ISECOM Provides "Non-Profit" Competition for SANS
Just as SANS offers certifications, ISECOM offers the OSSTMM Professional Security Tester and the OSSTMM Professional Security Analyst. Not surprisingly, ISECOM offers classes to help students pass their certification tests. I was struck by the arrogance of this page from the OPSA course description:
"If all you want to do is pass an exam, we recommend the following:
- Read the newest versions of the OSSTMM, OSSTMM Internal, and the BSTA Workbook.
- Take a few MBA classes in business information and security.
- Read books on intrusion detection, honeypots, secure programming, and anything else you can to see how attacks arrive.
- Learn how to get what you need for security analysis off the Internet. Know where you can get the needed trend information, solutions, CVE info, hacks, exploits, etc. to do an OSSTMM security test.
- Learn how TCP, UDP, ICMP, IP, RIP, OSPF, BGP and various application level protocols work like FTP, DNS, SNMP, BOOTP, HTTP, HTTPS, etc. and how to analyze them.
- Learn how to analyze and categorize information leaks, privacy breaches, and competitive intelligence.
- Learn where to look in the Security presence to find weaknesses and deficiencies.
- Calculate risk assessment based on the current version of the OSSTMM.
- Understand how to calculate and execute project plans while upholding proper legal and ethical testing.
- Know how to follow the security tester's rules of engagement as per the most recent OSSTMM.
- Work with an efficient red team either internal or as a consultancy to learn efficient teamwork and project requirements.
- Read what you can about security policies and security architecture to be able to design secure network topographies with associated process controls.
Otherwise, you may be interested in the training course."
Wow! That sounds like a four year college degree. Wait -- this is all packed into a four day class? Who do these guys think they are?