Advice for someone starting in security

alexkurban Member Posts: 32
Hello everyone and happy new year!
This year I intend to pass some certs and start in IT, but I don't know which cert to start with. I am thinking about this roadmap:

CCNA R&S > COMPTIA SECURITY > CEH > GSEC

Is that a good roadmap to enter the security world?

Sorry for my bad grammar

Comments

  • McxRisley OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin Member Posts: 494
    It really depends on what you want to do in information security. Do you want to find and patch vulnerabilities? Do you want to do network security? or do you want to do compliance work?

    I would say that the CCNA and Sec+ would be a good start although the CCNA wouldn't be necessary unless you wanted a job in networking. The CEH has a really bad rep, it's good for getting past HR but doesn't really teach you anything other than theory, a very outdated theory at that. I myself was prepping for the CEH and got through almost all of the materials before deciding it was a waste of time and just went straight to the OSCP.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • alexkurban Member Posts: 32
    McxRisley wrote: »
    It really depends on what you want to do in information security. Do you want to find and patch vulnerabilities? Do you want to do network security? or do you want to do compliance work?

    I would say that the CCNA and Sec+ would be a good start although the CCNA wouldn't be necessary unless you wanted a job in networking. The CEH has a really bad rep, it's good for getting past HR but doesn't really teach you anything other than theory, a very outdated theory at that. I myself was prepping for the CEH and got through almost all of the materials before deciding it was a waste of time and just went straight to the OSCP.

    I want to orient myself toward network security. A lot of people tell me that CCNA is better than CompTIA Network, so I think CCNA and CompTIA Security will be a good start, but after that I don't know. I hope that in 2017 I will pass CCNA, CompTIA and one more, but I don't know which. I am working and studying at the same time, but I have over 4/5h per day to study. When I pass my CCNA (I set the exam date for March) I will start to look for work like help desk or support.

    What roadmap do you advise for me?

    Thanks all for your time
  • nebula105 Member Posts: 60
    Hey Alex,

    I too was facing a somewhat similar crossroads like you.

    Work-wise:
    I planned my path from a Desktop Support Engineer, to an Infrastructure Engineer before moving on to a security role.

    Certificate-wise:
    I planned to take the MCSA and CCNA Security to ensure that my IT foundations were solid. I haven't achieved either, but I did take a course for the MCSA (which I've never regretted, the knowledge is gold).


    My personal advice is to start from the bottom, outside of security. Perhaps from a Helpdesk or Desktop/Infra engineer.


    Why do this? Let's see:

    Helpdesk/Desktop Support

    You get to pick up on common endpoint issues. These can range from the everyday malware and phishing emails, to understanding the differences in shared folder permissions, to shell commands, to scripting in bash, PowerShell or simple batch scripts and even to something as simple as improving your efficiency in navigating around common functions in Outlook or Windows.

    Why would that be useful? Because all of these skills will be used especially when you're in a security role. For example, what's the difference in gpedit.msc and secpol.msc? How do you search through your registry for specific malware keys? What tools have you used over the years to maybe, retrieve deleted files or see what was the last file / last action taken on the PC? After you've pwned a web service running on a Linux server and you've got a shell/meterpreter running, what commands do you use to navigate around a Linux server? How would you navigate around a Windows OS/Server via command prompt as well?

    Also, just as importantly, you can get to see first hand the "cleanliness" of an end user and how they treat computers and IT personnel.

    I've had my fair share of traumatic incidents, including one where a user screamed at me when all he wanted to do was convert a Word Doc to a PDF. Would you be mentally prepared for these sorts of users when ransomware hits their computer? Would you know exactly which files and file extension are salvageable after a ransomware hits your PC? (Hint: email archives)

    I've also had to comfort a poor old lady who lost 5 years of files due to a ransomware attack. You can learn how to develop a "bedside manner" similar to doctors and patients, whilst trying to salvage files that were missed out by the ransomware; while gently asking the user if they've kept a backup of their files (sometimes illegally) on their home PC/thumbdrive/external hard disk/shared drive/colleague's PC/handphone/cloud storage.

    You can also train yourself on translating tech topics, like even the simple act of scheduling auto archiving in Outlook to a .PST file in your user's D:, into something plain and simple for a user to understand.

    With the skill of translating tech topics in hand, you can start converting difficult security terminologies into something easy for users to understand in your monthly/annual security awareness talk.

