Goal is to be in InfoSec, not sure what path of Certs to seek

thewiz8807

As the title suggests, my dream job would be InfoSec with the DoD. A former military brat, I'm sure you can guess why I want to be involved with the Government again lol. More importantly I think InfoSec is the most important. Just not sure what path to take to get my foot in that door crack.

If you look at my sig you can see what I have mapped out for myself as far as future goals are concerned...not certain which of those are unnecessary for a DoD InfoSec job though. I know the Cisco certs are highly regarded but they aren't vendor neutral.

Any pointers would be greatly appreciated.



Thanks,
Wiz

broli720

First step is to forget about certifications for the moment. Find an area that you're passionate about and learn the technologies associated with it. Do you currently have a degree? That might help as well. Once you're proficient in said tech you can apply for entry level positions. Once you get experience, then you validate your hard work by pursuing the certification.

And honestly you're better off going the programming route if you want to get into security. It has a lower barrier to entry and it's something you can practice on your own. I suggest C and C++. After you learn those languages then move over to Python. You'll find it easier getting an analyst position with a coding background.

E Double U

I don't know what DoD wants, but my first security role was in a telco's SOC which required CCNA and CCSA. My networking background helped me land that role (4+ years in NOC, 1+ years in configuration/migrations).

I do bank security now and the CISO recommended vendor agnostic certs (CompTIA, ISC2, GIAC). Been here 2+ years and completed CCNA/P Security, CISSP, and now working on GCIH.

BlackBeret

If you want to go in on the GS side you'll almost always need a degree, the contractor side doesn't really care about that. As far as certifications go you'll take a look at the DoD 8570 chart, http://www.1staff.com/images/DOD8570.jpg.

For the security side, everything I have seen has required minimum IAT level 2 (Security+ covers) AND a certification for one of the CND areas. Notice that CEH covers almost all of the areas. With Sec+ and CEH you should meet the requirements for most positions. Beyond that the rest of the positions require CISSP, and more specialized certifications for whatever the job function you're being hired is.

636-555-3226

Certs aren't everything, but when people here ask me what certification path to aim for in terms of security or general flow of learning all things security via certs, I recommend

CompTIA Network+ (since you need a basic network foundation for many infosec principles)

CompTIA Security+ (base starting point)
or SANS SEC301: Intro to Information Security (GISF cert test) (if you want to pay a ton more money)
or SEC401: Security Essentials Bootcamp Style (if you already have a decent security "base" and, again, lots more money)

CompTIA CASP (start immediately after Security+, it's the next level up)
or spend a ton more money & branch into the SANS offerings like SEC501: Advanced Security Essentials - Enterprise Defender or SEC504: Hacker Tools, Techniques, Exploits and Incident Handling

(ISC)² SSCP (if you're on the budget path and avoiding SANS expenses)

(ISC)² CISSP (this is just about a must-have for any 2nd or 3rd level security job in my region)

At this point you need to consider if you want to branch into management or specialize into various operations roles like forensics, pentesting, Windows/Linux security, researching, etc. There are specialized SANS courses for all of those. If you're interested in the management path, consider:

ISACA CISM

ISACA CRISC (risk is the base of all things security, so I'd strongly recommend this guy)

After that you start getting into the niche products like

ISACA CISA (IMO nearly all 2nd or 3rd level security jobs are going to ask for auditing skills in the near future). SANS also offers a competing cert.

CIPM - Certified Information Privacy Manager or alternative (the company offers a few) - Privacy will also be big in the coming years

CBCP - Certified Business Continuity Professional (many companies, esp. large companies, have separate security & BCP teams, but it never hurts to be able to talk to them in their own language)

thewiz8807

Hmmm lots of stuff to consider here. Would the CCNA be worth nabbing if my ultimate goal is InfoSec? Would any of the Cisco certs be in that case?


I have no prior experience in IT.

broli720

I strongly recommend you go the coding route if you have no IT experience. Bigger ROI and no degree required.

JoJoCal19

broli720 wrote: »

I strongly recommend you go the coding route if you have no IT experience. Bigger ROI and no degree required.

