Are you already a penetration tester or preparing to become one? If so, then you might already know how important it is to acquire the right certification for penetration testing. Preparing for an IACRB Certification can give you the usage of the tools, techniques, and methodologies needed to efficiently pen test and become an SME able to secure systems successfully by beating malicious hackers on their terrain and with their weapons. Becoming certified pen testers can help professionals prove current or potential employers they have the right skills for the job and can truly help increase the security of the computing resources to them entrusted.

Pentesters’ professional experience and expertise build on expert IT knowledge of network systems architecture and configuration as well as of testing and evaluation methods. Those new to the profession and interested in being penetration testers should consider additional training (perhaps a CPT boot camp prep course) and then attempt certification; only having formal education, an IT Security degree for example, might not be sufficient as, in this field, hands-on training and lab work specific for mastering pen testing are necessary. Learning by doing is essential, and this need is captured well by the IACRB training and certifications that include practical examination and lab practicums.

Why a Certification as a Pen Tester?

Penetration testing, a subset of ethical hacking, a term that is often used interchangeably, refers to the process of putting to the test an organization’s buildup of security controls in place to ensure the protection of systems. A sort of legal “white hat” hacker, a penetration tester simulates actions similar to those that “black hat” hackers might attempt for malicious reasons. Their actions are performed with permission of the target owner, although they utilize exploits and attack tools and techniques similar to those of malicious hackers. Penetration testers look for security weaknesses in systems and in the infrastructure (hardware) and application (software) to uncover vulnerabilities, security holes to be patched in a network, as well as flaws in configuration and users’ behaviors that could potentially be exploited. The point of penetration testing is “protection, detection and response–and you need all three to have good security,” says Bruce Schneier, a renowned American computer security expert. It needs to be regularly conducted—at least annually, especially if there are changes to infrastructure and applications; penetration testers are in high demand today and. Therefore, this is a career field in constant growth.

With so many internationally recognized certs to choose from, it is hard, sometimes, to identify the right one to match career objectives. IACRB, however, has several options specific for pentesters and offers certifications like CPT, CEPT, and CWAPT, to name a few, that meet or exceed the requirements normally sought by organizations when hiring in the field. The Information Assurance Certification Review Board (IACRB) is an industry standard organization formed by information security professionals, and its certifications are among the most respected in the ethical hacking field.

How to Prepare for a Career in Pen-Testing. IACRB’s Trainings and Certifications

So, you desire to be a computer security expert who specializes in penetration testing? Well, to further your InfoSec career as an ethical hacker, apart from an academic background, it is important to get specific training and obtain certifications in the field. The Information Assurance Certification Review Board (IACRB) provides certifications that are well received in the industry; they can be sought through courses like those offered InfoSec Institute, an IACRB-approved training provider, where you can learn from experts, or from Intense School, which is one of the leading industry training organizations and has achieved Accredited Training Center (ATC) status from the IACRB.

Explore Your Options. The following are some of the certifications available for pen testers by IACRB. Each cert requires candidates to be aware of penetration testing methodologies, tools, and manual hacking techniques that can be used in an ethical situation. For general inquiries or status of your exam, contact them at exams@iacertification.org or via phone at 708-660-0721.

IACRB, Certified Penetration Tester (CPT)

This certification is designed to certify those who have been working or have knowledge in the field of penetration testing. The CPT consists of these nine domains: Penetration Testing Methodologies, Network Protocol Attacks, Network Reconnaissance, Vulnerability Identification, Windows Exploits, Unix/Linux Exploits, Covert Channels & Rootkits, Wireless Security Flaws, and Web Application Vulnerabilities.

Examination Info

Part 1: An online multiple choice exam

The exam: 50 Questions. Multiple Choice, T/F & Practical Questions. Allotted time: 2 hours. 70% right answers needed to pass.

Part 2: A two-step practical examination

It’s a take-home exam that needs to be completed within 60 days. Candidates are required to set up two Virtual Machines and complete three challenges. An exam proctor grades the test and marks it passed with a score of at least 70%.

For certification, the candidate will first need to undergo the completion of the multiple choice exam to complete the practical examination.

To take the test, candidates will need to pay a flat fee of $499 per exam and $399 per voucher for on-site proctored exams.

Recertification: Needed after four years

How can you prepare for the exam? Practical knowledge and work experience is certainly a plus, but there are courses that can help candidates prepare for the exam. The InfoSec Institute, for example, offers the CPT Hacking Course. Alternatively, Intense School offers Ethical Hacking: Penetration Testing for Professionals, which helps to prepare for the CEH (Certified Ethical Hacker) and the CPT. The course is meant to give students exposure to hacking and penetration testing. A hands-on training course by InfoSec Institute like the Ethical Hacking Boot Camp (CEH v9) one and its Free CEH Practice Exam is a good place to start learning about ethical penetration testing or ethical hacking practices.

IACRB, Certified Expert Penetration Tester (CEPT)

This certification is suitable for expert-level penetration testers. These IT professionals are expected to know pen testing in and out. The CEPT consists of these nine domains: Penetration Testing Methodologies, Network Attacks, Network Recon, Windows Shellcode, Linux & Unix Shellcode, Reverse Engineering, Memory Corruption/Buffer Overflow Vulnerabilities,

Exploit Creation – Windows Architecture, plus Exploit Creation – Linux/Unix Architecture and Web Application Vulnerabilities. Experts will need to demonstrate practical knowledge of attack methods to test the security of systems, and find any vulnerability due to software or hardware flaws or configuration mistakes.

Examination Info

Part 1: An online multiple choice exam

The exam: 50 Questions. Multiple Choice, T/F & Practical Questions. Allotted time: 2 hours. 70% right answers needed to pass.

