Job will pay for any certs. Which ones to get?

fabostrong Member Posts: 215
So in order to keep me from leaving, my job has said they'll pay for any certifications I want. Study material and the test cost.

Which certs do you guys think I should get? I was thinking Penetration Testing Professional and Practical Network Defender by eLearnSecurity, Certified Network Defender by EC-Council, I kinda want the CEH but just for the name recognition, I don't feel like the info it teaches is that great. I was also thinking about the SSCP. Or maybe the CSA+ cert.

What do you guys think? If you could pick up to 4 security certs that you could get for free, which would you guys pick?

I'm mostly interested in penetration testing and a security analyst role.

Comments

  • Clm Member Posts: 444
    I would pick SANS certs, maybe GPEN, since you want the penetration side. SANS is the most expensive and I hear the best training.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig

  • TechGuru80 Member Posts: 1,539
    If they are going to pay, go with SANS / GIAC for sure. They are pretty expensive compared to others but they give great quality material that would take significant work to acquire the same information on your own.

    GSEC / GCIH / GCIA...are the core certifications but they have GPEN / GWAPT for baseline network and web pentesting.
  • mbarrett Member Posts: 397
    +1 to SANS/GIAC certs
  • fabostrong Member Posts: 215
    Okay cool. I know those are really expensive. What do you guys think would be best for actual practical knowledge?
  • OctalDump Member Posts: 1,722
    If they are willing to pay, get your money's worth. GIAC/SANS is usually too expensive to take without an employer paying, but they are great things to have. It also gets you out of work for a few days ;). 4 of those would be ~24k.

    If they have a budget limit below that, then you might need to get cleverer.

    However, if they won't pay for live classroom training courses, just videos/books etc., then I suggest something like a subscription to Safari Books and to something like ITProTV, Linux Academy, Pluralsight or CBT Nuggets. That way you get access to a lot of different books and training. Cisco has some good online things as well, but I think you pay for a specific course, and I'm not sure where they are with their CyberOps (real soon now™) and Security (CCNP Sec is being refreshed) training.

    That would give you training for more than 4 certs, so you could pay for some exams yourself, or do the training and skip the certification and move on to something higher level.

    CEH is good for the name, and provides a basic introduction to pen testing. eLearnSecurity is a better option if you want to learn hands on skills. I think they also have bundles of training.

    It depends also where you are starting from and where you want to go. If you have IT experience, and only a little info sec, then something like Sec+ or GSEC is a good starting point. If you are interested in pen testing, then eLearnSecurity PTS is a good starting point, or GCIH and GPEN, or CEH (if you like the name). If it's more blue team, then the PND or GCED or even CCNA Cyber Ops. If it's analyst, then CSA+ or CCNA Cyber Ops. If it's security engineering, then CCNA Security or SSCP or CASP.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • 636-555-3226 Member Posts: 975
    If work's paying for four courses:

    Penetration Testing starting from zero experience:
    1st - SEC560: Network Penetration Testing and Ethical Hacking
    2nd - SEC542: Web App Penetration Testing and Ethical Hacking
    3rd - SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
    4th - SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
    Then do eLearnSecurity/OSCP on your own dime if you have to (good tax write-off for unreimbursed business expenses). OSCP has some good stuff, but maximize the dollars your employer is willing to spend while they're willing to spend it.

    Security Analyst from zero experience: (assumes you're analyzing things that are happening, not trying to defend your org)
    1st - FOR408: Windows Forensic Analysis
    2nd - FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting
    3rd - SEC503: Intrusion Detection In-Depth
    4th - FOR572: Advanced Network Forensics and Analysis (not quite a direct follow-up to SEC503, but will be a good challenge)
  • p@r0tuXus Member Posts: 532
    Awesome responses. OD and 636 have great information.
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • JoJoCal19 Mod Posts: 2,835
    As others have said, SANS/GIAC all day....foh with CEH

    I second the Safari Books sub as well!
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • E Double U Member Posts: 2,233
    I would go for SANS training if it is on the company's dime. Since you want C|EH, take SANS SEC504/GCIH and take C|EH immediately after for an easy win (and name recognition) since the material overlaps.

    SEC503/GCIA and SEC511/GMON also good for analysts.

