Should I skip GSEC and go right into the more specialized courses?

SolomonGrundy · August 2018

Hello. Newbie question here.
I am a college student, working on my bachelors and masters in computer science, with a concentration in cyber security.

I am in the Scholarship for Service Cybercorps program, and I get to take a free certification.

Since I am likely getting just the one:
Would it be better to take the GSEC, and get a wide range of knowledge(a good portion, I am worried, might be covered in my studies, and be a waste of a cert) with good recognition but not so much depth

or

Take the Security+ for wide knowledge and resume recognition(won't be as in depth as a GSEC, I know), and use my free certification to take something more specialized?

And if the latter, are there any recommendations? I'm not really interested in red teaming, but the forensics things and system hardening things I have done have been interesting so far.

I'm sorry if this seems a basic question. I just don't want to waste a chance.

LionelTeo · August 2018

my take for GSEC course is that the course mainly useful for those who are looking into securing and administrating windows ad and linux/windows servers. It also touches on certain areas such as security policies, introduction to incident response and packet analysis. If securing and administrating windows ad and linux/windows servers isn't something you are looking at as part of your career objective, it is totally okay for you to go into those more specialized courses.

I highly recommend considering SANS courses that are heavier on the hands-on since you are going to pay the same amount of money. Might as well spend the money on a course with more hands than a course that is more theory based. Most of these courses are related to packet analysis, penetration testing, memory forensic and reverse malware engineering.

SANS Incident Response course (504/course for GCIH) is also a great course for new aspiring professionals to learn about how those common attacks operate and get a good understanding of the common defence against threats. The downside for the GCIH course is that it has much lesser hands-on labs as opposed to the course for GCFA, GREM, GXPN, GPEN, GCIA. While it is more theory based, I highly recommended for those who are new to the industry to pick up as it is definitely the course that gets into a good overview of the security understanding that any new professional should need for breaking into various cybersecurity career path.

TechGuru80 · August 2018

You should take the assessment exam FIRST... https://www.sans.org/assessments/security-essentials

That will help you determine your knowledge level. I would hesitate on directing you to a higher level certification without any experience...especially if you do poorly on that exam. If I had to guess your course work has been very introductory to cyber security at best, since CS is usually heavy in programming anyways.

How long until you graduate and will be entering the work force? Ideally an MCSA, CCNA, and Security+ gives you a really solid foundation before you start to really dive in...maybe around a year of studying give or take. GSEC has some of the early knowledge you need but it’s not meant for somebody brand new and the higher level certifications from GIAC/SANS assume you have a certain level of knowledge...that you probably don’t have right now. Also if you do the plan I said with MCSA + CCNA + Security+...you might be able to skip GSEC and get a little more bang for your buck with the free certification.

One last question...when you say free certification, does that include the $6,000 SANS training or is it an exam attempt? These are two VERY different things.

gespenstern · August 2018

I suggest you skip. GCIH is arguably the most recognized and in demand GIAC cert, as LionelTeo said, I'd go after it if I was you.

TechGromit · August 2018

SolomonGrundy wrote: »

Take the Security+ for wide knowledge and resume recognition(won't be as in depth as a GSEC, I know), and use my free certification to take something more specialized?

If you have a really solid understanding of Security+, and passed the Exam with a good score, than I think you can skip SANS 401 and go for the SANS 504 instead. Just be aware SANS 504 is a tougher course and GCIH tougher exam. I think I benefited not just from the knowledge gained from taking SANS 401, but refining my study, indexing and study methods for GSEC help me pass the GCIH. The 500 level courses are harder than the 400 level courses and the 600 level courses are insane, and forget about level 700 courses, I can only imagine.

LionelTeo · August 2018

I probably recommend GCIH, then again I had worked with individuals who are so talented that they benefit more by going for higher tier course such as GREM directly.

So it's on you to understand your own capabilities and take the appropriate tier course. For the generic individuals, you should be good at doing 504 (GCIH). Some talented individual with top GPAs can go for 508/610 or course GPEN/GCIA if that is something you are looking at.

SolomonGrundy · August 2018

In regards to the assessment test, I got a 74%. I really need to learn more about subnetting and the octet conversions with chmod, I think. Taking that test showed me a lot of things I need to learn. A lot of my answers were gut guesses. I need to get into the nitty gritty more, as well as learn more of the terminology of incident handling. Thank you.

I get my masters in cybersecurity in two years, so I have time. I was thinking about trying to get a Security+ and CCNA within a year, but had not considered a MCSA, that is an excellent idea.

The program pays for my training as well, though if I apply for a time extension, that would be out of pocket.

johndoee · August 2018

SolomonGrundy wrote: »

Hello. Newbie question here.
I am a college student, working on my bachelors and masters in computer science, with a concentration in cyber security.

I am in the Scholarship for Service Cybercorps program, and I get to take a free certification.

Since I am likely getting just the one:
Would it be better to take the GSEC, and get a wide range of knowledge(a good portion, I am worried, might be covered in my studies, and be a waste of a cert) with good recognition but not so much depth

or

Take the Security+ for wide knowledge and resume recognition(won't be as in depth as a GSEC, I know), and use my free certification to take something more specialized?