    Infra Support

    Learning how to configure services in a server is a very useful skill, as well as learning about the different concepts (DHCP, DNS, ARP, High Availability, Clustering, AD DS, LDAP, NAC, Unified Comms, IP telephony). These topics will get thrown around even in a "security" meeting, because everything is related.

    For example, how would you, as a security personnel, advise an Infra personnel to lock down a user's internet access? Could you do it via a Security Group in AD? Could you do it via their username/MAC address in a proxy? Could you block it via MAC Address on a NAC? Could you assign them a static IP address and block it in a firewall? Or could you create a special OU in AD, enforce a GPO on it that turns on the client's Windows firewall to block outgoing HTTP/HTTPS traffic, followed by locking down changes to Windows firewall? Which method is the best? How would you plan ahead to scale it up from one user, to an entire department, or specific subnets in the entire organization?

    It could even stretch as far as; how would you, as a security personnel, ensure that your IP telephony traffic, that a vendor is implementing in a cross-country project, is secured? Would you understand and see through the vendor's smokescreen if they started talking about the wrong concepts of IPSec and SRTP?

    Learning how to configure networking devices (routers, switches, firewalls) is an extremely useful skill too. Once you know how to configure something, you know where to look out for common mistakes and potential security gaps. Even the smallest of things, like the difference in Cisco's password and privilege levels "5", "7" and "15" will turn out to be useful.

    For example, what if you've gained access to the network team's network device config backup server/shared drive? Would you be able to read the config file and determine what's going on? Would you have the ability to glance through and identify decryptable passwords?

    Learning about databases and how to configure them could be a vital skill as well.

    For example, what's the common port that SQL Server 2008 is running on? Would you be able to telnet in? Did you know that a lot of software usually has unsecured databases built in and installed by default? What are their default usernames and passwords? What sort of databases would you run into and what are the common fallacies?

    Of course, there's also programming and secure practices, but you get the point :)


    In short, I believe there is no "right" way to security, and that you shouldn't be "too" specialized in the beginning.

    Pick your path, bash your way through, learn everything you can and make friends all around, then work your way into security. That way, you'll be an extremely useful and vital contributor to not only the security team, but to everyone in your organization.
  • TechGuru80 Member Posts: 1,539
    If I had to do it again....I would do this: MCSA > Linux+ > Network+ > CCNA:R&S > Security+ > GSEC.

    SSCP could be an ok substitute for GSEC and will cost you less but won't be quite as good. I might even get the CEH after you finish all of these if nothing more than an HR bypass but it does give you good conceptual knowledge.

    One thing to realize is your plans might have to change depending on what path you go down. I was in an InfoSec role and had to get Security+ first...so don't plan too far in advance but that path I gave you will take you about 2 years or so to finish but will set you up nicely. Additionally if you can learn at least PowerShell and bash...and Python if you really are motivated...you will have a very solid foundation.
  • TechGuru80 Member Posts: 1,539
    That was MCSA for server by the way.
  • alexkurban Member Posts: 32
    nebula105 wrote: »
    Hey Alex,

    I too was facing a somewhat similar crossroads like you.

    Work-wise:
    I planned my path from a Desktop Support Engineer, to an Infrastructure Engineer before moving on to a security role.

    Certificate-wise:
    I planned to take the MCSA and CCNA Security to ensure that my IT foundations were solid. I haven't achieved either, but I did take a course for the MCSA (which I've never regretted, the knowledge is gold).


    My personal advice is to start from the bottom, outside of security. Perhaps from a Helpdesk or Desktop/Infra engineer.


    Why do this? Let's see:

    Helpdesk/Desktop Support

    You get to pick up on common endpoint issues. These can range from the everyday malware and phishing emails, to understanding the differences in shared folder permissions, to shell commands, to scripting in bash, PowerShell or simple batch scripts and even to something as simple as improving your efficiency in navigating around common functions in Outlook or Windows.

    Why would that be useful? Because all of these skills will be used especially when you're in a security role. For example, what's the difference in gpedit.msc and secpol.msc? How do you search through your registry for specific malware keys? What tools have you used over the years to maybe, retrieve deleted files or see what was the last file / last action taken on the PC? After you've pwned a web service running on a Linux server and you've got a shell/meterpreter running, what commands do you use to navigate around a Linux server? How would you navigate around a Windows OS/Server via command prompt as well?

    Also, just as importantly, you can get to see first hand the "cleanliness" of an end user and how they treat computers and IT personnel.

