Certifications – Don’t blame them! Change the hiring process.

Before I begin with this post, it should be obvious that I hold a number of certifications.  Still, I do feel that I can write this article without any bias.  Take from this what you want.

For the past few months now, I’ve seen a constant, if not increasing, number of anti-certification and anti-certification body posts, tweets, etc.  This has come from a wide variety of individuals, and (if memory serves me correctly) even from some articles on IT related websites.  However, one thing that you almost always see in common with these certification rants is that no alternative is provided.

So what’s the point of IT certifications?  The reason we have certifications is to try to provide some sort of standardized method of testing individuals and demonstrating the level of knowledge that an individual has.  While IT professionals can use certifications as a method of ranking one’s knowledge of different concepts, IT professionals, seeing as they work in the field themselves, are generally capable of judging another person’s level of knowledge through interaction with one another, typically better than any certification can.

So what about those that don’t work in IT?  IT “outsiders” typically don’t have the same skill set as those that work in IT; therefore, they are usually unable to judge the level of knowledge required for a position in relation to a potential job candidate.  As a result, the certifications an individual holds are what is typically turned to in the early stages of an interview.

The complaints that I have seen lately stem from claims that certain certifications are useless, that a certification doesn’t mean an individual knows anything, or that anyone can learn enough to pass a test.

All of these are valid points.

I am in no way arguing against these points.  However, if there is a failure within the hiring process while also using certifications as a metric, I would argue that the bigger problem is in your candidate vetting process.  Almost all HR/Recruiting departments (except for those that specialize in IT recruiting) need some sort of metric to measure a candidate to determine if they are worth passing on to a hiring manager.  IT professionals cannot expect any recruiter to be able to make a solid judgement of the level of knowledge that a job candidate has.  Recruiters simply do not have the background that IT professionals do, so it is not realistically possible for a recruiter to pass judgement.

This is where certifications come in.  Recruiters rely on the hiring manager to provide some sort of base requirements for jobs.  A hiring manager can provide certifications as a way to establish some base level of knowledge that a recruiter can use.  However, this should quite obviously not be the only roadblock, simply because (as pointed out earlier) almost anyone can learn to pass a test.  At this point, a technical interview should be performed to assess a candidate’s true level of knowledge and experience.  This should be the most important part of the candidate vetting process, as this will be the only time to get the best picture of what a potential hire knows before bringing them on and working full time with them.

Another point might be that people “hate” certifications so much that they will purposefully not be tested for any of them (or any specific ones), and then valid candidates could be “skipped over”.  While this obviously cannot be backed up with fact, I believe the number of candidates that fall into this category is far smaller than the number of candidates who may still dislike certifications, but still obtained some as a result of job requirements.  Those that do not obtain certifications due to their lack of respect for certs knowingly limit their own career opportunities, and I think this is almost a disservice to that individual.

In all the anti-certification posts that I have seen, I have yet to see anyone provide another usable metric that non-IT people can use to measure where a candidate stands in what they know.  To declare a problem and not provide a solution, not even an idea, is not an answer.  Anyone can say any system is broken or flawed (a lot of systems far beyond the realm of IT are), but it just might be the best system out there at the moment.  Just claiming something doesn’t work provides a service to no one.

I’m challenging the anti-certification crowd to step up and provide the industry with a viable alternative.  I agree the certification route isn’t perfect, but it’s the best thing we have out there at the moment, which is why you won’t see any anti-certification posts come from me.  Provide the industry with a better, realistic alternative to certifications, and I will be among the first to hop on that bandwagon.

However, I’m still waiting.

Newly OSWP Certified! My Exam Thoughts

Well, I am happy to report that the results of my OSWP exam came in and I was successful in passing the exam!

This was probably one of the most fun certifications that I had a chance to study for.  I already knew a good amount about breaking into wireless networks; however, I did not know all the techniques, and that was exactly why I wanted to take the course.

Both the videos and the large pdf file provided go into detail describing different attacks and different scenarios that you could face.  After working my way through all the videos, and the pdf file, I felt up to the challenge to take the exam.

About 15 minutes before my exam, I received an e-mail with the login instructions and the instructions for the exam itself.  It was pretty much exactly what I had expected.  Oddly enough, I was fairly nervous once I logged into the system.  In retrospect, I have no idea why because I really knew all the material, and I’ve performed the same attacks on my own many times.  Maybe it was just because I felt I already knew it all, that if I couldn’t pass, I really would have felt pretty ridiculous.

