Security certifications and career advice

timidobserver Registered Users Posts: 4
I decided to make a separate thread, because my issue and current skillset are different than most of the threads I’ve read. Basically, I am in the early stages of my career. I’ve been working in an IT Help Desk capacity for a few years now. I’ll be finishing a bachelor’s degree in Computer and Information Systems this semester.

I am aware of the different branches of security, but I don’t really know which one would be most comfortable for me. I am interested in the entire broad area of security, but if I had to narrow it down I’d say I was most interested in secure software development, intrusion analysis, intrusion handling, auditing, malicious code analysis, and forensics. Most of my college training has been based around system design, programming (C++, C#, Java, .NET), and math. I do have digital forensics, intro to security, advanced security, and network security courses under my belt. I’ve been told by my instructor that the knowledge gained from those could easily get me through the Security+ Exam which I am studying for now. I am looking to head in the direction that would be the most comfortable for someone with my background.

So the first question is to inquire which fields of security would be the most fluid for someone with my skillset.

What makes me different is that I am not looking to get too much further into debt after the degree. This means that I am not looking for anything like full blown CCNA, MSCA, or anything that requires multiple courses and moderate financial investments just yet (I will get there in the future, hopefully, once I have an employer or decent income to pay for it). I am aiming at something that could either be self-taught without extreme amounts of difficulty, or isn’t extremely expensive.

What I am looking for in this thread is the bare essentials to obtain an entry level Information Security position. From my job searches on various sites, there are literally thousands of infosec jobs out there, but it seems that qualifications are keeping many of them unfilled. I am looking to build my qualifications just a bit beyond my degree for that reason. I am looking for a cost effective way to add a few nice items to my resume as well as gain some knowledge in order to make myself into a more attractive candidate. I am also looking to compensate for a rather subpar GPA.

Security+ is a given. Anyone have any other cost effective recommendations to make me more appealing for an Entry Level Security career? I’ve considered a CEH cert, CWNA/CWSP, for starters. I am not aware of any secure programming certification, but if one existed I’d consider that as well.

Thanks for making it through my wall of text. I appreciate any responses.

Comments

  • nicklauscombs Member Posts: 885
    picking up the security+ and the ceh would definitely make you a good candidate for an entry level position with the government or depending on your area a job in a SOC. the reality is that most people don't just jump into a security role right off the bat so also look for any sort of NOC/technician/sys admin work to get some more experience.
    WIP: IPS exam
  • docrice Member Posts: 1,706
    The problem with getting into information security in general is that "entry level" for infosec usually means "already have existing IT experience which somehow relates to security." This usually means having worked as a systems / network admin, etc. While your classes have undoubtedly taught you good things, the reality is that many employers do not equate that to real-world experience, but your IT helpdesk experience should be a good start.

    I think your programming background in school would definitely help as part of your security endeavors. Many of us who come more from a networking administration background wish we had that. As a generalization, infosec requires you to be adaptive in a lot of areas, but you should definitely have some Linux skills and networking.

    A CCNA really shouldn't be too much of a stretch for you to obtain if I'm interpreting your current skill set correctly. While taking a class for it helps, I believe one can just buy cheap equipment off eBay and practice along with some books. Cisco, while some may argue that they're not the best networking equipment vendor out there, is still extremely common and having CCNA-level knowledge really helps and can also be applied to other vendors in many ways. The cost of the exam isn't that expensive, especially if you're already considering CEH, etc.

    If you really enjoy coding, maybe you're geared more for a career as a software developer, creating good products, and doing code reviews. I think that's absolutely necessary in today's day and age. The problem with most software shops that I see is that security design and mindset takes a back seat to "time to market" and "get it out the door as cheap as possible and patch later." If you really care about security, you might find that attitude in the corporate world frustrating.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Turgon Banned Posts: 6,308
    I decided to make a separate thread, because my issue and current skillset are different than most of the threads I’ve read. Basically, I am in the early stages of my career. I’ve been working in an IT Help Desk capacity for a few years now. I’ll be finishing a bachelor’s degree in Computer and Information Systems this semester.

