Advice on certification path

ThanatosNL (Registered Users, Posts: 3)
Hello all,

I would like to get your feedback on the certification path I've chosen to take. My educational background is a bachelor's degree in CS as well as a bachelor's and master's degree in law. All professional experience I've gained was in my own company. I started my company 17 years ago in high school building websites, which gradually moved (as my studies progressed) towards web application development and later consultancy. Currently, I work for different clients as an IT consultant, project manager, and interim IT manager. In those roles, I've gained some experience in InfoSec, specifically in identity management and security/risk management (especially compliance with privacy regulations). Because I receive a lot of requests from (potential) customers to set up an ISMS and/or test their security, I decided to move more into those areas. My goal is to provide security consultancy, pen testing and setting up an ISMS for my customers. Therefore, after research on different forums and blogs, I decided to take the following certs/courses:
  1. Sec+ (self-study)
  2. ISO 27001/27002 Lead Implementer (Live class)
  3. CEH (Live class)
  4. GPEN (Live class)
  5. OSCP (Live class)
For the pen testing courses I decided to brush up on:
  • Linux skills (taking the Linux foundations courses)
  • Network knowledge (N+ self-study)
  • TCP/IP knowledge (Reading a few books)
  • Coding skills (I know PHP and some ASP, taking online Python and Ruby courses)
Before I take the CEH class I will read a CEH book.

I would like to have your comments on the following:
  • Any advice on the certs I'm taking, are there any leaps I'm taking that are too big or are some certs overlapping too much?
  • Do you recommend taking OSCP directly after GPEN or wait a while and gather more experience before taking it?
  • Any advice on the pen testing prep? Do I need to cover some other areas as well or is there any overkill in what I'm doing now?
  • I've already finished studying for Sec+ but I'm contemplating whether or not to take the exam; any thoughts?
Thank you in advance for your time!


infoseclawyer (Member, Posts: 11)
I lurked on this forum for well over a year before I made my first post. This place is indispensable. I'm replying since I have a legal background (JD and LLM), wanted to get my foot in the infosec career path, and wanted to do practical certifications. To get my foot in the door I earned the Security+ and CIPP/US certifications. For practical certifications, my goal is ECPPT then OSCP. My understanding, from reading lots of threads, is that the CEH has issues. I won't be taking it for the many reasons that you can find for yourself on this site. The GPEN is over $1K for the test and, if you want training, add another $5K. That's pretty expensive. From my research, I found a general consensus that Elearnsecurity (PTSV3 and PTPV4) were the best practical foundation courses for OSCP. Moreover, the EJPT certification (PTSV3) helped tremendously in easily passing the Security+. The Elearnsecurity courses will cover all your "brush up on" bullet points and they are really well done.

There are some valuable replies to questions like this already on this forum, so I would recommend doing some more thread research for additional insight.
636-555-3226 (Member, Posts: 975)
I'd skip CEH and move into GPEN, assuming you meet the SEC560 prereqs. CEH is garbage unless you're looking for it to boost your resume/CV. You also don't need a course to pass the CEH, just get some books. It isn't hard, and you won't learn much actual hacking.

BTW, GPEN and OSCP would fall under your "pen testing courses" section. The Linux, Network, TCP/IP and Coding prep should come BEFORE GPEN or OSCP.

FWIW, if you want to be a good pentester, you need to live in that world. Dabbling here and there isn't going to cut it. Sure, you'll get gigs, but you won't be maximizing the value you provide your clients. I dabble and could easily do security audits or pen tests for people, but I've got enough experience to know you need to live & breathe this stuff if you're going to be signing up for the liability of telling your clients if their network is "low" risk.

OSCP is a great follow-up to GPEN, as is GWAPT. Both are good certs and skills to have. SEC660 is another great follow-up, as is GPYC.

Security+ isn't required, but it'll help you verify if you've learned the material. If you can't pass Security+ then you probably should refocus on the foundations before tackling the deeper GPEN and OSCP...

