Security certification - where to start?

13

Comments

  • v_infosecv_infosec Member Posts: 15 ■□□□□□□□□□
    Could anyone tell me is MCSA:Security and MCSE:Security certifications retired? If they are, what are other alternative Microsoft certification with security concentration. I need a full explanation please. I have been on MS website and I seem not to find any info regarding MCSA/MCSE: security.

    I would appreciate if Kreaton , JDMurray will comment on this post and have it broken down for me.

    I want to follow kreaton's advice on

    Security+
    MCSA, MCSE
    CEH
    CNNA/CCNP:security
    SSCP

    If MCSA/MCSE: security are retired? What do you suggest I do to follow the above plan sequentially?


    Thanks for your response.

    MIke
  • itsgonnahappenitsgonnahappen Member Posts: 95 ■■■□□□□□□□
    Tagging this post for reference. Keatron props +1.
  • nandan.phiranginandan.phirangi Registered Users Posts: 2 ■□□□□□□□□□
    I am CCNA Certified and have 2 years of experience in Network Monitoring and troubleshooting field.


    I have interest in Information security. I am planning to pursue CEH.


    But I don't have any experience in Info. Security.


    Please advise Keatron or any experienced security professional if I should go for CEH .
  • Master Of PuppetsMaster Of Puppets Member Posts: 1,210
    A little more info would be useful but the CEH will definitely increase your chances of getting a job.

    Do you know the area you wish to get into?
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • JustFredJustFred Member Posts: 678 ■■■□□□□□□□
    I just wanted to say thank you all for this post. It gave me ideas on the path to follow as a network engineer who also wants to have a solid background in security since I'm starting to deal with firewalls and security a lot.

    It's great when people share their knowledge with others. Some people seem annoyed just by asking them a simple question or some guidance. It's a shame these people do not realize they were once novices too.
    [h=2]"After a time, you may find that having is not so pleasing a thing, after all, as wanting. It is not logical, but it is often true." Spock[/h]
  • Master Of PuppetsMaster Of Puppets Member Posts: 1,210
    JustFred wrote: »
    I just wanted to say thank you all for this post. It gave me ideas on the path to follow as a network engineer who also wants to have a solid background in security since I'm starting to deal with firewalls and security a lot.

    It's great when people share their knowledge with others. Some people seem annoyed just by asking them a simple question or some guidance. It's a shame these people do not realize they were once novices too.

    That's great to hear! Just a little side note on the annoyed people you are talking about - a lot of people, especially in infosec, get retarded questions on a daily basis by people who want to become an ethical hacker but can't tell the difference between a computer and a fridge(people who have no idea what it is and say they want it because it sounds cool and everyone else is doing it). Or people who want to take an easy way and continue to ask stupid questions even when you have explained to them that you can't join Anonymous after 3 months of studying hacking.

    I just wanted to point out the some of these people in some circumstances, should not be blamed for not wanting to deal with it all. However, it is an entirely different story when someone wants to begin/advance in a certain field, knows what he is doing, has ambition and a desire to learn, improve and get better. In other words - like many people on this forum. It really is a shame when people deny individuals like that advice. Knowledge should be shared and I have always tried to help someone if I am competent enough on the subject. But we should bear in mind that some people do not deserve help as much as others.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    a lot of people, especially in infosec, get retarded questions on a daily basis by people who want to become an ethical hacker
    When people ask me how to get a job doing pen testing, ethical hacking, digital forensics, etc. I first ask them why they think they would like to do that for a living. Most answers I get usually involved the perceived notion that the money is very good or that it's a really fun/kewl job to have. I tell them it's also about long hours, hard travel, boring and tedious investigations, business meetings with customers, and generating lots and lots of documentation. I also recommend that they find people who actually work in those jobs and ask them.
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    JDMurray wrote: »
    Most answers I get usually involved the perceived notion that the money is very good or that it's a really fun/kewl job to have.

    Yeah - One of my boss's go-to questions in interviews is, "why security?" - The last guy said "because it's big right now.."
  • Master Of PuppetsMaster Of Puppets Member Posts: 1,210
    This is part of the point I was trying to make.
    JDMurray wrote: »
    When people ask me how to get a job doing pen testing, ethical hacking, digital forensics, etc. I first ask them why they think they would like to do that for a living. Most answers I get usually involved the perceived notion that the money is very good or that it's a really fun/kewl job to have. I tell them it's also about long hours, hard travel, boring and tedious investigations, business meetings with customers, and generating lots and lots of documentation. I also recommend that they find people who actually work in those jobs and ask them.

