OSCP and Other Certifications

harcos90

Hello All,
This is my first time posting on this website, though I have been lurking for the last month to get some information on certifications. I am currently a Web Application Developer who would like to transition into IT Security. I do not have work experience in the field, however I did get my minor in Security Risk Analysis which focused on Network Security. One of my other goals is to eventually apply to the FBI under their Cyber focus.

Where I am currently working has stated that they would pay for an OSCP class and certification as part of their tuition reimbursement program. However, looking at the current job application posted on the FBI's website for a Sepcial Agent with a Cyber focus www.usajobs.gov/GetJob/ViewDetails/389051400, it would appear that that certification is not included in any of the 3 Tiers of certs they are looking for. I would like to get one of the tier 1 certifications as that would remove one year of the work experience requirement, and would allow me to apply for that position any time it is posted after October of this year as I would then have 2 yrs experience + a tier one certification. From what I have read the application process can take a while, so I would like to begin that as soon as possible (this way if I am not a suitable candidate I can adjust my career goals accordingly asap).

With all of this in mind, do you think that A) OSCP certification would be good to pursue? And Does the training from this certification prepare me to take any of the tier one certification's tests without much additional studying?

xXxKrisxXx

Welcome Harcos90,

I do Web Development also as my day job and eventually plan on transitioning toward Security.

Even if the OSCP is not on the list (yet), it holds a lot of respect. The cost of PWK Training is a lot cheaper than the amount of money you're going to pay training and attempting the Tier 1 Certifications listed there. The course's content is also incredibly valuable. Talk about being able to walk away from a solid course proving that you actually had to pop machines. In my opinion, this holds more value than holding a pentesting certification that consisted of a multi-choice exam. The OSCP is gaining more and more recognition every day. While it may not be one HR is used to scanning for (i.e - CEH,CISSP,etc), the security team looking for another addition could easily see the value of an applicant holding a practical, hands-on certification.

I say go for it. It's good you know how to program, but I wouldn't say the course is incredibly beginner friendly.

Be sure to have a lot of hours to spend in the lab practicing. If you're absolutely new, I highly suggest getting up to speed on material on http://cybrary.it. There's a Post Exploitation, Ethical Hacking & Penetration Testing, & Advanced Penetration Testing course on there for free. The content isn't bad. Go through all of them before enrolling so you aren't wasting lab/practicing time. Others on here recommend eLearnSecurity's Penetration Tester Pro v3 course as a good course to take before enrolling in PWK. No eLearnSecurity's Certifications aren't on any of the Tier List, but their content is also affordable and hands-on.

Does the training from this certification prepare me to take any of the tier one certification's tests without much additional studying?

Hard to say here. This mainly depends on your background. I have heard of people taking and passing the OSCP and challenging the GPEN and were able to pass. There's definitely some content overlap in PWK and other Pentesting Courses, but I wouldn't take the PWK Material and challenge a separate exam.

Good luck in your endeavors.

SephStorm

Hi, welcome to the site. Well, if this isn't an immediate move you are looking at making, start with the security plus and move forward. The best bet might be S+ to CEH/CPT then to OSCP and other relevant certs like CEPT, CHFI, ect.

harcos90

Hey, Thank you for all of the information. It sounds like you have gone through OSCP, could you tell me more about the process? Did you go to a live course or did you do the online one? Were the resources engaging? Do you feel like what you learned in their test environment would easily transfer over to real life?

I will definitely check out all of the resources you have mentioned. cybrary.it looks like an awesome resource. If I wanted to get the Security+ certification do you feel that there course on it would be enough preparation? And thank for your honesty on the second question. I figure its a bit of a long shot to take one course and be able to pass another. I might just self study for the GWAPT exam to see if I could grab one of the Tier One certifications (as it is just multiple choice, and I don't think it has an actual course to go with it... they just recommend books or relevant courses from other certifications), and if where I work will pay for me to go through OSCP then I would also have a certification that actually gave me some practical experience in addition to one that would allow me to apply for the FBI minus one year of professional experience.

harcos90

And SephStorm, thanks for a timeline for if this does not turn out to be an immediate move. I've heard a lot of mixed reviews about CEH. I actually have access to a few of the course videos through an online learning center where I work... and they seem a bit long and dry (and the way the word column was being pronounced drove me a bit nuts). What was your experience with the course?

xXxKrisxXx

Glad you found my input useful here. I had the chance of taking PWB v3 when they first rolled out with it online (March 2010). I have not taken any courses with Offensive Security at Black Hat (it's not in my employers budget or mine). Live training would definitely be more engaging, but for the most part you are on your own throughout the course.

