Degree Program(InfoSec/PenTesting) - Advice Please

Santa_ Member Posts: 131
Refer to my original thread: http://www.techexams.net/forums/jobs-degrees/76592-advice-needed-degree-choice.html

So I have pretty much decided that the best option, the one I would like to get my feet drenched in, is information security. Now, as discussed, I will be going back to school at a local community college.

Major: Computer & Information Sciences: Computer Science Transfer Option (designed to transfer to a four year program in CS)


- Database Management
- Information Security
- Web Design I
- Computer Science I
- C Programming
- C++ Programing
- Computer Science II
- English Comp I
- English Comp II
- Calc I
- Calc II
- Humanities/Social Science Electives

Now I noticed that my C.C. also offers a Computer Forensics Basic Certificate; would this be something I should look into? It would only require 4 more classes (1 semester), or would it not serve any purpose in the InfoSec field?

- Information Security (Same as above)
- Computer Forensics (Course needed)
- Modern Policing (Course needed)
- Criminal Law (Course needed)
- Intro to Info Tech (I have completed this class)
- English Comp (Same as above)
- 1 Criminal Justice Elective (Course needed)

^ Then I would have the certificate in Computer Forensics.

Now, by doing research here and there over the interwebz, I found out which path I would need to take.

CompTIA
  • Security+
  • CASP
Cisco Systems
  • CCNA Security
  • CCSP
  • CCIE Security
EC-Council
  • ENSA
  • CEH
  • CHFI
  • ECSA
  • LPT
  • CNDA
  • ECIH
  • ECSS
  • ECVP
  • EDRP
  • ECSP
  • ECSO
ISACA
  • CISA
  • CISM
  • CGEIT
  • CRISC
(ISC)²
  • SSCP
  • CAP
  • CSSLP
  • CISSP
  • ISSAP
  • ISSEP
  • ISSMP
Offensive Security
  • OSCP
  • OSCE
  • OSWP
Now obviously there might be a few that won't be needed, but I thought I would list everything. Listed in order, starting with the CompTIA Security+ and then working my way down.


Originally I thought network/sys admin would be the best fit for me, but after more searching and some soul-searching I think InfoSec/pentesting is the field I'd like to get myself into. Can anyone on these forums who has prior experience or is currently in the field chime in? I'd greatly appreciate your words of wisdom.

I've checked out the Ethical Hackers website; I haven't searched around much as of yet, but will in the upcoming days.


My main goal would be attaining my degree (BA/BS CS), of course, but also, in my spare time, studying for certifications focusing on my area of interest.

I'm currently waiting for an interview from a potential employer who is IT focused: Plumchoice. They are offering me a position working on their security systems, but it's not what you may think it is. I would be doing help support for their security webcams (troubleshooting, configuring, etc.) for existing and newly acquired customers. I believe in the phone interview he mentioned I would be using Citrix, and this would be done remotely from home. Full-time, decent base pay ($13.50), benefits, etc.


Would this be a good path to take on top of the career choice/certification path?

Comments

  • tr1x Member Posts: 213
    Looks like a pretty good plan. I want to get into the field myself, and I've found that the most valuable thing is experience, so make that your top priority. Other than that, the cert list is completely unrealistic; you'll probably want to narrow it down to 10% of that, but I wouldn't worry about them until later anyway. Don't worry so much about the paper, just get experience right now.

    Also, that certificate might be a good way for you to pick up a little experience (like if you really know nothing about basic hacking methods and tools); otherwise you're better off putting that time into your degree so you can get that out of the way. That's my 2 cents.
  • Santa_ Member Posts: 131
    Well, I plan on getting my AA at my community college, but based on the fact that I only require 4 classes to acquire the computer forensics certificate, I thought it would be nice to attain and attach to my skill set.

    As for the certs, I'm aware they're unrealistic at the moment, but that does not mean it isn't possible. It's just a general outline that I could always take, but baby steps are required first.
  • ptilsen Member Posts: 2,835
    Take a step back on the certifications. You can't do everything. You shouldn't even do half of everything. Few roles, even generalist roles, will have you so involved in every aspect of security that you would want to look at all that. CCIE Security, OSCP, and CISA serve very different roles. You'll need to take a step back and figure out where you want to specialize. Or, you will want to figure that out sometime into your career. So look at it from a near-future and a generalist perspective.

