I don't know where to go...

Salt0912 Member Posts: 27
I am recently unemployed again and have been on the hunt again. I am literally burnt out by trying to keep up with everything at this point. I unfortunately am a bit of a jack of all trades but not a master of anything in the IT world. In some areas I lack a lot more than I feel I should, but I get job offers easily; at the same time, I get tired of trying to learn something "new" all the time.

I recently got Kali Linux and realized that I like the whole pen testing, forensic or field work side of infosec, and honestly I am tired of sitting behind a desk all day. I don't have any security experience and am about to get my Security+, but I'm not sure where to go from there. I was looking at the CEH, but I am looking to land a job within the field in the next 6 months or so. I'm even considering taking a crap job as long as I get to study up for certs. I just need advice on what is the fastest and best way of getting a job in this field for someone with no experience in infosec. I am looking for actual application or the theory, and a cert that shows that off.

Comments

  • Master Of Puppets Member Posts: 1,210
    Depends on where exactly you want to go. There is a difference between pen testing and forensics, for example.

    Normally, you would need a higher level IT job in order to make the transition. Security requires other IT knowledge/experience to build on. For instance, if someone wants to do network security, getting a job in networking (network/sys admin) will probably be the best way to go.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • LionelTeo Member Posts: 526
    Fastest way would be as many certs as possible. Then ask for an internal transfer or apply for a security related job. SOC is a blooming industry and has the most headcount among all security teams.

    Year 0 to 2 exp (two of these)
    SSCP
    CEH
    Security +

    Year 2 to 3 EXP (one of these)
    GCIH
    GISP
    G2700
    GSEC
    CASP

    Year 3 to 4 Exp
    CISSP

    Year 4 to
    CRISC
    CISA
    CISM


    Certs like SSCP and CISSP have 9 months to submit credentials before the maintenance kicks in, so logically you can pass the certification at 1.5 years or 3.5 years respectively.

    In the end, your certification should look something like this:
    CEH, SSCP, GISP, GCIH, CISSP
    CEH, SEC+, SSCP, GISP, CISSP
    CEH, SEC+, GISP, CISSP, CRISC

    looks good right?

    Also worth mentioning would be that GISP is the SANS version of the CISSP; passing the GISP will give you a great deal of experience for doing the CISSP. So the easiest and most reasonable self study path would be:

    SEC+, SSCP, CEH, GISP, CISSP, CRISC

    SEC+ - 0 years
    SSCP - 1.5 years, credential to be submitted at 3 years
    CEH - 2 years
    GISP - 3 years
    CISSP - 3.5 years, credential to be submitted at 4 years
    CRISC - 4 years

    That is for career options. If you are interested in some side line other than general certifications, certs like OSCP, GPEN, GXPN, GCFA, EnCE, and GREM come in somewhere later once you have set foot in this industry.
  • Master Of Puppets Member Posts: 1,210
    I feel like I should point something out. We should make sure someone does not get the wrong impression: certs don't mean that much in infosec. Definitely get them, but just be sure not to rely on them too much. Most people in hiring positions for infosec say that they don't give a **** about certs.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • 5ekurity Member Posts: 346
    I would actually challenge that and say that most people in hiring positions want the InfoSec "gold" standard of the CISSP, not to mention that if recruiters / HR are filtering through resumes first, without those 5 letters you'll be passed over. IMO a CISSP is like having a Bachelor's Degree in InfoSec: you have a lot of exposure to different areas to make you educated enough to know what's going on, but your work experience makes you specialize into other areas, such as a CISA/CGEIT/CRISC, or some other flavor of SANS training (i.e. GCFE/GCFA/GWAPT).
  • LionelTeo Member Posts: 526
    Master Of Puppets wrote: »
    I feel like I should point something out. We should make sure someone does not get the wrong impression: certs don't mean that much in infosec. Definitely get them, but just be sure not to rely on them too much. Most people in hiring positions for infosec say that they don't give a **** about certs.

    I agree to some extent; experience does count. Certs are just paper like a degree, and some certs are very useless thanks to the presence of ****, or misguided information in the certs; but knowledge also helps during an interview, and some of these certs come with valuable knowledge that experience cannot comply, so they somehow go hand in hand with each other. Constantly upgrading oneself through certification is also relatively important. When both candidates are evenly matched, certs can help in making the final judgement.

