What Certs to add to CISSP

geek4god Member Posts: 187
Okay, I am a grad student in Information Assurance and will be done in December. My goal is to get the CISSP late this fall just before graduation. I work for a small organization and have 12 years of very general experience (very wide but not very deep). I have the time, energy and money to pick up a few certificates before I graduate. What certifications do you view as most valuable to go with CISSP? I will be looking for an entry level job as I have no real security experience, so I want some breadth and flexibility to go with the CISSP.

Comments

  • [Deleted User] Member Posts: 0
    The user and all related content has been deleted.
  • geek4god Member Posts: 187
    sabooher wrote: »
    Unless you can account for at least 5 years of experience covering 2 or more of the 10 domains, you will only be able to achieve the Associate of (ISC)2 designation. You will then have to wait to gain the experience before being endorsed. Nothing wrong with the associate, you just couldn't officially call yourself a CISSP. You may want to consider the Security+ as well or the SSCP.

    I was aware of that. But the associate covers DoD Directive 8570 and that is what I am concerned with. I have Security+ now, and SSCP seemed redundant with the CISSP, and I would be an Associate in it as well.
  • rogue2shadow Member Posts: 1,501
    geek4god wrote: »
    I was aware of that. But the associate covers DoD Directive 8570 and that is what I am concerned with. Have Security+ and SSCP seemed redundant with SSCP and I would be an Associate in it as well.

    True that. DoD or not, I'd say do Security+ first since you're looking for an entry level security job. Once you're on the job, go for the CISSP associate after about a year or two. Having the associate would never count against you as the difference between you and a full CISSP is the experience but when it comes to actually being granted higher level jobs, a lot of companies are going to look at the candidate with the full CISSP and specialized experience first.

    EDIT: Didn't see the Sec+ :P
  • ibcritn Member Posts: 340
    What do you want to do in IA? Answering this question will help you understand some certs to go for.

    Security+ is a great cert to start with... I'd also consider GSEC.
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • JDMurray Admin Posts: 13,031
    geek4god, you already have the Security+, right?

    There is a very large gap between the Security+ and CISSP certs and not many mid-level InfoSec certs to fill it. The SSCP, GSEC, and CEH are good examples of InfoSec certs that are in that range that are also on the 8570.01 list. Of those, the SSCP is the best one to prep you for the CISSP. The CISA and CISM certs are very relevant to the CISSP too, and you can take those exams without having the required experience just to practice for the CISSP.

    As others on this thread have pointed out, the best thing you can do for yourself is to understand your career goals. This is the major determining factor for which certification you will choose to achieve.
  • geek4god Member Posts: 187
    JDMurray wrote: »
    geek4god, you already have the Security+, right?

    There is a very large gap between the Security+ and CISSP certs and not many mid-level InfoSec certs to fill it. The SSCP, GSEC, and CEH are good examples of InfoSec certs that are in that range that are also on the 8570.01 list. Of those, the SSCP is the best one to prep you for the CISSP. The CISA and CISM certs are very relevant to the CISSP too, and you can take those exams without having the required experience just to practice for the CISSP.

    As others on this thread have pointed out, the best thing you can do for yourself is to understand your career goals. This is the major determining factor for which certification you will choose to achieve.

    Understood. It is a little cart before the horse and I know that. Problem is I am looking at it from the outside as far as picking a specific field. A lot looks good but so did the bag of pork rinds I tried this weekend that left me gagging.

    Career goal #1 is get a job in Security. Until I am in and around it I will not be sure of what I want to do. I also need the experience regardless of the nature of the security job. So to that end I am trying to make myself as marketable as possible to as many types of entry level security jobs as possible. I am 43 so I will be at a disadvantage when looking at entry level and lack the experience IMO to swing much more.

    The Masters is showing me that the variety within security is staggering. Lots of things look appealing to me, but so far the most appealing are penetration testing, followed by wireless/network security. Again that is coming from someone not in the industry. I also would prefer to be in or around the DoD either as a contractor or a direct hire, but that is secondary to goal number 1.

    Right now I have Network+ and Security+ and will be MCDST Monday. The goal (not sure how realistic it is) has been to add MCSA or MCITP: Server Administrator (leaning towards the latter), then get Linux+, CCENT, CEH, CWNA (maybe), and finish with CISSP so that as an associate I will have most of 8570 covered. I have a year to do it, no life, and can spend several hours a day at work prepping.
  • geek4god Member Posts: 187
    ibcritn wrote: »
    What do you want to do in IA? Answering this question will help you understand some certs to go for.

    Security+ is a great cert to start with... I'd also consider GSEC.

