the-mentor/<p>Teenagers interested in computer hacking in the broad sense of the term, where
hacking focuses on the technical aspects of computer science and security is
just a part of it, often face the same roadblock.</p>
<p>As this practice is generally not understood and is the subject of a lot of fantasies
and misconceptions, they often face the same criticisms: they spend all
their time playing on their computer, are anti-social, do not respect authority.
In a few words, they are ruining their lives.</p>
<p>However, the most difficult part of such situations is not the criticisms
themselves, it is the sense of isolation that they produce.
Forty years ago, one such teenager rose up against this feeling and wrote,
under the pen name The Mentor, what now counts as one of the most heart-moving
and inspirational texts about the hacking culture: the <em>Hacker’s Manifesto</em>,
also known as <em>The Conscience of a Hacker</em>.</p>
<p>Forty years later, the text still has not worn out.
I, too, went through such feelings and found relief when discovering this text.
I, too, now share it and am happy if it can help youngsters build
their own lives.
This even became one of my <a href="https://security.stackexchange.com/q/89676/32746" rel="external" title="How to communicate a positive feeling about ethical hacking to non technical people? (StackExchange)">best closed-question answers</a> on StackExchange!</p>
<p class="read button"><a href="http://www.phrack.org/issues/7/3.html#article" rel="external" title="Read 'The Conscience of a Hacker' (Phrack)">Read on Phrack</a></p>
<p>For those who want more, Loyd Blankenship, alias The Mentor himself, gave a
public speech at the <span class="caps">HOPE</span> conference in 2002 and provided some interesting
contextual information<sup id="fnref-quality"><a class="footnote-ref" href="#fn-quality">1</a></sup>.</p>
<p class="watch button"><a href="https://www.youtube.com/watch?v=0tEnnvZbYek" rel="external" title="View The Mentor presenting 'Conscience of a Hacker' (YouTube)">Watch on YouTube</a></p>
<p>People interested in this manifesto may also be interested in Ýmir Vigfússon’s
<a href="/posts/2017/08/17/why-i-teach-people-how-to-hack-ymir-vigfusson/" title="Why I teach people how to hack (Ýmir Vigfússon)">Why I teach people how to hack</a>.</p>
<div class="footnote">
<hr/>
<ol>
<li id="fn-quality">
<p>Sadly, the sound and image of this recording are not of very good
quality; feel free to tell me if you find a better link! <a class="footnote-backref" href="#fnref-quality" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
</ol>
</div>