    For a pentester, take SANS SEC560/GPEN and then OSCP.

    I highly recommend taking advantage of SANS - especially when someone else is paying.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • fabostrong Member Posts: 215
    Big thanks for all the information guys. It doesn't look like they'll do any of the SANS courses cause they're 3-5K plus I'd have to miss a week of work. However they would be okay with paying the $1200 for me to take the GIAC GSEC test.

    So it seems like anything that I can self study or watch videos, they're okay with paying for. Just not $3-5k for one cert where I'll also have to miss work for a week.

    Something about the Certified Network Defender attracts me. It's $1900, they said they'd pay for that. They'd pay for OSCP but I don't think I'm ready for that. I think I could do Penetration Testing Professional by eLearnSecurity though.

    Also thinking about the CCNA Cyber Ops.

    My job already pays for CBT Nuggets but they don't really have any security courses other than Security+.

    I kind of want to do the CEH but I feel like the main benefit of it is the name. I've read a lot about how it doesn't teach much practical knowledge.

    I was thinking of the CSA+ but it's relatively cheap so I may do that on my own down the line.

    Decisions, decisions....
  • TechGuru80 Member Posts: 1,539
    Actually a GIAC certification with SANS course will run you at minimum around $6500 but that sucks they won't do that.

    Don't challenge the exam, the value is in the courseware which you don't get without taking the class. For future reference they do have onDemand where you can go at your own pace over four months and don't have to go anywhere or sign on at a certain time.

    CBT Nuggets has several security courses...CEH, CISSP, CCNA, and a few others I don't recall off the top of my head.

    The value of CEH is it's well known by HR and can get you past filters but it will be very conceptual...if you don't have 2 years experience it's gonna run you like $1500-2000 for the official course to alleviate the experience requirement.

    CEH > eJPT > eCPPT...is probably a good start to build towards the OSCP.
  • OctalDump Member Posts: 1,722
    I'm not selling ITProTV, but I have access, so I thought I'd just put it out there. I haven't used other subscription services, so not sure how it compares. The courses I've done seem to be pretty good (Project Management, ITIL, VMware), but not sufficient by themselves to pass the exams.

    They have these security certification courses:

    CCNA Cyber Ops
    CCNA Security
    CSA+
    Security+
    CASP
    SSCP
    CISSP
    CCSP
    MTA Security Fundamentals
    GSEC
    ECES
    CEH
    CHFI
    ECIH
    CISA
    CISM

    In addition they also have security courses on:

    Cisco Firepower
    Cisco ASA
    Metasploit
    Kali Linux
    Nmap
    Python
    AntiVirus / AntiMalware
    Cryptography
    Cyber First Responder
    OpenPGP
    Pentesting
    pfSense
    Social engineering
    Wireshark
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Danielm7 Member Posts: 2,310
    To spin this a different way since they're not willing to let you take time off or spend a lot on training... Did you have another job offer already? You mentioned that they offered you this to keep you there. If all they're offering is allowing you to challenge a GSEC without training, then you're staying at a job you were ready to leave for under 2 thousand dollars in benefits. It's worth thinking over if you were ready to walk out the door already.
  • core22 Member Posts: 27
    SANS SEC504. Has a lot of information that can be useful for both an analyst, as well as for pentesting.

    Cybrary is another great resource, with videos by many notable folks. For example, some pentesting videos are by Georgia Weidman, which follow the theory of her book.
    CISSP | GPEN | GWAPT | GCIH | CEH | CHFI | Security+
    BS - InfoSec, Drexel University - Summa Cum Laude
  • SteveLavoie Member Posts: 1,133
    I second what Danielm7 said. They are willing to give you a candy ($2K on a cert), but in the long term .... You should ask for a commitment on your training. A budget like $5-8K / year that you could manage (get Pluralsight, Safari, pay for exams, pay for training) with them.
  • Mike7 Member Posts: 1,107
    fabostrong wrote:
    Big thanks for all the information guys. It doesn't look like they'll do any of the SANS courses cause they're 3-5K plus I'd have to miss a week of work. However they would be okay with paying the $1200 for me to take the GIAC GSEC test.

