Well, I've been lurking on this site for a while now and figured it was about time to register myself on the forum.

Who am I: I am a 22 year old college student who is going after a BBA in Information Systems while at the same time pursing an AAS in Information Security. Unlike most people, my interest in Infosec didn't start until a year ago and have found myself trying to play catch up with the rest of the industry ever since.

Current Goals: Right now, my current goal is to set up a laptop pen testing lab where i can toy with programs without fear of screwing up my gaming PC (After i get my laptop, I'll see about converting my gaming PC into a GPU powered password cracking machine). During this time, I'm trying to learn the basics of Ruby, Python, and Javascript (in that order) along with the basics of TCP/IP and Hacking platforms such as Metasploit.

Beyond that, I'll see about adding more stuff to my pen testing lab beyond just the laptop with VMs. Thomas Wilhelm's Rant opened my eyes a bit and i found myself agree with him that i invest more in my lab if i want to get more out of it.

Specialization: Ideally, i want to go into Pen Testing but Computer Forensics has also sparked my interest along with Malware Analyzing so it depends if my interests involve fishing for files that no one wants to see (but it's your job to find) or to be building exploits.

Future Possible Projects: Lately, I've been looking a the Prey anti-thief software. Now, this program is all great and good but the problem is that a thief could steal a computer, reformat the hard drive and you lose your tracking. I've been toying with the idea of combining a rootkit into the BIOs of the computer so if the hard drive gets wiped, you can still track them. Any ideas or resources that can help me with this would be appreciated.

Now on to the cert path:

My AAS degree has aligned it's self with the CompTIA certs (A+,Network+,Security+) along with some basic Cisco knowlage (the CCNA is offered at this school but it is in a different program so I'll have to pick that up later) so it should give me the basic knowledge for the more advanced certs.

beyond that, I'm stuck at a bit of a crossroads.
I've heard mixed results about the C|EH (it's a cert that HR wants but most infosec people dismiss it). likewise, i've heard good things about the eCCPT (provides lots of actual experience but HR doesn't like it).

Regardless of the middle level certifications, I eventually want to obtain the OSCP and proceed to get a CISSP shortly after.

So anyways, there's my story and hope to see you around the forums.

Welcome to EH! 

Sounds like you have a lot of good plans, and that you're on the right track, but I have to say that BIOS is spelled like this (No offense intended.)

About the certs, CEH will only give you a broad foundation that will teach you the very basics, but it won't make you a real hacker, and eCPPT is fine, but as other's have said: It's very "web application based", and the content of this section in particular, is also basic.

OSCP on the other hand, is good and also hard, but it's a good one to accomplish. Especially because more and more employers, value this cert higher than CEH, so if you have OSCP you may be able to get some jobs easier.

CISSP requires working experience within InfoSec, so you can only become an associate if you don't have the necessary experience. You may wonder why there is such a requirement? Well some might think it's to document that you've actually worked with InfoSec, but your CV / Resumé and references can provide that.

Once a young person, at the age of ~14 passed the CISSP test, so you can imagine that they had to make some sort of requirement so anyone couldn't just obtain CISSP, even though they would have the knowledge to pass the test.  CISSP is very good to have for HR purposes, and perhaps as a manager if you're not really doing pentesting.

Here's a video about the benefits of being CISSP: http://youtu.be/8DZkpynFhak

Well, it's hard for me to say, as I took OSCE as the first infosec course and cert I had ever done, and at that time, the only book I had read was The Penetration Testers Open Source Toolkit vol. 2 (that won't prepare you for OSCP, but it gives you a lot of useful practical information). I do however suggest you read some of the threads in the OSCP section here, as there's a lot of good advice, even how people managed to pass    (Not actual solutions.)


It happens to some, and yes it is easy to fall behind, so at some point it may be reasonable to become e.g., a manager if you want to become that of course. A manager that may not be 100% up to date, but have practical experience ranging over decades is definitely worth having / being.

I should note however, that XSS is like at least 10 years old, and it still exists on many websites. SQL Injection, and buffer overflows too, and if you're a good programmer or reverse engineer able to find 0days, then it may almost become impossible to become outdated.

Of course, new exploitation techniques are occasionally developed, where you may have to learn how these function, but if you were e.g., a pentester that only use automatic and semi-automatic tools, then it's almost impossible to become outdated too. (After all, the tools are updated for you.)

But there's definitely some areas where anyone can fall behind, and with the ever growing technology, you never know what's going on in like 20 or 30 years 


Great :-)

True and I'm currently looking to ways to get deal with that issue. Currently, I don't have the experience and thus, i have a feeling that i will be relegated to *shudder* the tier 1 help desk sinkhole and thus will get no experience that i can put on a resume for possibility years.



I actually spent my lunch hour watching that and while it's content is good, it mostly geared towards professionals already in the field (SysAdmins, Network Engineers, etc) and want to make the leap into Infosec. there is sadly little use for a college student working on certs.


I understand that it's not one or the other, but as a student starting off, i need to make choices regarding my resources (chiefly, time and money) and need to see what will get me the most bang for the buck in the immediate future (which is why I'm looking at the eCPPT and OSCP over the C|EH).


yes, i know. Like i said, I'm still intensely curious about all the different tools, techniques, and schools of Infosec so I'll settle down in something fairly soon.

Thanks for the input.

This thread puts a big smile on my face. It makes me proud of what our community has become and how it is viewed by newcomers.

Thanks for getting my vision without having to srceam it from the rooftops.

Don