Need helping chosing Security Certification

I'm looking for a security certification that will actually enable me to land a security related job. I have the Security+, and while it's nice, its basic enough that I'm still doing tech support (ugh) and not security (which is what I want to be doing). I know some certs require you to have security experience (which I don't have). I want a certification that will let me get my foot in the door into the security area.

Any suggestions?

Find more posts tagged with

Comments

ajs1976

My plan is to do Sec+, then MSCA:Security. I aleady have already taken a Citrix related security exam and i'm looking at another one next year.

JDMurray

cyberblade3001 wrote:

I want a certification that will let me get my foot in the door into the security area.

Information Security is a very broad field containing many specializations and certifications. The kind of InfoSec job(s) that interest you will determine what types of certifications you should pursue.

cyberblade3001

JDMurray wrote:

Information Security is a very broad field containing many specializations and certifications. The kind of InfoSec job(s) that interest you will determine what types of certifications you should pursue.

Long term I want to information security consulting (as in, go to a company, take a look around and suggest a plan for them to improve their security). I know that I can't expect to start there, so I'm looking for something that will allow to start working in the security area.

JDMurray

cyberblade3001 wrote:

Long term I want to information security consulting (as in, go to a company, take a look around and suggest a plan for them to improve their security).

The full business continuity planning consulting or risk assessment and management? Or do you only want to specialize in a particular area, such as physical security or network security?

cyberblade3001

JDMurray wrote:

The full business continuity planning consulting or risk assessment and management? Or do you only want to specialize in a particular area, such as physical security or network security?

I'm trying to focus more on just Information Security. I know that is a part of Risk Management, but I'd like to focus on just that. Also, I don't see choosing between physical and network security, as I feel that both are crucial elements to total Information Security. So both, as far as those two options are concerned.

Does that help at all?

cyberblade3001

ajs1976 wrote:

My plan is to do Sec+, then MSCA:Security. I aleady have already taken a Citrix related security exam and i'm looking at another one next year.

In order to get the MCSA:Security do you do the MCSA, then specialize or is it another route? Would this be a viable option for me to pursue given my goals?

JDMurray

You need an idea of the specific kind of infosec work that you are looking for. Just saying "I'm interested in information security" is really too general of a statement from which to determine the direction in which you need to proceed from the Security+. I don't want to point you to the CISSP/CISM/CISA path if you are more inclined towards the MCSE/CCSP/CEH route, and visa versa. There isn't a single, "best track" for security certs. It all depends on what your infosec career aspirations are.

You need to do work looking around on the information security-related job sites to get an idea of what kind of infosec work appeals to you. Once you know that, we can help you determine what security certifications are the best one for you to pursue.

Webmaster

cyberblade3001 wrote:

I'm trying to focus more on just Information Security. I know that is a part of Risk Management, but I'd like to focus on just that.

It's the other way around, Risk Management is part of InfoSec. The latter is - just like "I want to work in IT" - too general to focus on. Something you could do to get a better idea of what jobs fit in Information Security, or more important: jobs that would fit you, you could try one of the many online jobsites and search for available jobs (i.e. using certifications or typical infosec terms as keywords).

cyberblade3001 wrote:

I'm looking for a security certification that will actually enable me to land a security related job.

Without experience to back up the certification that is very hard. The reality is that most people don't start out in information security without having years of experience in general information technology - the systems that you want to secure. For example, many full-time firewall and IDS/IPS admins were once network administrators, the same goes for system admins becoming penetration testers.

But, it's not like you have an unlimited number of choices:

CISSP - definitely a certification that can lead to a job, but it's impossible to get the certification without having years of experience. If you would meet the requirements for this one, it would have been your best bet.

SSCP - Unfortunately not that well known as the CISSP nor as the following certs and will unlikely lead to a job, but also requires a year experience.

CEH - a specialist cert that can lead to a job but again only when you have plenty of relevant experience.