    I am aware of the different branches of security, but I don’t really know which one would be most comfortable for me. I am interested in the entire broad area of security, but if I had to narrow it down I’d say I was most interested in secure software development, intrusion analysis, intrusion handling, auditing, malicious code analysis, and forensics. Most of my college training has been based around system design, programming (C++, C#, Java, .NET), and math. I do have digital forensics, intro to security, advanced security, and network security courses under my belt. I’ve been told by my instructor that the knowledge gained from those could easily get me through the Security+ Exam which I am studying for now. I am looking to head in the direction that would be the most comfortable for someone with my background.

    So the first question is to inquire which fields of security would be the most fluid for someone with my skillset.

    What makes me different is that I am not looking to get too much further into debt after the degree. This means that I am not looking for anything like full blown CCNA, MSCA, or anything that requires multiple courses and moderate financial investments just yet (I will get there in the future, hopefully, once I have an employer or decent income to pay for it). I am aiming at something that could either be self-taught without extreme amounts of difficulty, or isn’t extremely expensive.

    What I am looking for in this thread is the bare essentials to obtain an entry level Information Security position. From my job searches on various sites, there are literally thousands of infosec jobs out there, but it seems that qualifications are keeping many of them unfilled. I am looking to build my qualifications just a bit beyond my degree for that reason. I am looking for a cost effective way to add a few nice items to my resume as well as gain some knowledge in order to make myself into a more attractive candidate. I am also looking to compensate for a rather subpar GPA.

    Security+ is a given. Anyone have any other cost effective recommendations to make me more appealing for an Entry Level Security career? I’ve considered a CEH cert, CWNA/CWSP, for starters. I am not aware of any secure programming certification, but if one existed I’d consider that as well.

    Thanks for making it through my wall of text. I appreciate any responses.

    Everyone is hammering Security+ these days so take that. CCNA need not cost you much money. GNS and books will suffice, you do not need expensive classes so make a start. Contact all the IT companies that offer 3rd party security services in your state and try to get on as an intern. You can grow with that company or move to another after a year. Alternatively with the commercial exposure you will get to their clients you could go contracting later as a security consultant or try out for a permanent security job with a company that has a full-time security professional opening. Do learn the fundamentals of programming and packets well.
  • SephStorm Member Posts: 1,731
  • JDMurray Admin Posts: 13,101
    The only way to know what education, certification, and experience is required to get you an entry-level InfoSec job is to look at job postings and see what hiring managers are asking for. After looking at a few dozen postings of the same type of job, you will see an average baseline emerge of what your skill set should be. Start with dice.com and go from there.
  • timidobserver Registered Users Posts: 4
    Thanks everyone for the responses. They contain a lot of good information. The general consensus seems to be that Networking is a requirement to really get into security on the hardware end of things. I suppose I'll take a look at the books out there to see just how hard it would be to obtain a Cisco cert without any classes.
    SephStorm wrote: »
    As for secure programming, EC-Council does have a cert track for it. ECSP:

    https://www.eccouncil.org/certification/ec-council_certified_secure_programmer.aspx

    Hmmm, this is really useful. Thanks a lot. I've looked on that site before, but for some reason I didn't see that cert. There are a lot of things that I'd like to do, but this one is realistically obtainable and actually to my skill set.
    JDMurray wrote: »
    The only way to know what education, certification, and experience is required to get you an entry-level InfoSec job is to look at job postings and see what hiring managers are asking for. After looking at a few dozen postings of the same type of job, you will see an average baseline emerge of what your skill set should be. Start with dice.com and go from there.

    Well, I know that there are a lot of experienced people on this forum, so I am curious about what they can sum up as the average educational/work experience requirements for the average entry level security job that they see. Looking at job postings will only get me so far since most security job postings are vastly different.
  • darkladdie Member Posts: 25
    For the job, SOC Security Analysis, I currently have we basically look for the following:
    - College grad (if you have no experience)
    - Network related certifications (if you have no experience)
    - basic understanding of TCP/IP (biggest deal breaker for my job)
    - written/oral communication skills (you will be surprised at how lacking many candidates are)
    - 4-5 years experience in a Help-Desk, system admin, or network admin role

    Those are just the core requirements before they give a second look at a resume.
    The biggest problem we have in recruiting is the total lack of understanding TCP/IP.
    Most applicants have no knowledge of common TCP/UDP ports, what a three-way handshake or TCP flag is.
  • Turgon Banned Posts: 6,308
    maughc wrote: »
    The biggest problem we have in recruiting is the total lack of understanding TCP/IP.
    Most applicants have no knowledge of common TCP/UDP ports, what a three-way handshake or TCP flag is.