    Get:
    Security+
    SSCP or GSEC
    A specialist cert (e.g. C|EH, GISP, G2700, GCFE, CCNA Security)
    CISSP
    A specialist cert (e.g. GCFW, GSLC, ISSAP, OSCP, CCSP)
    More specialists certs as needed/desired

    With that in mind, you didn't mention arguably the 2nd most important infosec cert vendor, which is GIAC.

    Another tip is that with everything I've read from real infosec professionals on this board and elsewhere, C|EH and EC-Council in general are bad news. The cert is a horrible collection of tools, syntax memorization, and other nonsense. The company has some extremely shady practices. Some full-time pentesters like C|EH because it helps validate their skills with those tools, but even then, OSCP and GPEN seem like "better" certs (granted, any GIAC cert is absurdly expensive, even to challenge without taking the SANS course). CASP also really has no place. It's not as "advanced" as CISSP (if a bit more technical) and not as valued as SSCP. It really has no place in the market.

    The whole Cisco line is really for Cisco specialists. If you want to do network security specifically, they're the way to go. If you will do network pentesting or network security part-time, they might be worth pursuing, but probably not as your main focus.

    As far as school goes, I don't know if I would bother with the forensics certificate. I'm not saying it doesn't have value, but I think even a semester's worth of credits and your time could be better spent elsewhere. A Master's degree is something that should be considered. There are several good, reputable information assurance MS degrees available online from public, non-profit, regionally accredited schools. That would be a better use of that semester. On the other hand, if you can get that certificate's credits to count towards something else, it's useful; I just wouldn't spend a full semester on just that.

    Ultimately, the best thing you can do for yourself is gain real experience. That is more valuable than the certifications and the degree. A big part of the reason CISSP is so valuable in the marketplace is that you have to have at least four years of verifiable infosec experience. For many, maybe most, infosec positions, CISSP + experience is really all you need to qualify. Don't get me wrong, the ridiculous volume of other infosec certs are, for the most part, valued in the marketplace, but CISSP is ultimately what most employers are looking for.

    For your undergrad, CompSci is for sure the way to go. Having acquired an "infrastructure" degree, I can tell you that there is good reason CompSci and EE degrees are generally more highly regarded in the marketplace (though not by that much; almost any four-year degree has good value). With security in particular, especially technical security, the foundation provided by a CS degree is absolutely the best thing for you.

    For the record, all of this is coming from someone who is not a full-time infosec professional. My jobs over the last five years have involved security in some fashion or another, but not as my primary responsibility. I am very interested in the subject, and I'm strongly considering a career shift into a security specialization. I, too, have opted to finish a four-year Computer Science degree. I've been looking on TE and the web a lot to try to make informed choices on the subject, and that's where a lot of these opinions are coming from. The certification path I listed is roughly what I'll be doing, although I'm still deeply entrenched in infrastructure and am focused on Microsoft stuff at the moment (not that that hurts me for a security position).

    Anyway, I'll end this post with a recent thread I started on this subject. Docrice has a long, but worthwhile read:
    http://www.techexams.net/forums/jobs-degrees/77043-getting-your-foot-security-door.html
  • bigdogz Member Posts: 881
    Remember that you also have to pay AMFs and apply CPEs/CEs to those certs. In the long run you may pay a great deal of time and money to maintain those credentials.
    I would recommend the following certs. You must take the exams to recertify for the Cisco certs.
    Once you specialize you can add as you wish.


    CompTIA
    • Security+
    • Network + (needed for DoD 8570)
    • CASP
    Cisco Systems
    • CCNA Security
    EC-Council
    • CEH
    • CHFI
    • ECSA
    • LPT
    • CNDA (CEH for government contract or employee)
    ISACA
    • CISA
    • CISM
    (ISC)²
    • SSCP
    • CISSP
    Offensive Security
    • OSCP
  • Santa_ Member Posts: 131
    Sorry, I'm unfamiliar with the abbreviations AMF and CPE/CE. If you can enlighten me on those, please and thank you.