    Something about the Certified Network Defender attracts me. It's $1900, they said they'd pay for that. They'd pay for OSCP but I don't think I'm ready for that. I think I could do Penetration Testing Professional by eLearnSecurity though.

    You can consider eLearnSecurity bundles. You do not miss work and there are a few ranging from 2K to 5K; https://www.elearnsecurity.com/landing/the_elite_pentester_bundle, https://www.elearnsecurity.com/offers/4_in_a_box and https://www.elearnsecurity.com/offers/all_access
  • fabostrong Member Posts: 215
    TechGuru80 wrote:
    Actually a GIAC certification with SANS course will run you at minimum around $6500 but that sucks they won't do that.

    Don't challenge the exam, the value is in the courseware which you don't get without taking the class. For future reference they do have onDemand where you can go at your own pace over four months and don't have to go anywhere or sign on at a certain time.

    CBT Nuggets has several security courses...CEH, CISSP, CCNA, and a few others I don't recall off the top of my head.

    The value of CEH is it's well known by HR and can get you past filters but it will be very conceptual...if you don't have 2 years experience it's gonna run you like $1500-2000 for the official course to alleviate the experience requirement.

    CEH > eJPT > eCPPT...is probably a good start to build towards the OSCP.

    I know CEH has the HR effect but I'm really not interested in it. For some reason the Certified Network Defender stands out to me more. I'm pretty sure that the eCPPT is definitely one I'll have them get and I'd love to shoot for the OSCP one day.

    And yeah, it sucks they won't pay for GIAC certs but they're still helping me out big time so I'll take what I can get.
  • fabostrong Member Posts: 215
    OctalDump wrote:
    I'm not selling ITProTV, but I have access, so I thought I'd just put it out there. I haven't used other subscription services, so not sure how it compares. The courses I've done seem to be pretty good (Project Management, ITIL, VMware), but not sufficient by themselves to pass the exams.

    They have these security certification courses:

    CCNA Cyber Ops
    CCNA Security
    CSA+
    Security+
    CASP
    SSCP
    CISSP
    CCSP
    MTA Security Fundamentals
    GSEC
    ECES
    CEH
    CHFI
    ECIH
    CISA
    CISM

    In addition they also have security courses on:

    Cisco Firepower
    Cisco ASA
    Metasploit
    Kali Linux
    Nmap
    Python
    AntiVirus / AntiMalware
    Cryptography
    Cyber First Responder
    OpenPGP
    Pentesting
    pfSense
    Social engineering
    Wireshark

    Thanks for this. I probably never would've looked into this site. They currently pay for a CBT Nuggets account for me. I'm going to see if they'll cancel that one and sign me up for ITPro.tv. I looked through the site and courses and it looks legit.
  • fabostrong Member Posts: 215
    core22 wrote:
    SANS SEC504. Has a lot of information that can be useful for both an analyst, as well as for pentesting.

    Cybrary is another great resource, with videos by many notable folks. For example, some pentesting videos are by Georgia Weidman, which follow the theory of her book.

    I'll explain the situation. I went to school for IT certifications in August 2015. Got my first IT job in March 2016. So I'm right at a year of experience in IT, or I should say actual work experience.

    When I got into IT, I wanted to get into cyber security. I was an Intelligence Analyst in the Army and have always been interested in hacking and stuff like that.

    I quickly found out that no job will hire you with no security experience.

    Now I work for a managed services company. I do remote desktop support, I'm a level 1 tech. We support over 400 clients. I'm a domain administrator for all of our clients. I have access to their entire infrastructure for the most part. I found out there was no security role here at the company when I interviewed. I've been here 8 months and just kind of stopped worrying about it.

    Recently I got a job offer from a company to do what I do now but with a path into security. They only have one security guy and he's one of the owners. He was going to teach me things and have me do certain security related tasks until eventually I'd only do security work. This company was offering a bit more money which typically wouldn't be enough for me to change jobs but I was going to take it cause of the security experience I'd get. It was also going to be salary. When I asked if they'd pay for certs, they said they'd pay half for any cert up front and the other half a year later. They said they'd rather do it that way in case I got the cert and left for another company.