I also can’t say enough good things about this exam format.  Sure, learning theory and being able to answer test questions is a tried and true method of learning material.  However, I don’t think much else can represent truly knowing the material other than actually performing what was learned.  All Offensive Security certifications are based on actually forcing you to demonstrate your knowledge.  Not only does it make you prove your knowledge, but it also just makes it a lot more enjoyable.

Anyways, the exam was a good representation of the material that was learned during the course itself, and I would certainly recommend this course to others interested in learning about wireless security.  If anyone has any questions about the certification, feel free to ask.

Next on my list, OSCP!

OSWP – Offensive Security Wireless Professional Progress

About a month ago I signed up for Offensive Security’s Offensive Security Wireless Professional (OSWP) certification.  I’ve had a decent amount of experience hacking both WEP and WPA wireless networks; however, I knew that I did not know it all, and I wanted to get into something like the OSWP to fill in the gaps.  After registering for the course, I am happy to say that the OSWP certainly did provide that service.

Once registered, all candidates receive access to a large pdf file and a number of flash based training movies that explain all the background information and provide demonstration based training for the attacks you’re expected to perform.  I really enjoyed it because the OSWP goes in depth on all the attacks that one can carry out with the aircrack-ng suite, and it provided training on the attacks that I’ve never (had to) perform before.  Beyond the attacks, the training materials provide an extensive technical background clearly explaining the theory behind wireless security and the attacks.

I’m registered to take the test in a few weeks, so I’m looking forward to putting everything I’ve gained to the test.  I’ll be sure to post once I know how everything went.

Passed the CISSP Exam!

I can very happily say that I have passed the CISSP exam!

I originally posted that I first started studying for the CISSP in January, but I stopped for a couple of months as I switched jobs and wanted to be able to get acclimated with the new workplace.  Finally, around April, I started studying for the CISSP from the moment I got home until I went to bed.  Pretty much any spare time I had was spent studying.

My study materials included Shon Harris’s All In One CISSP Study book 5th edition, Shon Harris’s additional questions, the Official ISC2 CISSP Study guide, and a paid test subscription to cccure.org’s test questions.  While I had all these materials, the two biggest sources of information were Shon Harris’s AIO book and the cccure.org test engine.  I believe just constant studying and constant test taking forced me to learn the material, and I was able to use it to take and pass the exam!

I sat for the exam on June 12th in Reston.  I was maybe the 5th person done taking the test at exactly 2 hours and 59 minutes into the 6 hour exam.  I walked away feeling fairly confident that I did well, and just hoping that I passed.

Waiting to find out the results is the worst.  I kept taking one small practice test a day just in case I would have to retake the test again so I could help keep it all fresh in my mind.  It took just about 2.5 weeks to find out how I did.  I was at a conference when I got the e-mail from ISC2 on June 29th.  Very nervously I opened up the e-mail, and was very very very relieved when I saw the “Congratulations”.

It was a long time studying, and required a lot of time to learn all the material, but it was well worth the effort in the end.  As of now I have passed the exam, but I will not receive the actual certification until around April of 2012.  Needless to say, I think the hard part is past me.

CISSP Begins

So I’ve just started studying for the CISSP.  I’ve been doing so for about a week now, and I am feeling very confident with all the content that I have read.  The big thing I have noticed when working to obtain all my certifications is that the material needs to make logical sense, as I am very much a logical thinker.  As long as the material does, understanding any of it will not be an issue for me.

Additionally, I’ve been working a lot with Backtrack 4 lately.  I’ve been playing around with a lot of the tools again, and I still believe it is the best security based linux distro available.  The number and quality of tools built into it is superior to anything else I have used.  It never hurts to have a great understanding of these tools, and I’ll continue to work on that.

I purchased a couple of different books to help me study and obtain the CISSP.  The first one, and probably the most popular one, is Shon Harris’s All in One Study guide.  I also purchased her smaller book that contains practice tests.  The other book I bought is the (ISC)2’s official study guide.  It’ll be interesting to read through both and see which book works best for me.  As of now, I’m going to keep working my way through the Access Control domain, and go on from there!