As you found out already, Security+ won't make you a security professional. It's a good one to have for virtually anyone in IT though and a good one to start with.

CCSP - Even though it's niche, Cisco's market share is huge. Especially CCSP is hot right now. Not as golden as CISSP, but definitely a winner if you want to enter the security arena. CCSP is a track of 5 exams plus you need to be a CCNA (1 or 2 exams) which would give you some time to 'gather' experience. If you are a CCNA or CCNP for example this is in my opinion your best bet. Obviously it focusses on the more practical aspects of information and network security so it may not suit the type of job you're looking for.

ajs1976's plan is also a good option. Although it can just as well be MCSE, or a current or future MCTS or MCITP. The reason why this is a good option is the experience issue I mentioned above - with several years of experience with Microsoft systems (or Cisco networks) your chances of getting a security professional job with the help of infosec certs will be much better.

There are others, such as SANS (expensive, good one if your employer wants to sponsor it). And Checkpoint certifications, which is also more suitable as an 'addition' to other certifications and experience rather than an entry ticket to the security arena. There's really no such thing, it's road you need to travel, with likely jobs and certifications along the way that aren't infosec-only.

Good luck with your decision!

cyberblade3001

JDMurray wrote:

You need an idea of the specific kind of infosec work that you are looking for. Just saying "I'm interested in information security" is really too general of a statement from which to determine the direction in which you need to proceed from the Security+. I don't want to point you to the CISSP/CISM/CISA path if you are more inclined towards the MCSE/CCSP/CEH route, and visa versa. There isn't a single, "best track" for security certs. It all depends on what your infosec career aspirations are.

You need to do work looking around on the information security-related job sites to get an idea of what kind of infosec work appeals to you. Once you know that, we can help you determine what security certifications are the best one for you to pursue.

Of the two tracks you listed I'd much prefer the former (the CISSP/CISM/CISA track). What would be a good starting place for that track? I realize that where I am right now (tech support) isn't going to help me much with that.

cyberblade3001

Thanks for your reply Webmaster.

I'm really hoping to avoid vendor specific certifications (if possible) though if thats what it takes to break into the security field I'll do it. It seems from looking around that the EC-Council certifications (CEH, ECSA, etc.) are probably my best option to start with-as they don't require experience in security. Should CEH, ECSA, etc. plus several years of general IT work be enough to get me into a security related position?

JDMurray

cyberblade3001 wrote:

Of the two tracks you listed I'd much prefer the former (the CISSP/CISM/CISA track). What would be a good starting place for that track?

Those certifications are typical in the management side of information security. Each of those certification requires actual industry experience to earn. You can study the objectives of the certification exams to get an idea of the type of knowledge required for a career in those field(s). You will also find that other, non-infosec learning, such as project management and accounting, will help you on the management side of infosec.

cyberblade3001

JDMurray wrote:

Those certifications are typical in the management side of information security. Each of those certification requires actual industry experience to earn. You can study the objectives of the certification exams to get an idea of the type of knowledge required for a career in those field(s). You will also find that other, non-infosec learning, such as project management and accounting, will help you on the management side of infosec.

Well, I'm planning on starting my MBA (probably with an MIS emphasis) within the next couple years. So that should help. I think for now I'll work with the EC-Council certifications that don't require experience.

Thanks for your help.

keatron

As JD pointed out already, we have to start looking at security just like we look at the medical field. Just saying I want to be a doctor is just the start, you also have to eventually decide what you want to specialize in (unless you want to be a general practitioner). In Infosec, you can view CISSP as somewhat of your "license to practice" kinda like having a license to be doctor. Then from there you'll need to decide what you want to specialize in, as it's almost impossible to be a master and regular practitioner of even the 10 domains. Now with those 10 domains, you can take one, like network and telecom security and even that one domain has it's own specialty areas.

