Advice Needed: Solaris And Security

Hey guys, I am an old reader and newly registered

To be brief,

I have a humble experience in Sun Solaris, and there's a security certification in Solaris SCSECA , which I can take anytime soon.

I seek your advice on how to combine Solaris (and Unix in general) experience with security experience ???

and what good is it to have CISSP with Solaris experience ??

I mean, you security guys, do you see it a good combination to have both knowledge ??

of course from Unix Engineering/Design point of view, it's a big plus to have security background. But is there any rewarding specialization there ??

Im thinking of Security+ then CISSP, is this good ? do you have any other suggestiongs??

Find more posts tagged with

Comments

sprkymrk

Hi Unixguy, welcome to the forums.

I don't actually have an answer for you, but thought I'd bump your topic so it doesn't get buried. Sundays can be a little slow. Let's see if Keatron (Security Moderator) or one of the other guys can give you some pointers.

dynamik

Are you working with Solaris now?

Security is a critical component of IT. Gaining security knowledge and experience will do nothing but help you.

The CISSP is a very well-respected cert, and looks great just on it's on. It'll definitely compliment your other certifications. Keep in mind that they have a 5-year experience requirement. You can knock a year off of that with a qualifying certification, like the Security+, and another year with a qualifying degree. The SSCP is something else you may wish to consider; there is only a 1-year requirement for that.

If you don't have a great deal of security experience, the Security+ is a great place to start. Although, you could probably go right to the Solaris security specialization without too much trouble, given your background.

It would probably help to give a more complete description of your background and what your ultimate goal is.

Just out of curiosity, what did you use to prepare for the Solaris certifications? I have the SCSA book by Sanghera. Any other suggestions?

shednik

dynamik wrote:

Are you working with Solaris now?

Security is a critical component of IT. Gaining security knowledge and experience will do nothing but help you.

The CISSP is a very well-respected cert, and looks great just on it's on. It'll definitely compliment your other certifications. Keep in mind that they have a 5-year experience requirement. You can knock a year off of that with a qualifying certification, like the Security+, and another year with a qualifying degree. The SSCP is something else you may wish to consider; there is only a 1-year requirement for that.

If you don't have a great deal of security experience, the Security+ is a great place to start. Although, you could probably go right to the Solaris security specialization without too much trouble, given your background.

It would probably help to give a more complete description of your background and what your ultimate goal is.

I'd definitely have to agree with dynamik here, unless you have a heavy background with security already I'd start with Security+ and the Sun Security Cert best of luck to you!

dynamik wrote:

Just out of curiosity, what did you use to prepare for the Solaris certifications? I have the SCSA book by Sanghera. Any other suggestions?

Just out of curosity what certification aren't you interested in dynamik

dynamik

shednik wrote:

Just out of curosity what certification aren't you interested in dynamik

Apple. 'bout it

UnixGuy

sprkymrk wrote:

Hi Unixguy, welcome to the forums.

I don't actually have an answer for you, but thought I'd bump your topic so it doesn't get buried. Sundays can be a little slow. Let's see if Keatron (Security Moderator) or one of the other guys can give you some pointers.

Thank you so much man, this is very nice of you. I've read many of Keatron posts and other posts by other members here, and you guys really helped me to make right decisions, and you convinced me to be patient to get work experience

UnixGuy

dynamik wrote:

Are you working with Solaris now?

Security is a critical component of IT. Gaining security knowledge and experience will do nothing but help you.

The CISSP is a very well-respected cert, and looks great just on it's on. It'll definitely compliment your other certifications. Keep in mind that they have a 5-year experience requirement. You can knock a year off of that with a qualifying certification, like the Security+, and another year with a qualifying degree. The SSCP is something else you may wish to consider; there is only a 1-year requirement for that.

If you don't have a great deal of security experience, the Security+ is a great place to start. Although, you could probably go right to the Solaris security specialization without too much trouble, given your background.

It would probably help to give a more complete description of your background and what your ultimate goal is.

Just out of curiosity, what did you use to prepare for the Solaris certifications? I have the SCSA book by Sanghera. Any other suggestions?

Mmm thanks.

Ok my background, I studied computer engineering in a reputable university, where I took heavy networking and programming courses. I also took Networks security course and computer security course.

I work with executive partners of Sun Microsystems, as a support engineer for critical environment. what I have is 6 months experience only. However in those 6 months I learned millions of things because there was (and still) too much pressure on me, so I learned things the hard way.

about the SCSA, the company here gave me trainings, which helped alot. I read paul sanghera and never liked it. I read another book by the author bill calkings and No. Those books are outdated and Sun upated their exams. I recommend the official sun documents (Intermediate System Administration and Advanced Systems administration). Those are the best for both getting certified and facing real life problems. I mean, 90% of real life problems solutions can be found there.

I heard about the 5 yrs experience requirement of CISSP, but I can easily take sec+ because of university knowledge and my reading. It looks simple. And how can CISSP confirm that I have 5 yrs experience in security ?? should I ask my boss to write this ?

UnixGuy

shednik wrote:

dynamik wrote:

Are you working with Solaris now?

Security is a critical component of IT. Gaining security knowledge and experience will do nothing but help you.

The CISSP is a very well-respected cert, and looks great just on it's on. It'll definitely compliment your other certifications. Keep in mind that they have a 5-year experience requirement. You can knock a year off of that with a qualifying certification, like the Security+, and another year with a qualifying degree. The SSCP is something else you may wish to consider; there is only a 1-year requirement for that.

If you don't have a great deal of security experience, the Security+ is a great place to start. Although, you could probably go right to the Solaris security specialization without too much trouble, given your background.

It would probably help to give a more complete description of your background and what your ultimate goal is.

I'd definitely have to agree with dynamik here, unless you have a heavy background with security already I'd start with Security+ and the Sun Security Cert best of luck to you!

dynamik wrote:

Just out of curiosity, what did you use to prepare for the Solaris certifications? I have the SCSA book by Sanghera. Any other suggestions?

Just out of curosity what certification aren't you interested in dynamik

I see, thanks. The Solaris security certificate is nothing but how to audit logs, permission policies, and some solaris security features. If you know Solaris you can just read the books and go for the exam. Sun exams aren't tricky if you know your stuff.

Schluep

UnixGuy wrote:

I heard about the 5 yrs experience requirement of CISSP, but I can easily take sec+ because of university knowledge and my reading. It looks simple. And how can CISSP confirm that I have 5 yrs experience in security ?? should I ask my boss to write this ?

When registering for the exam you are required to identify your experience as well as the Domains of the CISSP CBK that are a part of that experience and include your resume information. After the information you provide is reviewed and determined to be sufficient you can sit for the exam. After passing the exam you will be required to submit an endorsement form where a current (ISC)² credential holder endorses you experience to be true and correct. After passing the exam this information is all subject to audit prior to your being awarded the certification. If audited your employer/employers will likely be contacted and any qualifying degrees/certifications (can waive up to one year for each) will be verified.

I would assume that you would never ask anyone to write something that is untrue on your behalf, but just in case please be aware that the CISSP is a very highly valued certification in the InfoSec world because it maintains its integrity better than other exams. It does this through the detailed process above of trying to verify work experience and limit the ability of unscrupulous individuals from posting brain **** type information (many versions of written exams and long/detailed questions). If someone did try to **** on their work experience for the CISSP certification the likelihood is far higher that they would be caught and they would be unlikely to hold the CISSP any time soon if that happened.

You do have the option of becoming an Associate of (ISC)² by registering to take the exam with this intention and providing information regarding the work experience that you do have. Once you meet the work experience requirement you can submit the endorsement form to (ISC)² and would be subject to the audit at that time. Provided that everything checks out your Associate of (ISC)² status would automatically be upgraded to a CISSP certification holder. This is what I did and I am very glad that I took the exam even though I do not have the 5 letters next to my name.

Since you work heavily with Solaris they would definitely seem like good first steps before going Vendor neutral. Certifications are a way to verify your competence with a given technology, so it only makes sense to certify in things you use on a daily basis and are very comfortable with. Of course vendor neutral exams such as the CompTIA Security+ or CISSP can be good things to look at since there is no specific technology product being tested, but they also will require a wider range of knowledge since it isn't as focused.

If you have read many of the excellent Keatron posts on this forum you will have noticed he typically recommends Security+ across the board. If you are considering the other exams it should be a very easy one to pass anyway and does count as one of the eligible certifications to waive a year on the work experience requirement for the CISSP exam at this time.

UnixGuy

Schluep wrote:

UnixGuy wrote:

I heard about the 5 yrs experience requirement of CISSP, but I can easily take sec+ because of university knowledge and my reading. It looks simple. And how can CISSP confirm that I have 5 yrs experience in security ?? should I ask my boss to write this ?

When registering for the exam you are required to identify your experience as well as the Domains of the CISSP CBK that are a part of that experience and include your resume information. After the information you provide is reviewed and determined to be sufficient you can sit for the exam. After passing the exam you will be required to submit an endorsement form where a current (ISC)² credential holder endorses you experience to be true and correct. After passing the exam this information is all subject to audit prior to your being awarded the certification. If audited your employer/employers will likely be contacted and any qualifying degrees/certifications (can waive up to one year for each) will be verified.

I would assume that you would never ask anyone to write something that is untrue on your behalf, but just in case please be aware that the CISSP is a very highly valued certification in the InfoSec world because it maintains its integrity better than other exams. It does this through the detailed process above of trying to verify work experience and limit the ability of unscrupulous individuals from posting brain **** type information (many versions of written exams and long/detailed questions). If someone did try to **** on their work experience for the CISSP certification the likelihood is far higher that they would be caught and they would be unlikely to hold the CISSP any time soon if that happened.

You do have the option of becoming an Associate of (ISC)² by registering to take the exam with this intention and providing information regarding the work experience that you do have. Once you meet the work experience requirement you can submit the endorsement form to (ISC)² and would be subject to the audit at that time. Provided that everything checks out your Associate of (ISC)² status would automatically be upgraded to a CISSP certification holder. This is what I did and I am very glad that I took the exam even though I do not have the 5 letters next to my name.

Since you work heavily with Solaris they would definitely seem like good first steps before going Vendor neutral. Certifications are a way to verify your competence with a given technology, so it only makes sense to certify in things you use on a daily basis and are very comfortable with. Of course vendor neutral exams such as the CompTIA Security+ or CISSP can be good things to look at since there is no specific technology product being tested, but they also will require a wider range of knowledge since it isn't as focused.

If you have read many of the excellent Keatron posts on this forum you will have noticed he typically recommends Security+ across the board. If you are considering the other exams it should be a very easy one to pass anyway and does count as one of the eligible certifications to waive a year on the work experience requirement for the CISSP exam at this time.

Thank you very much for the detailed explanation

Of course I won't ask my boss to write something fraud and he will not do this anyway!

The thing is, we work on daily basis with many issues and security is among them. This is why I asked whether my boss can verify this.

I'm interested in Sun itself more, so I thought CISSP would be a great plus to my career. And I thought maybe there's a room in security for people who are specialized in Unix. Because from what I saw so far, many security auditing companies do audit Solaris systems and give wrong recommendation due to lack of knowledge in Solaris and Sun Hardware.

Schluep

UnixGuy wrote:

I'm interested in Sun itself more, so I thought CISSP would be a great plus to my career. And I thought maybe there's a room in security for people who are specialized in Unix. Because from what I saw so far, many security auditing companies do audit Solaris systems and give wrong recommendation due to lack of knowledge in Solaris and Sun Hardware.

Those problems often aren't specific simply to Sun equiptment. A lot of companies generate cookie-cutter reports following a specific plan or testing methodology and referencing it against a list of vulnerabilities. If they are simply auditing and not involved in the configuration at all it will be your companies job (or possible another third party) to determine which vulnerabilities on the report need to be addressed. Some things listed as vulnerabilities may be neccessary for your system to function and others may not be cost efficient to correct depending on the risk or asset value involved.

UnixGuy

Schluep wrote:

UnixGuy wrote:

I'm interested in Sun itself more, so I thought CISSP would be a great plus to my career. And I thought maybe there's a room in security for people who are specialized in Unix. Because from what I saw so far, many security auditing companies do audit Solaris systems and give wrong recommendation due to lack of knowledge in Solaris and Sun Hardware.

Those problems often aren't specific simply to Sun equiptment. A lot of companies generate cookie-cutter reports following a specific plan or testing methodology and referencing it against a list of vulnerabilities. If they are simply auditing and not involved in the configuration at all it will be your companies job (or possible another third party) to determine which vulnerabilities on the report need to be addressed. Some things listed as vulnerabilities may be neccessary for your system to function and others may not be cost efficient to correct depending on the risk or asset value involved.

yes this is what precisely happened couple of days ago. Some auditing companies simply run softwares that reports all open ports. And that other day some ports were used by necessary applications.