    I'm sure the people who are asking you for advice are quite fortunate because I have no doubt it will be of the highest quality. I have a tremendous amount to learn and I am nowhere near as experienced as you but when someone asks this, I too try to sneak the question about their motives and expectations. A lot of times someone perceives this negatively and assumes I am not willing to help while my goal is the exact opposite - I think a serious desicion like that should be informed and not made for the wrong reasons. This is what I did when I was around 15. I researched every aspect of the job for a long time before deciding this is what I wanted to do. Many people think that you sit in front of a black terminal with green letters all day but as we know this is not the case.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • JustFredJustFred Member Posts: 678 ■■■□□□□□□□
    Thanks for the reply.

    I ordered a security+ book, then i found this thread and I'm happy i did. I will work on getting a solid security background on a CCNP like level and also help others along the way who will most likely end up in the position I'm currently in one day.
    [h=2]"After a time, you may find that having is not so pleasing a thing, after all, as wanting. It is not logical, but it is often true." Spock[/h]
  • lukingluking Banned Posts: 46 ■■□□□□□□□□
    This is an awesome thread, kudos to all who spent time posting the useful information.
    I too am thinking of moving into info/web security and ultimately aspire to land jobs that pay north of 120K+.
    I guess that means I must become a CISSP or CCIE. Are there any other top notich certificates that can get me 120K+?
    Secondly, I have about 15 years experience in help desk environment. I am msce in win NT/2K/MCDBA. I never worked directly in network administaration although I do have "peripheral IT and Network" experience while poking with clients' networks during troubleshooting etc.
    So what would be ideal path for me to start to acquire some:
    A. Certifications
    B. Real life security related knowledge

    I was thinking for starting with ccna and then ccnp but please suggest what you think is best path to above.
    Thanks in advance.
  • chopstickschopsticks Member Posts: 389
    blaker00 wrote: »
    Good security engineering route depends on what you want to specialize in. I've seen way too many people that memorize nist 800-53, iso 27000, itil, cobit... and claim they are security engineers. These people are not security engineers, they are auditors or security managers.

    if you are looking to become a well rounded security engineer this is what you should know.

    Offensive security: Scripting(python,ruby), Programming(C, Assembly), Javascript, PHP, Metasploit, sqlmap, Burp-proxy, SQL, OSCP/E, ollydbg, pydbg, etc...

    Defensive security:
    • Network Route: CISCO, JUNIPER, CHECKPOINT, MRTG, SOLARWINDS- NAC, AAA, VPN, SSL, AES,SHA,MD5. Understand the difference between a hash and encryption. CA, Wireshark, TCPdump, Network segmentation, Architecture roles. Understand Next gen Firewalls such as Palo Alto's, Understand IPS such as Snort, SIEM, wLoadbalancing(f5,citrix). Bluecoat,Riverbed,Netscaler type products.
    • System Route: Linux(RHCE), Microsoft(MCITP), Mcafee EPO, Nagios, CLAMAV, Websense or other DLP, Qualys, nexpose, SQL, NOSQL, you should probably understand concepts of NIST 800-53 and ISO27000, Certificate Authorities, Active Dir., Puppet
    • Manager : ISO27002, NIST 800-53,34, COBIT, ITILv3, CISSP,CISM,CISA. Not very active in technological side more interested in Confidentiality Integrity Availiability. Gets really in depth with security access and flows. Very interested not just in technology(logical) but also Physical and Administrative
    • Programming : Learn SQL injections, Web-app security(web application hackers handbook 2), know everything I've written for Offensive security plus know agile, waterfall, etc different methods of application creation. Best bet for this path would be learn assembly x86 and 64. Learn how to create APT and end up working as a malware or security researcher
    Good luck, takes a very long time and a dedicated person to become a sec engineer

    Thanks for your guidance. :)
  • lukingluking Banned Posts: 46 ■■□□□□□□□□
    Well, anyone?
    luking wrote: »
    This is an awesome thread, kudos to all who spent time posting the useful information.
    I too am thinking of moving into info/web security and ultimately aspire to land jobs that pay north of 120K+.
    I guess that means I must become a CISSP or CCIE. Are there any other top notich certificates that can get me 120K+?
    Secondly, I have about 15 years experience in help desk environment. I am msce in win NT/2K/MCDBA. I never worked directly in network administaration although I do have "peripheral IT and Network" experience while poking with clients' networks during troubleshooting etc.
    So what would be ideal path for me to start to acquire some:
    A. Certifications
    B. Real life security related knowledge

