CISSP: When to certify?
I got my CISSP last month and have since been trying to transition out of my network admin position and into a fully-focused security role.
Study material: Shon Harris' all-in-one, CBK study guide, learnkey CBTs, and cccure.org online test sim. I sifted through several other CISSP books at the local bookstore as well during my self-study.
Ok... Here's my situation.
I've been doing net admin for quite some time (paid my dues at helpdesk) and have come to a point in my career where I want to get away from building servers, administering windows backoffice products, or supporting PDAs and laptops for frantic execs.
With the CISSP title, I've gotten a lot of leads via recruiters and internal HR folks to various companies. However, I had to decline most of them for lack of deep practical experience. Basically, I need to have already been a security engineer for several years to qualify. I qualify for the CISSP exam because of my 4-year degree and 3 years working within several domains of the CBK (common body of knowledge).
Sample interview question: Given a raw packet log from an IDS, can I decipher it and explain what kind of attack is taking place?
Well, I don't have a guru level firewall, IDS, VPN, or Auditing skillset and unfortunately I won't be able to with my current employer. (no funds)
I think the CCSP from Cisco is the cert to have to get yourself started in the security field. I went from SEC+ to CISSP because job descriptions have been listing 'CISSP required' or preferred. Yes, the CISSP isn't a technical hands-on type of cert, but I tell you - my last few interviews wanted both CISSP in knowledge and plenty of hands-on.
Long of the short: If you haven't been titled a security engineer (I haven't), going for the CISSP may be premature. I'm looking at the CCSP now, but it won't be self-studied.
Sorry about this long post... just wanted to share my views and offer a second opinion if you're thinking about getting into security especially if you feel having the CISSP is the end-all be-all answer.
-Xevious
Comments
Ten9t6 Member Posts: 691
That is a good post. I agree that it is not the end-all cert. As a matter of fact I don't believe that there is an end-all cert in most situations. The CISSP, like you said, is a management cert. And it is one that a lot of people are focused on right now. It is one of those buzzwords, so there are many companies that will throw that word in the mix. It is kind of like saying they want a CCIE, but you're really doing CCNA or NP level stuff. (CCIE is another one of those buzzwords.)...They ask for a CISSP, but most of them are wanting a security engineer in the trenches...I agree with you...getting other vendor security certs (Cisco, SANS, Check Point) will help complement the CISSP....It will make you that much stronger.
If you want a really hands-on look at the code involved in these attacks...or the ins and outs of the tools used for or against your systems, check out the CEH. It was a pretty good cert...now that version 3 is out.
Kenny
A+, Network+, Linux+, Security+, MCSE+I, MCSE:Security, MCDBA, CCNP, CCDP, CCSP, CCVP, CCIE Written (R/S, Voice), INFOSEC, JNCIA (M and FWV), JNCIS (M and FWV), ENA, C|EH, ACA, ACS, ACE, CTP, CISSP, SSCP, MCIWD, CIWSA
Ten9t6 Member Posts: 691
Also, that book that you used is a great book...it is the one I used. I really liked the CD of questions with it. I recently picked up the CISSP Prep Guide, Second Edition, "Mastering the CISSP and ISSEP Exams". It seems to be really good also. I am planning on taking the ISSEP exam on the 28th.
Kenny
xevious Member Posts: 59
I purchased the courseware from EC-Council not too long ago. It includes 2 large binders with lab assignments, a study book, and 2 Knoppix CDs. No plans to CEH certify any time soon, but I hear ya.
Good luck on the ISSEP...
-Xevious
Ten9t6 Member Posts: 691
Know the tools on the resources CD. Also use the PowerPoint presentation to point you to the areas of focus. The book is really good. If you know the ins and outs of the PowerPoint presentation in the binder...with quite a bit of practice on the tools mentioned, you should do OK on the exam. I was surprised at the difficulty of the exam. It was harder than I thought it would be. The certification card is pretty cool also. It is like the Knoppix CD...only stripped down to fit on a credit card CD. Haha...it is more useful than my Microsoft card.
Kenny
lopezco Member Posts: 38
I have spent some time reading posts and trying to understand what is best for me. CISSP is the highest and most recognized certification; I would really like to get it one day, but it seems it is a bit far from me.
Then I will focus myself on CEH first and will keep reading CISSP material for my personal satisfaction. I spent one year taking the CCNA curriculum but never took the test; maybe it would be good for me to prepare for CCNA.
Would it also be good to get a higher IBM cert?
And then to think of CISSP?
I'm still really confused about my career path.
I will sure appreciate any help from you guys!
Thank you in advance.