    I've had my fair share of traumatic incidents, including one where a user screamed at me when all he wanted to do was convert a Word Doc to a PDF. Would you be mentally prepared for these sorts of users when ransomware hits their computer? Would you know exactly which files and file extension are salvageable after a ransomware hits your PC? (Hint: email archives)

    I've also had to comfort a poor old lady who lost 5 years of files due to a ransomware attack. You can learn how to develop a "bedside manner" similar to doctors and patients, whilst trying to salvage files that were missed out by the ransomware; while gently asking the user if they've kept a backup of their files (sometimes illegally) on their home PC/thumbdrive/external hard disk/shared drive/colleague's PC/handphone/cloud storage.

    You can also train yourself on translating tech topics, like even the simple act of scheduling auto archiving in Outlook to a .PST file in your user's D:, into something plain and simple for a user to understand.

    With the skill of translating tech topics in hand, you can start converting difficult security terminologies into something easy for users to understand in your monthly/annual security awareness talk.

    Infra Support

    Learning how to configure services in a server is a very useful skill, as well as learning about the different concepts (DHCP, DNS, ARP, High Availability, Clustering, AD DS, LDAP, NAC, Unified Comms, IP telephony). These topics will get thrown around even in a "security" meeting, because everything is related.

    For example, how would you, as a security personnel, advise an Infra personnel to lock down a user's internet access? Could you do it via a Security Group in AD? Could you do it via their username/MAC address in a proxy? Could you block it via MAC Address on a NAC? Could you assign them a static IP address and block it in a firewall? Or could you create a special OU in AD, enforce a GPO on it that turns on the client's Windows firewall to block outgoing HTTP/HTTPS traffic, followed by locking down changes to Windows firewall? Which method is the best? How would you plan ahead to scale it up from one user, to an entire department, or specific subnets in the entire organization?

    It could even stretch as far as; how would you, as a security personnel, ensure that your IP telephony traffic, that a vendor is implementing in a cross-country project, is secured? Would you understand and see through the vendor's smokescreen if they started talking about the wrong concepts of IPSec and SRTP?

    Learning how to configure networking devices (routers, switches, firewalls) is an extremely useful skill too. Once you know how to configure something, you know where to look out for common mistakes and potential security gaps. Even the smallest of things, like the difference in Cisco's password and privilege levels "5", "7" and "15" will turn out to be useful.

    For example, what if you've gained access to the network team's network device config backup server/shared drive? Would you be able to read the config file and determine what's going on? Would you have the ability to glance through and identify decryptable passwords?

    Learning about databases and how to configure them could be a vital skill as well.

    For example, what's the common port that SQL Server 2008 is running on? Would you be able to telnet in? Did you know that a lot of software usually has unsecured databases built in and installed by default? What are their default usernames and passwords? What sort of databases would you run into and what are the common fallacies?

    Of course, there's also programming and secure practices, but you get the point :)


    In short, I believe there is no "right" way to security, and that you shouldn't be "too" specialized in the beginning.

    Pick your path, bash your way through, learn everything you can and make friends all around, then work your way into security. That way, you'll be an extremely useful and vital contributor to not only the security team, but to everyone in your organization.

    Thx for your answer. I know that I need to start from the bottom; for this reason I need to know which cert is better to start with. I think that CCNA is better because a lot of people tell me that CompTIA Network is "light". But the plus of CompTIA is that it is vendor agnostic, and for this reason I have a lot of doubts.

    I know what my goals are, I drew a roadmap and I am so motivated. I only have one problem: I am 28 (so old to start). I want to start right now, but I need at least one cert to start.

    Is CCNA better than CompTIA to start?

    thx for your time
  • alexkurban Member Posts: 32
    TechGuru80 wrote: »
    If I had to do it again....I would do this: MCSA > Linux+ > Network+ > CCNA:R&S > Security+ > GSEC.

    SSCP could be an ok substitute for GSEC and will cost you less but won't be quite as good. I might even get the CEH after you finish all of these if nothing more than an HR bypass but it does give you good conceptual knowledge.

    One thing to realize is your plans might have to change depending on what path you go down. I was in an InfoSec role and had to get Security+ first...so don't plan too far in advance but that path I gave you will take you about 2 years or so to finish but will set you up nicely. Additionally if you can learn at least PowerShell and bash...and Python if you really are motivated...you will have a very solid foundation.

    Why would you do MCSA first rather than CompTIA Network?