Part 2: A three step practical examination

It’s a take-home exam that needs to be completed within 60 days. Candidates are expected to complete three challenges including the creation of 2 working exploits.

For certification, the candidate will need to undergo the completion of the theory exam and hands-on practicum, just like the CPT question and answer test and exercise, and also requires candidates to answer 70% of the questions correctly for a passing score.

To take the test, candidates will need to pay a flat fee of $499 per exam and $399 per voucher for on-site proctored exams.

Recertification: Needed after four years

Although candidates who do this certification are experts, courses might help fine-tune preparation and ensure a higher passing probability. Courses are available at InfoSec Institute for Advanced Ethical Hacking: Expert Pen Testing. The Advanced Ethical Hacking Training covers the theory and hands-on practicums needed for a successful attempt at the CEPT exam.

IACRB, Certified Web App Penetration Tester (CWAPT)

This certification is designed for penetration testers in the web application field. The CWAPT consists of these ten domains: Injection, Cross-Site Scripting, Broken Authentication, Insecure Direct Object References, Cross-Site Request Forgery, Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection, in addition to Invalidated Redirects and Forwards.

Examination Info

Part 1: An online multiple choice exam

The exam: 50 Questions. Multiple Choice, T/F & Practical Questions. Allotted time: 2 hours.

70% is the passing score.

Part 2: A two-step practical examination

One can take the exam over the internet. Again 70% of the questions need to be correct to attain a passing score.

To take the test, candidates will need to pay a flat fee of $499 per exam and $399 per voucher for on-site proctored exams.

Recertification: Needed after four years

Courses are available also to prepare for this modern, highly-sought certification. InfoSec Institute’s Web Application Penetration Testing Boot Camp, for example, is a totally hands-on learning experience. Every lecture is directly followed up by a comprehensive lab exercise. A similar type of course and instruction can be obtained from Intense School’s web application pen testing through a high-energy seminar approach. These pen tester programs can help prepare for the IACRB CWAPT certification exam.

These IACRB certifications, through traditional multiple choice and true/false questions as well as, in several cases, a hands-on practicum part, determine if a candidate possesses the required knowledge combined with the experience necessary for helping their current and future employers secure their systems. Although hands-on experience is the greatest asset in this field, being certified by IACRB is proof that an individual is a subject matter expert (SME) and has, as a minimum, established, a baseline skill level to perform well on the job. This can be a plus when on the market looking for a new or better position.

Ethical Hacking Training – Resources (InfoSec)

Conclusion

Penetration Testing has been recognized as one of the fastest growing areas within the IT security realm in the world, as the need for more ethical hackers and pen testers grows. The penetration tester salary in the US, as per PayScale, is anywhere between $43,840 – $123,837 (average salary: $77,000). Those who become Certified Ethical Hackers (CEH) could earn as much as $120,000. Professionals who have become Certified Penetration Testers (CPT) can earn a similar pay.

While money shouldn’t be the only reason to be in this field, many IT professionals are obviously drawn to this field that promises to continue providing great earning potentials and interesting opportunities. According to the Occupational Outlook Handbook by the Bureau of Labor Statistics, the Information Security Analysts, who often perform penetration testing has an expected growth of 18% up to 2024, a much faster than average rate. “Demand for information security analysts is expected to be very high, as these analysts will be needed to create innovative solutions to prevent hackers from stealing critical information or causing problems for computer networks.”

Penetration testing has gained wide adoption in the security community and is now essential to provide “an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, either known and unknown hardware or software flaws, or operational weaknesses,” as quoted by PicaTes HackZ.

Time and again, pen testers are performing regular penetration tests to probe the security of computing infrastructures systems, applications, and the organization as a whole to discover possible issues and identify the best way to resolve them. IACRB offers several certifications that can help professionals identify the best career path for their skills in the field in addition to providing an effective assessment of their current ability.

References

Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts. Retrieved from http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm

Conran, B. (2014, March 1). Why Not to Hire an Ethical Hacker. Retrieved from http://www.securitymagazine.com/articles/85263-why-not-to-hire-an-ethical-hacker

Dalziel, H. (2013, June 13). A day in the life of a pentester (ethical hacker). What’s it like? Retrieved from https://www.concise-courses.com/security/penetration-tester-job/

Don. (2011, May 25). Course Review: CPT by InfoSec Institute. Retrieved from

https://www.ethicalhacker.net/features/root/course-review-cpt-by-infosec-institute

Geier, E. (2012, February 15). How to Become an Ethical Hacker. Retrieved from http://www.pcworld.com/article/250045/how_to_become_an_ethical_hacker.html

Help Net Security. (2013, September 9). How important is penetration testing? Retrieved from https://www.helpnetsecurity.com/2013/09/09/how-important-is-penetration-testing/

IACRB. (n.d.). About IACRB. Retrieved from http://www.iacertification.org/about-iacrb.htm

Pearson, A. (2014, March 20). What is Penetration Testing and Why is It Important? Retrieved from http://www.securityinnovationeurope.com/blog/what-is-penetration-testing-and-why-is-it-important

Penetration Testing Tools. (n.d.). The Mindset of a Penetration Tester. Retrieved from http://www.pen-tests.com/the-mindset-of-a-penetration-tester.html

PicaTesHackZ. (n.d.). Difference between hacking, ethical hacking and penetration testing. Retrieved from http://www.picateshackz.com/2015/04/penetration-testing-complete-guide-for.html

SANS Institute. (2004). Three Different Shades of Ethical Hacking: Black, White and Gray. Retrieved from https://www.sans.org/reading-room/whitepapers/hackers/shades-ethical-hacking-black-white-gray-1390

Schneier, B. (2007, May 15). Is Penetration Testing Worth it? Retrieved from https://www.schneier.com/blog/archives/2007/05/is_penetration.html