DAL
"If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees." — Kahlil Gibran
Munck Member Posts: 150
If you want to be able to decipher actual network traffic, I don't think CEH is up to par. GCIA from SANS would probably be a better choice. My 0,02ct
lopezco Member Posts: 38
Munck wrote:
If you want to be able to decipher actual network traffic, I don't think CEH is up to par. GCIA from SANS would probably be a better choice. My 0,02ct
I have not read that much about SANS certs; I will spend some time to see how good they are for me.
Thank you for your help.
DAL
Ten9t6 Member Posts: 691
Munck wrote:
If you want to be able to decipher actual network traffic, I don't think CEH is up to par. GCIA from SANS would probably be a better choice. My 0,02ct
You would be surprised at what you have to "decipher" in this exam. And it is not the exam that I consider being the great part of this process...If you study / practice for this exam, like you should, you will have no problems deciphering network traffic / attacks.
Kenny
dissolved Inactive Imported Users Posts: 228
The CISSP is a managerial cert, nothing more. Packet analysis is something that you learn from experience. Even the SANS stuff isn't all that great IMHO. I've taken 2 tracks and don't understand what all the fuss is about their certs. Anyway, remember that companies want someone who can do everything nowadays so they can spend less money, while you work your balls off.
Most guys with CISSPs sit around and write policies or dial into boring teleconferences to discuss standards and fake terrorist alarming systems for the internet.
silentc1015 Member Posts: 128
Thanks for the info, xevious. I'm in a similar situation. I am in a Sysadmin position, and I'm looking to transition into security. I just recently passed my Security+ certification, and I'm about 2 or 3 weeks from being capable of passing my CISSP.
After passing CISSP, I plan on studying for and passing the CEH. Then I'm really going to get serious about finding a security position, even if I have to relocate (to anywhere). I have 6 years of IT experience, but nothing security specific. If I have trouble finding a position due to lack of experience I plan on looking into training seminars and doing some lab work on my own.
I definitely think the chicken and egg problem of transitioning into a new IT field can be overcome with determination and smart career choices. I'm not too worried, and I don't think you should be either yet. Just keep it up and work hard. You'll get there.
keatron Member Posts: 1,213
dissolved wrote:
The CISSP is a managerial cert, nothing more. Packet analysis is something that you learn from experience. Even the SANS stuff isn't all that great IMHO. I've taken 2 tracks and don't understand what all the fuss is about their certs. Anyway, remember that companies want someone who can do everything nowadays so they can spend less money, while you work your balls off.
This is wrong. The CISSP does not define an individual or what an individual does. It's not just a managerial cert. If you think you won't have to decipher network traffic, or explain what types of encryption do what, then you're going to be in for a big surprise. It is my opinion that people can't positively say "what" the CISSP is without having gotten it. Those of us who have it will attest that it's much, much more than a "management" cert. Most of my work is pen testing, forensics, and training. My CISSP body of knowledge has helped me in all three of those areas tremendously. The problem is a lot of people go for certs and never have the opportunity to utilize the skill sets gained from studying for the cert. Then they lose them.
dissolved wrote:
Most guys with CISSPs sit around and write policies or dial into boring teleconferences to discuss standards and fake terrorist alarming systems for the internet.
Again I have to disagree with you here. I like how you put us all in a box and say "most guys with CISSP does this and does that". I only know of a few CISSPs who do what you're describing. In fact MOST of us are doing complex security systems design, security systems consulting, or any of the other things I named concerning myself. So not thrashing you here, but just be careful when making statements about CISSPs or any qualification for that matter, unless you have first-hand experience with it. Besides, you probably wouldn't want the entire CISSP group to put you on our radar, would you? (just kidding).
Keatron.
kmcnees Member Posts: 4
silentc1015 wrote:
Thanks for the info, xevious. I'm in a similar situation. I am in a Sysadmin position, and I'm looking to transition into security. I just recently passed my Security+ certification, and I'm about 2 or 3 weeks from being capable of passing my CISSP.
After passing CISSP, I plan on studying for and passing the CEH. Then I'm really going to get serious about finding a security position, even if I have to relocate (to anywhere). I have 6 years of IT experience, but nothing security specific. If I have trouble finding a position due to lack of experience I plan on looking into training seminars and doing some lab work on my own.
I definitely think the chicken and egg problem of transitioning into a new IT field can be overcome with determination and smart career choices. I'm not too worried, and I don't think you should be either yet. Just keep it up and work hard. You'll get there.
Perhaps you should consider getting your CISA. I would say about 40 to 55% of the CISA exam is very close to the CISSP exam. Passing the CISA opens lots of doors. Check out www.isaca.org for more information. Highly recommended cert. Good luck.
Ken
silentc1015 Member Posts: 128
kmcnees wrote:
Perhaps you should consider getting your CISA. I would say about 40 to 55% of the CISA exam is very close to the CISSP exam. Passing the CISA opens lots of doors. Check out www.isaca.org for more information. Highly recommended cert. Good luck.
