Certs for Security Professional

JasonP03 · April 2013

I'm getting into the security industry, currently perusing a degree in networking/security and wondering what certifications should I have? Should all my certifications be centered around security or should I also demonstrate competency in Windows, Linux etc. If so, what certs would you recommend?

I currently have A+ and I'm going for CCNA (and possibly CCNA Security) in a few months.

Thanks.

SecurityThroughObscurity · April 2013

CCIE Security would be enough.

YuckTheFankees · April 2013

@SecurityThroughObscurity,

I have read the last few of your comments and just like this one, they are not helpful..please only post if you are actually being helpful. Telling a new person to get the CCIE: Security is just not smart.

@JasonP03,

First decide what you want to do in security? (malware analyst, security analyst, pentester, computer forensic, researcher, etc) After you figure that out, I can give a more useful answer.

chrisone · April 2013

Yuckthefankees I dont think he is there yet. At least you steered him into the right direction and now he knows there are more tracks and security spans more than just cisco certs.

@securityobsecurity - CCIE Sec is not enough and just encompasses cisco technologies. A good security engineer should have their networking equipment brand security certs/experience, penetration testing certs/experience, threat management and policy procedures experience, oh and did I mention experience? :P

SecurityThroughObscurity · April 2013

YuckTheFankees wrote: »

@SecurityThroughObscurity,

I have read the last few of your comments and just like this one, they are not helpful..please only post if you are actually being helpful. Telling a new person to get the CCIE: Security is just not smart.

@JasonP03,

First decide what you want to do in security? (malware analyst, security analyst, pentester, computer forensic, researcher, etc) After you figure that out, I can give a more useful answer.

He wrote about his skills and preference (network+security). I wrote the best path.
Malware analyst/computer forensic/etc - more low-level programming, almost no networking.
Information security - CISA, CISSP, etc - more "papers", less networking.
Network Security/etc - Cisco and Juniper - pure security networking.

Master Of Puppets · April 2013

Security is one of the hardest things. You have to have the certs because they will get you the interviews but not the job as with other professions.IMHO, to be a good security engineer you need to know networking, programming, operating systems etc., regardless of whether you're a pen tester or analyst. Maybe not get all the certs but study the material.

paul78 · April 2013

Hello Jason - welcome to the forums. You may want to check the sticky threads in Security Certification section of TE here - Security Certifications Forums You will see several discussions about various certifications and paths.

One thing that I would echo - is that IT security like other aspects of IT is very broad.

As to your question about which certifications - you "should have" - there is no such thing. As far of certifications go - the only common certification that most people in IT security hold is the CISSP. But that's a certification that you would not sit for until you have at least 5 years of actual security experience.

We had a discussion recently about security certifications and the general consensus among a few folks who are in IT security is that security certifications don't really mean a heck of a lot. They are very common in IT security, but for the most part, there are probably just as many very competent and successful people with no certifications. For me, I probably know more people without any certifications in IT than I know people with them.

If you question to more about which certifications you may want - perhaps look at some of the more broad level certifications - I would not necessarily think that a narrow certification like CCNA:Security would be worthwhile at this point in your career. The one certification that I think maybe something you want to explore is ISC2's SSCP - https://www.isc2.org/sscp/default.aspx

Good luck on your journey as you start your career.

JasonP03 · April 2013

Thanks for the comments everyone. SecurityThroughObscurity, I am in a "Networking & IT Security" program but as I move forward in the program I will be moving further towards security than pure networking.

I'm more interested in systems/application security and low level offensive/defensive security. I'd like to do code auditing, exploit development etc. What discipline within infosec would you suggest specifically with this in mind?

Paul78, Thanks for the advice. I've been looking into SSCP actually, and it's probably where I'll go until I have the experience for CISSP.

Thanks for your time guys.

N2IT · April 2013

CCNA - CCNA Security sounds like an excellent start.

docrice · April 2013

I'll try to be brief, but as I work in network security and deal with this every day (and I do mean every day at this point), I might start rambling again.

"Network security" is a very broad area. You could be talking about firewalls, IDS systems, router hardening, etc., but you could also be referring to software applications which are network-oriented and if they're web-based apps, you get into web application firewalls, web server configuration, and so on. Then you have network-based infrastructure services (Active Directory, DNS, etc.) which fit into this bucket. Then you have wireless. Then you have vulnerability assessment and penetration testing. It goes on and on.

Unless you're going only for a very select niche of the above (which is nice if you want to be a specialist, but with the danger of being left behind when the technology changes and becomes less relevant), everything comes together at some point - clients, servers, applications, data, policy, software lifecycle, hardware, network devices, etc..

A CCNA and CCNA Security isn't a bad start, but the related Cisco training teaches you how to work with Cisco technologies. Not bad, but certainly not enough if you want a good overview of how things work. You can't really be effective at network forensics investigations or incident response if all you know is putting Cisco networks together and troubleshooting them. As far as I can see on the Cisco track, you won't learn the attack tools and techniques which justify why the security features are what they are. It's a one-sided view. The CCNA Security will cover some of the ideas, but certainly won't get into the details.

While knowing the tools and how to use them are important, many aspects of infosec are still based on manual review of data and analyzing things. If you want to learn how to configure Cisco security devices like the ASA, set up router ACLs, harden switches, set up tunnels, etc., doing the Cisco security track is fine. But at the end of the day, while you're technically involved in network security, you'd have a relatively limited understanding of the nature of it all. Cisco is primarily a general networking company, not a security specialist. You can either be an appliance monkey, or you can go further and learn the ins and outs of defense, offense, and everything else in between.