    Anyway my company came to me and said that next month, the CEO is meeting with a security firm. Nobody on my level had known about it just because they hadn't told anyone yet. One way my company grows is by acquisition. They said they're meeting with a security firm to see how they can incorporate security services and build our own security team and there's also a chance they may buy a security firm. They said the whole second half of 2017 is going to be focused on getting a security team with at least one working position by the end of the year.

    They said that if I decided to stay that they'd match what the other company was going to pay me except I get paid hourly here as opposed to salary which is what I would've been with the other company. And there's always room for overtime here. In addition to that, they said they'd be okay with paying right now for whatever certifications I want. Except GIAC for a week apparently lol.

    I thought that was neat because I was expecting them to just let me go with no problem. I really didn't want to leave because it's a smaller company. We go out drinking with the CEO and owner sometimes and they foot the bill lol. We have beer here at the office and have parties. Everybody I work with is pretty cool. It's a really good work environment.

    Typically there's certs you have to have to be a level 2 technician. You can get it before you become a level two or within 6 months after you become a level 2. One is CCNA routing and switching and I can't remember what the other is at the moment. I told them I want security to be a level 2 role and that I wanted to focus on whatever security certs I choose and not have to focus on the level 2 certs that they already had in place. They were okay with that. So they're kind of letting me make my own path into security even though it's not even established here at the company yet. Plus they said at the end of the year, I'll get another raise that will be $5-10K.

    So now I'm just trying to find the next 2 certs I wanna get. And at the very least, if I get a number of certs and they feel like they don't wanna pay so much for them cause I'm at least qualified enough, I know they'll still pay at least exam costs for whatever certs.

    Sorry for the novel but thanks if you've read it.
  • NetworkNewb Member Posts: 3,298
    Since it sounds like you really like your company and you're working for a managed services provider, I would think that you want to figure out what security services you're going to be providing to your clients and focus on those. Maybe it is pentesting like a lot of the courses most people are recommending, or maybe it is configuring firewalls, IDS, or whatever. Just become an expert at whatever you guys are doing so your company can charge a lot for your services so you can make more money too.
  • fabostrong Member Posts: 215
    That makes sense. As of now, they don't know exactly what it'll be...they're saying it should be pentesting and network hardening and general network/infrastructure security but they just don't have specifics yet. So at least for now, I get to pick the certs I want them to pay for.
  • NetworkNewb Member Posts: 3,298
    I'd probably say do the CEH > eCPPT > OSCP then. Possibly skipping the eCPPT if you're feeling ambitious. I saw your other thread about the CND cert and think it does look interesting. Can't say I've known anyone who has done it, but the outline of the topics it covers looks like it might be beneficial, knowledge wise. Which if you're not looking to jump to another company anytime soon is the most important factor imo (over the low recognition of the cert).
  • core22 Member Posts: 27
    I once resigned, was countered, and stayed for more $$. Following that decision I never felt the same level of trust, both for the company, and for how they saw me, and decided that I would not do that again.

    As far as the new company, perhaps ask that they pay full cert costs, but have an agreement signed by both you and their HR folks stating that if you leave before x number of months, you pay back the costs. Something else to consider is the salary vs hourly compensation. I don't know your situation, but benefits usually go hand-in-hand with salary, while limited benefits (or none) usually accompany hourly.

    Maybe not in title, but it sounds like you are doing security work today, such as domain administration. It may not be work that includes buzzwords like cyber or DLP, but it definitely counts toward security experience regarding CISSP requirements.
    CISSP | GPEN | GWAPT | GCIH | CEH | CHFI | Security+
    BS - InfoSec, Drexel University - Summa Cum Laude
  • p@r0tuXus Member Posts: 532
    core22 wrote:
    I once resigned, was countered, and stayed for more $$. Following that decision I never felt the same level of trust, both for the company, and for how they saw me, and decided that I would not do that again.

    I completely understand not accepting a counter offer and I can't really argue with the ramifications for accepting. However, it sounds like OP is in thick with his company, loves the culture and environment. They mentioned their only reason for wanting to go elsewhere was to pursue their interest and learning opportunities. If their current company is serious about setting up that kind of opportunity and they benefit, I see no reason not to stay. It wasn't a lack of loyalty on OP's part or a failure to provide adequate pay that was the motivating factor, it was a lack of opportunity. Sounds like a win-win if they stay. Provided the OP feels comfortable afterward, but should probably recognize they may be burning a bridge with that other company. Maybe get cert-reimbursement signed on paper from a manager?