Thanks for the advice. I looked into the CISA a bit after reading your reply, and it does seem like a security cert worth having.
Basically for my next cert (after CISSP), I want something that will give me more practical experience. I want the labs or classwork that I do in my studying to give me a little bit more of that practical experience that employers so desire. Any recommendations? CEH seemed to involve that, so that's why I was interested in that particular cert next.
keatron Member Posts: 1,213
The C|EH would be a good choice for getting hands-on, but only hands-on as far as ethical hacking (intro to penetration testing). The tough part about getting into security is that, concerning a large part of it, it's hard to get hands-on without actually doing it. For example, the only hands-on for writing security policies is to write some and have them tested against a real company. The best way to get hands-on with IDS rules and such is to write some and see how they hold up in the real world. The truth of the matter is, because of lack of training and skill in most of the defensive side of information security, admins rarely are able to simulate anything close to a real attack. This is why companies spend millions on IDS, IPS and other border defenses and still end up being owned.
And please remember, before you get too advanced with the certs, nail down the basics. I find it quite amusing that the average self-proclaimed security expert can't even explain the "three-way handshake". Getting the fundamentals down now will ensure that you have a minimal amount of knowledge gaps when you do reach your pinnacle.
Keatron.
silentc1015 Member Posts: 128
keatron wrote:
The C|EH would be a good choice for getting hands-on, but only hands-on as far as ethical hacking (intro to penetration testing). The tough part about getting into security is that, concerning a large part of it, it's hard to get hands-on without actually doing it. For example, the only hands-on for writing security policies is to write some and have them tested against a real company. The best way to get hands-on with IDS rules and such is to write some and see how they hold up in the real world. The truth of the matter is, because of lack of training and skill in most of the defensive side of information security, admins rarely are able to simulate anything close to a real attack. This is why companies spend millions on IDS, IPS and other border defenses and still end up being owned.
And please remember, before you get too advanced with the certs, nail down the basics. I find it quite amusing that the average self-proclaimed security expert can't even explain the "three-way handshake". Getting the fundamentals down now will ensure that you have a minimal amount of knowledge gaps when you do reach your pinnacle.
Keatron.
Thanks for the info, Keatron. It is very helpful to me, and I'm sure many others. Penetration tester is ultimately the job I am seeking. While I've got some great experience implementing firewall rulesets, ACLs, IDSs (Snort, Tripwire, etc...), I don't have enough knowledge and experience to actually get a job in penetration testing. I lack the practical experience and probably the credentials. I only have entry-level certs and I'm still finishing up a BS in comp sci.
As I finish up that BS in comp sci, I'm trying to do what I can to get a job as a pen tester or security auditor as soon as possible. My plan was to go for CISSP then CEH, while doing as much practical work on both as I can during my studies.
Do you think it would be wise and beneficial to spend some money on some training classes and seminars on actual penetration testing and advanced networking? Do employers respect this kind of training and experience?
drakhan2002 Member Posts: 111
silentc1015 wrote:
As I finish up that BS in comp sci, I'm trying to do what I can to get a job as a pen tester or security auditor as soon as possible. My plan was to go for CISSP then CEH, while doing as much practical work on both as I can during my studies.
As a security professional for a Fortune 500 bank, I can tell you that the CISSP requires 4 years of documented experience in one of the ten domains of the CISSP. 3 years with a Bachelor's. You can knock 1 year off with either the Security+ or a Master's degree in Information Security (from a National Center of Excellence). Therefore, the most experience you can write off is 2 years. How long do you have to go before you get your B.S.?
I say this because you may want to consider getting your C|EH before your CISSP due to the requirements of the CISSP.
And a note to "dissolved" - I think your comments are rather offensive to those of us who are pursuing and/or are senior level IT personnel. You seem like you're just starting out in your career - I think in a few years you'll season into a mature, productive IT professional. But for now, it is probably best if you just sit back and read these forums.
It's not the moments of pleasure, it's the hours of pursuit...
silentc1015 Member Posts: 128
drakhan2002 wrote:
As I finish up that BS in comp sci, I'm trying to do what I can to get a job as a pen tester or security auditor as soon as possible. My plan was to go for CISSP then CEH, while doing as much practical work on both as I can during my studies.
As a security professional for a Fortune 500 bank, I can tell you that the CISSP requires 4 years of documented experience in one of the ten domains of the CISSP. 3 years with a Bachelor's. You can knock 1 year off with either the Security+ or a Master's degree in Information Security (from a National Center of Excellence). Therefore, the most experience you can write off is 2 years. How long do you have to go before you get your B.S.?
I say this because you may want to consider getting your C|EH before your CISSP due to the requirements of the CISSP.
I've got 6 years of experience administering RADIUS authentication servers and hardening Unix-like OSs. I've also got my Security+. So, from my understanding I should be more than qualified to take the CISSP. Being capable of passing is another question altogether.