    So far, for my two interviews, certs have helped me quite a lot in my journey; it may not be the same for others though.
  • Salt0912 Member Posts: 27
    Master Of Puppets wrote: »
    I feel like I should point something out. We should make sure someone does not get the wrong impression: certs don't mean that much in infosec. Definitely get them, but just be sure not to rely on them too much. Most people in hiring positions for infosec say that they don't give a **** about certs.

    First off I want to say thank you all for your input and insight on the subject. I've read all the comments and I concur with some of the information on here. I have no certs and only a year and a half of IT experience, but in my defense, unlike everyone else I come across in my department, I talk to my seniors and take notes, learn some of the theory and then apply it in a real world application. When I go to my interview I am a people person and can sell the bs, cleanly. A lot of jobs ask for a mile long list of requirements or ask for certs, but I will get the job; when you get there you don't do half the stuff listed on the job listing, but I still nail it because I can sell myself and the bs enough to walk through the door.

    That being said, I understand both notions: you do need certs to sell your bs and sell more, but at the same time experience far outweighs the "paper" all day, any given day. You have to really sell it at the interview and gear the resume towards the job market in that field. I talked to a lot of recruiters and I will share what I know about acquiring jobs and the truth, if y'all don't already know. Recruiters are like women: they are for you but against you at the same time, and they will lie for you, put you in a spotlight to get you in front of the client, and lie to you. That being said, I have had many if not all of the recruiters tell me to "fluff" the resume or outright lie. You are not the only person they are talking to, but they will tell you anything to get you in front of the client. I'm not going to go into detail because it is long winded, but if you would like to know more I would love to share. This is the GA IT job market, but I'll say this: social engineering teaches us that recruiters, sales, PUA, preachers, counselors, integrators and women are social engineers. Social Engineering: The Art of Human Hacking is a great book to read about the subject, but I digress.

    I can't really wait around for 4 years to get the golden ticket, as I don't even have experience in the field yet, but I have Kali Linux and Wireshark, which I played around with prior to that, and know some VB to launch PS scripts. I'm not high level or anything imo, but I am looking to take a pay cut or whatever to walk in the door in an entry level sec job. The certs I'm looking at, because I need real experience, are OSCP, Security+, Linux+, Network+, SSCP, and I would like a SQL/Java cert. I currently don't have any certs. I have managed in my little IT career to obtain 50-60k job positions, but I am burnt out trying to learn the "new" stuff on the job description to get the job. I would love to be geared towards this field, but it's daunting at the same time with all the different types of positions. I like pentesting and going into the field; any light or words of wisdom would be awesome. Again, thank you for all the comments and information you have already shared.

    Questions that come to mind:
    What are they asking at the interviews?

    What are they looking for exactly from the candidate, i.e. great communication, excellent troubleshooting and some fundamentals (talk and walk the position)?

    Are the interviews personal or technical? Because I have gone to interviews that are not technical at all and I smash them with the selling of the bs/social engineering.

    The technical interviews are somewhat easy as well, but as soon as I gauge the interview or interviewers I take control of the interview again. The tech questions are not difficult either, and if I feel I know more than the individual or they are not as confident, then I dominate the interview. Are they not like this in this field?

    I had an interview at Citrix, and the way they take their screening of people they interview is they ask questions about your resume or the job. Depending on your answer, they will ask you to explain or elaborate on the answer; think showing your work for a math problem. Thus the workaround for this is giving an answer that is just enough to satisfy and not vague enough to show lack of knowledge. They will look for confirmation in your face or the cues will come in. You still need a foundation, and they are looking to break you or get you in an "aha, we got you, you don't know"....are all the sec jobs like this?

    What types of pen testers are there? i.e. breaking a site, a network, a system?

    Sorry, but I am just refusing to work help desk any more, and the sheer level of dumb people that work in the same department with me is killing me. I at times wonder how they got this job, and they have certs/bs. I had a boss tell me, "can you tell if this computer has an internet connection"...(it was a Win 7 GUI...-_-...) I told him there's no X over the internet connection icon on the bottom right. He said "good, not a lot of people know that"; I was like what...this position paid 50k and upwards. He didn't know his stuff either, and I don't think I know much, but at the same time I know when I meet my senior in this field, I don't question. I am an empty cup of water, and there is theory vs real world; there is a big difference. I need the real world with the papers to sell my bs, but I really like this field.