Certified Ethical Hacker

Well, it certainly has been a busy holiday season for me.  A significant amount of the time has been spent studying for the CEH, Certified Ethical Hacker exam.  Anytime I had free time, it seems that I would feel guilty if I just watched TV instead of studying for the certification.

Thank goodness, the hard work paid off.  I took the test last week and walked away with 87% correct, needing only 70% to pass.  It was interesting, and a little tough, but I did feel confident throughout the whole exam.  I felt confident going into it as I spent a lot of time using some of the tools that were discussed in the books I looked over, and it significantly helped to reinforce all the concepts of the books.

There were some questions that just did not seem to be covered in any of the material that I had read, which was a little surprising, but nonetheless, I was able to pass, and definitely walked away really happy.

So what’s next, I’m trying to decide.

My original goal was to receive 4 certifications, Net+, Sec+, CEH, and CISSP.  I’ve achieved three of the four that I originally wanted.  However, I am now feeling a little inclined to get the MCITP: Server Administrator.  I feel that since I’ve just been going through Security certifications, I should go ahead and continue and try to go for the CISSP next.  It wouldn’t seem to make a lot of sense to completely switch to a Microsoft certification, and then go back to a security one.  It just makes more sense to go one after another.

Well, I think that’s what I’ll do.

Network+ Certified!

Well, I am now glad to report that I am also Network+ certified!  I went to go take the test on Monday this week, and I did pretty well.

It was interesting comparing this test to the Security+.  On the Security+, I was able to take the whole test, just blow right through it, and do really well.  On the Network+, the first 10 questions I had were the toughest.  My first thought was, “Wow, I had really studied, and I knew all the material, what’s going on?  This is going to be close.”  But after the first 10, I pretty much just got into a groove and was able to go through the rest of the test with no issues.

So, now I’m taking a break.  But, I have a feeling at the end of this first week, I’m just going to get started studying for my next certification.

Next up… Certified Ethical Hacker

Security+ Certified!

So, as you all know I have been studying for the Security+ for the past month roughly. This past week, with two weeks left in my class, I just felt that I really knew all the information we had previously gone over, and all the upcoming information. So instead of just sitting there, I figured, why not just try taking the test, and see where I’m at?

Went on a rainy Thursday morning, walked right in, sat down, and 25 minutes later came out a Security+ certified professional!

It was interesting, I felt that for almost every question, I was able to eliminate 2 of the 4 possible answers, so if I didn’t know it, I nearly always had a 50/50 shot at getting it right.

Anyways, I walked away with a score of 845 out of 900, and a big weight off of my shoulders.

Security+ Update

Well, I’ve been “going” to the virtual class for about three weeks now.  We meet twice a week for 3 hours.  This class in all honesty is pretty easy.  Well, I guess that would be attributed to the certification itself.

In the end, I know I could have definitely taken the test and received the Security+ certification without having to go through the class.  Really, all the instructor is doing is reading through the book, which I can do myself.  But, I guess it doesn’t hurt to have an instructor.

The only things I really need to focus on and remember are the encryption algorithms: how many bits each one uses, and whether it is asymmetric or symmetric.  Besides that, all the concepts that the book presents seem very straightforward and logical.

I believe the class is going to be sending out our vouchers very soon.  Hopefully I get it this week.  If I can, I’ll take a few more practice tests (already getting 85%) and as long as I stay around the same score, I’ll just go take the exam early, and be done with it.  Not much of a point of sitting for a few more weeks to learn things I already know.

Well, we’ll see, and hopefully I’ll be certified shortly!

Security+

For the past week and a couple days I have been studying for the Security+ exam.  I’ve been going through a couple books, websites, and practice tests to get ready, and my work actually has sent me to a class to get ready for the exam.

After going through the books and the start of the class, I feel I probably could have gotten this done without going to the class.  The first chapter, and the first day of our class, was learning what updates are, hot patches, service packs, etc.  It was a little funny to learn that; it should probably be common sense if you are going for the Security+ cert, but it was still a good review.

Tonight we are about to have our second class, and I am looking forward to it.  My only weak area (from what I can tell after taking practice tests) seems to be the memorization of things, such as how many bits are in a specific encryption algorithm.  Short of that, all the concepts feel straightforward and make sense.

Tonight will be the end of week 1, with 5 weeks to go.  Looking forward to getting through the class, and getting the cert.