    I was thinking for starting with ccna and then ccnp but please suggest what you think is best path to above.
    Thanks in advance.
  • kandy2905kandy2905 Registered Users Posts: 1 ■□□□□□□□□□
    Hi everyone , i am new here so i needed some help from security gurus. I have recently completed masters in information systems and wanted to do some certification in information security or network security
    1. Which has better job opportunities and good salary.
    2. If i wanted to do CCNP security, what is prerequisite like i first have to do CCNA or CCNA security

    I have no experience

    Thanks
  • auxiliarypriestauxiliarypriest Member Posts: 59 ■■■□□□□□□□
    Yes, CCNA Security would be the prereq for CCNP Security. To be eligible for CCNA Security you would either need to be a CCNA RS or a CCENT.
    2020 Goals: [x ] C|HFI [x] CySA+ [x ] MSCSIA
    Connect with me on Linkedin, just say you're from TechExams
  • bradl3yCbradl3yC Member Posts: 67 ■■■□□□□□□□
    Keatron,

    What would you recommend currently in place of MCSA:Sec? I read in an earlier post that its all wrapped up into another exam. The exams I have found are the 410-412 and that is specifically Server 2012

    Thanks for your advice
  • enterityenterity Registered Users Posts: 1 ■□□□□□□□□□
    Hi,


    I am in a little bit different situation comparing to most of the people that shared their questions above. I have picked more business/managerial path related to service delivery management in Security area. Out of all technical certificates have only ITIL. I am not planning to move to any security related technical role where hands-on skills are crucial.

    What certificate would you recommend in my case?


    CISSP sounds like a perfect solution but still do not have enough experience (so would become "Associate") and it would probably be a huge challenge for me, as I do not have security background - I am not afraid of learning, just trying not to bite more than I can chew.


    Have been also considering Security+ as a staring point but maybe it would be just a waste of money? I do not want to get the certificate just to have one, but to make myself study in a more structured way and have a clear goal. Would I learn more if I took Security+ before taking CISSP or would it be more reasonable to go directly to CISSP as there is some overlap and I want to do it anyway? I know Security+ would give me 1 year experience waiver for CISSP so for sure that is a benefit.


    Starting with SSCP does no make too much sense to me as I have heard the overlap is so big it is better to learn a little bit more and pass CISSP.


    Or maybe you would recommend any other certificate that would work better in my situation? I am sure it would be best to pass all of them staring for instance from CCNA/Network+ to build strong background but don't want spend my life chasing after certificates, one after another and would like to focus only on those that make most sense.


    Thank you for any suggestions.
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    I would start out by studying the Security+ material. Not having formal experience in the fields of Information Security, you may not be sure if it's of any interest to you for a career track. Security+ will give you an idea of the many areas of knowledge that you must have to be a well-rounded information security practitioner. If you find InfoSec not to your liking, you can pivot into some other area of technology for your career that is more to your interests. If you do find InfoSec material appealing, you can then decide to go on and get the Security+ cert (recommended for the knowledge and resume) or going instead for the SSCP or CASP. Jumping straight to the CISSP is recommended for someone that already meets the education/experience requirements for full CISSP certification.
  • TK1799_stTK1799_st Member Posts: 111
    This COMPTIA Roadmap is very helpful:

    https://certification.comptia.org/docs/default-source/downloadablefiles/it-certification-roadmap.pdf?sfvrsn=2

    See the top section for IT Security Certifications
  • eth0eth0 Member Posts: 86 ■■□□□□□□□□
    TK1799_st wrote: »
    This COMPTIA Roadmap is very helpful:

    https://certification.comptia.org/docs/default-source/downloadablefiles/it-certification-roadmap.pdf?sfvrsn=2

    See the top section for IT Security Certifications

    +1 but there is no companies like OS, eLS etc
  • SuramyaBakshiSuramyaBakshi Registered Users Posts: 2 ■□□□□□□□□□
    Hello everyone,

    I am new to techexams and Infosec. I have read many threads here (Keatron's coke can analogy) and some other blog posts (e.g Lesley Carhart's) about how to proceed your career in Infosec with the help of certifications and my sincere thanks to everyone. But I think each one has a different situation (or atleast think they are in), so let me ask you all experts on how should I proceed in terms of certifications.