To add, I'm seeing more and more security roles require knowledge of at least one scripting and/or programming language.

636-555-3226

Agreed about the programming language. Big increase in analyst roles asking for experience scripting or creating custom signatures for use in standard security tools IPS

thewiz8807

I actually have no interest in programming lol, I tried my hand at that more than once and each time I hated it more. My heart just isn't in it.

Should I continue pursing my CCNA if my end goal is InfoSec with DoD?

DoD isn't the end all be all though, I'm open to InfoSec in general.

broli720

If you want to do the technical side of infosec, then you're going to have to learn how to code or script. If not, I suggest you stay on the operations side of things and go with CCNA.

thewiz8807

Mmmm. I definitely do want to remain on the operations side of the spectrum. Is the Cert progression pathway for Operations after CCNA:R&S different than what 666' advised above?

BlackBeret

The Cisco certs are required for the networking engineer guys, not the security guys.

BlackBeret

The only people I've seen in a DoD SOC that are basically required to have some programming are the pentesters. Outside of that, everyone dabbles in a bit but it's not a requirement by any means. BASH is routinely used and helpful, and is all but a requirement.

Basically you would be fine if you can follow higher level scripts without too much trouble.

Also, I'd HIGHLY recommend learning Linux to a deep level. The cert isn't a requirement but I've only been in one SOC that was fully Windows, and a few that were Linux dependent. Watching guys struggle and eventually get fired because they can't learn to use Linux is sad. If you want a cert path to follow, knowing what I know now, I would choose RHCSA over Linux+.

What most people are leaving out is that security isn't usually an entry level job, and it definitely requires a lot of knowledge. I would set up a home lab, using VMware because that's what you'll see and have to get used to in every company, and a variety of Linux and Windows machines. I would study networking in detail and work at configuring all of VM's on some static IP subnet. I would have one or two server edition VM's and run various services like DNS, HTTP, Samba/SMB, FTP, SSH, etc. I would learn to configure and use these things on both Windows and Linux. I would set up Security Onion and learn to read traffic and to properly configure and monitor an IDS/IPS, SIEM, etc. I would set up Kali and learn to throw attacks at my servers, while monitoring the traffic.

Yes, learning and doing all of that properly will take time, but by that point you'd be ready for an entry level analyst role. Also, the certifications aren't important. The only hard requirements are the DoD 8570 requirements that I explained above. For GS positions you will 98% of the time need a Bachelors degree in Comp Sci or IT. For contractor positions no on focuses on the degree but it helps. The rest of these things are more about knowing your stuff and being able to prove it. If you're dead set on having a cert path to walk through all of that it would look something like, Net+, RHCSA (RHCSE if you want to get in to configuring Red Hat Servers), MCSA (Server if you want to configure Windows Servers), Security+, and CEH for a baseline. GCIA is good for analysis, OSCP is great for offensive security. Learning offensive techniques will strengthen your overall security knowledge no matter what you end up doing.

thewiz8807

If I were to take the Networking Engineer route, would I be able to land a job with the US Gov? What would the recommended path of Networking certs look like?

I guess what I'm asking now is if I were to follow the path listed in my signature, what other certs would I need to be able to find employment with the government?

broli720

I would honestly focus on getting an job in IT first. You'll know more about what you like after a few years. The CCNA wouldn't hurt but at the end of the day it's an entry level certification. If you want to work for the government then you'll have to build your network and see where that takes you.

Just having a piece of paper or taking some certification path is not going to get you hired nor can we guarantee any outcome. If you want to do networking, then focus on learning the material and becoming the best engineer you can be. After you've developed a mastery, then you can start putting the feelers out there to make the jump into security.

Like others have said, everyone in security that I've worked with has years of experience in one or more domains. I got the chance after two years a few years ago because I was one of the best engineers on our technical services team. In my case, I had a bachelors, masters, and I was an intern at my current company. Even after all of that, I still did a year on the help desk and 2 years with the network and server teams.

My point being, it takes time and there are no shortcuts. Your performance and contacts are more likely to get you a job than certs. Remember, certifications validate experience.