Question regarding SEC401: Security Essentials OnDemand course and GIAC GSEC test
Hello,
I decided after months of thinking and evaluating that my 40th birthday gift will be a SANS course, because I really need a boost in my career. I have a Bachelor of Science in Network and System Administration, 10 years of work experience in IT and some certifications that are now more than 10 years old and full of dust. My current position is network and security administrator in a small office (50 users) and I really want to get some of SANS' "black belts" in the security field. (I also train Kyokushin kai, which is kind of the "SANS security courses" of karate.)
I will choose to start with the SEC401: Security Essentials OnDemand version of the course because it suits me and my family best. I have taken a look at the course syllabus, and under SEC401.4: Secure Communications I see that cryptography and steganography are well covered and that the GIAC GSEC exam will test these concepts in depth. In particular, under "Crypto Concepts" GIAC states that "The candidate will demonstrate a high-level understanding of the mathematical concepts which contribute to modern cryptography."
My question is for those who have passed the exam and concerns how deeply the exam tests the crypto concepts. I'm asking because I know that I do not have a high-level understanding of mathematical concepts such as discrete mathematics, probability, complex algorithms and so on.
(I have decided to skip CompTIA Sec+ because I used Darril Gibson's practice test book and I feel that I'm doing well, and the SANS Security Essentials Assessment shows me 3 stars in each of the 3 sections with a 69% score. I will self-finance this whole SANS course journey and I want to assure myself that this is right for me and that I'm ready for it.)
After GIAC GSEC (401) I intend to take 504 and 560 and hopefully enter the world of cool pentesters.
Mess with the best, die like the rest!
Comments
Yes, those differential equation questions were tough. On a serious note, there really weren't that many questions on crypto concepts, and no math was involved.
It seems that I have been scared a little bit regarding crypto. Dr. Eric Cole also goes into some detail in his Network Security Bible, 2nd ed., and I thought that this section would be difficult in the test without a proper understanding of the mathematical concepts. Anyway... it seems like the GSEC is starting to disappear from my plan, since I feel that I know all the concepts from the course syllabus and I have work experience with most of them.
Now I want to ask you what the right path is for beginner pen tester training and, most importantly, which vendor training I should choose. There are many out there, cheap/expensive, accredited/not accredited and so on. My "investment" plan is to get the right training and work experience for the next few years and then start moving to an independent consultant role (maybe a pen testing firm if I get the right team). I know that I want to be a pen tester! I have a good understanding of network concepts and Linux, some Java programming experience, and I am willing to adopt a pen tester's way of living: finding hidden doors. I looked also at other paths like CISSP and CISO certifications, but no, they are boring for me even though they can give you more cash. I always do what I like, not what can potentially give me more money.
After TechGromit's reply I assume that a possible path can be: choose SANS, being a solid vendor in cybersecurity (but expensive for self-financing), and take in this order: SEC501, SEC504, SEC560 and so on... maybe SEC573, SEC567 and so on.
Or maybe choose Offensive Security certs, or Mile2's, or EC-Council? Which vendor will prepare me best to get into the business market, not the job market? I have worked for others for almost 20 years and explained things I learned the hard way to people who did not understand what it was about but had decision power over me, and I want to stop doing that!
My impression of Norway is that not many firms, employers (IT-head positions) or recruiting firms have a clear understanding of, let's say, the difference between a vulnerability test and a pentest. I mean, my new IT chief asked me last autumn, when he had just begun, "What is SANS and GIAC?" when I was applying for financial cover for a SANS course. I hope that not all IT chiefs in Norway are like this, but the last 3 I had never challenged me technically/professionally! And I'm not blaming them, I blame myself because I let the time pass by without proper action.
Does anyone have any experience with the SEPP certification and training from https://www.social-engineer.com/social-engineering-training/ ? They are pricey too.
CISSP definitely covers a LOT of information, so I can understand why it may seem boring. If you dive into that exam, use Transcender for a good testing engine. Even the GIAC exams are tough, especially when you take a class where you don't completely understand the concepts, or how something works. Looking back, the CISSP gives you a taste of what is to come with GIAC exams.
One piece of advice on GIAC: look at getting more experience on the Linux admin side. You have 10 yrs of experience, but it sounds like you're jumping ahead of yourself just to get to an "ideal" role. As an example, I've seen people take bootcamps to get their MCSE or CCNA or both in hopes of getting a better paying job within a few months. Even if you did pass those exams, you're only going to retain that information for a short time, and with no experience, you'll still start at the bottom and eventually work your way up.
You have to build your experience over time, and this type of stuff doesn't happen overnight. In order to really get yourself "there", I'd suggest making it a point to do 2-3 exams per year: one, because you'll need the CPE credits, and two, because you'll be able to stay on top of your skill set. You have the option of doing work-study for GIAC, which is a lot cheaper, but you'll need to devote a good week to it. Also, see if your work will pay for some of these classes, maybe not fully, but a little bit.
I think your goals are good; however, I'd look at "pen tester" jobs and see what they REALLY require as far as experience is concerned. Get yourself a copy of Nessus Home to do some vulnerability scanning. Get a Kali box set up, and play with Metasploit, Armitage, sqlmap, and other pen testing tools. Work on getting Sec+ and other security certs. Even GSEC is a good one, but I think you can challenge it based on your experience. At $1200, you DON'T wanna mess that up.