Basic questions about CISA, CGEIT, CIA, CISSP, SSCP

Hi, which from following certificates CISA, CGEIT, CIA, CISSP, SSCP can I do most easy (with my OSCP experience)? is any of this possible to do on-line? Thanks for advice!

Find more posts tagged with

Comments

UnixGuy

Don't look for easy.

Choose CISSP, it has the more Return on Investment (I think)

Mike7

CISA, CGEIT and CIA are more for auditors. CISA, CGEIT, CISM and CRISC are from ISACA
Questions is, are you interested in auditing type roles?

CISSP and SSCP are from ISC2.

With your background (the part about finishing OSCP in record time was very impressive

), you may want to get into very technical roles, i.e. penetration tester, APT/malware, network packet analysis.

Take note that most of the above requires relevant work experience; 5 years for some of them.
CISSP associate is good option. You do not seem to have the 5 years required work experience to get full CISSP.

eth0

Mike7 wrote: »

CISA, CGEIT and CIA are more for auditors. CISA, CGEIT, CISM and CRISC are from ISACA
Questions is, are you interested in auditing type roles?

I need this to do security jobs like pentests follow our crazy law (I mean as own company for gov)

...

Mike7 wrote: »

With your background (the part about finishing OSCP in record time was very impressive ), you may want to get into very technical roles, i.e. penetration tester, APT/malware, network packet analysis.

Thanks, I am already ex-admin 0.5y, ex-forensic 1y, ex-cert 1.5y and now 1y pentester in bank

. But I can have own company since I don't have any non-competition clause and I need any of this certificates from first post to work for government in infosec consulting. You can think that I am genius or something, but I am not, I got problems with math my whole school time, I just like infosec for some 15 years so when I was young teenager and I wanted to be hacker, so you know I started with NetBus 1.6 etc hehe... and just over this time was linux, networks, unofficial web pentests etc... do you really think that you know any good pentester who wasn't blackhat? whitehats will never be good pentestes, and this is not about any real cybercrime because hacking is not about stole money/changing content of server (like hacked pages) etc, it was just 4fun - nothing more and today we have bug bounties (I done over 50 in well known companies) and it worked same years before

.

I think CISSP can be hard for me, since even when I tried do CEH questions there is a lot of theoretical stuff. For example I know how do pentests but there is question

Scanning is performed in which phase of a pen test?
Hint: Pen-test steps are different from the five hacking steps.
A. Pre-attack
B. Attack
C. Post-attack
D. Reconnaissance

So you know, technicals skills aren't procedural

. Because for me scaning like there can be A,B,D:
A - because of OSINT
B - because this is active and follow i.a. probably law in my country this is like attack illegal and probably in USA too
D - because of OSINT as in "A" too, because reconnaissance is pre-attack lol

so you know

... because of this I think is not so easy to pass exam like CISSP for me, I am just full technical person and knowledge about IT have nothing to this procedures like in example question above, I don't have much soft skills

BTW, sorry for my English skills...

Mike7

eth0 wrote: »

You can think that I am genius or something,

Understand. A person becomes good in what he does regularly and enjoys doing. We call it passion.

eth0 wrote: »

I need this to do security jobs like pentests follow our crazy law (I mean as own company for gov) ...

I am just full technical person and knowledge about IT have nothing to this procedures like in example question above, I don't have much soft skills

There is always the non-technical aspects; talking to potential customers, writing pen test reports...
No idea about CIA. CISA, and CGEIT are fairly high-level management type certs; which means less technical.

SSCP is a subset of CISSP. One year infosec experience is required.

Since you need a cert for government jobs, CEH may be a better option. The "Hacker" in CEH is more appealing.

eth0 wrote: »

Scanning is performed in which phase of a pen test?
Hint: Pen-test steps are different from the five hacking steps.
A. Pre-attack
B. Attack
C. Post-attack
D. Reconnaissance

There are some procedures and processes in CEH. Just memorize them for the exam.
For study resource, you can refer to the exam outline and use Matt Walker CEH AIO to read up on what to memorize.
CEH exam registration process is a bit complicated. Refer to this post for more info

TechGuru80

eth0 wrote: »

Hi, which from following certificates CISA, CGEIT, CIA, CISSP, SSCP can I do most easy (with my OSCP experience)? is any of this possible to do on-line? Thanks for advice!

I do not think OSCP is going to apply to any of those hardly at all. SSCP and maybe CISA can be technical and might have a little overlap but in general...OSCP is about offensive hacking, and SSCP / CISA are about defense.

