GPEN vs GCUX

I just recently passed the CISSP exam and I am waiting on the endorsement process. I probably should have planned my next step, but I was so caught up in getting that one out of the way that I didn't. (I suck.) Now I am in a holding pattern trying to decide what to do next. I have passed the SEC+ and CISSP in about 8 months. I took both of those through self study and now my employer says that I can have a SANS course this summer/fall. I've narrowed it down to something technical, because at this point I need to get my chops back.

The org I'm in has a lot of Windows expertise, but very little UX. We also don't have anyone in my group certified for PEN testing. So good opportunities to have. My question to you good folks is this:

What is the recognition like for these in the market?

I don't plan on going anywhere, but if something ever happened, I'd like to have certs that are recognized and appreciated. It's kind of a question of priority since it's likely that I'll get another SANS class next year so I can do the other one then. I will probably do CISA in the down time.

Find more posts tagged with

Comments

kiki162

Start with GSEC first to get your feet wet. With most SANS courses, you'll need to have some experience using Linux as well. GPEN will probably get you the most ROI, however I'd take a look at the course layout if I were you. Also look at GCIH and GCIA too.

636-555-3226

One word of caution - taking a few pentesting classes won't make you a pentester. It's a world you need to live in to really be good at it. Not saying the classes won't be good - they'll be very beneficial and you'll learn a ton, but I'd still recommend hiring an external company to test your systems on a regular basis.

FWIW, I don't see pentesting certs getting a lot of traction when companies hire pentesters. they don't hurt at all, but if you're looking to get into the field you're going to (hopefully) be quizzed up the wazoo and need to really know your stuff.

Your ultimate class will really depend on what knowledge gaps your work needs filled and where your personal interests lie. If i had to recommend a generic starter class for SANS, it'd probably either be the classes for GSEC or GCIH. GSEC is a little rudimentary but it's rudimentary for every area of IT/InfoSec, so it'll help fill in your 101-level weak areas for unix, networking, etc. GCIH is a great follow-up and a very valuable course. If Strand is still teaching the GCIH course make sure you get him as the instructor, if you choose GCIH.

Ertaz

636-555-3226 wrote: »

One word of caution - taking a few pentesting classes won't make you a pentester. It's a world you need to live in to really be good at it. Not saying the classes won't be good - they'll be very beneficial and you'll learn a ton, but I'd still recommend hiring an external company to test your systems on a regular basis.

FWIW, I don't see pentesting certs getting a lot of traction when companies hire pentesters. they don't hurt at all, but if you're looking to get into the field you're going to (hopefully) be quizzed up the wazoo and need to really know your stuff.

Your ultimate class will really depend on what knowledge gaps your work needs filled and where your personal interests lie. If i had to recommend a generic starter class for SANS, it'd probably either be the classes for GSEC or GCIH. GSEC is a little rudimentary but it's rudimentary for every area of IT/InfoSec, so it'll help fill in your 101-level weak areas for unix, networking, etc. GCIH is a great follow-up and a very valuable course. If Strand is still teaching the GCIH course make sure you get him as the instructor, if you choose GCIH.

Thank you for taking the time to reply.

I should have explained my background a little better. I have been in technology for 20 years. I've been a lot of things,

. I did SCO Unixware/AIX/ and HP-UX administration back in the day, (I even got certified in HP-UX, lol). I got my first CCNA back in 01, Then redid it as part of CCSP (Now referred to as CCNP-Security) in 2006. I have been an Oracle and SQL server DBA. I have worked as a Sr. Engineer at a large telco and WISP. Most recently, I've been the Server/Network/Data historization guy for a large manufacturing facility that has been shutdown. So I'm no ninja, but it's not my first day either. Security has always been part of what I've done. Now I'm trying it on full time.

I suppose I realize that these classes don't make me a pentester or a Unix guru, but they will give me up-to-date info on current best practices and the certification process will be recognition of a level of knowledge about the subject. I wasn't excited to take the CISSP. I choked that material down and waded through it. I'm excited to learn something that has a practical hands-on side.

kiki162 ,

I would love GCIA since I run a UTM at home that has snort enabled, but we have a separate department assigned to that. GCIH is also out since another resource does the incident handling.

UnixGuy

636-555-3226 wrote: »

One word of caution - taking a few pentesting classes won't make you a pentester. ...
FWIW, I don't see pentesting certs getting a lot of traction when companies hire pentesters. they don't hurt at all, but if you're looking to get into the field you're going to (hopefully) be quizzed up the wazoo and need to really know your stuff.

....

I found the certs/training courses to be a good structured way to start and learn the material, as it's organised all in one place instead of randomly reading books. Gotta start somewhere