Security certification - where to start?
Spoonroom
Member Posts: 33 ■■□□□□□□□□
Hi
I want to get more involved in security. I currently have the following qualifications:
A+
MCP
MCSE
MCSA +Messaging
Network+
INet+
CIW-A
CNA
Linux LPI 101 & 102
What's a good security certification to start with?
Thx.
Comments
-
ajs1976 Member Posts: 1,945 ■■■■□□□□□□
Security+ or, because of your Windows background, MCSA: Security.
Andy
2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Agreed. Security+ is the typical starting point for security certifications. You can apply it towards your MCSA:S and MCSE:S, which you will need one and two additional exams for, respectively. It's really up to you what you want to do after that. There are several Cisco and Linux security certifications. You can also look into CEH, CHFI, SSCP, CISSP, etc. Read through the InfoSec forum to get a better idea of your options and go with what interests you.
-
Spoonroom Member Posts: 33 ■■□□□□□□□□
The MCSA: Security and Security+ seem a bit too basic and the CISSP too advanced, what's available in between those?
-
JDMurray Admin Posts: 13,090 Admin
The SSCP would be the next one up from the Security+ cert. The GSEC is also between the Sec+ and CISSP, but it's a very expensive cert, so I rarely mention it.
-
keatron Member Posts: 1,213 ■■■■■■□□□□
Spoonroom wrote:
The MCSA: Security and Security+ seem a bit too basic and the CISSP too advanced, what's available in between those?

Be careful with this assumption. I've had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. And by have it, I actually mean have it, not just pass the test.
I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I'd suggest getting some Cisco in there. And you must start with CCNA, then work the CCSP route (will not be easy, but worth it).
By this time you should be very ready to start preparing for the CISSP.
-
vegetaholic Member Posts: 38 ■■□□□□□□□□
Great, Keatron, I learned a lot from you.
You can't kill Java because he is sun of king C.
-
UnixGuy Mod Posts: 4,570 Mod
keatron wrote:
Spoonroom wrote:
The MCSA: Security and Security+ seem a bit too basic and the CISSP too advanced, what's available in between those?
Be careful with this assumption. I've had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. And by have it, I actually mean have it, not just pass the test.
I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I'd suggest getting some Cisco in there. And you must start with CCNA, then work the CCSP route (will not be easy, but worth it).
By this time you should be very ready to start preparing for the CISSP.

Hmmm, isn't this too long a way to earn a CISSP??
-
JDMurray Admin Posts: 13,090 Admin
UnixGuy wrote:
Hmmm, isn't this too long a way to earn a CISSP??
-
UnixGuy Mod Posts: 4,570 Mod
JDMurray wrote:
UnixGuy wrote:
Hmmm, isn't this too long a way to earn a CISSP??

Yes, I really enjoyed his previous posts, and the certs he has obviously speak for themselves.
The thing is, it sounds like a pure academic route. I mean, where's the work experience in that? The kind of experience that will make you a good candidate for CISSP? Or do we really have to go down the road of getting all these previous certs?
Thanks, JD Murray
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□
UnixGuy wrote:
JDMurray wrote:
UnixGuy wrote:
Hmmm, isn't this too long a way to earn a CISSP??
Yes, I really enjoyed his previous posts, and the certs he has obviously speak for themselves.
The thing is, it sounds like a pure academic route. I mean, where's the work experience in that? The kind of experience that will make you a good candidate for CISSP? Or do we really have to go down the road of getting all these previous certs?
Thanks, JD Murray

I don't think Keatron was in any way saying that practical experience is not a key factor in earning the CISSP, or any cert for that matter. He was simply showing a "Certification ladder" of progression. The OP asked for an intermediate certification between Sec+ or MCSE:Security and CISSP, so Keatron just addressed the varying levels and how one builds on the other.
All things are possible, only believe.
-
UnixGuy Mod Posts: 4,570 Mod
sprkymrk wrote:
UnixGuy wrote:
JDMurray wrote:
UnixGuy wrote:
Hmmm, isn't this too long a way to earn a CISSP??
Yes, I really enjoyed his previous posts, and the certs he has obviously speak for themselves.
The thing is, it sounds like a pure academic route. I mean, where's the work experience in that? The kind of experience that will make you a good candidate for CISSP? Or do we really have to go down the road of getting all these previous certs?
Thanks, JD Murray
I don't think Keatron was in any way saying that practical experience is not a key factor in earning the CISSP, or any cert for that matter. He was simply showing a "Certification ladder" of progression. The OP asked for an intermediate certification between Sec+ or MCSE:Security and CISSP, so Keatron just addressed the varying levels and how one builds on the other.

