After security+ what is the next step up?

Matt_Smi

From what I understand Sec+ is considered to be an entry level security exam, although it is still difficult. But once one has obtained it what would be the next logical sec exam to take? Would it be CEH?

keatron

It would in part depend on where you want to end up. I would suggest either gaining some level of expertise in an OS area first, whether it be Linux, Unix, Windows or whatever OS you currently have experience in. For example maybe MCSA:Security to start with, then look at C|EH. The fact of the matter is, to truely be effective when it comes to penetrating a system, intimate knowledge of that particular system is key. I started with Linux security, so jumping to Windows security was a smooth transition. Do the same with networking. For example, gain some experience/knowledge with Cisco routers and firewalls. Then either obtain respective certs in that area, or at the least, aquire the knowledge required for those respective certs. Examples would be the Cisco Pix/ASA specialist stuff.

Bottom line, trying to understand the security of any OS or device without first understanding the workings of that OS or device puts you at a severe disadvantage and even makes you as the attacker/pentester/security professional vulnearable. Imagine trying to do a physical security recommendation for convention center without seeing and understanding a blue print of the place and knowing where all the doors are. And to top it off, you have no idea how human traffic flows in, out, and through the place. I've seen a many pentests fail horribly simply because the tester lacked sufficient knowledge concerning the particular system he/she was trying to attack.

Also you really need to decide if you're going to be a generalist, or a specialist. I'm seeing the IT security industry do like the medical field and branch off in to areas of speciality. IDS/IPS, Peremiter Security, Windows Security, Application Security (databases, OS's, web app, etc), Firewalls, or Forensics, just to name a few. Here's a couple of recommendations I have.

1. MCP (270 or MCDST)

2. MCSA (Security+ as one of your electives)

3. MCSA:Security

4. MCSA:Messaging (Messaging security is a concern)

5. MCSE (understanding the processes and considerations engineers go through when designing an infrastructure and AD environment has proven to be valuable to me more than once, while conducting pentests.)

6. CWNA - If you're going to be taken seriously, you need to know something about wireless (other than how to setup the linksys you bought from Bestbuy)

7. SSCP (If you meet the experience requirements by this time)

8. CISSP (If you meet the experience requirements by this time)

9. C|EH (C|EH fits nicely as an add on to CISSP as in getting more specialized. People forget that CISSP is a very generalized cert. By now you will have started to either conduct, participate in or oversee pen tests) The management slant of the CISSP will equip you for always seeing the big picture in theses tests and assesments, while the C|EH knowledge will prove helpful in laying out a tactical pentesting methodology for your team.

10. CWSP - Again wireless, wireless, wireless.

11. CHFI- Forensics is rapidly growing, and you as a pentesting professional need to know what the forensics teams will be looking for. This does wonders in helping you "cover your tracks"

Now keep in mind, this order DOES NOT reflect cert popularity or respect. If you have acces and/or experience with Cisco gear, you can stop right at number 5 and head off into the wild red yonder of the CCSP (and you'll certaily need to be on the Cisco forums with Mikej, darby, kenny and the rest of the experts there)

My question to you would be what about security interests you and what about it makes you feel you'd be successful in this field?

Just a hint to all job seekers out there, this is one of my favorite interview questions.

Slowhand

I definately agree with keatron on this one, go and get up to speed on the types of systems you want to work with. (Well, when dealing with security, there's really no such thing as too much knowledge, so getting up to speed on a lot of things, not just what you want to do, might be a good idea.)

I think the advice I got about where to go once I'm in my post-CCNA era says it best: "Go for CCNP before you do the CCSP. I know you want to do security, but you gotta know the network before you harden, or someone else will know it better than you.) I think it was good advice for me, and I'd say it's not a bad idea for anyone who wants to be a security professional. MCSE, CCNA/CCNP, LPIC, RHCE. . . all good things, especially if you're looking to secure those same types of networks/systems.

veritas_libertas

Just looking over this thread again and decided I would bump it since we keep getting so many question about what to do after the Security+.

Thanks again Keatron...

**bump**

impelse

Good post Keatron, there is not short way.

dynamik

Related post: http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html#post205636

One of the first things I did after joining TE was reading every one of Keatron's posts. Seriously.

Super99

Then I'd say look into MCSE or maybe the Cisco certs?

veritas_libertas

dynamik wrote: »

One of the first things I did after joining TE was reading every one of Keatron's posts. Seriously.

Same here! I time to time (like today) go through and read his posts to keep my education plans sensible.

twodogs62

I'd think it would be depend on what you want to do and want to specialize.

Maybe more advanced security certs?
SSCP
CISSP
GSEC
CEH

Maybe other certs to round out your knowledge:
Microsoft
Linux
CCNA

I'm kinda looking more at specializing at Linux so,
LPI
SANS - Linux security
Novell's Linux certifications
Red Hat

Also specializing in Identity Management and Directory services.

Paul Boz

You will not get very far into IT if you don't have a traditional skillset to supplement the security knowledge. You have to know how to build something before you can secure it. If you're a host/server guy start on some entry-level Microsoft certifications. If you lean towards networking, start on the Cisco track. You'll need a certain level of experience for many of the higher-level security certs so you really need to get these foundation skills to be able to get that experience.

For some perspective, I started in IT focused 100% on networking and Cisco technologies. I was able to leverage this knowledge to get into employment positions which allow me to have an impact with security. If you don't have any experience in traditional IT what can you really do with security? You can't be any good at penetration testing if you don't know about servers and the networks they're connected to. You can't audit an IT environment if you don't know anything about how IT environments are supposed to be set up.

After being in security for a while now I've come to realize something: If you don't have the experience or knowledge to back up security training, you don't really know anything. There are two types of security practitioners out there: Those that live in the real world and make impactful statements, and those that live in the fantasy world of text books.

GAngel

PHD = Piled higher and Deeper (after BS = Bull..., MS = More of the Same...)

Oh and security sucks donkey balls most days. I was promised glamour and prestige I got reports and lectures.