    You guys are great!

    Is this a good idea, or should I save my money?

    http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
  • Master Of Puppets Member Posts: 1,210
    Don't get me wrong: certs are important. I also think that the CISSP is "the" infosec cert. However, I don't think that certs A, B, C and D will get you a job. They always help and people should get them, but it may not be a good idea to expect a job because of certain certifications. That's all I'm trying to say.

    There will be technical interviews as well as interviews in which they will just want to get to know you. People want to find others who will fit in with their team, who like what they do and show a desire to learn. Technical skill is not always the most important factor. Sometimes you can teach a person to work with some technology or train them for a job, but it may be harder to find someone with the kind of personality you are looking for. Communication skills are very important for every job. In infosec you will most likely have to explain technical stuff to non-technical people. This is usually a big problem. Example: you have to make your case to management for beefing up security. For you it is obvious, but they don't see it. Security is just an expense to a lot of people. Being on the same page with management is actually one of the biggest problems infosec people face.

    The type of technical questions will depend on the job. There is infrastructure penetration testing, where you try to penetrate a network and the servers on it. You can also do web application pen testing. Some people really like social engineering, where you need people skills rather than technical ones. The last one has proven to be very effective if done right.

    You may be tested on TCP/IP, knowledge of vulnerabilities and operating systems, a little coding, etc. I think it is hard to summarize unless you see some job description.

    As for the OSCP: best pen testing cert in my opinion. I think it will be hard to find someone who will disagree on this one. My only advice is that you familiarize yourself with the topics before going in, so you don't waste valuable lab time on what can be done outside the course on your own time. I think you will benefit from learning at least some of the things before starting.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • LionelTeo Member Posts: 526
    I think certs help to "show interest" to prospective employers, on being keen on the job. And in doing so, an employer will likely pick you over other candidates if primary considerations fail (could be due to budget requirements). Thus, it's possible to squeeze into a junior position this way. In regards to OSCP and pentesting, I have participated in some topics; take your time to go through them.

    http://www.techexams.net/forums/jobs-degrees/87522-career-penetration-tester.html

    http://www.techexams.net/forums/security-certifications/100679-path-advice.html
  • Dunkers404 Member Posts: 15
    Is the A+ really necessary, when you have a few technology qualifications e.g. a diploma?
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,665
    The A+ is necessary if you are applying for a job that states it's necessary. Otherwise, it's just a fun cert to learn about and get.
  • NovaHax Member Posts: 502
    IMO...the two entry level certs that are most likely to land you your first job are going to be A+ or CCNA. That being said...it is possible to get through without them (I never got either).
  • ethkhkr Member Posts: 11
    I agree with Master of Puppets; certs really don't mean **** when it comes to hiring for a position in the Infosec field. The cert may get you in the door for an interview, but at that point it's the knowledge you have and your personality that will land you a job. My recommendation would be to pay more attention to what the course teaches you as opposed to the letters you gain after the exam.
  • n8236 Member Posts: 20
    I wouldn't go as far as to say certs don't mean jack poop, especially for the likes of CISSP, GIAC and CEH. Those exams are very hard to brain **** and require a lot of dedication and real study. Employers value that sort of commitment and see potential if you are willing to go that far to advance yourself. That translates into someone with a lot of potential and knowledge that is bottled up. All in all, it does mean a lot, but it's not a free pass to the job. I got my first security job because of my first GIAC cert whilst not being in the field.

    However, with that said, the security field is WAY short on supply. With the right attitude towards the field, I don't see any issues finding a good paying job.
  • Jon_Cisco Member Posts: 1,775
    Salt0912 wrote: »
    You guys are great!

    Is this a good idea, or should I save my money?

    I read this post barely, and what it sounded like was a long winded way of saying I am entitled to more and should not have to put the work in.
    If you're tired of learning the bs for the interview, why don't you pick a focus and actually learn it?

    I am not being critical just felt I should express how you were coming across to me in the post.
    I don't have any recommendation about what you should study just try to find something that interests you.

    Good Luck!