And there's a parallel practical experience associated with each cert. Hmmm, interesting.
-
muzzybee Member Posts: 2 ■□□□□□□□□□
Really, CISSP is the best in the business, but it is hard and I understand you need lots of experience to do exams.
I would prefer to get into either Cisco security or even software-based security, to get into specifics.
-
keatron Member Posts: 1,213 ■■■■■■□□□□
Thanks JD and Mark for jumping in and helping clarify.
For UnixGuy, think of it this way. Let's say you have 6 different certifications that all deal with 6 different areas of Information Security. Think of these as your 6 cans of Coke. Now think of the CISSP as the little plastic stuff that holds a six pack of Coke together. Take your 6 cans of Coke (your experience and other certs) and the little plastic stuff (your CISSP), add those together and you have a solid six pack that's held together well. For example, you might have a job as a firewall administrator. You might perform this job well for 6 or 7 years. However, you could be an expert firewall administrator, and not know squat about application security. In reality, the CISSP helps a security professional take all their years of experience, and certifications and FINALLY tie them all together and see clear relationships between it all. But there's the old saying "garbage in, garbage out". So in other words, if you are a person with only 1 can of Coke (minimal experience and minimal exposure to certifications), then the little plastic thing (CISSP) won't really do you much good, because you don't have any cans (experience and certs) to tie together. The CISSP is often described as a mile wide and an inch deep. But it should be understood that you don't go a mile deep because theoretically, you've already been 20 miles deep in several of the domains.
I always stress experience first, then certs. However, sometimes you need the cert, to be awarded the opportunity to get the experience. But I often recommend people in the security field get vendor specific certs related to operating systems or network equipment they may be responsible for securing. You can't possibly secure a large building if you don't know where all the doors and windows are. Additionally you need to know how to open and close these doors and windows. Same goes for systems and networks. Here are a few examples:
How can one possibly understand group policy if they've never implemented or at least labbed it out in preparation for MCSE? How could you know that group policies only apply to computers that are a member of the domain, OU, or site that group policy was applied to if you haven't done it, or again labbed it out? Not to mention you have to remember to give groups read and apply group policy permissions to the group policy object if it is to have any effect at all. If one doesn't understand these basics, then how could they possibly even start to secure a Windows based network?
How does Kerberos work (in Windows world)? What's sent in clear text and what's encrypted? How feasible is it for an attacker to forge a ticket and fool another device or computer in the realm to believing it's legit?
If you've never implemented a PIX or an ASA then how could you know what its default inspection rules for the FTP protocol are? We're taught that FTP uses ports 20 and 21 only. But is that actually accurate? Is it true that FTP actually uses dynamically allocated ports to actually do the data transfer part of an FTP session? How do the ASA default inspection rules allow for this? And if you know the answer to that, then what security concerns does this behavior and allowance or disallowance by ASA introduce or expose your organization to? Have you observed its behavior via Ethereal or some other analyzer or sniffer?
What about the bazillion other protocols you're forced to allow into your network? Are you sure DNS only uses port 53? TCP or UDP? Both? When you perform a query for a resource on the web, does the response to query come back in on UDP port 53? What about zone transfers? Is that via port 53 as well? TCP or UDP? Are these zone transfers in cleartext? If they are, what can you implement to encrypt these zone transfers? How do Checkpoint Firewall solutions deal with this behavior? (And saying it just works doesn't count). Are the ways in which it deals with this behavior introducing unique security considerations? Isn't it true that the biggest problem with firewall, IDS, and other mechanisms is that they act and behave in a very predictable manner?
How do NTFS file systems store data and files? What about NFS? FAT? What about ZFS? So how do ZFS and EXT2 differ in how they store and categorize data? From a confidentiality perspective, which is more feasible? If you haven't worked with these file systems you might not know the answers. However, getting certifications can expose you to this very information and at least give you some level of knowledge in those areas.
This list could go on and on. And obviously a CISSP that thinks they only utilize port 21 when they go to an FTP site and download files probably could have benefited from getting a little more experience (or getting more cans) before getting the plastic piece (CISSP) to pull it all together. Because pulling it all together with too few cans causes us to have huge "knowledge gaps" and therefore renders us less effective in our roles as information security professionals.
So UnixGuy, the above are some of the major reasons I suggest a path to the CISSP that's probably a little longer than what you normally hear. Thanks for reading. And I hope it helps.
Keatron.
-
UnixGuy Mod Posts: 4,570 Mod
keatron wrote:
Keatron.