Process is as simple as signing up, choosing a course start date. The materials (PDF + Videos) arrive via e-mail and your lab access begins the same day. I found the resources (content of the course) good, but feel they intentionally left content out to keep you digging. OffSec prides themselves in telling their students to, 'Try Harder'. The lab environment at the time was setup with over 50 machines spread out across 4 subnets that the student would hack his way through, obtaining keys to unlock/reveal deeper parts of the network. The Operating Systems in the Lab vary from various Windows Versions, to different flavors of Linux. I even saw a Mac OS X and BSD box or two. They've upgraded their lab environment a lot since I enrolled (almost 5 years ago). I feel their test environment would almost transfer over to real life, except there weren't a large amount of hardened systems out there. Each one has it's own way(s) of breaking into it but you won't trip an IDS/IPS. I liked the lab setup and found it great you had to pillage information from a box you rooted, and pivot around network to network to further your leverage. This is what I found most real world and practical.

You will definitely use pretty much everything they give you in the course to pull of attacks. Plus you will be researching a whole lot more.

All of the GIAC Certifications have accompanying courses. The accompanying course for the GWAPT Certification is their SEC542 course. I was told that if you studied The Web Application Hackers Handbook 2nd Edition along with the studying whatever questions you missed on the 2 practice exams they give you, you should pretty much be in good shape if you wanted to challenge it. Of course, with your web application development background, you'll be able to read the code just fine.

I haven't ran through the Security+ course on Cybrary yet. It looks good and they've offering discounted CompTIA vouchers. The testout.com Security+ material I ran through was solid. You may be able to find a coupon code online to get their courses for $89 instead of $495.

Again, before you officially enroll in PWK, just be sure you can allocate the necessary time and effort to get the most out of it. When I went through it, I was unemployed and literally spent all day working my way through the content, researching, and trying to break into machines. If you're working the 8 to 5 and have a family to spend time with after work, you will be losing a lot of lab time. With OffSec, each day of your lab access is counted even if you don't connect to it.

harcos90

Wow, this is good to know. I did not realize the time requirement to get through the course. I would definitely have to prioritize some things differently in order to get through. Even if I signed up for 90 days of lab time I would have to put in on average about 3 hours a day from what others are saying on different forums. I did look at the SEC542 course, though isn't that a SANS course? Is that meant to directly parallel the GIAC certification or is there a SANS cert that it is intended for?

Edit: Also, I noticed that the testout.com course states it prepares you for the SSCP so if my goal was to be able to pass one of those tier 1 certifications that might be a better route to take than hoping I can pass the GWAPT and if I could get a coupon for 89 that would definitely be worth it.

2nd Edit: But of course for that certification you need 1 year working in IT security haha so I guess that would not be viable.

xXxKrisxXx

SANS is the training provider and GIAC is their Certification.

ramrunner800

CEH is listed as a Tier 1 cert by the FBI, and is probably your easiest route. I've taken CEH and the PWK course. If you can pass the OSCP exam at the end of PWK, you will be more than prepared for CEH. Do not underestimate the PWK course and exam though. The primary value of this course is in the lab environment and the experience you gain working through it. When it comes to the actual teaching of the material, others are superior.

harcos90

Hey, I know this thread is dead, but I just started the OSCP class, and wanted to thank you for all of the info. I think that this class will definitely suit my needs as far as transitioning my career into IT Security (after talking to my employer, it's really the only cert they look at), and I am having a blast going through the material so far. Hopefully by the time I get around to applying for a job in the FBI this certification will be on their radar, or I will be able to snag one of the certs on their Tier 1 list.

MrAgent

Once you complete the OSCP course and challenge, you will be more than ready for the CEH exam.
I would complete the OSCP, buy the Matt Walker book AIO CEH book, and then try to get the waiver to take the exam.
IMO CEH is a joke. The only reason I got it was to get by the HR filters.

harcos90

That is good to hear, I will add that to my Amazon wishlist so I don't forget. Do you know off hand how much it costs just to take the exam? I think I have approximately another 800 in tuition reimbursement for 2015 so I would love to be able to put it towards something.

Cyberscum

@Harcos

I you are looking for GOV work go CISSP hands down. I am sure you can apply some of your Web App Dev to the cert requirements.