IDS specialist, firewall specialist, penetration tester, forensics investigator, security assessments (not to be confused with penetration testing because they are different), just to name a few. Most people hear the term Infosec, and they automatically associate that with network and telecom security, but in reality it's much broader than that. I know people who do nothing but design and test physical security, they break biometric mechanisms, social engineer the heck outta people, and do tons of other things that require little or no knowledge of network or telecom security. The fact is, in most small and medium sized companies, the security team usually consists of one person (if they have that much), so this person by default becomes a general practitioner. This is good for getting "exposure" to different areas of security, but in most cases you won't be exactly proficient in either area. For example, there's not a lot of general security people (one man security teams), that can properly do a complete forensics investigation from start to finish. It requires in depth knowledge of certain tools, extremely in depth knowledge of operating systems, and file systems, and considerable knowledge of local, state, and federal laws and regulations. You'd be hard pressed to gain and maintain all of this without doing it on a regular basis. But in the real world there are common trends to how these different areas are broken up.

Network Security policy guys: Manager, CISO, sometimes the CIO (CISSP, CISM, CISA, other security management certs)
They usually come up with network security policies. They come up with policies that best protect the network and company resources. It is often mistakenly said that these guys don't have to know much about the actual technical side of things as they only make policies, but this is not always the case. In order to make policies that can actually be implemented on a technical level, you have to be aware of what's possible at the technical level. The best way to gain this knowledge is by actually "doing" it on a technical level. This is why I'm a fan of the policy guys being guys that have spent some time in the trenches. Often times you end up with wasted time as proposed policies go back and forth before something actually doable is produced. An example: Network Security Policy dude says "I think all TCP traffic from the outside should be blocked at the firewalls". Network Engineer says "Ahhhh, are you sure you mean ALL traffic?" The policy guy also has to be concerned with how security implementations affects functionality and availability as well (look up the CIA triad).

Network Security Engineer guys (CISSP, CEH, other vendor specific security certs)
They take policies or security requirements and engineer or design technical solutions that will make these policies an enforced methodology. This is the person that usually sends stuff back to the manager saying it's not possible, or it's not feasible. The security engineer will usually be very well versed and know a lot about current/available technologies. He would also be wise to have skills needed to test the strength of his designs before rolling them out in production. It's also helpful (if not a requirement) that this person have some vendor specific certs not security related. For example, if the company uses Cisco equipment, then this person needs to be very familiar with how this equipment works, and how it is configured. So CCNP, CCDA, CCSP would be helpful and probably even required if it were my decision.

Network Security Jr engineers, technicians, etc (Security+, Network+, Vendor specific security certs)
These are the people that will either be implementing or assisting with whatever implementation the engineer comes up with. If he's smart he'll always be wondering and asking why a certain design is this way or that way (so he can one day be an engineer). Or just blindly implement without having a clue as to why and never progress beyond assisting (in some circles it is required that you don't ask why, due to seperation of duties and "need to know" type situations).
Same goes here for the Cisco entry and mid level certs.

Network Security Analysts. (ECSA, Vendor specific IDS certifications and IPS certifications)
They might actually touch stuff and implement a little bit, but they mostly analyze logs (loganalysis), tweak IDS rules (remember a true IDS is passive so they can't screw up communications here much), decide when there's a breach or potential breach and other similar functions. Again, if Cisco equipment is in use, then the entry level certs that aren't related to security would be paramount here.

So now let's pretend your company has all these people in place, and IDS guys report a potential breach has happened. Now comes the other side, forensics and incident response guys.

Forensics Investigator (EnCE, CHFI, and other vendor specific forensics certs)
Since the IDS guys think there's an incident, but can't prove it, they need to forensics guys to pretty much 1. decide if there's indeed been a breach, 2. prove there's been breach, and 3. if there has been take steps forensically to ensure that a forensically sound investigation can actually take place and ensure that if prosecution turns out to be the desire of the company owner/owners, the case is not thrown out of court because of not following commonly accepted rules of evidence. This person might have to communicate and work with all the folks above to actually obtain certain logs (because the person configuring a router or firewall is the best person to ask where they configured the logs to be stored). He will certainly have to work closely with the CISO in order to get permission to get all this information in the first place. The days of the CISO saying to everyone on the security team "give this guy whatever he asks for" are long gone. In actuality the process is much more granular and tedious than that. In this person's case, knowing where logs are stored will only help his case and might even speed up the process if he can tell the security guys exactly where to look for what he needs. So knowledge of equipment logging and storing procedures can only help. Which is why I would again recommend knowledge of Cisco equipment if that's what the company uses.