    Good Luck OP!
    Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
    In Progress: Linux+/LPIC-1, Python, Bash
    Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE
  • fabostrong Member Posts: 215
    p@r0tuXus wrote:
    I completely understand not accepting a counter offer and I can't really argue with the ramifications for accepting. However, it sounds like OP is in thick with his company, loves the culture and environment. They mentioned their only reason for wanting to go elsewhere was to pursue their interest and learning opportunities. If their current company is serious about setting up that kind of opportunity and they benefit, I see no reason not to stay. It wasn't a lack of loyalty on OP's part or a failure to provide adequate pay that was the motivating factor, it was a lack of opportunity. Sounds like a win-win if they stay. Provided the OP feels comfortable afterward, but should probably recognize they may be burning a bridge with that other company. Maybe get cert-reimbursement signed on paper from a manager?

    Good Luck OP!

    Definitely this. I was leaving because I was trying to further my career or build my career in security. I had never brought up security since the day I interviewed here because I knew they didn't have it. When they told the CEO I was leaving to pursue security, he was like well hey, we're working on getting security services. That's the next project. Let him know that he can do security here and we'll pay for whatever certs he wants. Everybody here is pretty cool for the most part. I doubt there'll be any hard feelings cause of this.
  • fabostrong Member Posts: 215
    Hey, guys. I think I'm gonna go with the CEH since it's so expensive and good for HR. It's $700 just to take the test. But at the same time I wonder if I should worry about the HR aspect since more than likely I won't be leaving my company anytime soon. So idk...Still not 100% sure on that one. That and the eCPPT for the practical hands on knowledge. I know OSCP is worth more and probably better all around but I don't think I'd be ready for that one. Probably after eCPPT. I'm currently doing eJPT.
  • yoba222 Member Posts: 1,237
    fabostrong wrote:
    Hey, guys. I think I'm gonna go with the CEH since it's so expensive and good for HR. It's $700 just to take the test. But at the same time I wonder if I should worry about the HR aspect since more than likely I won't be leaving my company anytime soon. So idk...Still not 100% sure on that one. That and the eCPPT for the practical hands on knowledge. I know OSCP is worth more and probably better all around but I don't think I'd be ready for that one. Probably after eCPPT. I'm currently doing eJPT.

    I think CEH + eCPPT are good next choices for you.

    eCPPT: This is on my radar to do soon myself. The eCPPT looks to be about 4 times the content amount of the eJPT by my estimates. You'll probably learn a ton from it and $1200 is reasonable for your company.
    CEH: You get a shiny gold resume star at no cost to you. This is also on my distant "maybe" radar, solely for the allure of that shiny gold star.

    As far as worrying about the HR aspect--I think you definitely should. By "worrying" I'm assuming you mean continuing to strive to keep your resume the best possible despite the fact that times are good where you are now. By doing what you are doing, if for some unpredictable reason your work environment changes and goes sour, you won't be scrambling/stressed out. It will give you peace of mind and confidence to not tolerate that hypothetical bad workplace.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • fabostrong Member Posts: 215
    I've been going through the OSCP threads and I can't help but wonder if I should just go for it.

    The eCPPT and OSCP are about the same price.

    The OSCP while extremely hard is also extremely rewarding from what I hear. Not only that, it's also recognized and has a good reputation.

    The eCPPT isn't nearly as hard, isn't nearly as known, but does teach a lot from what I hear.

    I don't care to have the OSCP and the eCPPT. But I'm also wanting to finish in 3-4 months and not up to 9 months like I've seen some people have taken to finish the OSCP.

    I also hear the CEH is pretty easy after OSCP. I need to make a decision by tomorrow lol.
  • NetworkNewb Member Posts: 3,298
    fabostrong wrote:
    I also hear the CEH is pretty easy after OSCP.

    I'm sure it is. I think that is kinda like saying the Network+ exam is easy after getting your CCNP.

    I'd go CEH > OSCP.
  • fabostrong Member Posts: 215
    Thanks for all the input guys. I'm gonna go with the CEH for now. I'm currently on the site and can't get past the captcha to pay for it. Like wtf lol