As a network security engineer, I spend a lot of time doing exactly the above with ACLs, device configuration review, and setting up tunnels. The Cisco training I've had thus far has greatly helped as the concepts apply to just about any vendor. However, I have to understand the limits of these technologies and learn beyond them or else risk being just another button-pusher. Knowing how attackers evade the defenses, doing traffic baselining and analysis, carving out relevant bits in the data stream during an investigation, etc. is something that is not an optional requirement in the environment that I work in. In addition, I also need to piece together relevant context which includes knowing at least the basics of operating systems, applications, data, user behavior, and so on.

I think it's healthy to have a combination of vendor-specific and generalized security training. I say this because I've interviewed too many people who think they know security because they can configure an appliance. People like that will have no place on my team because they don't understand how the attackers work and the methods in which they break in and pivot around the inside zones. You can't effectively defend unless you have a solid understanding of what's real today and be able to keep up with new developments.

I'll mirror paul78's comments about the recognition of security certifications. They're nice to show you have motivation, but they're not qualifiers for a job. The dynamics of the work involved entails too many moving parts and constant changes in the threat landscape. This is why experience and the accumulated wisdom along the way is key to surviving the workload. The training and (perhaps optional) certs will get you pointed in the right direction, but without the attitude and aptitude you'll fall behind.

There's a shortage of good infosec professionals in the industry today, but in many cases new graduates or those without a sufficient baseline understanding / experience still won't get in. The risk of introducing someone with less-than-desirable competency into the operations room is high since exposing sensitive data and allowing configuration changes without a solid understanding of the subject areas is asking for damage to the organization's reputation as well as potential legal ramifications to existing third-party contracts and whatnot. And learning to walk the fine line of "secure" and "convenient availability" and "secure enough" is a never-ending juggling act.

I don't mean to be blunt, but in my corner of the world infosec is a fast-evolving, constantly-engaged activity and burnout is only a few steps away. Not many people understand this until they actually get into the game and face the shower of digital warheads always flying towards them.

...

I see that I exceeded the average word-count again, so I'll just stop now. Hope this helps puts things into perspective a bit.

JasonP03 · April 2013

I appreciate all the responses.

I'm mostly interested in application security, and I can exploit vulnerabilities such as buffer overflows, format strings vulns etc. while evading common defense mechanisms like ASLR and non-executable stacks. My web-based skills set is also decent, I've setup labs and exploited many many web-based applications with a wide variety of vulnerabilities. With that said, I'm passionate about security, and I think I'll be fine with "keeping up".

With my interests, would you suggest pen-testing?

I plan on getting the CCNA and CCNA Security because studying for it would help me become more well-rounded (which I think you need to be in security) but ultimately (thanks to your responses) I will probably go with SSCP to help give me a boost when I go for an interview after University.

JDMurray · April 2013

It sounds like you should look into the certs for app pen testing, such as the OSCP and GWAPT, and Java and Microsoft certs for Web programming.

chrisone · April 2013

agreed^

docrice · April 2013

The GWAPT (and corresponding SANS SEC-542 training course) isn't bad, but I have the impression that the OSCP is the more respected choice. eLearnSecurity might also be a good option. The latter two are much cheaper also.

Humbe · April 2013

SecurityThroughObscurity wrote: »

CCIE Security would be enough.

Lol... this made me crack up!

If you want to go down the network/security path you should consider the following:

A+
N+
S+
CCNA
CCNA Security
CASP
SSCP
CISSP
CCNP
CCNP Security

Thanks,
Humbe

JasonP03 · April 2013

Thanks everyone I'm really happy with your responses. I'll be doing CCNA and OSCP this summer. CCNA Sec in the new school year.

jasong318 · April 2013

@docrice is right on the money. Also realize that a lot of time will be spent writing reports and sitting in meetings, but that's probably true for most jobs. Echoing what others have said, I think the OSCP (and the OSCE with time) are good preps for what you're apparently wanting to do. Don't get too focused on just getting certs though, they help bypass the HR filter but most infosec pro's have, lets say, a less than favorable view on the alphabet soup

Not trying to discourage your from obtaining them though, I think the CCNA will definitely give you a good introduction to networking and the CCNA Sec does introduce some general security topics that are not strictly Cisco oriented.

Feel like I'm starting to ramble myself

Also, one of the most important things you can is network with your peers. Go to cons, look up local infosec groups (OWASP, DC, etc.) and attend their meetins, find a mentor, etc. Participate and be part of the conversation, knowing people in this field helps alot!

Enough procrastination, off to finish a report... and then a meeting...

JasonP03 · April 2013

@jasong318 Would it be worth it to take OSCP now or should I wait until they update it for Kali? Thanks.

bobloblaw · April 2013

Pen testing is an ongoing thing. It's like buying a tv. If you wait for the next best one to come out, you'll be waiting forever. I say when you're ready to get after the OSCP after your other certs, just go for what's out there.

JDMurray · April 2013

FYI: You can now take the CCNA Security after only completing the CCENT (ICND1).

jasong318 · April 2013

Honestly, I don't think the course will change that much will the intro of Kali. The methods and techniques are universal across distro's, just different tools. You're learning how to think and act like an attacker, not how to use Backtrack

Certs for Security Professional

Comments