Information Security Superstars – Cert advice

Viewing 12 reply threads
    • #2815
      silxp
      Participant

      So you want to be a security superstar and are asking questions like: “Which cert?! CISSP, CISM, CISA, OSCP, C|EH, CHFI, NSA IAM!” In an effort to explain it all to those new to the industry, I will offer some detail about the pros and cons of security “certifications”. Take it with a grain of salt; your mileage may vary.

      What exactly is it you want to focus on? Security is a broad field and there is no one all-inclusive security certification to “prove your worth”. There is experience, intuition, know-how, broad knowledge, but no one certification will make you a security guru, period. If you think the CISSP will make you a star, or an OPST, or a GPEN, you’re wrong. One hundred percent wrong.

      Let me start with a primer for the beginner… Five year plan

      Study
      A+
      Network+
      Security+
      MCSA
      RHEL
      CCNA

      What the hell? A+ gives you a good understanding of computers. You will HAVE TO KNOW about the hardware involved if you ever want to move into the forensics arena. Aside from this, it’s best to understand it all from the ground up.

      Network+ and CCNA?! You must be smoking… Understanding networking is a MUST, period. In order to understand security, you MUST understand how networks connect on all levels. I threw the CCNA into the mix since it offers a comprehensive overview of routing, the OSI layers, and how networks mingle with each other.

      Security+?! That’s for newbies!… Security+ is a primer, enough to give you a kickstart into information security. It will allow you to learn and apply some core fundamentals of security. Nothing spectacular, and surely nothing as simplistic as some may think.

      MCSA and RHEL studied for two years… This does not mean becoming a Microsoft Systems admin or Redhat admin. It’s thrown in to give you experience on the Microsoft side of things and a primer into Linux. Forget about Ubuntu, forget Debian, forget about Linux zealotry altogether. Think about this for a second… Do you think someone in, say, 80% of the Fortune 500 will know what Ubuntu is as opposed to Redhat Enterprise Linux? Let’s be realistic and keep the trolling for kids.

      If I had to give, say, a relative advice, this is the advice I would give them. Understanding the fundamentals of computing – hardware and software – will certainly make learning easier down the road.

      Intermediate Plan…

      This is where we make a huge decision: which route do we want to go? Since security is so broad, ask yourself what you envision yourself doing. Pushing papers, reading and writing policies, understanding regulatory controls and governance? Do you see yourself doing penetration testing, cryptography, forensics? You have to make this decision. Here is my breakdown for various fields…

      Penetration Testing…
      1) C|EH – Love it or hate it, the C|EH will give you a primer on what tools to use, how they work.
      2) OSCP – Offensive Security Certified Professional… Your exam… Own the box. And it’s not easy, I can tell you firsthand.
      3) OPST – This to me is the grandfather/Masters Degree of Pentesting related certifications
      4) GPEN – Another value added certification from SANS

      The C|EH was very introductory for me as was the CHFI. However, I’d already had years of experience prior to taking them both. I finished them both in about an hour and a half (yes I said both). I was disappointed, but understood what they were trying to accomplish. For the beginner to mid level pentester, you may learn a thing or two from this exam. Aside from that, browse over to Dice and you will see that there are companies slowly demanding C|EH/CNDA, CHFI certifications including IBM.

      OSCP. If you truly want to understand penetration testing, shoot for this exam. Either purchase the lab time and exam online, or attend a class in person. It’s definitely worth having an explanation on subjects you might not know about. It will give you a thorough understanding of buffer overflows, SQL injection, ARP spoofing, etc.; however, it’s mainly geared towards users of Backtrack. In fact, your exam will be based off of the tools used on Backtrack. I personally created my own scripts for the exam, but you will need to know enough about a variety of tools, exploits, and definitely buffer overflows to pass this exam. It is NOT an easy exam.

      OPST. Good old Pete Herzog. I’d read so many things from Pete over the years, and ISECOM hits an exam right on the nose of “knowing your stuff”. For the OPST, you should have a minimum of 3 to 5 years doing penetration testing; however, verification is key. It’s one thing to say you know of a Proof of Concept, even running one once upon a time. Double checking and verifying this will be the key here. You should have a sound understanding of enumeration, applications, networking, etc.

      GPEN… SANS has been around for a while and I hear sensational stories about GPEN. Since I’ve never taken the exam, I cannot state anything other than this: I know some seriously talented individuals who’ve told me this exam is not a walk in the park.