    This is a massive problem in security and networking today. People are not doing the necessary reading or getting schooled properly. Many people cannot either run a snoop on a UNIX box or a tcpdump or follow the output. Same for firewall logs. Same for network debugs at layers 1, 2, 3, 4.
  • veritas_libertas Member Posts: 5,746
    GIAC has some software security certifications:

    Information Security Certification - GIAC
  • onesaint Member Posts: 801
    maughc wrote: »
    The biggest problem we have in recruiting is the total lack of understanding TCP/IP.
    Most applicants have no knowledge of common TCP/UDP ports, what a three-way handshake or TCP flag is.
    Turgon wrote: »
    This is a massive problem in security and networking today. People are not doing the necessary reading or getting schooled properly. Many people cannot either run a snoop on a UNIX box or a tcpdump or follow the output. Same for firewall logs. Same for network debugs at layers 1, 2, 3, 4.

    This is flabbergasting to me. With all the CCNA candidates I see and the basic GSEC (I've heard referred to as the overinflated Sec+) covering all of this, how can an entry level security professional not know about firewall logs, tcpdump, etc.? I can't fathom braindumps going that far. How are these people getting positions? The Security+ seems a bit theoretical and doesn't delve into such details, but really? Is the security candidate pool that bad?

    ETA: timidobserver, you could always apply for the DHS's program for cyber security professionals if you're in the DC area.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • Turgon Banned Posts: 6,308
    onesaint wrote: »
    This is flabbergasting to me. With all the CCNA candidates I see and the basic GSEC (I've heard referred to as the overinflated Sec+) covering all of this, how can an entry level security professional not know about firewall logs, tcpdump, etc.? I can't fathom braindumps going that far. How are these people getting positions? The Security+ seems a bit theoretical and doesn't delve into such details, but really? Is the security candidate pool that bad?

    ETA: timidobserver, you could always apply for the DHS's program for cyber security professionals if you're in the DC area.

    Going by the difficulty we have had lately recruiting good enough people I would say it's pretty bad. No shortage of qualified people out there to look at but at the protocol layer many are clueless. A CCIE failed our technical interview recently on fundamentals. Partly this isn't the candidate's fault. The general Cisco certification tracks are poor on TCP/UDP training, a real problem when firewalls, proxies, SSL accelerators, VPN concentrators and load balancers come into play, just to name a few things. Add to that problems interpreting a syslog report and we see a lot of engineers capable of joining things up but lacking insight on how they actually work. I think canned configs are another reason why this is the case and the general trend to separate out operations and design using standard templates. Back in the day you had a lot of people who were schooled because it was a lot of work to get something relatively simple working and you were responsible for procure, design, build and support. This encouraged more hands on, trial and error and importantly patient observation skills and reading. The search engines didn't throw back a lot of helpful config, so you were often using the internet not to grab a config but to workgroup online with people who had similar headaches and the insights gained by hours of painstaking work were shared. And this was only possible if you had put in enough of your own work to keep up with and understand the technical conversations. If you look at the quality of some of the detailed postings on groupstudy from 1999 to about 2002 you will see what I mean. This has changed and not for the better.

    To some degree a lot of engineers are deskilled today due to lack of access and the push to automate and standardise. A lot of the good University professors who were old school at the frame and packet level have also retired. I recall it took us months to get through the OSI model with our lecturer standing up and explaining just TCP sockets and handshaking. Prior to that we were way deep in CSMA/CD. Some years after that layer 3 became all the rage at the expense of layer 2/4 theory.

