Is this a good path to become a pen-tester/security analyst?

I'm assuming a 'security analyst' is basically a pen-tester that works with security engineers, and a 'security engineer' is a developer? I'm a beginner, so I don't entirely understand the differences.

Starting a 2-year InfoTechSec program at my community college this fall and it should help prepare me for Network+ -> Security+ -> Linux+.

Also helps me prepare for the A+ and cisco-related certifications, but I plan to skip those and just take the 3 I mentioned above.

After I get my AD and baseline certs, I'll transfer to uni to get a bachelor's degree in Cyber Security while working on the following:
CEH -> CISSP -> OSCP -> OSWE -> OSCE.

I'm aware that there's quite a huge gap between some of these certifications and a lot of motivation is required. I just want to know a proper order to learn in, so I don't end up all confused. Not sure what the specific 'specialties' are for security analysts but websites seem to be my main area of interest. Currently, I'm learning more about the OSI model and messing around with Python/JavaScript.

Any certifications I should add/remove or take one before another?
Thanks

Find more posts tagged with

Comments

cyberguypr

Rule #1 is that titles mean nothing and vary from enterprise to enterprise. For example, at my current company a security analyst is a blue team person who does a lot of log analysis and correlation, forensics, reporting, security awareness, and a myriad other things. The security engineers maintain existing solutions (IPS, NSM, Data Analytics, etc.) and solve security problems. We listen to the needs of the business and come up with solutions. In some other places a security analyst would be expected to know red + blue team tasks, firewalls, proxies, SIEM, DLP, reverse engineering, etc.

I suggest you start here to get an idea of what some of the roles do. Also, go to Indeed.com an search for those titles so you can see what actual companies in your area are looking for. Getting that idea in your head of which direction you want to go will definitely help shape your course of study.

TechGuru80

Your path is pretty good for any route but having Microsoft and Cisco certifications can help you in knowing how everything works. CCNA and MCSA would fit somewhere around the time of CEH. Also, everything I have seen on OSWE says it is a lot easier than OSCP so I would probably do it first.

Remember that path is just a plan...plans always change. For instance if you end up in a SOC, there are several GIAC certifications that would serve you well. Remain open minded on your journey because everybody ends up down different paths and you don't want to shut out a road too early.

Nightangel

I'm in a similar situation but I've found this website to be pretty usefull,
How to Become a Security Analyst | Requirements for Security Analyst Jobs

TheFORCE

Start using linux and Kali linux as your primary OS if you want to become a pen tester, also you will need to learn about Windows too, so you might have to get some Microsoft certifications. Alsoas mentioned earlier, Security Analyst doesny doesn't mean the same thing in different companies.

beads

Skip the certifications in security until you learn how to write real scripts in real languages like Java, C++ and C#.

That is all...

- b/eads

dry

TheFORCE wrote: »

Start using linux and Kali linux as your primary OS if you want to become a pen tester, also you will need to learn about Windows too, so you might have to get some Microsoft certifications. Alsoas mentioned earlier, Security Analyst doesny doesn't mean the same thing in different companies.

I've tried to set up a Linux distro as my main OS and tweak it to my liking, but it's always a hassle getting it to feel as comfortable as a Windows environment is since it's less GUI based. Installing the GPU drivers to get it to run 144hz and feel less choppy was my last challenge, and an annoying one at that. It was dealing with errors after errors, so I just ended up reverting back to Windows. Wasting time learning how to install GPU drivers rather than running pen-testing tools is sort of how I see it, but then one would typically say "No, you're learning how to navigate around the cli and solve problems." Am I? Seems less efficient to me.

Isn't it better to use a GUI environment because it's more convenient? Or at least, for some. Each person has his/her preferences I suppose.
I've been running Kali Linux on a virtual machine on my main OS, and I'll probably try to set up ArchLinux on a laptop to see if I can tweak it to my liking.

Thanks for the replies everyone.

dry

beads wrote: »

Skip the certifications in security until you learn how to write real scripts in real languages like Java, C++ and C#.

That is all...

- b/eads

The program I'm enrolling in does have prerequisites (computer concepts, introduction to software engineering/networking, etc) before it gets to the 'security' stuff, so I'm assuming it's not too quick into specializing or meant for experienced people.

Chitownjedi

dry wrote: »

Isn't it better to use a GUI environment because it's more convenient? Or at least, for some. Each person has his/her preferences I suppose.
I've been running Kali Linux on a virtual machine on my main OS, and I'll probably try to set up ArchLinux on a laptop to see if I can tweak it to my liking.

