March 15, 2014

CERTIFIED PENETRATION TESTING VS. ETHICAL HACKING — BY AMIR KOLAHZADEH

Authored thought-leadership piece by Amir Kolahzadeh on LinkedIn Pulse drawing the technical distinction between penetration testing and ethical hacking, citing the US Air Force's 2006 CEH vs CPTS comparison.


Published on LinkedIn Pulse, this authored thought-leadership piece by Amir A. Kolahzadeh, Founder and CEO of ITSEC, draws a clear technical line between two terms the cybersecurity industry frequently confuses.

Kolahzadeh argues that penetration testing and ethical hacking are fundamentally different disciplines. Penetration testing assesses an enterprise's security posture against the current threats and risks surrounding it, while ethical hacking checks only whether an enterprise can defend itself against a narrow selection of attacks launched using a handful of well-known tools. The two approaches, he writes, could not be more different.

The article cites the United States Air Force's 2006 comparison of Certified Ethical Hacker (CEH) and Certified Penetration Testing Specialist (CPTS), which dismissed CEH as woefully inadequate for meaningful security assessment. Kolahzadeh concludes that ethical hacking is at best a subset of penetration testing, and that any organization serious about assessing its real security posture should pursue certified penetration testing specialists rather than settling for entry-level ethical hacking credentials.

The piece is widely cited in cybersecurity training and certification discussions across the industry and reflects ITSEC's long-standing position on rigorous, standards-based security assessment.

Source: LinkedIn Pulse — Amir Kolahzadeh