      Forensics…
      CCE (period…) http://www.certified-computer-examiner.com/ Having the CHFI to me doesn’t mean I can qualify as an outright “Forensics Investigator”, at least not by my standards. The Certified Computer Examiner (CCE) is the certification of choice. EnCE is nothing more than a vendor-specific certification. So unless you plan on using EnCase for the rest of your forensic career – which in that case won’t be too long – you may want to start with the CHFI to understand the different tools, arenas of information security/carving, etc., then follow it off with the CCE.

      Intro to management
      SSCP – ISC2’s mini CISSP. This cert will give you a thorough introduction into the realm of information security management.

      Mid-Experienced manager
      CISSP, CISM, NSA IAM/IEM – All certifications mentioned are managerial and are for experienced security individuals. I don’t want to troll about any specific cert, but take note, holding any one of these certs will not make you a security expert as anyone can memorize from a book to pass an exam.

      Others worth mentioning… CISA, if you’d like to spend your time auditing information security policies, procedures, etc. A CISA is not an “uber hacker investigator”, so if you’re confused about this cert, I suggest you read up more about it on ISACA’s website.

      Bottom line…
      It’s up to you to determine what you want to do in life. If you envision yourself being responsible for the security mechanisms of a company, you’d want to shoot for the CISM or CISSP. Want to do a bit of high-level auditing? NSA IAM complements any of the pentesting certs.

      If you truly want to be impressive from my perspective… Shoot for the CCIE Security. You need to understand a heapload about security and prove it in a lab. While tailored for Cisco-based products, studying at the CCIE Security level introduces a lot more than meets the eye. I’ve studied for the CCIE Security for some time now and have learned extensively about VPNs, IPSec, IKE, RADIUS, connectivity as a whole, LDAP, Windows networking, Unix networking, network forensics. It definitely helps to understand these concepts from the RFC level up. Do I want to become a CCIE? Not really, I just like learning. Take note, to fully grasp it all, you’d want to set up a decent lab… (http://www.infiltrated.net/AugDeskPix/)

      My lab’s hardware
      2 Juniper SSG 350Ms, Cisco 3620 w/VIC 2XS, Cisco 3640, Cisco 3620, Cisco 3620, Cisco 4500-M, Cisco 2511 term, Cisco 2524, Cisco MCS-3810-V, Cisco MCS-3810-V 6 port FXS, Sonicwall 2040 paperholder, Cisco MCS-3810-V 6 port FXS, 4 Cisco 2610s with assorted WICs, Netscout fiber taps, Mercury M5 RFID voodoo gizmo, Cisco 35xx switch, Marconi Fore ATM switch, Dinosaur Sun U1, ISDN simulator, Sparc 10, Netscout ETHERNET tap, Sun Netra, Cisco Pix 506e, Juniper Netscreen 5XT, 4 Stonegate SG1100s, 2 Sun 280s, 3 Cisco 4500Ms, 1 Cisco LS1010, 2 Juniper EX switches (shh), Foundry BigIron

      My current study path… CISM, NSA IAM, JNCIA, CCIE Security… All at the same time. Will I take the certs… Unsure yet. I just like learning 😉 For those wondering – “Well who the hell are you…” … Just me 😉

    • #19674
      Anonymous
      Participant

      Those are some strong opinions about certifications you don’t hold.

    • #19675
      oleDB
      Participant

      The most important point of the article: if you think a cert will make you a star, you are 100% wrong. I agree with silxp that the focus should be on learning the content well and not on what a cert gets you. Another point I like, which was kinda hinted at: don’t make your certification selection based on trendiness or job boards. You should think out your career path first to make sure you align your certification goals correctly.

    • #19676
      silxp
      Participant

      @ChrisG wrote:

      Those are some strong opinions about certifications you don’t hold.

      You’re absolutely right, and I find it absolutely amazing that these certification holders have often used works of mine for their books, courses, teachings. I’ve schooled plenty of certified individuals and have had the honor of being humbled by some as well. I speak from experience and the real world, where I’ve dealt with so many throughout my time. From 1997 on through, my history goes back a while, specifically on the technical side of systems administration, network administration, network forensics, denial of service attack mitigation and strategies, you name it. I’m no stranger to this arena, so feel free to Google away.

    • #19677
      Anonymous
      Participant

      @silxp wrote:

      @ChrisG wrote:

      Those are some strong opinions about certifications you don’t hold.