Forensics analyst/examiner (EnCE, CHFI, and other vendor specific forensics certs)
This person would usually be in a forensics lab and would actually be the one examining all the collected information (or actually copies of it). He would be performing data carving, file system analysis, log validation and all kinds of other functions that would locate evidence to prove or disprove what the IDS guys initially thought happened.

Now keep in mind this is just the scratch of the surface of the network and telecom side. There might be an entire risk assessment or risk management team that does nothing but try and keep these things from happening by using quantitive and qualitive data to decide based on occurences and potentials what to spend on what, and where things need to be tightened down more. There might also be an incident response team or person that is responsible for deciding who deals with what and how it's dealt with when it happens. So the fact that the IDS guys report to the CISO he engages the forensics team should be something already planned by the incident response team in coordination and with the help of the rest of the security team. Often times the incident response person is temporarily called upon to be the "quarterback" of the entire security team as a whole, because during an incident they will probably become part of what's known as an incident response team that includes not just IT Security but other areas of the company as well (HR, PR, Accounting, Loss Prevention, etc.). Once this breach is contained, there could be an effort to get someone unbiased, that's not part of the company to regularly assess the security posture of the organization in hopes of minimizing the changes of a breach happening again. Enter the Penetration testers, security consultants, and security assessment guys. Understand these roles can all be carried out internally as well, but just like with auditing of financial records, it holds more weight when a third party does it.

This is certainly not intended to be a comprehensive post that spells out every possible position in Infosec, but it is intended to give you an idea of "how deep the rabbit hole goes".

Keatron.

sprkymrk

Keatron:

That last post of your belongs in a sticky or FAQ on Secuirty Certifications. Great post.

ajs1976

sprkymrk wrote:

Keatron:

That last post of your belongs in a sticky or FAQ on Secuirty Certifications. Great post.

I second that. Thanks for the info.

keatron

Done!!

Empathy

I'm in a similar situation to cyberblade3001.

I've only worked peripherally in IT for years now... I just recently left a finance job at a corporate-level hosting provider with the intention of starting a career in InfoSec. After years of finding the technology-related aspects of my job infinitely more interesting than the finance aspects

I finally decided to go for it and try to change careers (again - I have a music degree)

My plan is to start with Network+ (I'm pretty close to knowing that material already), then move on to Security+, then CCNA. From there I'm not sure whether it's more prudent to go for another vendor-specific InfoSec-related cert, like Checkpoint, or focus more on a specific OS track. I'm far more interested in the "big picture", than in narrowing my scope of expertise to a specific OS.

Anyways, thanks again for this thread. I have a lot of decisions to make, but I'm excited about the possibilities! I haven't felt like that in too long...

ajs1976

cyberblade3001 wrote:

ajs1976 wrote:

My plan is to do Sec+, then MSCA:Security. I aleady have already taken a Citrix related security exam and i'm looking at another one next year.

In order to get the MCSA:Security do you do the MCSA, then specialize or is it another route? Would this be a viable option for me to pursue given my goals?

You work on the MCSA with the plan of getting the specialization. The MCSA requires a client exam, to Windows server exams and an elective. the specialization requires the same first three exams and two 'restricted' electives. Any of these restricted electives will count as the elective for the MCSA.

vegetaholic

Wow Keatron,Great post man.

(I was referred by schluep)
It will really help me in understanding my future goals.