Omg, wow!
Did I say that you are one of the reasons why I kept on viewing this forum for 6 months?
This is very very helpful indeed, and I do agree with you aggressively.
I met many certified people, who are good at passing exams, but they don't have a competent knowledge/experience. They know stuff, but they don't have the full picture.
I will definitely follow your advice. I will keep on pursuing certs and experience in my field (Solaris, Sun servers/storage, etc.). And only after getting acceptable knowledge/experience, I will shift to another field related to InfoSec. I will not think of CISSP, not now.
Thank you very much, Keatron!
-
bertieb Member Posts: 1,031 ■■■■■■□□□□
I agree, that's worthy of a sticky.
What a brilliant post! Thanks Keatron
The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
-
dave0212 Member Posts: 287
Ditto...
Fantastic post
As someone looking to enter IT Security it has given me a starting point to create a path to CISSP
Currently working on Security+ and enjoying it
This week I have achieved unprecedented levels of unverifiable productivity
Working on
Learning Python and OSCP
-
zenlakin Member Posts: 104
keatron wrote:
Spoonroom wrote:
The MCSA: Security and Security+ seem a bit too basic and the CISSP too advanced, what's available in between those?
Be careful with this assumption. I've had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. And by have it, I actually mean have it, not just pass the test.
I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I'd suggest getting some Cisco in there. And you must start with CCNA, then work the CCSP route (will not be easy, but worth it).
By this time you should be very ready to start preparing for the CISSP.

Just to follow up with what you said Keatron, I figure it is about time I do some of these security certs and was curious if you still recommend someone to go through the MCSA: Security if they don't have any Microsoft certs currently? I was thinking of doing the certs you have listed in order but skipping the MCSA altogether. I am not a big fan of Microsoft products or their curriculum and in my current SOC where I work we use mostly Linux flavors for our workstations and all of our main servers are Linux.
-
shednik Member Posts: 2,005
zenlakin wrote:
Just to follow up with what you said Keatron, I figure it is about time I do some of these security certs and was curious if you still recommend someone to go through the MCSA: Security if they don't have any Microsoft certs currently? I was thinking of doing the certs you have listed in order but skipping the MCSA altogether. I am not a big fan of Microsoft products or their curriculum and in my current SOC where I work we use mostly Linux flavors for our workstations and all of our main servers are Linux.