    Is there an effective way to do GIAC without doing the SANS boot camp stuff? I have looked at several that look appealing, but the cost of the SANS boot camps is scary! Especially if I am talking about having to take several. 301 is $3,525 and 401 is $4,095, and there are about 5 others that look great to me: 501, 503, 504, 560, etc.
  • ibcritn Member Posts: 340
    geek4god wrote: »
    Is there an effective way to do GIAC without doing the SANS boot camp stuff? I have looked at several that look appealing, but the cost of the SANS boot camps is scary! Especially if I am talking about having to take several. 301 is $3,525 and 401 is $4,095, and there are about 5 others that look great to me: 501, 503, 504, 560, etc.

    Sadly, the only way to get course work directly for the course that I have seen is through SANS. I am self-studying for GCIH by looking at what's tested... you could do the same for GSEC, but I agree that isn't as easy.

    Based on your goals I would strongly suggest standing up a lab environment if you haven't already (VMware ESXi server base), then connect over with a laptop or another computer. You can set up MS 2003/2008 (test upgrades/replication) and then use Packet Tracer for the Cisco side of the house.

    As far as CEH goes, Insecure.Org (Nmap Free Security Scanner, Tools & Hacking resources) is a great resource for some of the top tools, and there are tons of write-ups online.
    Podcasts are a huge way to gain knowledge:
    Home Of PaulDotCom Security Podcast
    www.isdpodcasts.com
    Irongeek.com

    For security, start playing with (and understanding the methodology behind why the tools are used) the following:
    Vulnerability Scanners (Nessus, Retina)
    Intrusion Detection (Snort)
    Packet Analysis (TCPdump/Windump)
    Exploit Frameworks (Metasploit)

    You can list all this under "Lab Experience" on your resume. This allows you to market the skills you have achieved on your own, and makes you stand out from the crowd as someone who is actively going after skills.

    Good luck!
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • JDMurray Admin Posts: 13,031
    geek4god wrote: »
    Career goal #1 is get a job in Security. Until I am in and around it I will not be sure of what I want to do.
    Consider that you may need to find a "security-related" profession and transition from it to a true InfoSec position. From your cert plan, you are headed towards being a Microsoft SysAdmin, and a lot of InfoSec people have started from just that. If you can get a job that gives you a DoD clearance then all the better.
    geek4god wrote: »
    I am 43 so I will be at a disadvantage when looking at entry level and lack the experience IMO to swing much more.
    Hey, I know what that's about. I started my Masters in InfoSec at 41 in an effort to steer my career away from (primarily) software engineering. I'm still looking for a proper InfoSec position and not just something "security-related." However, what I'm fighting is not my age, but my resume and salary requirements. I wish that I could just start over in some little $50K entry-level position, but I can't.

    And the final word for all of us is, "Regardless of your educations and certs, experience is still The King."
  • geek4god Member Posts: 187
    JDMurray wrote: »
    And the final word for all of us is, "Regardless of your educations and certs, experience is still The King."

    One of the reasons I don't want to pick a narrow area and pile all of my time and cert effort into it. In the end it does not matter if I have 10 certs in pen testing related areas if I have little or no experience. I would hate to lose out on a security related network or admin job because I put all my eggs in one infosec basket.
    My advantage is I can take the 50k job (depending on location) and I can move literally anywhere in the world. When I am done in December I will start my job search by looking overseas first, then anywhere in the US. My expectations are I am going to have to take a step back or two, but I am in this for the long haul.
  • geek4god Member Posts: 187
    ibcritn, some good stuff in there. I have been using Backtrack4 for some class stuff and they even have some certs for it. How widely used is it?
  • geek4god Member Posts: 187
    JDMurray wrote: »
    geek4god, you already have the Security+, right?

    There is a very large gap between the Security+ and CISSP certs and not many mid-level InfoSec certs to fill it. The SSCP, GSEC, and CEH are good examples of InfoSec certs that are in that range that are also on the 8570.01 list. Of those, the SSCP is the best one to prep you for the CISSP. The CISA and CISM certs are very relevant to the CISSP too, and you can take those exams without having the required experience just to practice for the CISSP.

    As others on this thread have pointed out, the best thing you can do for yourself is to understand your career goals. This is the major determining factor for which certification you will choose to achieve.