      You’re absolutely right, and I find it absolutely amazing that these certification holders have often used works of mine for their books, courses, teachings. I’ve schooled plenty of certified individuals and have had the honor of being humbled by some as well. I speak from experience and the real world, where I’ve dealt with so many throughout my time. From 1997 on through, my history goes back a while, specifically on the technical side of systems administration, network administration, network forensics, denial of service attack mitigation and strategies, you name it. I’m no stranger to this arena, so feel free to Google away.

      I have to echo Chris’ thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associated classes?

      I do however agree with your statements on learning as much as possible about operating systems and networking.

    • #19678
      silxp
      Participant

      @Bane wrote:

      I have to echo Chris’ thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associated classes?

      I suggest you contact Lisa Lukas @ SANS, Dr. Eric Cole @ SANS for my credentials on authoring VoIP Security – thank you. You can freely see my information on OWASP, Hackproofing Your Network, in which I’ve been mentioned, and a slew of other books. So the short answer is – as a matter of fact, YES I have authored a lot more than I care to mention. Do I need to prove this? Not at any point, but feel free to peruse around and ask perhaps Henning Schulzrinne @ Columbia, who uses my VoIP Security tools to teach security… I could go on and on throwing out names at all of the SIRTs (Cisco, Juniper, Foundry, Microsoft) but it would mean little to me. On the flip side, how long have YOU been in the industry… What have YOU authored? I can give you ISBNs for my information, and the public domain can surely weed you enough information to see who I am and where I come from.

    • #19679
      Anonymous
      Participant

      @silxp wrote:

      @Bane wrote:

      I have to echo Chris’ thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associated classes?

      I suggest you contact Lisa Lukas @ SANS, Dr. Eric Cole @ SANS for my credentials on authoring VoIP Security – thank you. You can freely see my information on OWASP, Hackproofing Your Network, in which I’ve been mentioned, and a slew of other books. So the short answer is – as a matter of fact, YES I have authored a lot more than I care to mention. Do I need to prove this? Not at any point, but feel free to peruse around and ask perhaps Henning Schulzrinne @ Columbia, who uses my VoIP Security tools to teach security… I could go on and on throwing out names at all of the SIRTs (Cisco, Juniper, Foundry, Microsoft) but it would mean little to me. On the flip side, how long have YOU been in the industry… What have YOU authored? I can give you ISBNs for my information, and the public domain can surely weed you enough information to see who I am and where I come from.

      I have a lot of respect for Eric Cole. But, throwing around names of people at SANS and titles of books that you are mentioned in still doesn’t qualify you to give opinions on certifications that you do not hold, unless you have taken the exams, written course material for, or evaluated the material of the associated class.

      I can say that the CCIE is garbage, but my opinion is not valid as I do not have it, have not evaluated the course material, etc. I have only heard what others say about it.

      Some of the best IA professionals have written nothing and some not so great professionals have written books. That argument is pointless.

      It does the community no good for you to come here and provide blanket opinions on certifications that you do not really have knowledge of. Same as it would do no good for me or anyone else to offer opinions on certifications that we have not been involved in. It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.

    • #19680
      silxp
      Participant

      @Bane wrote:

      It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.

      Your perception is yours alone. You asked, I told. I offered an opinion on certs that mean little in the sense that anyone and I mean anyone can read a book, memorize what is in it, pass a test and not have a shred of knowledge on a CBK. I offered an opinion based on my REAL WORLD experience of interviewing people who hold all sorts of certs and have INKLINGS of a clue when it comes to real world experience.

      You have every right to state the CCIE means nothing; it means technically a lot more than any of the paper certs, since there is input validation (real world testing) to prove that not only does one possess a good memory, but one has applicable knowledge. That is what separates the CCIE from other exams.

      So while your opinion is your opinion, mine is mine, and I offered it with REAL WORLD applied experience, REAL WORLD applicable writings and teachings for some of these same certifications. Think of the irony… Myself being mentioned in about 4 different certification tests, of which NONE I care about… Having tools I’ve written thrown into lab exams and books. Having “securing x distro/technology” used by PhD professors at Columbia, Purdue, Washington University and Carnegie Mellon since 1997…

      You asked, I told, so I have every right to throw my opinion around; it is, after all, my opinion. It’s what makes the world a great thing. People agree, people disagree, it’s what makes great discourse, and I’ve had them with the best of them: Bruce Schneier, Marcus Ranum, Theo de Raadt, RFP, and the list of course goes on and on.

    • #19681
      Anonymous
      Participant

      @silxp wrote:

      @Bane wrote:

      It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.

