Security pathway help appreciated!

detroitwillfall Member Posts: 85
What's the next logical pathway for someone wishing to continue their education and certifications after Sec+?

For me anything security related obviously really interests me, I've seen a lot of mixed feedback on CEH. It definitely interests me, and I know the golden answer floating around here is get your feet wet with something in network which will help tie in security later. That's fine for sure and definitely the route I'm eventually going to take. However I have the materials to study for CEH for just personal knowledge and the fee to test for it I can take it or leave it.

My "dream" or comfort job would be securing networks for a small/medium scale business helping prevent vulnerabilities, bugs, and attacks. Having an intimate knowledge with the practices of nefarious individuals who seek to exploit weaknesses is something I wish to stop.

And hence, that is what I'm most passionate about. I have ADHD, so things that do not interest me I will have a hard time believing that I could fall in love with something less than security or network at a minimum.


Thanks!


Sorry for the long post! Just looking to hear from others! All thoughts and constructive criticisms of course appreciated.

Comments

  • TechGuru80 Member Posts: 1,539
    For a small/medium size business, you are going to have to know more than just infosec. More than likely you will need to know a little about everything because generally either consulting or large enterprises have pure infosec teams.

    Do you have Network+? I probably would pick up either an OS (MCSA / Linux) or Networking cert (CCNA). I don't think Sec+ then straight to CEH would provide you with enough knowledge...you need that background knowledge.
  • detroitwillfall Member Posts: 85
    TechGuru80 wrote: »
    For a small/medium size business, you are going to have to know more than just infosec. More than likely you will need to know a little about everything because generally either consulting or large enterprises have pure infosec teams.

    Do you have Network+? I probably would pick up either an OS (MCSA / Linux) or Networking cert (CCNA). I don't think Sec+ then straight to CEH would provide you with enough knowledge...you need that background knowledge.

    Yeah, I've taken the course a few months ago, just haven't had a chance yet to test. Currently I've been in an MCSA program actually that's finishing up in a week. I've taken the Windows 8.1 687 course, and the MCSA course for Server 2012. The Linux+ really interests me but I heard that Net+ at minimum is suggested.
  • 27PAYBACK Member Posts: 5
    I just got done with the (2) 32 hour HBSS ePO5.1 class and Pcap Analysis.
    Firehouse of Information. Next month I will be doing Arcsight ESM.
    This **** is Endless....
  • detroitwillfall Member Posts: 85
    I was thinking as a personal interest possibly in the not so distant future looking into OSCP?? But I would most likely need to take Linux+ it seems and brush up on a good handful of prereqs..
  • supasecuritybro Member Posts: 206
    It sounds like you are willing to receive input on the next step. A computing environment is best as mentioned. I would go into Linux personally. Whether a Linux + or RedHat it's not a waste. The best thing to do is build the foundation nice and solid to grow from there. If the end state is pentesting... you have a long road. Between experience in the field as sysadmin or net admin to truly get your axe nice and sharp before you go into trying to go into that. I know no one wants to hear about the part where you have to build the base but if you don't you will be forced through it and not even know where to start. For example, to know why you need to use a certain exploit on a machine based on a vulnerability, you need to know why it is a problem and how it will circumvent the security on the OS so you can do what you want.

    Set your roadmap with the end in mind. If you want the OSCP, build up to it. Go into the OSs this year, next year really grow in networking, then the year after start getting those offensive security things out the park.

    In my organization, I hear a lot of the Help Desk guys wanting to get their certs so they can come to security but they are not skilled at handling a workstation problem without just reimaging it. They do not understand the nature of workstations in the domain, nor have exposure to servers/network stacks and expect to get a CEH and come into the security response team because they have a cert.

    I will say from personal experience, I walked into an interview for a vulnerability assessment team and they handed my a$$ to me in that interview because I wasn't well versed in computing environments and they were kind enough to encourage me to grow before trying to put myself out there again. I appreciated that and now I have built the roadmap (not only about certs) but of what I need to get my hands on to grow in knowledge and apply it to make it into wisdom.

