The IACRB and CEPT Certification

I just got word that I passed my CEPT (Certified Expert Penetration Tester) certification. CEPT is a certification offered by the IACRB (the Information Assurance Certification Review Board), which describes itself as "An industry standard organization," "Formed by information security professionals," and "A not-for-profit legal entity with a sole mission to certify individuals," which "Requires all exam candidates to pass a hands-on practical examination." I became familiar with the IACRB after attending a class offered by InfoSec Institute. I had never heard of the IACRB before, but the class included certification based on passing an exam that was given at the end of the class. The exam had two parts - the first was a multiple choice exam, which is standard for most certifications. The second part was a take-home practical that was extremely challenging. Because of the practical, I would rate the certification as one of the most comprehensive I'm aware of, and possibly the best.

After I took the exam I began searching around online for anyone else with the certification. There are a number of ethical hacking certifications available. The EC-Council offers a Certified Ethical Hacker certificate, which is possibly the most popular certification of this type. GIAC (Global Information Assurance Certification - affiliated with SANS) also offers a certification known as the GPEN (GIAC Certified Penetration Tester). The IACRB offers CPT as well as several other certifications (including CASS, CSSA, and CREA, all of which correspond to classes taught by the InfoSec Institute). The funny thing was, I couldn't find many people who had CEPT certification listed on their resume, or really much mention of CEPT other than from the IACRB or online references to the InfoSec Institute.

I knew that the IACRB was an all-volunteer, not-for-profit organization, but its official website is extremely sparse on details about the organization. How does one become a volunteer? Where is the organization located? Are there independent third parties that back their certification, and how widely accepted are their certifications? How many people apply for certification? At what rate do people pass? How many people have been certified? Is there a way to verify certification? All of these questions remain unanswered by the IACRB website.

So, using some of the very skills I learned in the InfoSec Institute class, I began to dig around and see what I could find. According to their website, the InfoSec Institute's program manager is Jack Koziol, one of the authors of the ShellCoder's Handbook (first edition - interesting note that he was not listed as an author of the second edition, which includes much of the same content as the first edition). Koziol's blog is listed as http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics...., but the most recent post is from July 23, 2007, and before that they're from March of 2006. Doing a whois lookup on the domain name iacrb.org reveals that the domain registrant is none other than Jack Koziol:

[justin@madirish ~]$ whois iacrb.org

Domain ID:D143550447-LROR
Domain Name:IACRB.ORG
Created On:13-Apr-2007 15:25:34 UTC
Last Updated On:13-Jun-2007 03:58:26 UTC
Expiration Date:13-Apr-2009 15:25:34 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Registrant ID:GODA-030202719
Registrant Name:jack koziol
Registrant Street1:505 n. lake shore dr.
Registrant Street2:suite #221
Registrant Street3:
Registrant City:chicago
Registrant State/Province:Illinois
Registrant Postal Code:60611
Registrant Country:US

When you compare this output with a lookup of InfoSecInstitute.com you'll see that the address of the two registrants is the same, as is much of the contact information, although InfoSecInstitute.com was registered by Adam Behnke (rather than Jack Koziol). Using wonderful tools like LinkedIn.com you can find the connections between Adam Behnke (Channel Manager at InfoSec Institute) and other staff and instructors from InfoSec Institute. Interestingly enough, if you check out the registration information for iacertification.org (the domain that most of the links on the iacrb.org main page point to) you'll find that the registration information has been anonymized.
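As an added example (not part of the original post), here is a small parser that pulls the "Registrant ..." fields out of whois records in the key:value layout shown above and reports which of them two domains share, which is the comparison made in the paragraph above. Both records below are constructed sample data with placeholder names, not real lookups.

```python
"""Compare registrant fields across two whois records (constructed sample data)."""

# Constructed sample records in the layout the post's whois output uses.
# Names and domains are placeholders; the addresses are deliberately identical.
RECORD_A = """\
Domain Name:EXAMPLE-ONE.ORG
Created On:13-Apr-2007 15:25:34 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Registrant Name:first registrant
Registrant Street1:505 n. lake shore dr.
Registrant Street2:suite #221
Registrant Street3:
Registrant City:chicago
Registrant State/Province:Illinois
Registrant Postal Code:60611
Registrant Country:US
"""

RECORD_B = """\
Domain Name:EXAMPLE-TWO.COM
Created On:02-Jan-2006 10:00:00 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Registrant Name:second registrant
Registrant Street1:505 N. Lake Shore Dr.
Registrant Street2:Suite #221
Registrant Street3:
Registrant City:Chicago
Registrant State/Province:Illinois
Registrant Postal Code:60611
Registrant Country:US
"""


def parse_whois(text):
    """Split 'Key:Value' lines into a dict; only the first colon separates
    key from value, so timestamps containing colons stay intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def shared_registrant_fields(rec_a, rec_b, prefix="Registrant "):
    """Return the non-empty registrant fields whose values match in both
    records (case-insensitive), i.e. the overlap worth investigating."""
    a, b = parse_whois(rec_a), parse_whois(rec_b)
    return {k: v for k, v in a.items()
            if k.startswith(prefix) and v
            and b.get(k, "").lower() == v.lower()}
```

Matching is case-insensitive because registrars store the same address with inconsistent capitalization; empty fields such as Street3 are ignored so they never count as a match.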

Details about the IACRB remain very vague. Although the IACRB claims they're "not for profit," the IRS doesn't list them as a nonprofit (charity) for tax exemption purposes. The Better Business Bureau doesn't have any record of either InfoSec Institute or the IACRB.

SIA (Secure Information Assurance - http://www.securia.com) offers training that prepares students to take the IACRB CEPT exam. SIA is a worldwide training company based in Rhode Island.

The Ethical Hacker Network also offers a review of the CEPT certification (http://www.ethicalhacker.net/content/view/68/3/). Another interesting note is that the volunteer exam proctor with whom I had contact, one David Renwald, seems non-existent on the net save for this review on the Ethical Hacker Network. Of course, there's no list of IACRB staff or volunteers available anywhere, so it's hard to know who these folks are.

At this point one might wonder about the weight of a certification that is offered by an organization ostensibly run by the InfoSec Institute, the organization that teaches the exam preparatory class. One might wonder if the IACRB may have an interest in certifying their students in order to encourage repeat customers. I have to weigh this suspicion against my own experience with the exam, which was quite good. However, from what I can tell I'm one of the only third parties (and I'm far from neutral) who have reviewed this certification process. It would be great to see other people come forward with their own certification experiences, or for the IACRB to publish more details about their organization and operations.

Hi Justin, some clarifications here. Yes, the IACRB and CEPT were originally sponsored by the InfoSec Institute. This is not some huge secret, we have posted regularly about it on the eh-net forums. If you look around, there are a number of older posts from 2004-5 claiming the CEPT as an "infosec institute", rather than an IACRB certification.

A bit of history: we decided about 2 years ago to split the IACRB into a separate entity from InfoSec entirely, file for non-profit status, and elect a board of directors with a minority of the members of the board from InfoSec. We actually tried to give the intellectual property for the certifications to another organization, but they were too busy/refused!! When it comes down to it, the idea is that a training company has too much of a vested interest to run a certification program, and it needs to be an independent organization to stay neutral. I'm not going to go into it, but if you know the inner workings behind isc2, the giac program, etc, the IACRB is organizationally way more independent than these organizations!!! We also want the certifications to grow beyond the reach of what InfoSec can do organizationally. Lastly, with initial funding in year 1 from InfoSec, the IACRB doesn't have to worry about financial implications as much. Meaning, it doesn't have to rely on a huge number of people taking exams and filling coffers. There will never be 30,000 CEPTs out there. If there were, something would be wrong, because there aren't 30,000 people on the planet capable of passing the exam.

Personally, the issue that I have with many certifications out there is that so many unqualified people achieve the cert through cheating, braindumps, etc. that it loses all value. This is especially frustrating to competent professionals. I always seethe with frustration when I'm told that before we can bid on a pen test or code review I must have my CISSP (I do, for this reason).

So I think the mission statement behind the IACRB is solid, and I feel the organizational structure is solid: we want to assess and certify the technical skills of candidates in the security industry. The basic idea behind the CEPT is, if you can't write an exploit, what business do you have being in a senior level pen testing job role? For the CREA, if you can't reverse x86 malware, why are you a Senior Reverse Engineer at beltway-bandit X?

What I do take away from your post here is that we need to make these facts more transparent, like right out in the open on the IACRB website, to prevent people from thinking something fishy is up. Because there isn't.

Thanks so much!

Thanks for your wonderful comments Jack. I've consistently said here and on the eh-net boards that the CEPT is one of the best certifications out there. That's my only motivation for questioning the IACRB. I would like the CEPT to gain more acclaim because it is such a great test. I believe that the value of a certification rests on two pillars: the strength of the test itself (which the CEPT already has in spades), and the reputation of the certifying authority. I was unable to find out very much about the IACRB, so non-technical people (i.e. employers) would probably find even less, which wouldn't do the credit to CEPT certificate recipients that they deserve. For this reason I really appreciate your clarification of the IACRB and its relationship to InfoSec Institute. I also notice that the IACRB website is undergoing a pretty profound makeover which seems to include new features, such as a 'Members Area'. It would be wonderful to establish a community around the IACRB that could help to promote their certifications.
