Frustrated in deciding on what security cert to get...!

gui4life Member Posts: 40
So I have been reading a bunch of threads on here on the many different security certs. I have read some insightful posts - and I keep on jumping back and forth on what cert I should be going for.

I currently have my A+/Network+/Linux+/Security+ and my Linux Professional Institute Certification Level 1 (LPIC-1). I have an Associates Degree in IT-Networking. I am currently taking classes part time to finish up my Bachelors Degree in the same thing (should be done in 2 years). I have been working in a diverse network operations center for the last five years (not a specific security focus).

I have always enjoyed the area of IT security and I have recently made the decision to specialize my career in it.

The problem I am having is I can't decide on what cert to go for. I want a cert that is worth studying for, help solidify my security knowledge, land me a security job, and will help propel my career to some better paying positions. But it seems like most (if not all) the certs require several years of experience specifically in security (CEH) or 5 years and your first born son (CISSP.)

It feels like I am stuck in a "chicken and the egg" scenario...

I am sitting on the fence about Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), or the Offensive Security Certified Professional (OSCP). My employer will pay for any training and the certificate IF I pass.

I want to help my company build up their security posture, identify areas needing improvement, and mitigate risks by implementing systems/policies/countermeasures. I foresee an even and good blend of managerial/pentest/tech work (such as implementing IPS), etc.

Help?

Comments

  • W Stewart Member Posts: 794
    If I remember correctly, the cissp requires 5 years of experience in a specific domain of security. There are something like 10 domains but I haven't really looked into it. If you've been working with firewalls for 5 years then that should count. I've heard some people were able to use experience as a security guard to count towards the physical security domain. If you're not entirely sure which cert to go for and aren't sure if you have the experience for some of the security specific certs then I'd consider ccna security and ccnp security. Those are two certs that should be well respected and don't have specific experience requirements.
  • NovaHax Member Posts: 502
    Well, you got the prerequisites for OSCP covered. The only expectation there is an understanding of TCP/IP and Linux.

    Honestly, having done all three...you'll get a lot more out of that one than CEH or CISSP anyways.
  • wes allen Member Posts: 540
    NovaHax wrote: »
    Well, you got the prerequisites for OSCP covered. The only expectation there is an understanding of TCP/IP and Linux.

    Honestly, having done all three...you'll get a lot more out of that one than CEH or CISSP anyways.


    This. I have learned more and had much more fun so far with OSCP than with CISSP.

    Also, since you have sec+, you only need 4 years for CISSP, and you can take and pass the test without the experience, you just can't get the full CISSP endorsement until you meet the experience requirement. Depending on what your duties are currently, some of your time might count toward that requirement.
  • yzT Member Posts: 365
    For knowledge's sake, go for OSCP.
  • Cold Titanium Users Awaiting Email Confirmation Posts: 82
    2014 Goals
    • Pass OSCP (In Progress)
    • Obtain employment in IT Security
  • 5ekurity Member Posts: 346
    This is the only reason I carry two wallets :D
  • GoodBishop Member Posts: 359
    W Stewart wrote: »
    If I remember correctly, the cissp requires 5 years of experience in a specific domain of security. There are something like 10 domains but I haven't really looked into it. If you've been working with firewalls for 5 years then that should count. I've heard some people were able to use experience as a security guard to count towards the physical security domain. If you're not entirely sure which cert to go for and aren't sure if you have the experience for some of the security specific certs then I'd consider ccna security and ccnp security. Those are two certs that should be well respected and don't have specific experience requirements.
    It's 5 years experience in 2 domains of the CISSP - https://www.isc2.org/cissp-how-to-certify.aspx

    If you have a degree, one of those years is waived.
  • gui4life Member Posts: 40
    The OSCP does seem very interesting indeed. I think some of my duties at my current employer could count toward the time on the CISSP. For instance I run the LAN and servers AV suite and I oversee it. We also have a DC and I provide escort access for customers (logging and checking them in).

    I guess my big question is which cert... not necessarily the requirements of the tests. What are employers looking for? What is the better cert?
  • yzT Member Posts: 365
    What are employers looking for? CISSP

    What is the better cert? OSCP.
  • JDMurray Admin Posts: 13,091
    The CISSP and OSCP are apples and oranges. I wouldn't know how to compare them to determine what is the "better" cert.
  • impelse Member Posts: 1,237
    If I was you I would go for OSCP (doesn't matter if you do not pass) and then go for CEH, with those two you will decide what other.

    In the security field always will be the chicken and egg.....

    Just begin with something, nothing is perfect. If you begin with OSCP you will feel that you need to know more of this and that. And it is the same for CEH because it is too wide.....

  • NovaHax Member Posts: 502
    yzT wrote: »
    What are employers looking for? CISSP

    What is the better cert? OSCP.


    I don't agree with either of these statements. CISSP is a very good cert, and if you actually know everything that is included in those 10 domains, you will make a hell of a security professional. OSCP is a completely different kind of cert. But I wouldn't say that either is better. Though there is something to be said for hands-on examination.

    And companies that are looking for PenTesters specifically, generally know what they are looking for and will be more likely to give an OSCP the time of day, compared to a CISSP.
  • NovaHax Member Posts: 502
    Of course, it doesn't hurt to have both ;)
  • gui4life Member Posts: 40
    Thanks for the input Nova. While I would love to have both, I do have limited available time to study. :) I do have full time work, school, and a family to take care of also. I want the best bang for my buck (and time spent!)

    Hrmm.