So back to my original question. Do you think it is worthwhile to invest in some of these training workshops and things like that to actually get more practical security focused experience?
keatron Member Posts: 1,213
For the C|EH and pentesting intro:
Get yourself a copy of Virtual PC or VMware. Load a couple of server OSs and maybe an XP or 2. Then load at least one Linux distro (doesn't matter which one). Next, come here and ask questions about exploits, vulnerabilities, etc. Do some security research and find out how to carry out some of the exploits. An example would be to go to the MS website and look at the critical security updates. See if you can find ways to exploit these holes (before applying any service packs and patches). If you spend some hours searching and can't find out how, come back here and post some more questions (we'll give you better hints at that point). Do this for all the operating systems you have. Learn how to launch attacks both from Linux as well as win32. After you have successfully exploited the unpatched machines, start applying service packs and patches. Then try all the exploits you were successful with before. If they're not successful now, document what patch ACTUALLY fixed what. I say this because you will find that some updates and service packs don't fix all the holes they are supposed to.... Keep repeating this process (after every wave of patches). Make sure you apply the patches in the order they were released. Start with the oldest patches, then exploit exploit exploit, then go to the next wave of patches after the first ones, then exploit exploit exploit again. Do this all the way up to the latest patch levels, and by now you should be able to find at least one successful exploit that works against the latest service packs and latest patches. This will do several things for you: it'll get you comfortable exploiting vulnerabilities, and it'll give you a good history lesson in security developments over the last 3 or 4 years. If you can't code, get a few of the *** For Dummies programming language books. After you graduate from them, get a real book (like the Llama book for Perl).
Once you understand a language or two (basic understanding), start constructing your own exploits (it's OK to look at how script kiddie stuff works, and then build your own based off some of the same concepts).
After this, either get someone to teach you, or get a few more books and learn how to write small Windows device drivers (it's not as tough as it might sound). Once you're able to do this, you're about one sneeze away from being able to create simple rootkits, and you'll have a solid foundation for seriously entering the penetration testing world. Taking an official CEH class will be very good for learning how some of the tools out there already work, and getting your mind ready for the types of things you'll need to be able to construct. Things like Nmap, Metasploit, etc. will become special friends of yours. It sounds like a lot, but if you want a serious look from any reputable penetration testing firm, you'll need the skills I named above.
For CISSP:
Read all of the most highly recommended exam prep books. Keep in mind, this is ONLY the beginning. Now after reading these books, nail down ALL of your weaknesses. Once you know what they are, go buy books that deal specifically with your weak areas and read on those topics until you understand them well. I often tell people that I read 4 or 5 books on just cryptography (including Applied Cryptography and a few others), and did so for a couple of other domains. It was a lot of work and reading, but now I have no problem discussing crypto with most security professionals (bar the crypto math gods at NSA and other places). This is what it takes. No one, two or even three EXAM PREPS will truly prepare you for the CISSP. You need to have the experience (which it sounds like you do) but you also need to have exposure to a very wide range of topics.
Keatron.
silentc1015 Member Posts: 128
Wow! Thanks for the info, Keatron. I can't begin to tell you how much that helps! I appreciate both your information about CISSP specifically and (most especially) your career advice. It helps so much to have a more experienced person help light the career path.
Speaking about the CISSP specifically, here's what I'm doing to prepare:
- Study Guide published by Sybex
- CBT Nuggets Training Videos
- LearnKey Training Videos
- 5-10 practice tests
I've been nearly evenly spreading out my time between all 4 methods. I just completed the book, and I'm nearing the end of the training videos. I really think I'm almost ready! I'm probably going to study for another 2 or 3 weeks. I'll tell you guys how it goes when the time comes.
keatron Member Posts: 1,213
silentc1015 wrote:
Wow! Thanks for the info, Keatron. I can't begin to tell you how much that helps! I appreciate both your information about CISSP specifically and (most especially) your career advice. It helps so much to have a more experienced person help light the career path.
Speaking about the CISSP specifically, here's what I'm doing to prepare:
- Study Guide published by Sybex
- LearnKey Training Videos
- 5-10 practice tests
I've been nearly evenly spreading out my time between all 4 methods. I just completed the book, and I'm nearing the end of the training videos. I really think I'm almost ready! I'm probably going to study for another 2 or 3 weeks. I'll tell you guys how it goes when the time comes.
For completeness, add Shon Harris' All-in-One and the ISC2 official guide (get the latest one by Hal Tipton and Kevin Henry).
And you're always welcome concerning career advice.
drakhan2002 Member Posts: 111
Consider heading over to http://www.cccure.org, they have a large test bank of sample test questions. Their download section has a ton of goodies for those preparing for either the CISSP or CISA exams.
It's not the moments of pleasure, it's the hours of pursuit...