GPEN & GWAPT & GAWN or Bachelor degree?

YuckTheFankees

I was speaking with my parents and they gave me an option..pay for me to finish my bachelors or..pay for 3 SANS certs.

#1) I just started my NOC/ linux support position..so by the end of next year I would have 15 months experience and maybe 3 SANS certs..

or
#2) I could finish my bachelors

What would you guys do?

Could I get some type of info sec/ jr pentest gig with option 1?

the_Grinch

Go for the degree. Once you have that BS it doesn't expire and a lot of companies want to see you have a four year degree. College will give you a great foundation in theory that you can then apply to your certification studies. Since you're working, you can always save up and get the certs. Avoid the student loans and all the fun that comes with them!

idr0p

Yes finish your B.S. that should get you a chance at a Jr. Pen testing gig. May i ask what the degree is in and how many classes you have left.

Usually the only way you can get away without having a B.S. in IT/IS is if you have 5-10 years exp. Even with certifications.

YuckTheFankees

hey idr0p, I didnt know you were on this forum too. Im probably around 80 credits away..but if I went to WGU I could probably finish by next December. But..I really want to take those SANS courses..blahh

idr0p

Hmm... Maybe your WGU advisor can help you with figuring if you can replace the left courses with some SANs stuff.

UnixGuy

Definitely the degree

Joshsevo

I say dropout of school and don't do the certs either. I know a good bridged that has some free cardboard boxes left and you and I can live under them rent free.

Bl8ckr0uter

Do you have any college credit? Will you be starting a 4 year program as a freshman? What school? If they are saying that they will pay for the training with the SANS exam, how about doing 1 test and then doing a session a WGU. You'll probably gain better INFOSEC knowledge doing the sans training and they could directly benefit your job search now. If you are 2-4 years away from getting school done, I suggest doing the SANS exams.

I think you may be able to get that type of job with option one.

YuckTheFankees

bl8ckr0uter,

If I went to WGU, I could probably do it in a year. But it would take me around 2 years if I went to a state unviersity.

Tackle

Lucky...wish my parents would have chipped in for some of lifes expenses.

I'd go with degree. It will benefit you for the rest of your life.

Bl8ckr0uter

YuckTheFankees wrote: »

bl8ckr0uter,

If I went to WGU, I could probably do it in a year. But it would take me around 2 years if I went to a state unviersity.

Where do you on going?

YuckTheFankees

For my bachelors WGU and then a State university for my masters. But if I received all 3 SANS certs and had I'm a junior or Senior on my resume, would that help out at all?..for the company to know I'm in school..?

idr0p

You know SANs has a masters degree you can get your masters while completing SANs certs.
MSISE: Master of Science Degree in Information Security Engineering

the_Grinch

SANS is currently not fully accredited by the Department of Education. They have been pre-accredited, but that does not mean they will ultimately be accredited. You can spend the $34000 and go somewhere that already is accredited....

YuckTheFankees

Yeah I spoke with the director of the program last week and she informed that most likely they will be accredited late 2013/ early 2014. But I would prefer a state university for my master's. I think at one point the SANS master will be regarded highly but it will take time.

Bl8ckr0uter

YuckTheFankees wrote: »

For my bachelors WGU and then a State university for my masters. But if I received all 3 SANS certs and had I'm a junior or Senior on my resume, would that help out at all?..for the company to know I'm in school..?

I would mix and match and maybe get one SANS exam and get school done. I still standby what I said. WGU will NOT prepare you for a pen testing job directly.

Just taking a look at a few pen test jobs:
http://www.indeed.com/jobs?q=pen+tester&l=

I looked at the first four jobs. 2 said degrees a plus and 2 didn't mention a degree (just skills, experience and certs).

UnixGuy

YuckTheFankees wrote: »

Yeah I spoke with the director of the program last week and she informed that most likely they will be accredited late 2013/ early 2014. But I would prefer a state university for my master's. I think at one point the SANS master will be regarded highly but it will take time.

I would go for a state university for masters too if I can. Go for the best B&M university you can afford for MSc

docrice

My first instinct is to say go for the degree, but I also like the idea of doing a little of each as well. From a potential employer's perspective who is looking to hire pentest engineers, I'd almost like to lean on seeing the GIAC certs which shows motivation. A degree on the other hand holds perception of maturity. My impression though is that security foundations such as previous work doing systems and network engineering and blue team work would be more valued in the hiring since I've heard from a number of customers of perimeter assessment engagements that services were rendered from consultants who lacked grasp of the basics.

YuckTheFankees

docrice wrote: »

My impression though is that security foundations such as previous work doing systems and network engineering and blue team work would be more valued in the hiring since I've heard from a number of customers of perimeter assessment engagements that services were rendered from consultants who lacked grasp of the basics.

Who was lacking the basics? individuals with GIAC certs?

SephStorm

the_Grinch wrote: »

SANS is currently not fully accredited by the Department of Education. They have been pre-accredited, but that does not mean they will ultimately be accredited. You can spend the $34000 and go somewhere that already is accredited....