      Your perception is yours alone. You asked, I told. I offered an opinion on certs that mean little in the sense that anyone and I mean anyone can read a book, memorize what is in it, pass a test and not have a shred of knowledge on a CBK. I offered an opinion based on my REAL WORLD experience of interviewing people who hold all sorts of certs and have INKLINGS of a clue when it comes to real world experience.

      You have every right to state the CCIE means nothing; it means technically a lot more than any of the paper certs, since there is input validation (real world testing) to prove that not only does one possess a good memory, but one has applicable knowledge. That is what separates the CCIE from other exams.

      So while your opinion is your opinion, mine is mine, and I offered it with REAL WORLD applied experience, REAL WORLD applicable writings and teachings for some of these same certifications. Think of the irony… Myself being mentioned in about 4 different certification tests, of which NONE I care about… Having tools I’ve written thrown into lab exams and books. Having “securing x distro/technology” used by PhD professors at Columbia, Purdue, Washington University and Carnegie Mellon since 1997…

      You asked, I told, so I have every right to throw my opinion around; it is, after all, my opinion. It’s what makes the world a great thing. People agree, people disagree, it’s what makes great discourse, and I’ve had them with the best of them: Bruce Schneier, Marcus Ranum, Theo de Raadt, RFP, and the list of course goes on and on.

      I can say that anything is garbage based on interviews with people in the know; that doesn’t make it so. My point is that if you are going to try to sway people’s opinions on a certification, or anything else for that matter, it would be useful to offer up your reasons why and provide background on your reasons, so that we can make our own judgement on your thoughts. It does no good to offer opinions based on hearsay. Plenty of people in the know turn out to really know nothing or are pulling their opinions out of thin air.

      EDIT:

      I just wanted to add, I don’t think anyone here is trying to be a jerk to you. I think we just want to understand your reasoning. Name dropping doesn’t help us understand why you think GPEN is good, for example.

    • #19682
      Clay Briggs
      Participant

      Enough with the cert pissing contest. Interesting post on various certs, silxp; some of it I agree with, some of it I’m clueless about so I have no opinion. As with anything, I suggest everyone takes anything gleaned online with due precaution and researches it for themselves. Learning how to learn is the first step to not looking like an ass in the end. As far as who should talk about what because of what they have or such, I really don’t care. We have an open forum, and any opinions I see and suggestions will be tempered personally with a good bit of googling and searching/asking friends for either confirming or contradicting opinion. I suggest the same precaution to anyone, regardless of who says something.

      And welcome to both of you, as I don’t think I’ve said hello to either of you yet. 

    • #19683
      Kev
      Participant

      I actually liked silxp’s post and enjoy people that post with a little passion, regardless of whether I agree 100% with them. I still maintain that a cert is only as good as the person behind it. So much depends on what you want to focus on. For instance, some doors will be completely closed to you if you don’t have a CISSP. In other IT fields you might get along just fine without it. As he stated, take it with a grain of salt and mileage may vary. Thanks for taking the time to post your thoughts here, silxp.

    • #19684
      Anonymous
      Participant

      @g00d_4sh wrote:

      Enough with the cert pissing contest. Interesting post on various certs, silxp; some of it I agree with, some of it I’m clueless about so I have no opinion. As with anything, I suggest everyone takes anything gleaned online with due precaution and researches it for themselves. Learning how to learn is the first step to not looking like an ass in the end. As far as who should talk about what because of what they have or such, I really don’t care. We have an open forum, and any opinions I see and suggestions will be tempered personally with a good bit of googling and searching/asking friends for either confirming or contradicting opinion. I suggest the same precaution to anyone, regardless of who says something.

      And welcome to both of you, as I don’t think I’ve said hello to either of you yet. 

      I agree his post was informative on some of the certifications, and I agreed with part of it as I mentioned. I simply asked what his knowledge of them was. I’m just asking for some full disclosure on his part.

      Thanks for the welcome.

    • #19685
      Anonymous
      Participant

      I wasn’t trying to be a jerk or start a cert war. I just personally feel that if you are going to give advice, you should either have experience in what you are giving advice on or other experience to make your advice valid (everyone can have an opinion regardless of experience).

      I think silxp has since dropped enough information that we can google him and get a feel for his background, which to me wasn’t apparent with the initial post in this thread.

      You’ll have to pardon my pessimism, because we’ve had people talking out their ass on this forum before (not the case this time) and most people don’t seem to have any balls to call people out.

Copyright ©2020 Caendra, Inc.