Next step for first security job

I just got my Security+ and I'm trying to specialize in network security.. I know I may have to wait a while to do CISSP and get sponsor and what not..

Is CEH worthwhile getting? is it recognized to perspective employers?

Are there any other course material I should try? (i don't want to do cisco until I have to re-up in 2.5 years)

Find more posts tagged with

Comments

docrice

What kind of network security? Pentesting? Auditing? Firewalls? VPNs? Intrusion analysis? Endpoint management?

levensailor

vulnerability assessment scans, patch management, audits.
i am ultimately going to go for cissp but i want to do an intermediate cert and there are just a LOT of them out there.. CEH sounds like something i'd want to do as far as material, just didn't know what its stigma was

Bl8ckr0uter

levensailor wrote: »

I just got my Security+ and I'm trying to specialize in network security.. I know I may have to wait a while to do CISSP and get sponsor and what not..

Is CEH worthwhile getting? is it recognized to perspective employers?

Are there any other course material I should try? (i don't want to do cisco until I have to re-up in 2.5 years)

By EC owns numbers, they are the most popular security cert. I am taking a different approach to doing the CEH. I plan to do the Elearnsecurity Penetration testing training course course and use that as to help me prepare for the CEH. At about 600 bucks, I think it will be worth while to me. I think that the CEH is "worth it" only if you A: Have the skills that a CEH should have and B: Are looking into a job in infosec/info assurance. I don't think a DBA would go after this one (although the sql injection awareness could be very, very helpful for a security oriented dba). I don't know, I could be talking out my @$$ here but after some careful consideration, I think that it is worth $250 dollars, even though many of the jobs around here are looking for SANS certs.

You can do the CISSP and become an associate of CISSP while you are still working on gaining experience. Or you could do the SSCP. CISSP is way more popular just so you know.

Offensive security looks pretty awesome as well http://www.offensive-security.com/online-information-security-training/ It is way more affordable than doing a SANS course. 900 bucks is probably the very edge of affordable for me. There are plenty of other courses out there. Of course if you can afford/get you job to pay for a SANS course jump on it. Also check out your local OWASP group. The one in my neck of the woods is pretty decent.

docrice

Having the enthusiasm for infosec is great, but you also have to realize that you need good foundations in order to understand what is actually happening while you perform vulnerability assessments, etc.. Knowledge of systems, networks, and protocols is important, otherwise you're just running tools. Having a CCNA and some Windows / Linux experience comes in very handy.

Employers are generally not going to strictly look at the certifications an individual holds when considering candidates. Knowledge and wisdom comes after a lot of trial-and-error through experience, and having a network / systems admin background really helps to put things into perspective.

For example, port-scanning a target provides a list of ports. But how do you exploit them? What does Kerberos do? How does it function within a large network and how could you leverage access to the service? What about LDAP? How about general network architecture design and typical firewall implementations? Tools like Nmap or Nessus may give you readings, but you still have to separate out what's a real issue versus a false-positive.

Putting things in context is important. When you perform an (authorized) pentest, you'll have to convey the risk levels that an organization faces with each potential vulnerability discovered and suggestions on their mitigation.

BTW, I think the eLearnSecurity course is great also. I went through most of it, and part of me is entertaining the idea of paying up for a challenge attempt (because I'm way past the first few months after sign-up). There's also the Heorot.net courses as well, and the first course is relatively inexpensive.

http://heorot.net/

I'm under the impression that in the past, the CEH was considered mostly a "tools" course and if you take a formal course it's a hit or miss depending on the instructor. The new version 7 of CEH is supposed to be much superior, which raises my curiosity a bit.

Update: didn't see your existing certifications list, so it looks like you already have some sys / net background.

Bl8ckr0uter

docrice wrote: »

BTW, I think the eLearnSecurity course is great also. I went through most of it, and part of me is entertaining the idea of paying up for a challenge attempt (because I'm way past the first few months after sign-up). There's also the Heorot.net courses as well, and the first course is relatively inexpensive.

Heorot.net

I forgot about heorot. I haven't heard much about their courses...

rogue2shadow

docrice wrote: »

Having the enthusiasm for infosec is great, but you also have to realize that you need good foundations in order to understand what is actually happening while you perform vulnerability assessments, etc.. Knowledge of systems, networks, and protocols is important, otherwise you're just running tools. Having a CCNA and some Windows / Linux experience comes in very handy.

Employers are generally not going to strictly look at the certifications an individual holds when considering candidates. Knowledge and wisdom comes after a lot of trial-and-error through experience, and having a network / systems admin background really helps to put things into perspective.

For example, port-scanning a target provides a list of ports. But how do you exploit them? What does Kerberos do? How does it function within a large network and how could you leverage access to the service? What about LDAP? How about general network architecture design and typical firewall implementations? Tools like Nmap or Nessus may give you readings, but you still have to separate out what's a real issue versus a false-positive.

Putting things in context is important. When you perform an (authorized) pentest, you'll have to convey the risk levels that an organization faces with each potential vulnerability discovered and suggestions on their mitigation.

BTW, I think the eLearnSecurity course is great also. I went through most of it, and part of me is entertaining the idea of paying up for a challenge attempt (because I'm way past the first few months after sign-up). There's also the Heorot.net courses as well, and the first course is relatively inexpensive.

Heorot.net

I'm under the impression that in the past, the CEH was considered mostly a "tools" course and if you take a formal course it's a hit or miss depending on the instructor. The new version 7 of CEH is supposed to be much superior, which raises my curiosity a bit.

Great advice from you and BRouter

In terms of version 7, I'll definitely have to put up a review of the training for it; my boot camp class test date is the day of the version change but they said they'll train us for both versions. I heard its less about the outdated tools and definitely geared to more modern tools and exploits.

docrice

Nothing against Heorot, but I'm not that surprised. The course that I took was great in that I got a good feel for what a process-driven pentest would be like in the real-world, but I think it didn't have that polished presentation / bling that eLearnSecurity has. But for the relatively low-cost of their Shodan course, it would be a good start for someone absolutely new to the world of pentesting.