Open source software security

The IACRB and CEPT Certification


I just got word that I passed my CEPT (Certified Expert Penetration Tester) certification. CEPT is a certification offered by the IACRB (the Information Assurance Certification Review Board), which describes itself as "an industry standard organization," "formed by information security professionals," "a not-for-profit legal entity with a sole mission to certify individuals," which "requires all exam candidates to pass a hands-on practical examination." I became familiar with the IACRB after attending a class offered by InfoSec Institute. I had never heard of the IACRB before, but the class included certification based on passing an exam that was given at the end of the class. The exam had two parts: the first was a multiple choice exam, which is standard for most certifications. The second part was a take-home practical that was extremely challenging. Because of the practical, I would rate the certification as one of the most comprehensive I'm aware of, and possibly the best.

After I took the exam I began searching around online for anyone else with the certification. There are a number of ethical hacking certifications available. The EC-Council offers a Certified Ethical Hacker certificate, which is possibly the most popular certification of this type. GIAC (Global Information Assurance Certification - affiliated with SANS) also offers a certification known as the GPEN (GIAC Certified Penetration Tester). The IACRB offers CPT as well as several other certifications (including CASS, CSSA, and CREA, all of which correspond to classes taught by the InfoSec Institute). The funny thing was, I couldn't find many people who had CEPT certification listed on their resume, or really much mention of CEPT other than from the IACRB or online references to the InfoSec Institute.

I knew that the IACRB was an all-volunteer, not-for-profit organization, but its official website is extremely sparse on details about the organization. How does one become a volunteer? Where is the organization located? Are there independent third parties that back their certification, and how widely accepted are their certifications? How many people apply for certification? At what rate do people pass? How many people have been certified? Is there a way to verify certification? All of these questions remain unanswered by the IACRB website.

So, using some of the very skills I learned in the InfoSec Institute class, I began to dig around and see what I could find. According to their website, the InfoSec Institute's program manager is Jack Koziol, one of the authors of the first edition of the ShellCoder's Handbook (an interesting note: he was not listed as an author of the second edition, which includes much of the same content as the first). Koziol's blog is listed as http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html, but the most recent post is from July 23, 2007, and before that the posts are from March of 2006. Doing a lookup on the domain name iacrb.org reveals that the registrant is none other than Jack Koziol:

[justin@madirish ~]$ whois iacrb.org

Domain ID:D143550447-LROR
Domain Name:IACRB.ORG
Created On:13-Apr-2007 15:25:34 UTC
Last Updated On:13-Jun-2007 03:58:26 UTC
Expiration Date:13-Apr-2009 15:25:34 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Registrant ID:GODA-030202719
Registrant Name:jack koziol
Registrant Street1:505 n. lake shore dr.
Registrant Street2:suite #221
Registrant Street3:
Registrant City:chicago
Registrant State/Province:Illinois
Registrant Postal Code:60611
Registrant Country:US

When you compare this output with a lookup of InfoSecInstitute.com you'll see that the address of the two registrants is the same, as is much of the contact information, although InfoSecInstitute.com was registered by Adam Behnke (rather than Jack Koziol). Using tools like LinkedIn.com you can find the connections between Adam Behnke (Channel Manager at InfoSec Institute) and other staff and instructors from InfoSec Institute. Interestingly enough, if you check the registration information for iacertification.org (the domain that most of the links on the iacrb.org main page point to) you'll find that the registration information has been anonymized.

Details about the IACRB remain very vague. Although the IACRB claims they're "not for profit" the IRS doesn't list them as a nonprofit (charity) for tax exemption purposes. The Better Business Bureau doesn't have any record of either InfoSec Institute or the IACRB.

SIA (Secure Information Assurance - http://www.securia.com) offers training that prepares students to take the IACRB CEPT exam. SIA is a worldwide training company based in Rhode Island.

The Ethical Hacker Network also offers a review of the CEPT certification (http://www.ethicalhacker.net/content/view/68/3/). Another interesting note is that the volunteer exam proctor with whom I had contact, one David Renwald, seems non-existent on the net save for this review on the Ethical Hacker Network. Of course, there's no list of IACRB staff or volunteers available anywhere, so it's hard to know who these folks are.

At this point one might wonder about the weight of a certification that is offered by an organization ostensibly run by the InfoSec Institute, the organization that teaches the exam preparatory class. One might wonder whether the IACRB has an interest in certifying its students in order to encourage repeat customers. I have to weigh this suspicion against my own experience with the exam, which was quite good. However, from what I can tell I'm one of the only third parties (and I'm far from neutral) who has reviewed this certification process. It would be great to see other people come forward with their own certification experiences, or for the IACRB to publish more details about their organization and operations.