OSCP cheating allegations a reminder to verify hacking skills when hiring

For years the notoriously difficult OSCP exam signaled to employers and colleagues alike a minimum level of technical competence, but a former student's claim should motivate hiring managers to test candidates before making a job offer.

Few infosec certifications have developed the prestige in recent years of the Offensive Security Certified Professional (OSCP), an entry-level penetration testing certification with a reputation for being one of the most difficult out there.  Run by Offensive Security (OffSec), the makers of Kali Linux, whose motto is "Try harder," the OSCP features a grueling 24-hour exam that requires students to hack a variety of machines on a test network. (Full disclosure: This reporter previously paid to self-study for the OSCP but did not take the exam. He plans to #TryHarder.)

However, a kerfuffle erupted last week when a critic going by the handle cyb3rsick, annoyed at what they claimed was widespread cheating on the notoriously difficult exam, published a brain dump of one of the exam machines, and threatened to publish half a dozen more, raising questions about the integrity and continued value of the OSCP as a certification.

The OSCP (Offensive Security Certified Professional) has the reputation as one of the most difficult entry-level penetration testing certifications out there, with a grueling 24-hour exam that requires students to hack a variety of machines on a test network. Created and run by OffSec, whose motto is "Try harder." (Full disclosure: This reporter previously paid to self-study for the OSCP but did not take the exam. He plans to #TryHarder.)

The drama began, as it so often does in infosec, on Twitter, with a link to this now deleted web page (archived here). The author says they are hiring penetration testers and are increasingly disappointed by OSCP holders who know nothing about hacking. "OSCP is losing its credibility by not updating the exam machines which allowed thousands of guys to cheat and pass the exam," the author writes. "It’s just turned to be a brain dump exam which always kill the beauty of the competition."

A brain dump is when a cheater regurgitates from memory everything they just did after an exam, and either shares it with others or sells it on the black market. cyb3rsick's brain dumps included complete solutions to hacking some of the OSCP exam machines.

The author claims to have contacted OffSec and to have received no reply. "So, I decided to do something about it. From now and on I will publish write-ups for all exam machines," the author adds. "This will literally cover 100 percent of the machines of the exam until the date of this post. It’s up to OffSec now to update their exam machines or not."

Cyb3rsick twists the knife at the end of their blog post, writing, "To employers. Now you know."

Hacking skills difficult to assess

Hiring for hacking ability, as opposed to test-taking ability, has long been a serious challenge in infosec, and has led to criticism of test-based security certifications such as the CISSP. Because of the hands-on nature of the OSCP — either you can hack the exam machines or you can't — holders of OffSec's well-respected certification received deference in the marketplace, if not necessarily an automatic job offer. Any threat to the integrity of the lab machines, or the possibility of rampant cheating using brain dumps, calls into question the value of the OSCP for hiring managers.

"No, employers should not trust those who got certified in the last year at all," cyb3rsick told CSO in a Twitter DM. "They should retest them by any other way to make sure of the qualification of the employee. Hopefully, OffSec updates the exam machines as they promised."

Offensive Security disputed cyb3rsick's claim that cheating on the OSCP exam was widespread. "There's definitely a market where people are selling these brain dumps," OffSec chief content and strategy officer Jim O’Gorman tells CSO. "In terms of effectiveness of those brain dumps? No. If a student is going to cheat, we want them to feel confident that they're going to be able to do so successfully. That way it's easier for us to find them and ban them."

Students caught cheating have their certifications revoked and are banned from OffSec classes and certifications for life. OffSec does not publicize many of the measures they have in place to catch cheaters, O'Gorman explains, to avoid making it easier for cheaters to, well, cheat.

"We're good at catching cheaters," OffSec founder Mati Aharoni adds. "Unfortunately it's a skill set we've had to develop over the years."

Aharoni points out that OffSec rolled out exam proctoring last year. To prevent cheaters from claiming to possess an OSCP certification after revocation, OffSec also offers an online badge that only students who have completed the exam and remain in good standing may display. Employers, of course, can always contact OffSec directly to verify a job applicant is certified.

One thing OffSec and cyb3rsick agree on? Certifications are great for hacking through the HR firewall, but there's no substitute for validating an applicant's technical skill.

"Hiring by credentials alone, whether that's OSCP or anything else, is probably an HR fumble," Aharoni says.

Copyright © 2019 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations