SSCP and CISSP Question

mbock7

I am close to graduating from my university with a Bach in Network Security and i am currently studying for my Security+. The job that i would like is a Security Analyst, but i am curious no what certs to get. I do see CISSP being required by alot of differnt security analyst jobs, so i guess my question is do you think after security+ i should go for my SSCP and then CISSP?

undomiel

You may want to check out the experience requirements for those. 1 year of experience for the SSCP and 5 years for the CISSP though your degree or Security+ would waive 1 year of the requirement for the CISSP.

RTmarc

undomiel wrote:

You may want to check out the experience requirements for those. 1 year of experience for the SSCP and 5 years for the CISSP though your degree or Security+ would waive 1 year of the requirement for the CISSP.

Exactly. CISSP requires more than just taking a test.

bcairns

Forgive my horrible spelling it is late and I am trying to cram a lot of information into this reply...

As some of the other folks have stated, CISSP is a lot more then "just security", you have to be a jack of all trades, know a lot about just about everything.

That being said...I would recomend you get a bunch of certs in a lot of different categories. Some recomendations would be:

(in no special order)
A+ - good starter cert, best to do this first
Network+ - should be your next stop after A+
Server+ - not to many people do this one, personally I think it should be required learning
Security+ - Manditory for any IA / INFOSEC position
Linux+ - matter of personal taste, I have not done this one (yet)
MCP - You get this by passing one microsoft exam
MCSA - This is for mid level Microsoft Server Admins
MCSE - This means you are an expert in Microsoft windows server 2003
MCITP - The newer version of MCSE for Windows Server 2008
MCPD - Microsofts programmer certification track
CCNA - Entry level Cisco cert (but a HARD test)
SCJP - Suns Java Programmer Certification

And get a little programming skills under your belt...you would be amazed how many computer experts have never written a line of code in their life.

Recomended languages:

HTML - easy to learn
Python - easy to learn
VBScript - easy to learn
Java - medium difficulty
VB - medium difficulty
C# - medium difficulty
C++ - probably one of the hardest to learn

Now don't get overwhelmed, you need a minimum of five years experience in two security domains just to take the CISSP exam. The easiest way to get that experience is...well you guessed it, get a job And during your daily grind at the keyboard you are cramming fro certifications (that most employers pay for) and learning real world skills.

Get the certifications, and start programming, you will be amazed how much you learn and find things you never would have thought you liked. And before you know it, you have five plus years experience and can take the CISSP exam.

You have to remember that CISSP is a very high level certification, and you will need a long term plan to get it...consider CISSP another college education (a five year degree). Once you have the CISSP certification, your knowlege of computers will be frightening to say the least.

But I can tell you from personal experience...once you have the CISSP, life gets much easier.

Good luck, and don't quit!

dynamik

C++ isn't that bad, until you start working with things like pointers. Then it's time to put down the programming book and move on to things like Windows Server because it has a pretty GUI. *YAY*

Actually, I just wanted to complement bcairns on the nice writeup, but I felt I should add something insightful as well.

UnixGuy

good reply, thanks !!


C#/C++...I have history with these in college..thousand lines of codes...sleepless nights, and endless cups of coffee


C++ pointers..

you should see "C" pointers, that's crazy ****

UnixGuy

Dear bcairns,

you didn't mention any certificate or experience regarding SAN storages, tape libraries, disk arrays, NAS

Also some Unix



from you CISSP experience, do you think these are necessary or not ??

RTmarc

Being familiar with an extensive number of products and technologies is never going to hurt; especially when looking to the security aspect of things. That being said, CISSP does not require you to have familiarity with the things you mentioned. Remember, the CISSP is "a mile wide and an inch deep". It is more of the theory of security rather than the minute details. Minutia would come in with your more specialized training and certifications, CEH or someone specializing in secure programming of a given language for example.

I'm not trying to say one should not be well versed in a diverse collection of technologies but rather that you do not have to be an expert in every domain of the CISSP. Personally, I'm strong in certain domains and weaker in others. The good part about this, which is also part of the ISC2 Code of Ethics, is knowing in which areas you are most adept and not perpetuating yourself in the areas you are not.

undomiel

What's wrong with pointers? Pointers make the world go round!

JDMurray

undomiel wrote:

What's wrong with pointers? Pointers make the world go round!

People that have trouble with pointers have never studied assembly language, where you can't get away from memory references. Once you are competent in assembly, pointers in C/C++ will be quite familiar to you because you will be thinking like an assembly language programmer as you design and code in C/C++.

Anyway, the original question in this thread is SSCP vs. CISSP. undomiel is correct that the first thing you should look at is how much documented work experience you have in at least two domains of the CISSP CBK. With a cert or a college degree, you will need four years of related InfoSec experience to become CISSP-certified. If you don't have that now, consider getting the Security+ followed by the SSCP. That will help you get an InfoSec-related job.

bcairns

UnixGuy wrote:

Dear bcairns,

you didn't mention any certificate or experience regarding SAN storages, tape libraries, disk arrays, NAS

Also some Unix



from you CISSP experience, do you think these are necessary or not ??

Just my $0.02 worth, anything you learn has value.

That being said I think your time would be better spent focused on the server / network / code side of things.

As for programming, I have written billions of lines in C++ / VB / C#, all programming languages are similar, it is more important to become competient at programming concepts, the language is just a tool. Once you learn one language you can take that knowlege and use it tward your next language (makes things easier).

Also knowing how programs work will be a HUGE help in automating boring parts of your job or figuring out what is going on under the hood of your computer when it freaks out and crashes.

As a CISSP you should (in my opinion) be familiar with programming because sone of the biggest threats is malicious code. By there are plenty of CISSP holders that have never written a line of code...having knowlege and experience in programming will make life as a CISSP that much easier.

And the three major operating systems you would want to be familiar with are:
Windows
Linux
Solaris

undomiel

bcairns wrote:

As for programming, I have written billions of lines in C++ / VB / C#, all programming languages are similar, it is more important to become competient at programming concepts, the language is just a tool. Once you learn one language you can take that knowlege and use it tward your next language (makes things easier).

Also knowing how programs work will be a HUGE help in automating boring parts of your job or figuring out what is going on under the hood of your computer when it freaks out and crashes.

I just wanted to second this. I think that studying programming while I was in grade/high school is what has given me the biggest edge in tech support and systems administration. Maybe just because crash **** don't scare me. Though I did think it was hilarious very early in my IT career where we were having to read off MAC addresses to the systems administrator and the two guys with me on the contract were doing the reading and they were arguing with the admin on the phone over whether that was a zero or the letter O in one of the characters. It had my jaw on the floor that they didn't understand that MAC addresses were in hex!

UnixGuy

bcairns wrote:

UnixGuy wrote:

Dear bcairns,

you didn't mention any certificate or experience regarding SAN storages, tape libraries, disk arrays, NAS

Also some Unix



from you CISSP experience, do you think these are necessary or not ??

Just my $0.02 worth, anything you learn has value.

That being said I think your time would be better spent focused on the server / network / code side of things.

As for programming, I have written billions of lines in C++ / VB / C#, all programming languages are similar, it is more important to become competient at programming concepts, the language is just a tool. Once you learn one language you can take that knowlege and use it tward your next language (makes things easier).

Also knowing how programs work will be a HUGE help in automating boring parts of your job or figuring out what is going on under the hood of your computer when it freaks out and crashes.

As a CISSP you should (in my opinion) be familiar with programming because sone of the biggest threats is malicious code. By there are plenty of CISSP holders that have never written a line of code...having knowlege and experience in programming will make life as a CISSP that much easier.

And the three major operating systems you would want to be familiar with are:
Windows
Linux
Solaris

Thanks ! actually most of my time is spent on Solaris, Sun servers hardware, and storages! Maybe not the best way to climb the ladder to CISSP, but I like it so far

undomiel wrote:

... two guys with me on the contract were doing the reading and they were arguing with the admin on the phone over whether that was a zero or the letter O in one of the characters. ..

lool !

undomiel

Oh yeah I forgot to mention the worst part of it. They decided that it was an O. Then a bit later they were calling up the admin because the computer wasn't pulling an IP. Sad, sad.