I don't think it would hurt to have the MS knowledge. Not sure of all the duties that are entailed in the SOC, but having the knowledge when providing any type of service will definitely help out overall. Like keatron said, you can use that as one of your cans of Coke.
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
While I agree with what Shednik says, you also need to focus on what you're working with now and what interests you. I believe the point Keatron was making was simply that you need to develop a variety of skills. I don't think that was intended to be a set-in-stone path to follow. Both Sun and Red Hat offer security specializations, so you might want to consider those if you're a *nix guy. I'm sure one of those would be an acceptable substitution for the MCSA:S. However, given the prevalence of Windows, you should strive for some MS certifications at some point.
-
shednik Member Posts: 2,005
By all means, I didn't mean that it was something that needed to be done... I just think, IMHO, that to be a really well-rounded security professional it doesn't hurt to at least have a solid MS foundation, but on the contrary I think having a strong *nix background/foundation is even more important because of how much more you can do with different tools and such. I'm only scraping the surface of my journey through security. I decided to stray away from MS for now and knock out some Linux experience, then return to finish at least my MCSA since I only need 2 more exams. Sorry if that came off the wrong way.
-
keatron Member Posts: 1,213 ■■■■■■□□□□
dynamik wrote:
While I agree with what Shednik says, you also need to focus on what you're working with now and what interests you. I believe the point Keatron was making was simply that you need to develop a variety of skills. I don't think that was intended to be a set-in-stone path to follow. Both Sun and Red Hat offer security specializations, so you might want to consider those if you're a *nix guy. I'm sure one of those would be an acceptable substitution for the MCSA:S. However, given the prevalence of Windows, you should strive for some MS certifications at some point.

Absolutely. Obviously, if you want to get into security, it's wise to learn how to secure something you already know. I made the point of it being impossible to secure something if you don't really know how that something works in the first place. In other words, how can you physically secure a building that has 100 doors if you only know that 20 of the 100 doors even exist? So if you already have Unix knowledge, then certainly that's probably a good place to start.
-
coffeeking Member Posts: 305 ■■■■□□□□□□
Keatron, thanks for a very detailed post. I had been thinking about starting a forum where I was going to ask you for some advice, not anymore, you said it all. Thanks for the time you put in to write such forums.
-
Pash Member Posts: 1,600 ■■■■■□□□□□
That's a great analogy again keatron, inspires me for my studies.
But those Cokes are full fat Cokes, yeh? No girly diet Cokes with lemon or lime twists?
Cheers!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
-
zenlakin Member Posts: 104
Just to follow up on this thread, if someone wanted to follow this path and doesn't yet have Network+, would you guys recommend getting the Network+ before moving on to the Security+?
-
dynamik Banned Posts: 12,312 ■■■■■■■■■□
zenlakin wrote:
Just to follow up on this thread, if someone wanted to follow this path and doesn't yet have Network+, would you guys recommend getting the Network+ before moving on to the Security+?

I guess it depends on your current level of networking knowledge. Could you tell me which ports on a firewall would be required to be opened for HTTP and SSL? Do you understand network-related command-line utilities, such as netstat? You can get through the Security+ with a fairly rudimentary level of networking knowledge. You're not going to have to do subnetting or anything like that. If you're feeling shaky, you should probably start with the Network+.
Here's the official word from CompTIA:
CompTIA wrote:
Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years on-the-job networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended.
http://certification.comptia.org/security/
-
Bill Kaster Member Posts: 94 ■■□□□□□□□□
keatron, you are my personal Jesus Christ.
Love,
Bill
Starting my CCNA journey!
-
Computer idiot Member Posts: 46 ■■□□□□□□□□
Be careful with this assumption. I've had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. And by have it, I actually mean have it, not just pass the test.
I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I'd suggest getting some Cisco in there. And you must start with CCNA, then work the CCSP route (will not be easy, but worth it).
By this time you should be very ready to start preparing for the CISSP.

This is all great advice - assuming that one has an unlimited amount of time to pursue certifications. Some of us aren't necessarily in too much of a rush to get something, but we don't want to spend years at it, either. 1-3 good certs are valuable enough for most of us.
-
goforthbmerry Member Posts: 244
I think the CISSP is one of those certs you get if you are going to be a network security professional. This is not a cert for someone who just wants to knock out one or two quick exams and get just some sort of IT job. This exam is for someone who is going to get into the industry, decide on security as their path and pursue it on a professional level for the long haul. The certs you take in your path to the CISSP are just part of your professional development whether it be Microsoft, Linux, or a Cisco path (most careers involve a mixed path). You don't get to just take the CISSP. You have to show that you have years of network security experience. It is in my plan as well. Of course, my goal is to be a CISO one day.
Going for MCSE:security, Intermediate ITIL, PMP