Hacking vs. penetration testing - the birth of the BACPP

by Dominik Sauer | 26 September 2018 | binsec

As a lecturer for "penetration testing", I know only too well what motivates my students to take this elective module: "hacking". It is an exciting topic for many from a young age, since the way film and television depict the hacking of IT systems leaves a lasting impression on viewers. It is therefore no wonder that a professional path to becoming a penetration tester sounds more than tempting. What many do not know: hacking is "only" the technical part of a pentest, which is why the search for a suitable personal certification is difficult.

In general, hackers try to circumvent or break security mechanisms in order to gain unauthorized access to data. The field of penetration testing therefore emerged more or less as a countermeasure on the part of IT security in the arms race with attackers: potential clients commission pentesters to identify the weaknesses of their IT systems so that these weaknesses can ultimately be hardened or closed.

A pentester consequently uses the same technical procedures as a malicious attacker. But not only that: a structured approach is also required in order to achieve reproducible results. Without such an approach, even obvious weaknesses can go undetected. In contrast to a hacker, the pentester is not looking for a single entry point into the IT system; they want to uncover all of them. The identified weak points must also be communicated to the client. This usually takes place in a final report or in a presentation, in which the weak points must not only be listed but also prioritized according to their risk. As a result, hacking is "only" the technical part of a pentest.

To date, there is neither a state-recognized training programme nor a degree course for penetration testing, which is why it is common in the information security sector to acquire and/or prove such special abilities and skills via certification programs. With regard to penetration testing, the CEH certificate from the EC-Council and the OSCP from Offensive Security are particularly widespread, but the way they test participants differs like night and day. While certification as a CEH can be achieved by means of a theoretical test, specifically multiple-choice questions, the future OSCP holder must complete a 24-hour practical exam in which 5 IT systems are to be completely compromised. Regardless of this, I see both certifications as focusing on technical understanding, which is the foundation of a penetration test but does not yet make someone a penetration tester; for me that is a point of criticism, without wanting to question the degree of difficulty of either exam.

At least for me, the transition from the OSCP exam environment to reality was difficult. This was most noticeable with regard to how vulnerable IT systems actually are. Compared to the Offensive Security practice lab, tougher security measures are often found in practice, which means that the complete compromise of an IT system cannot always be guaranteed. In addition, the client of a pentest usually wants all weak points in their IT systems identified, which is why the test does not end with the discovery of the first possible entry point. Reporting is also seen in a completely different light, as the report is the only document the client will hold in their hands. In short: the OSCP's playground came to an end and reality set in. Unfortunately, this came unexpectedly, as none of the numerous reviews I had consulted on the Internet mentioned the differences to the real field of activity of a penetration tester.

After completing my B.Sc. in computer science at the Darmstadt University of Applied Sciences (h_da) and, through my professional experience as a pentester at binsec GmbH, having acquired the formal qualification to teach a course, I wanted to pass on my knowledge of penetration testing. In the future, people with a penchant for IT security should have an "easier" introduction to the subject than I had. With the approval of the "IT security" specialist group at the h_da, I designed the elective module "Penetration Testing", in which the students learn and apply the basics of pentesting, from the classification of a pentest to the actual hacking to reporting, using a fictitious company network. This was initially done with the help of Amazon AWS; however, due to the great demand and positive feedback from my students, we at binsec decided to design a global online certification program: the BACPP (Binsec Academy Certified Pentest Professional) qualification, which consists of an online exam, the "Pentest Exam", and an optional online training course, the "Pentest Training".

While the online training developed historically from my university course, IT specialists can put their expertise to the test under newly designed, realistic conditions in the "Pentest Exam". Certified BACPP holders can therefore:

  • compromise IT systems and develop zero-day exploits,
  • examine networks and applications for weak points according to a reproducible procedure,
  • put all their findings in a structured report for the client and prioritize them according to their risk,
  • professionally carry out a penetration test lasting several days.

In retrospect, my (time-consuming) interdisciplinary work seems to have paid off: using situated learning in information security not only aroused the enthusiasm of many students, but also appealed to the first BACPP-certified professionals. The theory of situated learning relies on realistic application situations in the transfer of knowledge, which are the primary characteristic of my courses and my training. The BACPP was designed along the same lines and relies on evidence of practical, real-world experience.