In medieval times, kings and queens would call upon the Royal Engineer (thus was he certified, prithee) to plan, design and build the castles that sat at the heart of their realms. The Royal Engineer was, of course, responsible for ensuring the security of the royal personage and their vast amounts of treasure (taxation has always enriched some noble somewhere) through his design of the castle’s royal chambers and treasure rooms.
Once the castle was built, the Royal Engineer would take the king and queen on a tour, pointing out all of his cunning and elaborate design features meant to keep them and their valuables safe. But, after the tour was done, a wise king and queen would then hire an outsider to actually test the defensive stoutness of the castle. This person was likely someone of dubious origins, who wouldn’t be able to tell you the difference between a turret and a parapet — unless he was using one to sneak past a sleeping royal couple and enter their treasure room, grabbing some gold and gems as proof of his success. The next day, the red-faced, royally chewed-out engineer would begin the necessary castle “renovations” based on the recommendations of the newly-designated “Royal Intrusion Specialist.”
Thus was the role of the “white-hat hacker” born.
Earning GPEN certification
One of the IT security specializations that has evolved over the last few years is the Security intrusion specialist. These are people trained to analyze computer systems and networks, and find vulnerabilities that malicious characters could use to attack a corporation or government department to gain access to sensitive data or valuable intellectual property.
Security intrusion specialists looking for a formal way to demonstrate their skills to an existing or potential employer should consider the GIAC Penetration Tester (GPEN) certification. GIAC, which stands for Global Information Assurance Certification, has been offering its certification programs in IT security subjects since the late 1990s, and GIAC credentials are well-recognized by private employers and government agencies the world over.
GIAC classifies the Penetration Tester certification as an “Advanced Security Administration” certification. There is no official prerequisite required to try for the GPEN certification, but candidates should have some experience in the field, and GIAC encourages them to take at least one security intrusion course before they take the exam.
The GPEN certification exam itself can be taken at any Pearson VUE test center, and it can be booked through the GIAC website, though a GIAC user account must be created first. The exam consists of 115 questions, and candidates must achieve a passing score of 74 percent or higher to get certified. They have three hours to complete the exam.
The major knowledge domains covered in the GPEN certification exam, listed in alphabetical order, are as follows:
- Advanced Password Attacks
- Attacking Password Hashes
- Command Shell vs. Terminal Access
- Enumerating Users
- Exploitation Fundamentals
- General Web Application Probing
- Initial Target Scanning
- Metasploit
- Moving Files with Exploits
- Password Attacks
- Pen-testing Foundations
- Pen-testing Process
- Pen-Testing via the Command Line
- Reconnaissance
- Scanning for Targets
- Vulnerability Scanning
- Web Application Attacks
- Wireless Crypto and Client Attacks
- Wireless Fundamentals
Renewing GPEN certification
The GPEN certification is valid for four years, and a GPEN-certified individual can begin the re-certification process two years prior to its expiration date. Certification renewal is done using GIAC Certification Maintenance Units. CMUs can be earned in a number of ways, including training courses and practical work experience. All of the details for renewing the GPEN certification can be found on the GIAC Renewal webpage.
The GIAC Penetration Tester certification is well-recognized across the industry. It is a vendor-neutral certification, so it is not tied to any specific security hardware or software, which can make it a desirable certification for security intrusion specialists to pursue.
