Advice for Certifications

Hi all,
I am currently a student studying IT security and would like to take up certifications related to security. The first certification that I knew of was OSCP, but with my limited knowledge, my teacher recommended going for CEH, which will give me a better idea for OSCP. I would also like to have a better understanding of the things needed for OSCP before applying for it, because I do not want to rush into taking it and end up struggling badly. Need advice!
Thank you!
Comments
Start with Security+. It'll give you the broad range of exposure to infosec. It also helps with the resume (although not so much for pentesting) and is a cheap/easy thing to get under your belt quickly. Pentesting alone is a very, very small portion of infosec. Plus, you need to know not just how to hack stuff, but also how to fix it. When you pentest my company, your job isn't just to tell me how you hacked me - you also need to tell me how to fix the problems!!
If you need someone to recommend a security track for you:
Security+ > EJPT > ECPPT > GPEN > OSCP > GWAPT > GXPN > GMOB - the "G" certs are where it starts to get expensive. OSCP takes a LOT of work. SANS also has some non-certification hacking courses that are good, and I'd start to insert them after GXPN & consider those before the GMOB.
Also start to follow all of the major hacking tool creators on Twitter to get updates on their tools & know when they've made cool new tools to play with. You'll get that list once you get into your studies. Play with those tools in your own lab and become a master of them. Also start to work on your command-line kung fu. Windows, *nix, scripting, PowerShell, and Python. Command-line kung fu mastery is an absolute necessity if you want to do this for a living.
I'd skip CEH. It isn't going to teach you anything about how to actually hack stuff. CEH is essentially Security+ but focused solely on red team (hacking) stuff. If you really want the CEH, do Security+ for the broad exposure then CEH afterward for the narrow, hacking focus. Just remember - CEH isn't going to teach you how to hack anything - it's all about naming this tool for this or this switch for that.