SSCP vs CEH vs CASP

Zomboidicus

Hello, nice to meet you all. There was no place for introduction, so I'll use this place to introduce myself.

Currently I'm studying for CCNA security, and planning on taking it at the end of November.
My plan is to move onto CCNP and CCNP security after I am done with CCNA:S.
However, I do not want to limit my security certs to only Cisco, so I'm trying to figure out which cert take in between CCNP and CCNA:S.

My goal is to work with technical stuff like Network security (Firewalls, VPN, IDS, NAC, authE servers, etc) within 2-3 years from now, take CISSP when I have the required 5 years experience and land a managerial position like security manager (or information security officer) down the road. But prior to taking CISSP, I also want to broaden my security knowledge besides Cisco device security. I'm also interested in pen testing or a security analyst type of job where I asses the security condition within an organization.

Currently I have about 1.5 years of Help Desk/System Admin assistant experience, and wanting to move to bigger things. I also passed sec+ about a year ago, and graduated with a Network Security B.S. degree.

So my question would be, what would be the recommended path?

After taking my CCNA:S, which certification would make more sense?

SSCP? CEH? CASP?


Thank you for reading and any advice you may have.

ajs1976

SSCP over CASP - SSCP is from ISC2 and is more recognized. CASP is newer, but may become more popular over time.

Zomboidicus

OK, thanks for the input. I'll look into SSCP as opposed to CASP.

Where does CEH fit into this dilemma? If I am to get CEH, I think I need to get Linux+ beforehand. Which cert would you say would increase the chance of me getting my foot in the door into network security, SSCP or CEH?

redz

Zomboidicus wrote: »

getting my foot in the door into network security, SSCP or CEH?

Welcome to TE!

That's kind of a tough question.

The C|EH is highly valued by hiring managers, and provides a solid understanding of the hacker methodologies and tools, past and present. I believe it requires ~2 years of information security experience unless you attend an EC-Council accredited course (I may be wrong on this). I don't know what your SysAd role(s) have encompassed - this may not be the best route for you to take. I consider it over-valued, but that's more of a good thing when searching for a job than a bad thing

The SSCP is a lower level certification than the C|EH, though I would recommend it over the CASP. I believe it also has experience requirements (at least a year of which will probably be waived for the degree or Security+), but I'd need to take a look at isc2.org to be sure. I do know that I've seen it growing in demand, albeit slightly, over the past few years.

Take a look around Dice.com - Job Search for Technology Professionals, check out some network security positions and things you feel you'd be interested in (location irrelevant) and start building your certification checklist and priorities to mirror the certification requirements (and preferences) for those positions. Then, once you have them and you're ready to move on, start looking for positions similar to them again. It should provide you with some insight into how to start off.

veritas_libertas

Although I don't have a lot of respect for the CEH, I would take it over the SSCP for the same reason as Redz, recruiters love it. I wouldn't take the CASP at this time. It's just not popular enough.

Zomboidicus

Thank you for your insight.

I'm more of an assistant than an actual admin as half of responsibilities only consist of typical desktop/user support for our organization. Also, my job does not directly relate to security. But on the other hand, I've created and managed VPN accounts, installing physical security devices such as badge scanner and cameras, going through security logs for our Windows 2008 server, malware removal, etc. Even if it's indirect experience (as security it is not my primary responsibilities), would I be able to make a case to the ISC2 representative with stuff like that? If not, I'd feel like I'd be stuck in a chicken and egg situation.

Also, I haven't even looked through the CEH book, but a solid understanding of Linux and command line is also required for CEH, correct? Obtaining Linux+ would be preferred, or at least make my CEH studying much easier?

da_vato

To my understanding the SSCP and sec+ are equal as far knowledge level goes so since you have one I personally wouldn't waste the money on the other. Unless your job is paying for it, I think the test delivery could hep prepare you for taking the CISSP.

Zomboidicus

da_vato wrote: »

To my understanding the SSCP and sec+ are equal as far knowledge level goes so since you have one I personally wouldn't waste the money on the other. Unless your job is paying for it, I think the test delivery could hep prepare you for taking the CISSP.

I didn't realize that...maybe I'll spend money and time on other things then. So at this point, it seems that CASP isn't worth it because not many recruiters know about it, I'm currently under-qualified for CEH, and SSCP does not add a lot of value if I already have Sec+.