IDT many people care about the accreditation of your Master's, its a Master's. my biggest thing, IMO, degrees are only going to loose value over the next hundred years (i.e your lifetime.) That doesnt mean they aren't worth pursuing, but GSE would speak volumes on a resume, especially with the Gold's on there. Give yourself a few years at the NOC, and work with the Security guys as much as possible, I would say.

Bl8ckr0uter

Probably those people who just went and got a degree or did certs without learning the core skills needed. Like I said, most degrees won't teach you what you need to know to be a pentester. At best, you will learn concepts that you can build upon (like programming or operating systems) at worst you will be wasting your time.

SephStorm wrote: »

IDT That doesnt mean they aren't worth pursuing, but GSE would speak volumes on a resume, especially with the Gold's on there. Give yourself a few years at the NOC, and work with the Security guys as much as possible, I would say.

GSE would be dope BUT you will probably be spending at least some time telling people what it is. It doesn't have the name recognition as some other "expert" level certs. All this talk abou SANS really makes me want to try to get my job to send me to pay for the GCFW course.

YuckTheFankees

Bl8ckr0uter,

I know a degree doesnt prepare me for a pentesting career thats why I'm debating doing the SANS certs ..then finish my degree. After I finish CWNA, I might move onto wireshark cert, CWSP, CEH, or OSWP.

UnixGuy

YuckTheFankees wrote: »

Bl8ckr0uter,

I know a degree doesnt prepare me for a pentesting career thats why I'm debating doing the SANS certs ..then finish my degree. After I finish CWNA, I might move onto wireshark cert, CWSP, CEH, or OSWP.

A general degree in Computer Science/Engineering doesn't prepare you to become a Pentester, but nowadays there are many Master degrees that focus on InfoSec, with plenty of pentesting courses. You can go for the MSc directly without the Bachelors. If I were you, I'd get a Bachelors from the most prestigious university I can afford, and get certifications meanwhile. General IT/Networking/Systems experience and knowledge is required to become a successful Pentester. A fair knowledge of programming is also needed. All respectful universities have programming and networking courses in the curriculum that gives you a solid foundation.

YuckTheFankees

UnixGuy wrote: »

You can go for the MSc directly without the Bachelors.

You can? How?

Bl8ckr0uter

YuckTheFankees wrote: »

You can? How?

I am curious about this as well. I know many programs let you go from BS to PhD with no MS but I have never heard of AAS to MS.

UnixGuy

YuckTheFankees wrote: »

You can? How?

Yes you definitely can. You need to search individual universities for this. Some universities will accept your MSc admission request if you have some years of experience. Some don't have such requirement. But I think It's a better idea to get a general bachelors in Computer Science/Engineer. It will give you a good background on many topics, then you can take MSc later.

YuckTheFankees

I couldnt find any, could you list one?

rogue2shadow

Bl8ckr0uter wrote: »

I am curious about this as well. I know many programs let you go from BS to PhD with no MS but I have never heard of AAS to MS.

Me either.

idr0p

Honestly,

If you really want to be a pen tester, i am sorry to say but there is no shortcut to this route. There is pretty much no way you are going to get a pen tester job without a degree, unless you are recognized in this field when you apply 1) you will be ignored 2) you will be asked to prove yourself. Now, You may think that the SANs Courses will give you "all that you need" to do well in the industry. I am sad to say you are wrong, SANs is a great certification board and lays great methodologies and ground work for pen-testing (I know, I hold 4 of them, I actually just passed my GWAPT today ). However to be in the very competitive profession of a pen test (everyone wants to be the bad guy), you need more then just the methodologies.

1) You need basic business knowledge (project management, communication..etc) - Most people get this from college
2) You high level of computer and networking knowledge - College, Work exp. or Certs (CCNA and such) I see you have this
3) A High Level of Computer Security knowledge - Sometimes College but mostly Work exp and Certs (GSEC, CEH, CISSP)
4) Programming, Scripting and Web development proficiency - Sometimes College or Work/Personal exp.
5) Pentesting Methodologies - Work/Personal exp or Certs (GPEN, GWAPT, OSCP, LPT..etc)
6) Real Life exp - Work/Personal exp or Wargames Like stuff (Netwars and PWB)

Basically what i am saying is to be a good pen testers which I assume you thrive to be and not just become a vulnerability assessor, you really need to master every aspect or security then learn how to translate it to business, Pen testing is 90% Homework (network mapping, code review and report writing) and 10% exploitation., This is why alot of pentesting companies look for people with Degrees, certifications and 3+ years of exp. They need to have it all.

So like i said i would get your degree out of the way, that will most likely close the door on your at most companies. then work on the certs as i see you have a job that can rack you up some exp. Also i am pretty sure most engaged employers would question why you have a MSc and no a B.S. because it chalks up in their eyes to (2 yrs for AAS + 2 yrs MS) = 4 years edu as opposed to (4 yrs AAS/B.S. + 2yrs MS) = 6 years of structured education.

YuckTheFankees

thanks idr0p,

does your company pay for your SANS training?

idr0p

yup and I get a bonus