Darkwolf2054

Great post keatron! Was refered by shednik.

robertguess

JDMurray wrote:

cyberblade3001 wrote:

I want a certification that will let me get my foot in the door into the security area.

Information Security is a very broad field containing many specializations and certifications. The kind of InfoSec job(s) that interest you will determine what types of certifications you should pursue.

What are your views on ISC2 and ITIL. I hope this is relevant. I am new to the security arena of certification but highly interested.

JDMurray

robertguess wrote:

What are your views on ISC2 and ITIL. I hope this is relevant. I am new to the security arena of certification but highly interested.

ITIL is very strongly related to security management. I can see the CISSP, CISM, and ITIL being very good complementary certs to have. I've heard that the next revision of the CISSP exam will have ITIL questions on it too.

Computer idiot

Webmaster wrote: »

CCSP - Even though it's niche, Cisco's market share is huge. Especially CCSP is hot right now. Not as golden as CISSP, but definitely a winner if you want to enter the security arena. CCSP is a track of 5 exams plus you need to be a CCNA (1 or 2 exams) which would give you some time to 'gather' experience. If you are a CCNA or CCNP for example this is in my opinion your best bet. Obviously it focusses on the more practical aspects of information and network security so it may not suit the type of job you're looking for.

The equipment costs will be high if you go after the CCSP, and you're going to have to learn new technology and cabling. You can also do this with virtual equipment, but again, the learning curve will be steep if you're not already familiar with it.

onesaint

JDMurray wrote: »

You need an idea of the specific kind of infosec work that you are looking for... You need to do work looking around on the information security-related job sites to get an idea of what kind of infosec work appeals to you. Once you know that, we can help you determine what security certifications are the best one for you to pursue.

Sorry for bringing this thread back from the depths.

JD, can you list a few of those search boards? I'd like to nail down a direction into infosec as well, but with the vastness of positions its hard to know what to get into and frankly, what those positions actually entail (the example being the pentesting paper pusher).

kurosaki00

Besides Security+, what certification would give me a good ground/general cover in the subjects of security?

My area? Systems and Networking
Systems as in systems connecting through servers, server to internet etc
Networking if anyone know a sec cert that cover mobile technologies, would be awesome

help plz?

idr0p

kurosaki00 wrote: »

Besides Security+, what certification would give me a good ground/general cover in the subjects of security?

My area? Systems and Networking
Systems as in systems connecting through servers, server to internet etc
Networking if anyone know a sec cert that cover mobile technologies, would be awesome

help plz?

I would say look into, GCIH, GCFW, also CCNA Sec

idr0p

idr0p wrote: »

I would say look into, GCIH, GCFW, also CCNA Sec

Oh and GSEC

mightywarrior

I have a 4 months experience of working as a network engineer,i am employed in a mid sized enterprise so I am actually engaged in a multi-job role.I know this hardly counts as an experience. But I really want to get into information security field and I don't know how to get into that field with the kind of scenario i am in right now. Does experience really count for getting into a information security field and what are the certifications that are really required????? Please help me out....

afcyung

@ Mightywarrior Read the below thread.

http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html

mblu3

This is a great thread. Keatron's post is particularly useful.

My position is that I've worked in the IT Sec field for about 9 years having progressed from an IT support position in 2003 to a security analyst role and now a security manager. I have a CISSP and a Masters Degree. I completed some CCNA and MCP reading early on but don't hold the certs.

Having been in a management role for about 3 years now I've been hands off and feel that the technology has moved under my feet and I'm now out of date. I'm torn because the natural progression has been to management but I'm finding now that to continue to be effective I need to maintain my skills in the tech that I'm responsible for securing.

So I'm thinking of revisiting CCNA, possibly to CCNA: Sec, MCSE and then something on the virtualisation side of things. Ideally I'd like to do something project management related as well. I'm a little intimidated at the amount of work this is! Probably 2-3 years worth and not sure how realistic it is to maintain.

Anyone in or have been in this situation?

Any feedback welcome.

Cheers.