    I want to orient my roadmap to security. I know that having a good understanding of Linux and system administration is good, but this kind of knowledge I will acquire on my own. Searching this forum I found an interesting post from one guy who put a link to one blog: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/


    In this blog I got a lot of valuable info about security. But I need to start from the bottom, just get a job in IT like Help Desk to get some experience. I just want to know which certification is better to start in IT: CCNA? CompTIA Net?...


    thx for your time
  • Mike7 Member Posts: 1,101
    alexkurban wrote: »
    Searching this forum I found an interesting post from one guy who put a link to one blog: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/


    In this blog I got a lot of valuable info about security. But I need to start from the bottom, just get a job in IT like Help Desk to get some experience. I just want to know which certification is better to start in IT: CCNA? CompTIA Net?...

    In total, she has 7 chapters.
    For advice about starting from the bottom, you can try https://danielmiessler.com/blog/build-successful-infosec-career
  • alexkurban Member Posts: 32
    Mike7 wrote: »

    Yeah, I know that there are 7 chapters; I put the link just as an example. I thought about it and I decided to start with CompTIA networking and after this CompTIA security; this should be a better route for my roadmap.
  • yoba222 Senior Member Posts: 1,233
    I did A+ > Network+ > Security+ > CCNA R&S.
    I spent 6 months studying and digesting the CCNA and I think I probably would have given up on the CCNA had I attempted it first. Similar to what TechGuru80 mentioned, you'll likely find that your plans/interests change as you go down the study path.

    I'd start with the A+. It digs into some network and security stuff and you'll learn subnetting IIRC. If it's too easy, great! You'll complete it quickly and can move on. But more likely you'll discover what you're good at and not so good at. This you can use to gauge your direction for the next cert--CCNA or something else.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • alexkurban Member Posts: 32
    yoba222 wrote: »
    I did A+ > Network+ > Security+ > CCNA R&S.
    I spent 6 months studying and digesting the CCNA and I think I probably would have given up on the CCNA had I attempted it first. Similar to what TechGuru80 mentioned, you'll likely find that your plans/interests change as you go down the study path.

    I'd start with the A+. It digs into some network and security stuff and you'll learn subnetting IIRC. If it's too easy, great! You'll complete it quickly and can move on. But more likely you'll discover what you're good at and not so good at. This you can use to gauge your direction for the next cert--CCNA or something else.

    Why did you do network > security > CCNA R&S?

    I was watching the CBT Nuggets CompTIA A+ and I have the knowledge of this certificate; I just write it in my resume. My roadmap is the following:

    CompTIA Network > CompTIA Security > SANS GSEC/GPEN/ ISACA CISA > OSCP/CISSP

    This is my 5-year roadmap.

    In these 5 years, besides acquiring those certificates, I want to acquire the necessary knowledge of Bash scripting and sys admin, and understand network security better.
  • TheFORCE Senior Member Posts: 2,298
    How is the CISA fitting in your 5 year roadmap? How do you tie it with the other more technically oriented certificates?
  • alexkurban Member Posts: 32
    TheFORCE wrote: »
    How is the CISA fitting in your 5 year roadmap? How do you tie it with the other more technically oriented certificates?

    Sorry, I have a mistake in the roadmap:
    CompTIA Network > CompTIA Security > SANS GSEC/GPEN > SANS GCIA/GMON > SANS GWAPT/GMOV > OSCP/CISSP
  • nebula105 Member Posts: 60
    Hey Alex,

    CompTIA Network+ is a really good starter and should help kick start you into a helpdesk position.

    However, I must stress that the Network+ isn't necessary at all, and since you've mentioned that you already have IT skills (you mentioned you have the knowledge of CompTIA A+), you just need to get into an IT role.

    What you seem to want is to move from general security knowledge, to pen-testing, to auditing, to monitoring, to web pentesting, to (I'm guessing that you meant) mobile security, back to pen-testing and general security knowledge.

    You're probably excited and looking at all the different vendors and certs that you can get. I was once in this position, but once I got into IT proper, I realized there were a lot of certs that I wished I could have, but do not have the resources to pursue.

    Again, I must stress; get into the field of IT first and start learning, then you can start tuning and pruning your roadmap :)

    Also, age is just a number. I had a junior desktop support engineer under me who was 30 years old who knew nothing much about IT support and had zero certs. He was literally taking notes all the time and so, so willing to learn that I taught him everything I knew and learnt. Today he's a senior engineer.