Thanks for the replies everyone.

It's those that are willing to do the things that others find inconvenient that tend to separate them from the pack.

TheFORCE

dry wrote: »

I've tried to set up a Linux distro as my main OS and tweak it to my liking, but it's always a hassle getting it to feel as comfortable as a Windows environment is since it's less GUI based. Installing the GPU drivers to get it to run 144hz and feel less choppy was my last challenge, and an annoying one at that. It was dealing with errors after errors, so I just ended up reverting back to Windows. Wasting time learning how to install GPU drivers rather than running pen-testing tools is sort of how I see it, but then one would typically say "No, you're learning how to navigate around the cli and solve problems." Am I? Seems less efficient to me.

Isn't it better to use a GUI environment because it's more convenient? Or at least, for some. Each person has his/her preferences I suppose.
I've been running Kali Linux on a virtual machine on my main OS, and I'll probably try to set up ArchLinux on a laptop to see if I can tweak it to my liking.

Thanks for the replies everyone.

There are things even in Windows that can be done far easier using the command line than using the Windows GUI. As an example, if I asked you to give me a list with the contents of a folder than contains different file types and that folder has over 200 files, how would you do it? Windows Explorer or the Windows GUI doesn't give you a way to do that. Instead if you access the directory of the folder through the command line you can easily export the list into a file. The same applies to Linux and Windows, a true Security professional does not use an OS or a tool only because they are comfortable of familiar with it, they use the tool or method that is best for the job.

dry

TheFORCE wrote: »

There are things even in Windows that can be done far easier using the command line than using the Windows GUI. As an example, if I asked you to give me a list with the contents of a folder than contains different file types and that folder has over 200 files, how would you do it? Windows Explorer or the Windows GUI doesn't give you a way to do that. Instead if you access the directory of the folder through the command line you can easily export the list into a file. The same applies to Linux and Windows, a true Security professional does not use an OS or a tool only because they are comfortable of familiar with it, they use the tool or method that is best for the job.

Oh, I'm aware that understanding the CLI is pretty much a requirement for pen-testers. I know how to navigate around it on a very basic level.

I'm just wondering if there's any reason I'd specifically want to use Linux over Windows as my main OS. I'll have to understand both systems, so wouldn't it be better to just run a Linux VM and use Windows as my main OS as it's more relaxing/convenient for when I'm not doing work-related stuff.

doctorlexus

From my research, OSCP will make the biggest impact for a pen tester. I plan to do OSCP eventually, once I have the extra money. But it's more of a personal interest for me rather than for career advancement.

I think you could skip CEH and probably OSWE (it seems more like an elective with a web-specific focus on things you'll already learn in OSCP). CISSP may be important if you want a more managerial role, but if you'd rather focus on the technical side of things, OSCP should be sufficient on its own. From their website, they say "A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus." so once you feel you have that, I'd just jump right into OSCP. I think that'll be the fastest and most efficient way to your goal.

As for OSCE, that looks like a serious challenge that requires a deep understanding of exploits. Not something I'll ever do, but I'm sure it's worthwhile for anyone in the field.

UnixGuy

My *personal* opinion is that Kali Linux might not be the best desktop/laptop main OS distro to use for various reasons really. (I used Solaris and Ubuntu as my main desktop distros for a long time - and I don't recommend it). Use your Windows or MacOS as your main OS and use VMware to have instances of Kali Linux and CentOS. There is nothing special about Kali, if you know how to use Linux then you know how to use Kali, Kali is just a Linux distro with tools installed on it ready for you to use. I'm all for saving your time and having the tools ready installed.

OSCP is king when it comes to Pentesting...Having said that, I personally met many pentesters with professional experience who do not have the OSCP. eLearnSecurity has solid Pentesting courses, and SANS GPEN/GWAPT are solid as well.

Cyberguypr is right on the money, titles vary a lot and responsibilities vary a lot.

beads

dry wrote: »

The program I'm enrolling in does have prerequisites (computer concepts, introduction to software engineering/networking, etc) before it gets to the 'security' stuff, so I'm assuming it's not too quick into specializing or meant for experienced people.[/QU

Constantly say things like this because there is a difference between running Nessus, NMap and so many other pieces out there that generate me a report telling me "this could be used for bigger and better attacks by an attacker..." No only is the English poor but doesn't show me the ability to ACTUALLY exploit the code or resource in a meaningful way. What do you do after you get root access to the DB? Without knowing how to exfiltrate data out of the network your pen test "skillz" look real weak - real fast.

Theory is nice to know too!

- b/eads