    Tried to send you a private message just so I did not keep spamming the boards, but did not see the option. Been looking at the SSCP some more and it has some appeal as I can be full SSCP with one year of experience. Plus, as pointed out, it builds on the CISSP. So here is my question: are there guidelines for the endorser for evaluating your experience? I ask because my current job (one man [mostly] show in a 300 user environment) touches on “Security Operations” and “Administration and Networks and Communications”. I am also the guy that responds when someone gets a virus, admins the firewall, admins the secure wireless network, etc., but all of this is just part of what I do. The ISC2 site says “your professional experience has to be in one or more of these seven”. Then when you dig a little deeper you see “one year of direct full-time security work experience in one or more of these seven domains of the..”. Since you mentioned you were in a security related field, I thought I would ask for your interpretation of this. Big difference between “professional experience” and “direct full-time security work experience”! Not sure how anyone in a security related field ever gets this. If 1/3 of your job is "Access controls" and 2/3 is sysadmin, but you have 10 years at it, you might not ever meet the requirements of “direct full-time security work”. Maybe that is the point!
  • ibcritn Member Posts: 340
    geek4god wrote: »
    ibcritn, some good stuff in there. I have been using Backtrack4 for some class stuff and they even have some certs for it. How widely used is it?

    Backtrack itself is merely a Linux distribution compiled of many common tools. So if you can use Backtrack you can use any tool BT has... so even if it isn't used, the tools inside BT will likely be used.

    The OSCP is a very challenging certification that won't get you much notice from HR, but will get you noticed by the technical peeps.
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • JDMurray Admin Posts: 13,031
    geek4god wrote: »
    Big difference between “professional experience” and “direct full-time security work experience”! Not sure how anyone in a security related field ever gets this. If 1/3 of your job is "Access controls" and 2/3 is sysadmin, but you have 10 years at it, you might not ever meet the requirements of “direct full-time security work”. Maybe that is the point!
    You are looking at the requirements too strictly. Marketing-wise, the SSCP is aimed at people who have very little InfoSec work experience and are typically newly (1-3 years) out of college. So the (ISC)2 is not expecting CSO-level experience for the SSCP. Theoretically, an entry-level help desk tech who has spent a year doing nothing but resetting passwords would be endorsable for the SSCP (under the domain of Access Control). So you don't even need the word "Security" in your title to be acceptable--otherwise I wouldn't have passed the audit.
  • SephStorm Member Posts: 1,731
    IMO, I think way too many pass the audit. He may be able to qualify; I personally don't think they should (not the OP personally).

    Out of the CISSPs that I have met over the last year and a half, maybe two had direct security experience, and many of the ones I know attempting the exam haven't had hands-on experience in years. In my mind, CISSP is an HR tool, nothing more. (sorry about the rant, no offense to any CISSPs)
  • JDMurray Admin Posts: 13,031
    SephStorm wrote: »
    In my mind, CISSP is an HR tool, nothing more.
    There's a lot of truth in this opinion. If you think of how certs are used by employers, it's mostly to determine who to bring in for an interview. Certs are also occasionally used for fulfilling contractual obligations (e.g., "You must have at least one CISSP on the project") and marketing purposes (e.g., "All of our technicians are Cisco-certified"). For employees, certs are a vehicle for gaining and demonstrating knowledge.

    This is why certs are important for everyone, and a leg of the education/certification/experience triad.
  • geek4god Member Posts: 187
    JDMurray wrote: »
    You are looking at the requirements too strictly. Marketing-wise, the SSCP is aimed at people who have very little InfoSec work experience and are typically newly (1-3 years) out of college. So the (ISC)2 is not expecting CSO-level experience for the SSCP. Theoretically, an entry-level help desk tech who has spent a year doing nothing but resetting passwords would be endorsable for the SSCP (under the domain of Access Control). So you don't even need the word "Security" in your title to be acceptable--otherwise I wouldn't have passed the audit.

    First, I want to thank everyone for the help and input! This has all been very helpful!

    The SSCP brings up an interesting thought. I had pretty much decided that I was going to skip the SSCP. I did not think I had the year of experience they were looking for, and having an SSCP as an associate and a CISSP as an associate seemed a little redundant. I still think from what I am seeing the CISSP associate is still > the full SSCP from an HR/DoD standpoint. However, SSCP would help prepare for the CISSP. I have an endorser who is a CISSP, and if I could get SSCP with my experience without gaming it I think it might be worth doing.
    As a side note, I have been really enjoying the wireless class I am in and the pen testing we have been doing with it. I have decided to skip the Microsoft admin certs for now and will start working on CCENT tomorrow. Goal being CCENT -> CCNA -> CWNA -> CEH -> then SSCP or CISSP.
  • JDMurray Admin Posts: 13,031
    You might consider the CCNA:Security too.
  • flt0nujr Member Posts: 65
    JD, thanks for listing this. I was at first worried that I wouldn't meet the requirements for SSCP job experience, but reading your recent post I realize that in my current CDN Engineer position, which I've held for 3 years, I have most of the experience they're requesting. I'm so glad I found Techexams.net. This has really opened my eyes to the infosec world.
    B.S Information Technology Telecommunications
    A.S Network Server Administration
    M.S Information Security Management (expected 2014-2015)
  • JDMurray Admin Posts: 13,031
    Hey, glad to have you on board! :D