    And thanks for mentioning about the GIAC, I thought I had listed it, but while editing the OP through my phone it must have removed the GIAC portion. -.-

    Good to know about the EC-Council and C|EH reputation. I'll look more into that.

    As of right now I have signed up for my A+ 702. Once that's out of the way I'll start studying for my Security+/Network+ (I'd still like to attain it).
  • reppgoa Member Posts: 151
    You need to relax and focus on one thing at a time. You will completely overwhelm yourself if you aren't careful. I know it's fun to think about having all of those certs, but I don't think you understand the time commitment it's going to take to fully absorb that knowledge. Sure, you could potentially pass them all in a short time, but take that same cert exam a month later, and I bet you fail it miserably. Brain dumping is useless.
  • alxx Member Posts: 755
    Don't rule out EE/software engineering.
    Doing an embedded systems subject/course can be useful.

    There are increasing amounts of work on device and systems security, especially on industrial systems and utility systems. SCADA systems and PLCs are the current big vulnerability.

    Knowing how to program, and a few languages well, can help with tracing security bugs/holes in software/systems. Python with Scapy and other packages can be rather handy (packet injection, etc.).
    Make sure to learn how to debug properly in all the languages you learn.

    Focus on the degree and the skills you will learn and do the certs yourself.

    Do a few certs from different areas and find which you like best, then focus on that.
    e.g. Linux+, Security+, CCNA
    Having too many certificates can be a disadvantage, especially if you don't have experience to go with them.

    You need to know operating systems and how to configure them properly for security, and not just PC operating systems.

    INE has their CCNA and CCNA Voice available for free (streaming) at the moment.
    CCNA Associate Course - 640-802

    Get your degree, do the first few certs in the breaks or spare time, and go from there.
  • ChooseLife Member Posts: 941
    Santa_ wrote: »
    I'm unfamiliar with the abbreviations, AMF, CPE/CE. If you can enlighten me on those please and thank you.
    AMF - annual maintenance fee - a recurring charge required by some certs
    CPE/CE - continuing (professional) education (units/credits) - additional recognized activity required by some certs (usually includes taking classes, writing papers, attending conferences, taking more certs, etc.)
  • dt3k Member Posts: 64
    No offense, but you are living in a dream world.
  • reppgoa Member Posts: 151
    dt3k wrote: »
    No offense, but you are living in a dream world.

    Finally, someone with some sense...
  • itsgonnahappen Member Posts: 95
    I'll second what the first poster said: your certification list is completely unrealistic, and this includes it being financially unrealistic. Do you realize the cost of those exams?

    As far as the job, I would certainly accept the security cam position, as this will certainly account for something.

    Also, the forensics certificate will be good to get exposure to some of the tools and terminology, but may not hold much value to an employer.
  • jasong318 Member Posts: 102
    I would forgo the forensics cert unless that is something that just really, really interests you. Concentrate on finishing the degree first.

    As for the other certifications, CISSP, OSCP, and Security+ would probably benefit you the most. The EC-Council certs are good to have just to satisfy DoD 8570, but the Security+ and CISSP would also do that and carry a little more weight.

    The OSCP will give you good, hands-on experience and demonstrate to potential employers that this is a field that you are truly dedicated and interested in. Same thing for the CCIE, but as others have mentioned, it is a huge time and monetary investment. I'm getting mine as I work for a Cisco partner, so I have a lot of the equipment for the lab mockup. Otherwise you're looking at $350 for the written, $1500 for the lab attempt plus the cost of books, equipment, materials, etc.

    I also work full-time as a network security engineer, which involves pentesting and vulnerability assessments. While it's fun and rewarding, it's not super-sexy hacking all the time. The majority of my time is spent in meetings and writing reports. Lots and lots of reports...

    Also, you're never done learning. You are going to constantly have to renew your skill set to keep up with the field. Which, hey, means never a (too) dull day, though!
  • Santa_ Member Posts: 131
    Thank you for all of your input. I will put the feedback provided into good use.

    I signed up for the 220-702 in the upcoming 2 weeks. Once that is knocked out, I'll do Network+ and then Security+, then CCNA and go from there.

    Cheers!