    My background: I worked in software development for around 5 years and recently moved to Infosec exactly a year ago. I work as an Identity Access Management consultant deploying/enhancing new or existing IAM solutions.Also I have a Masters degree in CS.

    My Goal: I want to see myself in managerial/leadership role in IAM or other infosec projects. As far as I understand CISSP would be my goal 3-4 years later when I attain the required experience.

    So what certifications can help me in short term for IAM and long term for infosec overall?

    Thanks.
  • Charper0873Charper0873 Registered Users Posts: 2 ■□□□□□□□□□
    CyberSEC First Responder (CFR) is a must add to your list.
  • SuramyaBakshiSuramyaBakshi Registered Users Posts: 2 ■□□□□□□□□□
    Thanks @Charper0873. Is CFR a basic level certificate or is it something parallel to Security+ and other certification path?
  • martyn747martyn747 Member Posts: 5 ■□□□□□□□□□
    Hello all. Like Suramya above I am looking to move my career into InfoSec and this forum has been invaluable to my research over the last year or so. Please could I get some up-to-date advice and also as I am in the UK, some UK relevant advice? :)

    Unlike most here I do not have a technical background. I have grown up with computers and have always been technically adept. I regret with hindsight not taking a computer science related degree, but I saw my life going a different way and I studied a non-technical degree. I have 7 years experience in law enforcement and I am looking to change career into information security/risk management in the private sector. I am completely dedicated to this, and I hope that if I gain technical qualifications combined with all of my transferable skills from the police force (risk assessment, project management, counter terrorism training, high attention to detail, the list goes on), hopefully an employer will give me a chance.

    The amount of courses and certifications available out there are a minefield and its hard for an outsider to set a pathway in stone.

    I am currently studying for my Network+. I also have booked a ISO27001 Certified ISMS Foundation training course through ITGovernance.

    Any advice on what I should do next after that? I was thinking Security+. I see myself more in a consultancy/project management career than purely technical but all of the vacancies I've looked at require technical knowledge and qualifications.

    Of interest, have any of you made successful career changes to InfoSec from the police or any non-technical background? It would be great to hear some constructive advice.

    Thanks for your time, I really appreciate it.

    Martyn
  • martyn747martyn747 Member Posts: 5 ■□□□□□□□□□
    Any input at all, no matter how slim? :)
  • zcarenowzcarenow Member Posts: 110
    i've doing windows systems admin work for a while and was interested in knowing what basic security certification do i need to study? thoughts? thanks.
  • zcarenowzcarenow Member Posts: 110
    JDMurray wrote: »
    I would start out by studying the Security+ material. Not having formal experience in the fields of Information Security, you may not be sure if it's of any interest to you for a career track. Security+ will give you an idea of the many areas of knowledge that you must have to be a well-rounded information security practitioner. If you find InfoSec not to your liking, you can pivot into some other area of technology for your career that is more to your interests. If you do find InfoSec material appealing, you can then decide to go on and get the Security+ cert (recommended for the knowledge and resume) or going instead for the SSCP or CASP. Jumping straight to the CISSP is recommended for someone that already meets the education/experience requirements for full CISSP certification.

    I am a windows systems admin. So security+ is what you recommend for newbies? What exactly is a security+ certification? What are the best books/learning materias to start off with? Thanks.
  • ElpecaElpeca Registered Users Posts: 1 ■□□□□□□□□□
    Great advice from Stephen Covey's 7 habits of successful people. Unless you know where you are headed how can you know where to start? If it's a particular job you have as your goal then I recommend you look at what that job requires and work backwards from there to find your start point. This may save you setting off on the wrong path.
  • RitualRitual Member Posts: 66 ■■□□□□□□□□
    eth0 wrote: »
    +1 but there is no companies like OS, eLS etc

    eth0 I'm curious, you have all the certifications I hope to get in the next couple of years.

    what do you do for employment if you don't mind sharing.

    also what are your goals now as far as certifications? you going to get into more reverse engineering type certifications like the OSCE eventually?
    2016 goals - eJPT, MCSA Windows 10, something Linux
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    zcarenow wrote: »
    What exactly is a security+ certification? What are the best books/learning materias to start off with? Thanks.
    I recommend reading our Security+ discussion forum and Security+ info page. ;)
Sign In or Register to comment.