Path to web and systems security - CCIE or CISSP?

Folks
Please advise me.
I am an MCSE and have worked in a help desk role with a Fortune 500 company for the past 15 years. My exposure to IT has been sort of peripheral, a lot but not in depth.
I am contemplating a change of career. Ideally I would like to try for something that is very much in demand and pays big bucks.
CCIE, CCIE - security and CISSP seem to fit the bill very well.
However where do I start from?
CCENT/CCNA and so forth?
Or is there a different path that may start on the path to web and systems security in a better way?
Please advise.
Thanks in advance.

Comments

  • Grafixx01 Member Posts: 109
    CISSP to me, unless you are going into a management job, is not worth it. It really is all about management and nothing really technical.
    CCIE, I know that Cisco has changed their pathways so I don't think you have to start from the CCENT now but I'm not 100% sure.

    I guess it just depends on what your long-term goals are. Do you want to be a tech guy? Or would you eventually rather be in a management role overseeing the tech guys?
  • Master Of Puppets Member Posts: 1,210
    Grafixx01 wrote: »
    CISSP to me, unless you are going into a management job, is not worth it. It really is all about management and nothing really technical.
    CCIE, I know that Cisco has changed their pathways so I don't think you have to start from the CCENT now but I'm not 100% sure.

    I guess it just depends on what your long-term goals are. Do you want to be a tech guy? Or would you eventually rather be in a management role overseeing the tech guys?

    I will have to disagree with you here. The CISSP is a check box and a must have for everyone in security, regardless of whether they are in a technical position or in management. It will open a lot of doors and definitely improve your value on the market. Taking into account the OP has 15 years of experience, he should meet the requirements (even in help desk, for so long you probably have the years required in two of the domains). As far as the CCIE - there are no prerequisites. Cisco will take your money any time if you think you're tough enough. However, unless you have a lot (and I really mean a lot) of experience and in-depth knowledge, it is kind of far-fetched. If you are not proficient at networking and Cisco technologies, starting at the CCNA level and building up would be the most sensible thing to do.

    IMHO, you should get the CISSP (since you should meet the requirements) and go for CCIE after that if you really want to. It is a big decision though and it will be a long ride (take a look at the CCIE section here and you will see how much work and effort people put into it). Also, think about the ROI when it comes to CCIE. Bear in mind not only the money but also the time. For some people getting the CCIE is more of a professional and personal goal rather than something that is going to significantly increase their salary. In some cases it is enough to have a CCNP or two. This is, by no means, supposed to dissuade you from doing it because it really is a great accomplishment that has its benefits. My point is that it is something worth thinking about before starting.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • sieff Member Posts: 276
    CISSP may be easier to attain. At my job we support our CCIE candidates with lab gear and exam cost up to two attempts (travel, hotel, fees, etc). One guy passed CCIE R&S on his SEVENTH attempt. Another colleague passed CCIE-Security on his 2nd go at it.
    "The heights by great men reached and kept were not attained by sudden flight, but they, while their companions slept were toiling upward in the night." from the poem: The Ladder of St. Augustine, Henry Wadsworth Longfellow
  • W Stewart Member Posts: 794
    CCIE Security is a pretty long road to take just to get into security. Considering you've already put 15 years in, I would also go the CISSP route. I think CCNA security or CCNP Security would be more than enough unless you really wanted to be a networking guru and go for the CCIE.
  • tpatt100 Member Posts: 2,991
    I have come to appreciate my CISSP later as I find myself having to explain/rationalize security issues with management.
  • kabooter Member Posts: 115
    Hey Guys
    First of all, thanks everyone for sparing some time and replying.
    I do like management stuff a bit more than technical one so perhaps CISSP will be more suitable for me, to start at least.
    Also let's also keep in mind that I don't intend to quit my current job. And I also have a kid/wife/other interests and a bit of life (in that order)
    so at best, I will be able to spare only so many hours per week for the studies.
    CCIE seems like a solid, challenging exam to clear, the one that certainly cannot be aced just by reading and does cost quite a bit if one cannot clear it quickly.
    However, this brings us to the following questions:
    1. What should be the path to CISSP for someone with zero security knowledge/certifications?
    2. Are there any other "overview" type courses that a person should join first so as to understand what web/systems security is all about and also to gain at least some understanding of concepts? Or are they going to be covered during the path to CISSP anyway?
    3. Will gaining CCENT and CCNA help while pursuing CISSP? (I mean should I jump on these two and crunch them first)


    Finally I have a question for those of you who know SAP professionals.

    How is SAP certification/courses path as compared to Security, in terms of money, plenty of jobs, technical complexity etc etc.?

    Again, thanks all. Much appreciated
  • antielvis Member Posts: 285
    Thoughts:

    - Consider taking the CCENT, then the CCNA Security (you don't need the CCNA R&S first). All things point back to networking on the internet

    - There are many paths in security. Do you want to be in offensive security or defensive? Offensive security is more of a white hat hacker aka penetration tester. Defensive security would be part of a team that hardens a corporate network. CISSP and SSCP really focus on policy, procedure & best practice. From a client standpoint, these are incredibly important.

    - Learn Linux. Almost all the best hacking tools are on Linux. Download a copy of Kali Linux, install it & then learn to use the tools like airmon, Yersinia, John the Ripper, etc. CBT Nuggets has a 40 video course on using Kali. It's good stuff and will teach you how to use & understand the tools.

