What is the wisest choice for a series of certifications for pentesting?

Stochastic13 Junior Member Member Posts: 17 ■□□□□□□□□□
I'm interested in pentesting and was wondering what would be the wisest choice of certifications. I see a lot of people have CompTIA A+, Network+, Sec+; if I'm interested only in pentesting, do I need all three or is CompTIA Sec+ sufficient? And after that is done, should I go for the SANS pentesting or something else? And what is the most coveted pentesting cert?

Comments

  • hiddenknight821 The whole Shebang! Member Posts: 1,209 ■■■■■■□□□□
    I'm interested in pentesting and was wondering what would be the wisest choice of certifications. I see a lot of people have CompTIA A+, Network+, Sec+; if I'm interested only in pentesting, do I need all three or is CompTIA Sec+ sufficient? And after that is done, should I go for the SANS pentesting or something else? And what is the most coveted pentesting cert?

    I think you ought to check out this thread. The creator of this thread would loathe you for asking this. You can't just learn how to pen-test by cert books or bootcamp. There isn't even a formal education program that can teach you how to pen-test. You need to become an expert on the networking basics in order to be able to get started on pentesting.
  • xenodamus Senior Member Member Posts: 758
    Yea, you can't really jump into IT and "only do pentesting". That's really an area that you graduate to after becoming a good System/Network Admin and gaining tons of knowledge about both. All 3 of the CompTIA exams you mention are good material for entry level knowledge, though.

    I would pick a more generic path toward Systems or Network Administration, and once you have some higher level experience start looking toward specializing further.
    CISSP | CCNA:R&S/Security | MCSA 2003 | A+ S+ | VCP6-DTM | CCA-V CCP-V
  • Stochastic13 Junior Member Member Posts: 17 ■□□□□□□□□□
    Thanks for the thread, it really puts things in perspective.
  • Bl8ckr0uter Senior Member Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    xenodamus wrote: »
    Yea, you can't really jump into IT and "only do pentesting". That's really an area that you graduate to after becoming a good System/Network Admin and gaining tons of knowledge about both. All 3 of the CompTIA exams you mention are good material for entry level knowledge, though.

    I would pick a more generic path toward Systems or Network Administration, and once you have some higher level experience start looking toward specializing further.

    I am going to be the black sheep here. If you have a ton of knowledge and skill and "aim" your career the correct way, possibly pick up a MS in CS or InfoSec, and catch a few breaks, you *could* become a pentester without going through the helpdesk>admin>security>pentest path*. Many pen testing jobs I have seen only want a few (like 2-3) years of experience.

    *I don't even think this path will be possible for much longer due to outsourcing/offshoring and compartmentalization of skills/people/roles. People on the helpdesk will live and die there and mid-level admins will either die, go to consulting, or play the job hop game until they can break into the big leagues.

    I don't think a CEH, Offensive Security or even a GPEN will "make" you a pentester, but they might be good places to start (after other certs like Security+/SSCP/GSEC and the like). More than anything you need a deep understanding of operating systems, networking, and a decent grasp of a scripting or programming language or two and some creativity. There is a very, very good post by a beast of an infosec pro here that will help guide you:

    http://www.infiltrated.net/pentesting101.html

    Read it. He writes here from time to time.
  • Stochastic13 Junior Member Member Posts: 17 ■□□□□□□□□□
    Thanks, that sounds a whole lot better than the traditional route that starts with help desk. I'm majoring in computer science with specialization in computer security; should I get a MS or a PhD after I get my BS, or should I do the two year sequence that was described in the link that you provided? Also, I was thinking about taking the CompTIA certs, but since I'll be in school for 4 years more and they expire in three, does it make sense to do so?
  • shaqazoolu InfoSec Analyst Member Posts: 259 ■■■■□□□□□□
    I clicked over and saw Sexion's wall of text in the other thread and I am too tired to read it so I will just say this...get your CCNA and buy Laura Chappell's Wireshark Network Analysis book. CCDA probably wouldn't hurt either. Read the Wireshark book cover to cover. By the time you finish this, you should have a pretty good understanding of the different network layers and how communications work. I thought the CCNA was a huge snoozefest and the Wireshark stuff has its ups and downs but you will HAVE to have this knowledge to be a pen tester.

    After that, buy access to the eLearn Security material. By the time you finish the eLearn material, you'll probably have a much better idea of which direction you want to go in and will probably know what to research to figure out what your next steps are on your own. This material is really good.

    This is a really simplistic view of where to head IMO. This is actually probably a good 2 years' worth of work at the very least, so don't take it lightly.