    I was 24 back then.
  • alexkurban Member Posts: 32
    nebula105 wrote: »
    Hey Alex,

    CompTIA Network+ is a really good starter and should help kick start you into a helpdesk position.

    However, I must stress that the Network+ isn't necessary at all, and since you've mentioned that you already have IT skills (you mentioned you have the knowledge of CompTIA A+), you just need to get into an IT role.

    What you seem to want is to move from general security knowledge, to pen-testing, to auditing, to monitoring, to web pentesting, to (I'm guessing that you meant) mobile security, back to pen-testing and general security knowledge.

    You're probably excited and looking at all the different vendors and certs that you can get. I was once in this position, but once I got into IT proper, I realized there were a lot of certs that I wished I could have, but do not have the resources to pursue.

    Again, I must stress; get into the field of IT first and start learning, then you can start tuning and pruning your roadmap :)

    Also, age is just a number. I had a junior desktop support engineer under me who was 30 years old who knew nothing much about IT support and had zero certs. He was literally taking notes all the time and so, so willing to learn that I taught him everything I knew and learnt. Today he's a senior engineer.

    I was 24 back then.

    Yeah, I thought twice, but I live in Spain and here you need degrees for everything, even if you have a degree and don't know anything about your position. For this reason I need to have at least one certification to enter and find an IT role.
    Maybe I need to perform my resume for a Help Desk position; I will try in these days.

    About the certificates, you are right, I am so excited, I want to get them all xD. Maybe with time I will only want to get the knowledge about them.

    Thx for your answer, can you advise me about how to structure my resume with no degree in IT?
  • TechGuru80 Member Posts: 1,539
    alexkurban wrote: »
    Why would you do MCSA first rather than CompTIA Network?

    I want to orient my roadmap to security. I know that having a good understanding of Linux and system administration is good, but this kind of knowledge I will acquire on my own. Searching this forum I found an interesting post from one guy who put a link to one blog: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/


    In this blog I got a lot of valuable info about security. But I need to start from the bottom, just get a job in IT like Help Desk to get some experience. I just want to know which certification is better to start in IT: CCNA? CompTIA Net?...


    thx for your time

    Starting out at a system level instead of a network level is the most likely path you will face. If you go into a help desk type role...the MCSA will be closer to what kind of tasks you face than network+. By studying OS certifications first you are building a foundation of knowledge so you don't have to go back later. Knowing best practices and how to configure and check certain things will be vital for InfoSec. CompTIA certifications are going to be easier but from my experience in the field I would do the path I suggested...like everybody though the decision is yours.
  • yoba222 Senior Member Posts: 1,233
    alexkurban wrote: »
    Why did you do network > security > CCNA R&S?

    Network+: At the time I was in college taking a networking course. They complemented each other so I spent 12 or so weeks studying for this cert.
    Security+: I've heard the Security+ is more difficult now, but the knowledge I gained doing the Network+ was about 80% of what was on the Sec+. So I spent maybe 2 more weeks studying and did the Security+.
    CCNA: I was working at a NOC at the time. The cert complemented my work environment. I also learned I don't care much to pursue a CCNP now.
  • alexkurban Member Posts: 32
    TechGuru80 wrote: »
    Starting out at a system level instead of a network level is the most likely path you will face. If you go into a help desk type role...the MCSA will be closer to what kind of tasks you face than network+. By studying OS certifications first you are building a foundation of knowledge so you don't have to go back later. Knowing best practices and how to configure and check certain things will be vital for InfoSec. CompTIA certifications are going to be easier but from my experience in the field I would do the path I suggested...like everybody though the decision is yours.

    I know what you want to tell me, but my first step is to find a job in an IT role, like Helpdesk, and for this in this retarded country (Spain) I need at least 1 certification. I want to learn about sys administration because I know that it is a basic foundation of InfoSec, but firstly I need a job in IT.

    Thx for your advice, I will consider it
  • alexkurban Member Posts: 32
    yoba222 wrote: »
    Network+: At the time I was in college taking a networking course. They complemented each other so I spent 12 or so weeks studying for this cert.
    Security+: I've heard the Security+ is more difficult now, but the knowledge I gained doing the Network+ was about 80% of what was on the Sec+. So I spent maybe 2 more weeks studying and did the Security+.
    CCNA: I was working at a NOC at the time. The cert complemented my work environment. I also learned I don't care much to pursue a CCNP now.


    I hope that I can pass the Network+ in 2 months. I am studying 3/4 hours per day and reading a book oriented to networking (The TCP/IP Guide by Kozierok)