    Good luck!
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan: AWS-SAA, OSCP, CISM
    Book/CBT/Study Material: Max Power
  • detroitwillfall Member Posts: 85
    supasecuritybro wrote: »
    It sounds like you are willing to receive input on the next step. A computing environment is best as mentioned. I would go into Linux personally. Whether a Linux + or RedHat it's not a waste. The best thing to do is build the foundation nice and solid to grow from there. If the end state is pentesting... you have a long road. Between experience in the field as sysadmin or net admin to truly get your axe nice and sharp before you go into trying to go into that. I know no one wants to hear about the part where you have to build the base but if you don't you will be forced through it and not even know where to start. For example, to know why you need to use a certain exploit on a machine based on a vulnerability, you need to know why it is a problem and how it will circumvent the security on the OS so you can do what you want.

    Set your roadmap with the end in mind. If you want the OSCP, build up to it. Go into the OSs this year, next year really grow in networking, then the year after start getting those offensive security things out the park.

    In my organization, I hear a lot of the Help Desk guys wanting to get their certs so they can come to security but they are not skilled at handling a workstation problem without just reimaging it. They do not understand the nature of workstations in the domain, nor have exposure to servers/network stacks and expect to get a CEH and come into the security response team because they have a cert.

    I will say from personal experience, I walked into an interview for a vulnerability assessment team and they handed my a$$ to me in that interview because I wasn't well versed in computing environments and they were kind enough to encourage me to grow before trying to put myself out there again. I appreciated that and now I have built the roadmap (not only about certs) but of what I need to get my hands on to grow in knowledge and apply it to make it into wisdom.

    Good luck!

    Yes, I've certainly browsed through enough threads, googled and asked a lot of noob stuff, I've youtubed and emailed people and the common theme is just as you say. Get your foundation solid with networking and from there you learn defense. Only when I can protect myself and others will I begin to have fun 😀
  • eth0 Member Posts: 86
    if you want work for small/medium companies you probably almost don't need anything to be honest :). I worked with man who don't know that 192.168.* is LAN and they work as pentesters for banks, also PoC for clickjacking for him is phishing etc. Really, you don't need very care, just learn and learn what you like and you will be very good tech skilled person. I work only few years and around 1y in each infosec job, because of this I have wide experience and almost there is no competition in job, funny but real. Most people don't care about IT, they just work there and that is all. In infosec most people are just noobs, if this will be your real hobby then for sure few years and you will work for some well known companies. My advice is just don't care about others what they think and say, when people irritate me then I quit job. When I can't learn anything new (80/20 rule!) then I look for another job. Maybe my CV because of this don't look great (1-1.5y and job changed) but my experience, projects, certificates etc are much more than this. Today after less than 5y of professional (have less than 30y) work I am specialized in both red and blue team with achievements (i.a. job in higher tech positions). If you want be good, just don't look on others, keep own rules because most of people and your collaborators are just noobs even when they have 20y experience because of sitting opposite PC :). Good luck!
  • detroitwillfall Member Posts: 85
    eth0 wrote: »
    if you want work for small/medium companies you probably almost don't need anything to be honest :). I worked with man who don't know that 192.168.* is LAN and they work as pentesters for banks, also PoC for clickjacking for him is phishing etc. Really, you don't need very care, just learn and learn what you like and you will be very good tech skilled person. I work only few years and around 1y in each infosec job, because of this I have wide experience and almost there is no competition in job, funny but real. Most people don't care about IT, they just work there and that is all. In infosec most people are just noobs, if this will be your real hobby then for sure few years and you will work for some well known companies. My advice is just don't care about others what they think and say, when people irritate me then I quit job. When I can't learn anything new (80/20 rule!) then I look for another job. Maybe my CV because of this don't look great (1-1.5y and job changed) but my experience, projects, certificates etc are much more than this. Today after less than 5y of professional (have less than 30y) work I am specialized in both red and blue team with achievements (i.a. job in higher tech positions). If you want be good, just don't look on others, keep own rules because most of people and your collaborators are just noobs even when they have 20y experience because of sitting opposite PC :). Good luck!
    Thank you, man!!
  • NetworkNewb Member Posts: 3,298
    Good post eth0! I think it is crazy how many people in IT don't actually care to learn more. People who are on these forums, looking for ways to improve, are definitely in the minority from my experience.
  • detroitwillfall Member Posts: 85
    NetworkNewb wrote: »
    Good post eth0! I think it is crazy how many people in IT don't actually care to learn more. People who are on these forums, looking for ways to improve, are definitely in the minority from my experience.
    I'm just eager to learn, hungry and think the way the world is it's ever increasingly important.
    Can never know "enough"
  • eth0 Member Posts: 86
    NetworkNewb wrote: »
    Good post eth0! I think it is crazy how many people in IT don't actually care to learn more. People who are on these forums, looking for ways to improve, are definitely in the minority from my experience.