    If you want to get into Offensive Hacking there are many courses like the Certified Ethical Hacker (basics on pen testing) and more serious courses at the Kali Linux website or Concise-Courses online. You'll become an ethical hacker who is hired to test a network. Generally you work in what's called a "Red Team" where each member has a certain set of skills (that make me a nightmare for people like you LOL). One may be a Windows specialist, another great at scripting, another good at routing/Cisco.

    Big plus is that you're a seasoned veteran of IT. This will make the progression into security much easier & smoother for you. Another great place for information is Twitter & places like Hacker News. Follow security accounts & I'd recommend following black hat hackers (Anonymous, Lulzsec, etc) . Many advertise their "accomplishments" and you'll get a feel for how that community ticks.
  • Master Of Puppets Member Posts: 1,210
    CCENT and CCNA won't help you with CISSP directly but familiarity with networks is a must. So, in short, - I don't think it is going to help with getting the CISSP but it likely will with everything else :D Also, IMHO, if you don't have solid knowledge in networking, skipping CCNA:R&S isn't the best idea. You need to know what you're securing and how the network works.

    The idea of learning Linux is a great one but do yourself a favor and don't start with Kali. This distribution is not for learning purposes, this is for when you know what you're doing. For example, constantly hanging out in root is not the optimal way to learn the OS. Start with CentOS, for instance. I'm sure you can find a lot of info on distros you can start with on the web so I'm not going to go into that.

    The CISSP will not make you a security expert. You will probably never use some of the stuff you will need to pass the exam. What you will need to learn depends on the area of security so I don't feel I can give reasonable recommendations for courses, books etc.
  • instant000 Member Posts: 1,745
    This is what I would do: Find a job description that appeals to you. Now, you have to find out what that job will be looking like a year from now.

    The job description would probably reference the following:
    1 - Web server
    2 - OS
    3 - DB
    4 - Programming Language
    5 - Scripting Language

    What is also important is understanding hacking:
    1 - Socially (Most important, trust me)
    2 - Technically

    A good defender studies the offense. A good offensive player studies the defense. Make sure that you know how to attack a stack, as well as how to defend it. Not just from the application side, but also from the hardware side.

    If you want to be in the forefront on this, you will end up joining forums and mailing lists that concentrate on the area of security that you are interested in. If you can, get involved in research into certain aspects of the stack you are securing. Also, make sure to maintain a wide base in that stack, so you won't be clueless about everything else.

    If you're just looking at this from the side of certs, then I would recommend these:
    Security certification, CompTIA Security+ certification
    https://www.isc2.org/CISSP/Default.aspx
    Information Security Certifications

    The ethical hacker curriculum is OK, if you want to use it as a knowledge base, but the certification is expensive, and not worth it unless a job requires it.

    You probably understand systems well, or not so well. It depends on the nature of work and learning you have been doing for the past fifteen years. As others have suggested, looking at the Security+ > CISSP track might make more sense at this point. (At least, it would allow you to transition to security without necessarily having a drop in income.)

    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • antielvis Member Posts: 285
    >>Master Of Puppets

    I should have been more clear in saying to first get the fundamentals of linux down (CentOS, Ubuntu, etc) then move into Kali Linux. One of the difficulties in learning Kali Linux is that many of the tools have very little formal documentation. I think you'll see more as the field of security grows.

    edit: And do "live" this life. Security is one of those lifestyle based careers where you probably do it because you love it. Security guys are great in that they love to share information. On the other side, hackers are great because they love to share their exploits and success. Learn to understand the hacker mind and culture (because there is definitely a culture).

    Good choice for a future gig. I'm of the opinion security is about to explode especially with all the high profile attacks & with the revelations about the NSA, etc.

    PS. Enjoy your first Defcon lol
  • Master Of Puppets Member Posts: 1,210
    Very well said! I feel like adding something that I forgot to mention - make sure your motives for making this move are adequate. Right now security is very hot and everybody wants to do it but most people have no idea why or what it actually is.
  • 010101 Member Posts: 68
    CCIE - Security seems weird to me.
    What does a router company know about security?????
    I mean they have firewalls, but being a firewall expert and a white hat hacker are two COMPLETELY different things.
  • Master Of Puppets Member Posts: 1,210
    I don't think it is intended to make you a white hat hacker. This is not like the OSCP. But they do know about network security and, IMHO, do a very good job at teaching the material.
  • kabooter Member Posts: 115
    Master of Puppets, 010101, antielvis, instant000 - Thank you so much for clarifying some of the stuff for me.
    I have a much clearer picture of where to start.
    I took a look at a CCNA Security book by Cisco Press - quite a bit of stuff in there.
    I am wondering if there is any sorta - security for dummies - type book out there that can give me a quick and simple overview of "security" field so that I am better prepared to dive in. By a simple book I mean something like 50/60 pages that introduces the security concepts/applications and what is involved in being a security professional.
    Does anyone have any reccs?
  • YFZblu Member Posts: 1,462
    CCIE Security is overkill, and the CISSP will not prepare you for a technical role in security.

    IMO you should get the "50/60 page" thing out of your mind. To me that sounds like a hint of laziness. Here are some books I recommend:

    - The Tao of Network Security Monitoring
    - The Network Security Bible
    - Counter Hack Reloaded
    - TCP/IP Illustrated Vol. 1 (1993) - Not a security book, but TCP/IP is the foundation of network security and you need to know it.

    Enjoy