    I did a quick term search on Dice.com and monster.com

    Dice:
    OSCP: 38 results
    CEH: 137
    CISSP: 1306 results

    Monster:
    OSCP: 21
    CEH: 43
    CISSP: 749

    Is this just an HR thing not listing OSCP/CEH on job postings... Or do these people really want to see the CISSP?
  • da_vato Member Posts: 445
    gui4life wrote: »
    I want to help my company build up their security posture, identify areas needing improvement, and mitigate risks by implementing systems/policies/countermeasures. I foresee an even and good blend of managerial/pentest/tech work (such as implementing IPS), etc.

    CISSP is a defensive posture while OSCP is an offensive posture (I suppose technically you can throw CEH in this category also). Based on what you said I think CISSP would be a better ROI for you since you want to guard your company. If you wanted to work for a firm that tests other organizations' security posture I would say OSCP.

    Ultimately you need to pursue a cert based on the job you want to do (because that is the knowledge you will need) not chase a cert based on what people think is better.
  • Khaos1911 Member Posts: 366
    da_vato wrote: »
    Ultimately you need to pursue a cert based on the job you want to do (because that is the knowledge you will need) not chase a cert based on what people think is better.

    Realest ish I ever read on this board!!! That's a line I wish everybody on this site would take to heart. Please post this in the Cisco forum, lol!
  • gui4life Member Posts: 40
    da_vato wrote: »
    CISSP is a defensive posture while OSCP is an offensive posture (I suppose technically you can throw CEH in this category also). Based on what you said I think CISSP would be a better ROI for you since you want to guard your company. If you wanted to work for a firm that tests other organizations' security posture I would say OSCP.

    Ultimately you need to pursue a cert based on the job you want to do (because that is the knowledge you will need) not chase a cert based on what people think is better.

    I would think that learning the tactics that hackers use to compromise systems would be the best way to learn how to prevent them from doing it. The best offense is the best defense, eh?

    Good point though...

    I was just about to purchase the "Penetration Testing with Kali Linux (PWK)" online training for $800 - as that is a prerequisite before taking the OSCP.... Now you got me doubting myself again. :/

    I feel like a tennis ball.
  • da_vato Member Posts: 445
    Personally I would say go for the PWB because yes understanding what an attacker is looking at and knowing how they exploit it is great knowledge to have.... BUT!..... Defense and offense each have their own methods and tactics. So based on what you said your goal is I would still say you are describing CISSP.

    You need to understand that there is more to information Security than guarding an organization against attackers. What about disaster recovery and business continuity? If an attacker is successful the organization is dependent upon returning to normal business as soon as possible. Is an offensive approach going to provide that?
  • gui4life Member Posts: 40
    After much debate I am going to go for the OSCP.
  • diggitle Member Posts: 118
    These are the charts I use to guide me.

    https://www.cool.navy.mil/ia_documents/ia_iat_flow.htm

    https://www.cool.navy.mil/ia_documents/ia_cnd_flow.htm

    My pen-testing path so far is;

    BS information security --> Security+ ---> CEH (currently here) ---> SSCP ---> one or multiple (OSCP | GWAPT | GPEN | eWPT | eCPPT)---> CISSP

    If you're more focused on being offensive and technical I'm finding web app is the way. That means learning Python, C, Bash, Ruby, etc.. seems to have a very promising career outlook, and job security aspect. Not too many doing this route. I'm finding most companies don't need basic pen testers, because they can just do it themselves, or pay a small company $1200 to do a basic pen test. Dice.com shows only 16 jobs for pen tester. Web app shows 19,608. So I'm going all out web app.

    If you're more focused on all around security and want to be an ISO or even just a Sr. Security person then plan on working towards getting a CISSP + MSIS and MBA... In the next few years I'm sure it will be PhD's because things never seem to be enough. I see so many people having to get ABC soup just to stay in their positions. Whereas a programmer, web developer/tester just has to stay well versed on programming.
  • JDMurray Admin Posts: 13,091
    diggitle wrote: »
    BS information security --> Security+ ---> CEH (currently here) ---> SSCP ---> one or multiple (OSCP | GWAPT | GPEN | eWPT | eCPPT)---> CISSP
    You actually have two parallel tracks there. After your BS, consider doing these tracks at the same time:

    Security+ ---> SSCP ---> CISSP
    CEH ---> one or multiple (OSCP | GWAPT | GPEN | eWPT | eCPPT)

    diggitle wrote: »
    Dice.com shows only 16 jobs for pen tester. Web app shows 19,608. So I'm going all out web app.
    How about being a WebApps pentester? That's a very specialized field that's very much in demand by all organizations with a deep, online presence. You also get to show customers why an IPS, WAF, and SSL aren't going to solve all of their Website hacking problems, and how proper software design and coding is how to prevent new vulnerabilities from sneaking in to their systems.
  • gui4life Member Posts: 40
    The big reasons for me choosing the OSCP cert is that:
    A) It is real world practical knowledge test. It's just not a brain **** test where you read a bunch of books and regurgitate seemingly superficial information.
    B) The feedback from everyone that I can find on the internet (blogs and such) consider their OSCP in very high regard. There is a very strong consensus that the cert is very challenging but very rewarding in the knowledge and experience they get from it.
    C) The people taking the CISSP don't think the same way. Many of them dislike their CISSP cert and don't even care about it enough to renew the cert. They treat their CISSP as a "I guess I gotta have for HR resume checkbox purposes" cert vs a cert where "I WANT to have cert and proud of having it!".
    D) I may not want to do pen testing in the end - but knowing how hackers/baddies operate is half the battle in knowing how to prevent it.
    E) Hacking has always interested me - and I want to learn how to do it.
    F) The way the OSCP test is given (24 hours in a lab environment hacking systems to gain enough points to pass) is very interesting vs a "I took a long test where I have to fill little boxes in with a #2 pencil."