    Anyone working a complex service provider environment that needs an MPLS layer 3 upgrade (there are many of them) will have plenty of layer 2 loop avoidance issues they are struggling with and need to design out. You need people who know what they are doing across protocols to accomplish that and that doesn't mean someone who has just passed a few exams with MPLS covered. You really need to understand protocol state machines properly, i.e. how it really works and what problem it is designed to solve and then take that into configuration options. Too much learning today is locked into learning configs without understanding. I looked at the CCIP Bosons recently and was left cold by the overload of acronym testing as opposed to mechanics and configuration examples. A case study of the problem in terms of the shift from 'detail to deployment' is the All in One CCIE guide by Roosevelt Giles, a book which I don't think has ever been bettered at least in terms of its ambition on the breadth of detail on protocols. The book was slated on Amazon, was poorly written, had many errors and was badly received by students, but that was probably the last attempt by anyone to really work at the frame level other than Clark and Stallings. Putting the deficiencies of the Giles book to one side, there were many, the point was well made on myself based on what I witnessed in the field from 2000 onwards, i.e. people just wanted to get qualified and start plugging things together. There was a minimalist approach to learning, 'just what I need to know'. Understandable given the IT dash in 1999!
  • timidobserver Registered Users Posts: 4
    maughc wrote: »
    For the job, SOC Security Analysis, I currently have we basically look for the following:
    - College grad (if you have no experience)
    - Network related certifications (if you have no experience)
    - basic understanding of TCP/IP (biggest deal breaker for my job)
    - written/oral communication skills (you will be surprised at how lacking many candidates are)
    - 4-5 years experience in a Help-Desk, system admin, or network admin role

    Those are just the core requirements before they give a second look at a resume.
    The biggest problem we have in recruiting is the total lack of understanding TCP/IP.
    Most applicants have no knowledge of common TCP/UDP ports, what a three-way handshake or TCP flag is.

    Thanks, this is a good response and exactly the kind of thing I am looking for. I have a base understanding of TCP/IP thanks to a Data Communication and Networking course I was required to take, but I will brush up on it as I move forward. I can do everything you have listed above except for the 4-5 years of Help-Desk or System Admin experience. One of my co-workers is the most unpleasant person on the planet and the pay simply isn't enough to get me through tolerating him for 5 years. I've set myself a limit of 1 year on this job, but I am aiming to move on within 6 months.

    I've been doing some research based on the posts here. I probably cannot self-study for CCNA, so that is getting put on the backburner for now. However, I am pretty sure that I can self-study myself for a CCDA since it apparently doesn't require any actual equipment. I am a good learner, but I am not in any position to acquire equipment (although, I suppose that VMs might do the trick).

    From prior knowledge and education, it probably won't be too hard for me to obtain A+, Network+, or Security+ certifications. I suppose I will also look into Linux+, but that will likely take longer than the others since I don't have a great deal of Linux experience. Once I have 2-4 of those certs I will get back in the job hunt.

    In the meantime, I will be brushing up on C# .NET just in case any Junior Dev jobs show up in my area. I was looking to get away from coding, but I am wondering if it wouldn't save me a lot of time to just self-study a Microsoft Developer Cert since I've been coding in various languages for years now. I could get an MCTS in one exam that I am likely already 50-70% prepared for.
  • nicklauscombs Member Posts: 885
    However, I am pretty sure that I can self-study myself for a CCDA since it apparently doesn't require any actual equipment. I am a good learner, but I am not in any position to acquire equipment (although, I suppose that VMs might do the trick).

    don't let me discourage you (i'm assuming here you don't have the cisco hands on work experience and maybe i misread/misunderstood your initial post.....) but there is some expectation to have at least CCNP level switching knowledge for the CCDA exam and CCNA level knowledge.
    cisco.com wrote:
    There are no prerequisite certifications for CCDA, however knowledge at the CCNA level and the CCNP level for switching is recommended to pass the CCDA exam.

    that exam isn't exactly a walk in the park and i would hate to see you get frustrated as a lot of people find the material rather dry. with that said......

    I would highly encourage you to shoot for the CCNA instead as it will be much more applicable to any job you would be applying for and show employers you have the hands on skills. you can make a very minimal investment in gear (couple hundred bucks at most) and be able to practice all the hands on commands necessary.
    WIP: IPS exam
  • azjag Member Posts: 579
    I suppose I'll take a look at the books out there to see just how hard it would be to obtain a Cisco cert without any classes.

    While I am certain this can be done provided you have the hardware to work on, some really good sims or previous experience. Otherwise I would really consider taking a class since they include hands on training with physical equipment. At least the classes I took did. Otherwise you run the risk of wasting money on exams you are not prepared for.

    Just my $.02
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)
  • azjag Member Posts: 579
    I am not aware of any secure programming certification, but if one existed I’d consider that as well.

    Here is another one. https://www.isc2.org/csslp/default.aspx

    Sorry for the double posting.
    Currently Studying:
    VMware Certified Advanced Professional 5 – Data Center Administration (VCAP5-DCA) (Passed)
    VMware Certified Advanced Professional 5 – Data Center Design (VCAP5-DCD)