    thanks, this is just real life, people as we are - who take care about career and want have certificates is almost no one, there is sometimes few people who say like this but most of them don't do anything, only talk about that :)

    detroitwillfall wrote: »
    I'm just eager to learn, hungry and think the way the world is it's ever increasingly important.
    Can never know "enough"

    most important is to do this long time - you can't be hacker in 3 years. I started when was 13y old with hacker wannabe and that was reason why people look at me in short time as some kind of expert, because I got real practical knowledge how it all work. I am also not very nerd, have girl friend and normal life because most time I don't spend around PC. Most important as above is long time interest about infosec, not to spend whole life researching something. Remember also that you don't need best, you need only be better than avg people and will never have problem with job. You don't need work for Google/Facebook, you can work for well known banks and same way it will be very prestige.

    For example I am not good with math and programming, so I started with PHP (stupid and easy language :D), today I know few script languages and can do a lot helpful tools (i.a. in pentester job). Some of my friends started with C and today they still don't know almost nothing about programming and doing tools. As above, just don't look on others, think your self and don't care :). Of course I also know people who started with C and are better but they are good in math etc, so you know as above, you don't need best, there is a lot job positions and best people is very small group so you don't need really care about them.

    Also please remember when your first language is English then you are always on better position than for example me as you see with my very high language skills ;)... you can easy found job in half of world. Travel and work is my dream to be honest...
  • detroitwillfall Member Posts: 85
    eth0 wrote: »
    thanks, this is just real life, people as we are - who take care about career and want have certificates is almost no one, there is sometimes few people who say like this but most of them don't do anything, only talk about that :)


    most important is to do this long time - you can't be hacker in 3 years. I started when was 13y old with hacker wannabe and that was reason why people look at me in short time as some kind of expert, because I got real practical knowledge how it all work. I am also not very nerd, have girl friend and normal life because most time I don't spend around PC. Most important as above is long time interest about infosec, not to spend whole life researching something. Remember also that you don't need best, you need only be better than avg people and will never have problem with job. You don't need work for Google/Facebook, you can work for well known banks and same way it will be very prestige.

    For example I am not good with math and programming, so I started with PHP (stupid and easy language :D), today I know few script languages and can do a lot helpful tools (i.a. in pentester job). Some of my friends started with C and today they still don't know almost nothing about programming and doing tools. As above, just don't look on others, think your self and don't care :). Of course I also know people who started with C and are better but they are good in math etc, so you know as above, you don't need best, there is a lot job positions and best people is very small group so you don't need really care about them.

    Also please remember when your first language is English then you are always on better position than for example me as you see with my very high language skills ;)... you can easy found job in half of world. Travel and work is my dream to be honest...


    Great response Ethos, I truly and honestly love technology and will be doing everything in my power to see I don't get burned out. It's all about balance, and you're absolutely right, I don't have to be the best, just better than the other guy applying :D