Hmm...maybe there are other certs that go well with my CCNA instead of security certs then.

Zomboidicus

Thank you : D

I took your advice and went through Dice and Monster. It seems even though the role consists of configuration and maintaining networking equipment, they want certs such as MSCA/CE, VCP, and Junos. Maybe I'll worry about security certs for later, and diversify my knowledge set in the system engineering, or second language in networking with Juniper. So that way, at least I can go either higher in the SysAd role, or become more marketable as a network engineer.

I'm not sure, touch choices.

JDMurray

Also realize that CEH covers topics that less than one percent of IT people use in their daily duties, while Security+, CASP, and SSCP are far more broad and practical in their coverage of InfoSec topics. Honestly, if you get into a job that some some InfoSec-related duties, I would skip SSCP, CASP, and CEH and go straight for CISSP. That's the best recognition for your dollar these days.

the_Grinch

Personally, I wouldn't waste my time with the CEH. I had it and without the experience behind it you won't get much out of it. SSCP is the way to go in my opinion and based off of your experience you should meet the requirement, if not they give you time to get the experience.

da_vato

CEH can aid in giving you a different perspective of your current networking knowledge (which I think is valuable). Just don't expect that you will come out ready to be a true pentester for that you woul need to take the OSCP. As Redz has said CEH is popular amongst recruiters and it could help to obtain a job. You seem to be young in your career so no matter what direction you go you've got a bit of an investment to make.

To be honest of your three that you presented the CASP is going to give you the most knowledge for the cheapest price in the area you are trying to go, the downside is that is not heavily recognized outside of the DoD.

redz

Zomboidicus wrote: »

I took your advice and went through Dice and Monster. It seems even though the role consists of configuration and maintaining networking equipment, they want certs such as MSCA/CE, VCP, and Junos. Maybe I'll worry about security certs for later, and diversify my knowledge set in the system engineering, or second language in networking with Juniper. So that way, at least I can go either higher in the SysAd role, or become more marketable as a network engineer.

Many of the most talented security individuals that I know (not all) were experts in another area of IT before moving to security. Security is something you can always move into, as all your prior experience will retain a level of relevance.

I'm not trying to dissuade you, I know quite a few people who successfully moved into security very early in their careers, but it will be more difficult to get into without some security-related responsibilities or several years experience in another area.

Zomboidicus

redz wrote: »

Many of the most talented security individuals that I know (not all) were experts in another area of IT before moving to security. Security is something you can always move into, as all your prior experience will retain a level of relevance.

I'm not trying to dissuade you, I know quite a few people who successfully moved into security very early in their careers, but it will be more difficult to get into without some security-related responsibilities or several years experience in another area.

I see. I think my solution is to focus on networking then, as I loved what I learned while I was studying for CCNA. I should look into ways to get myself a job in networking, as securing such devices should also part of the job. Perhaps after I obtain CCNA:S, I should look into CCNA wireless as you probably can't get away from security while you are dealing with that topic.

Based on everybody's advice, I think I'll buy the book for CASP and use it reference to gain knowledge from it, but nothing more than that. Perhaps same goes for CEH, unless I really struggle to obtain a security job down the road, I'll take it to see whether it'll at least help me get a job. I'll take SSCP after CCNA:W & S but only get a practice on the ISC2 testing environment and style, and to help me refresh my memory on what I learned with Sec+.

I'd like to thank you all for your advice.

bobloblaw

Having just taken the CEH, I can say it's a good introductory to tools and some InfoSec methodology. One thing it doesn't make you is a hacker. You don't complete your CEH with a high level of knowledge in Wireshark, nmap, tcpdump, Nessus, Linux, snort, etc. It's entry level. Put simply, there are books for just Wireshark and just Snort that are much bigger than the All-in-One CEH book. I did enjoy the reading, though.

Like was said before, you'd be better off getting the CISSP or SSCP simply because they're recognized. I think the CASP will bridge the gap between Sec+ and CISSP, but it's not recognized yet. CEH would do more for you than the CASP as well. It's just not out there yet and widely recognized by HR.

Good luck in your studies.

NovaHax

Don't do CASP. CompTIA has established a name for itself as the leader in entry-level IT certs. Unfortunately...that means that most people have a hard time recognizing them as anything but.