PS - put PowerShell in there. Most pentesters nowadays heavily rely on PS, hence why I don't have it installed on any device in my network and my IPS alerts and kills any PS traffic it sees unless it's coming from our handful of admins who actually use it.
EagerDinosaur (Member, Posts: 114)
Regarding the TCP/IP learning in your pen testing preparation, I recommend "Internetworking With TCP/IP" by Douglas Comer. Reading that was a significant step forward in my career as a developer.
na56 (Member, Posts: 7)
Hi infoseclawyer,

I am an attorney as well and trying to get my "foot in the door" into the privacy sector. If I sent you an email or private message, would you have time to answer it? I would greatly appreciate it.
ThanatosNL (Registered Users, Posts: 3)
Thanks for all the feedback.

Regarding the CEH, I've read about and understand its limitations. For me, the primary reason to take it anyway is not CV building but marketing reasons. When I asked around, quite a few clients could only name the CEH cert, if they could name an InfoSec cert at all. Besides that, I got a good package deal with the ISO cert, so the extra costs of getting it aren't that high.

I understand that pen testing is an all-or-nothing field of expertise. My involvement depends on if and how the business grows, whether it will be more managerial or hands on. Either way, I'll need to learn the basics. In the first few months (at least) I'll have my work reviewed by an independent, well-seasoned specialist to guarantee the quality of the service.

I was indeed planning on brushing up my skills before the certs. PowerShell is a very good idea! I'm adding it to the list. Also thanks for the Comer recommendation, it's actually the second book I'm planning to read.

When do you recommend taking higher level certs such as SEC660/GXPN and OSCE, as soon as possible or maybe after 1+ years of experience?
ThanatosNL (Registered Users, Posts: 3)
By the way, I'll write reviews on each of the courses I take and post them here.
636-555-3226 (Member, Posts: 975)
ThanatosNL wrote:
    When do you recommend taking higher level certs such as Sec660/GXPN and OSCE, as soon as possible or maybe after 1+ years experience?

Once you've got a good feeling for the lower/mid level content and can generally hack into some boxes without consulting notes then you might as well take the courses to up your game. My personal preference is to have a mastery of the content from the first before moving on to the second, but I like to maximize my work's $$. Probably why I keep getting approved for any training I want - they know I make it worth it for them & me.
Tinted Eve (Registered Users, Posts: 3)
na56, I need to talk about some of the exam questions with someone who tested this year. I recall many of the fact scenarios but I'm working in a vacuum and need help. I am an atty and am having a hard time deconstructing the questions, which sometimes seemed to not match any of the options or matched all of them. Can I send you a private message to discuss? Thanks.
LonerVamp (Member, Posts: 518)
There are different levels of security value add that your clients may be asking for.

1- For instance, your client may just wish to know if they have a good security posture. Sort of what a QSA looks for when evaluating PCI DSS compliance (note that you have to be a real QSA to do this for reals): do they check certain boxes for the right security tools and posture?

2- Some just want general vulnerability assessments. Run a tool, report back the findings, and probably give some advice on how to best address the gaps, both short term and long term.

3- And others want actual penetration testing.

The first two are not terribly hard to do, though advising on specific tools and strategies does come with more experience. But general courseware will help here.

Security+ can get your foot in the door of security knowledge.
CEH can give you a taste of the technical trenches.
I'd look strongly into pursuing your CISSP around this time as well. You've done technical work, which means you can make the requirements fit you.
GPEN will dive a little bit deeper than your CEH, and it will start to give you the tooling to do actual pen tests that will add value to your clients.

And the OSCP will solidify much of the pen testing area as well. But honestly, by the time you get to here, you'll probably have decided whether you're going whole hog into security or going to stop up above somewhere and outsource the deep technical piece to someone else. :)

You're going to want to be comfortable in the areas you've noted: Linux, Networking, TCP/IP, some scripting/coding (Python, C, particularly), before getting up to the GPEN.

Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?