CISSP is more of a management style certification regarding policy and an information security program for an organization not being the "boots on the ground".

What kind of job are you trying to go for? Why did you start with OSCP and not have anything prior? Just because you can pass the OSCP doesn't mean you have enough knowledge of even Security+, so I would probably start with that or Network+. If you actually have experience, I would probably go with SSCP...or if you have a lot of experience CISSP but again it is meant more for management.

I have not heard of any online proctored exams being offered for those certifications. Offensive Security is one of the few that offer the ability to test online.

eth0

TechGuru80 wrote: »

What kind of job are you trying to go for?

To be honest, I am not sure. I always wanted to work in some well known company in my country, and first step was sysadmin but always I was interested mainly in infosec so that was like unreachable dream... and after ~3 years I got it, but I was always sure that will take some 10-15y :P...

TechGuru80 wrote: »

Why did you start with OSCP and not have anything prior?

Just to show others that maybe I don't have professional experience but real tech knowledge and I can do it

TechGuru80 wrote: »

Just because you can pass the OSCP doesn't mean you have enough knowledge of even Security+, so I would probably start with that or Network+. If you actually have experience, I would probably go with SSCP...or if you have a lot of experience CISSP but again it is meant more for management.

Yeah, probably SSCP sounds good not only from your post but also Mike7's, thanks! I must only check if there is in Poland possible to do some course (and in normal price) next after eWPT which I do now

.

Do you recommend some materials to self study SSCP?

gncsmith

eth0
Check out this thread, I got some great information and suggestions for study materials.

http://www.techexams.net/forums/isc-sscp-cissp/114386-recommendations-possible-enroute-sscp.html

Quoted it here for you.

tedjames wrote: »

I passed Security+ in August 2014 and SSCP in April 2015. For SSCP, I used Darril's book. I believe he has published an errata on his website to cover those errors.

Regarding SSCP study materials, I created a spreadsheet outlining all of the domains based on the official CIB bullet points. ISC(2)gives you those for a reason. This is what you should know to be ready for the test. After creating the spreadsheet, I found as many sources of reference for each domain and made sure that I covered every bullet point. I used these sources:

- Darril Gibson's SSCP All-in-One (extremely well written but a little too close to his Security+ book)
- Michael Gregg's CASP study guide: Amazon.com: CASP CompTIA Advanced Security Practitioner Study Guide: Exam CAS-002 (9781118930847): Michael Gregg: Books SSCP is a practitioner-based certification. I figured that if I study above what I need, it'll give me an edge.
- Cybrary CASP, CISSP, and Cloud+ training (Kelly Handerhan's CASP lectures are fantastic, especially her discussion on PKI. Because of her, I get it.)
- CCCure SSCP and CISSP practice questions and flash cards (definitely worth the tiny expense)

Regarding using other sources, no need to read the entire book. Just study the sections that correspond to the cert you're studying for.

For Security+, I created a memory **** (NOT a brain ****) that included port numbers, RAID, incident handling steps, encryption types, etc. It's about four pages. I just created this as I studied. I practiced writing these things out from memory every day (backwards and forwards) to keep them in my head. It really paid off, because it was very easy to jot these items down on my scratch paper during the test. This really helped with the SSCP exam.

I finished the exam in less than two hours. I felt really confident going in. But after I finished, I felt like I had guessed too many of the answers. I went back and doublechecked my work. I changed only a few answers that I realized that I gotten wrong. If you do this, be careful not to second guess yourself. As I reviewed each answer, I kept a tally of the answers I knew I had gotten right. I ended up with at least 111 of 125. There may have been more, but at that point I knew I had passed. So I walked out feeling really good about it. The paper the proctor gave me verified that I passed. I wish they could've given me a score, but the important thing is that passed.

Tongy wrote: »

For Sec+ - Darrill Gibson only
For SSCP - Darrill Gibson 2nd edition and ISC2 CBK (latest edition) - you can use CISSP material, too.

You just need to know the domains, if you feel comfortable with the material, you'll pass.... That counts for both exams. Sec+ is straight forward with far less confusing questions than SSCP

I'll be ordering my books and beginning next week. Good luck.

eth0

Thanks! You guys are lucky that materials and exam is in your native language

, my friend made CISSP yesterday and told me that he got some problems with English questions on exam when he have much better language skills that me with my communicative B1 (so sorry because I know how hard sometimes must be to read my text)