And if the latter, are there any recommendations? I'm not really interested in red teaming, but the forensics things and system hardening things I have done have been interesting so far.

I'm sorry if this seems a basic question. I just don't want to waste a chance.

So, are you a college student fresh out of high school..or a more aged college student going to school in his/her later years that already has real world experience I think knowing that would cater my answers. A lot of people skipped school and waited later in the years but worked and gained experience until they eventually got a degree.

Either way, I will give you my input.

What good is a "incident handler" certification if you have 0 experience. Not even help desk experience unlocking an account in Active Directory?. I feel that the (GCIH) certification alone with 0 experience is useless. I don't see a person hiring you (for incident handling) with a GCIH certification ( and degree) alone and you have no fundamentals. You won't be able to do the most basic of basic tasks. GCIH is a popular certification on job boards. Buttt, it's still an incident handler certification.People don't usually count college as experience unless you did an internship. Even that most of the time is only a few months.

So, I would say no to the GCIH certification if all you have on your resume is a degree and no experience.

I would say that Security+ is a good fundamental security certification. I would suggest just doing a self study. Buy a book read it in 2-3 weeks and take the test out of pocket.

That leads me to the GSEC. I would suggest it because it's broad. It's going to cover a lot of topics that'll lay the foundation for higher certifications GCIH or any other certification body.

Thinking you are to smart for a cert, without experience, knowing that the GIAC exams are open book...and thinking you can pass a higher leveled exam could possibly lead to failure. I thought I was to smart for my own good and shot up the GIAC certification chart and failed an exam. Going to any higher level training and certification because it's free doesn't mean you are going to pass the exam. Then you have to pay the outrageous re-take cost.

Nothing is a waste if it didn't come out of your pocket.

LionelTeo · August 2018

johndoee wrote: »

So, are you a college student fresh out of high school..or a more aged college student going to school in his/her later years that already has real world experience I think knowing that would cater my answers. A lot of people skipped school and waited later in the years but worked and gained experience until they eventually got a degree.

Either way, I will give you my input.

What good is a "incident handler" certification if you have 0 experience. Not even help desk experience unlocking an account in Active Directory?. I feel that the (GCIH) certification alone with 0 experience is useless. I don't see a person hiring you (for incident handling) with a GCIH certification ( and degree) alone and you have no fundamentals. You won't be able to do the most basic of basic tasks. GCIH is a popular certification on job boards. Buttt, it's still an incident handler certification.People don't usually count college as experience unless you did an internship. Even that most of the time is only a few months.

So, I would say no to the GCIH certification if all you have on your resume is a degree and no experience.

I would say that Security+ is a good fundamental security certification. I would suggest just doing a self study. Buy a book read it in 2-3 weeks and take the test out of pocket.

That leads me to the GSEC. I would suggest it because it's broad. It's going to cover a lot of topics that'll lay the foundation for higher certifications GCIH or any other certification body.

Thinking you are to smart for a cert, without experience, knowing that the GIAC exams are open book...and thinking you can pass a higher leveled exam could possibly lead to failure. I thought I was to smart for my own good and shot up the GIAC certification chart and failed an exam. Going to any higher level training and certification because it's free doesn't mean you are going to pass the exam. Then you have to pay the outrageous re-take cost.

Nothing is a waste if it didn't come out of your pocket.

I appreciate your input and thoughts, but I wasn't sure why you would think TC is looking into a certification for landing into a particular role as opposed to getting the knowledge out of the course. Therefore, I would like to clarify the misconception of getting a certification for the sake of landing on a particular role against getting a certification for the learning purpose. I would fully agree with you if we are talking about getting a certification for getting into a specific role, but based on TC questions, I am getting the impression that TC is looking at getting the best learning value from a paid a course/certification for the knowledge and not the role itself.

The GCIH course, ironically, is useful for new security professionals as it covers various attacks and the common defence in practice against them. This core knowledge is very useful for various career paths, such as going into pentesting, system and network forensics, system hardening and even auditing. Understanding the common attacks actually almost essential for any career paths in cybersecurity, as being professional in this fields require us to understand how all this attacks works and being able to identify and understand the symptoms when we come across them. Think of it as a doctor basic requirement to able to identify and cure various common sickness.

The "GCIH" certification had a branding issue since the certification was created more than a decade ago, and was not changed as it being the first GIAC popular certification. Based on the written post from Richard Bejtlich's blog, people within the industry does know that the knowledge for this GCIH certification alone cannot be used for handling an incident, and the certification was kept the way it is since the creation a decade ago.

This is a problem for three reasons. First, I have met people and heard of others who think they know how to "handle incidents" because they have the GCIH certification. "I'm certified," they say. This is dangerous. Second, respondents to the latest SANS 2008 Salary Survey considered their GCIH certification to be their most important certification. If you hold the GCIH and think it's important because you know how to "handle incidents," that is also dangerous. Third, SANS offers courses with far more IR relevance that that associated with GCIH, namely courses designed by Rob Lee. It's an historical oddity that keeps the name GCIH in play; it really should be retired, but there's too much "brand recognition" associated with it at this point. If you want to learn IR from SANS, see Rob.

source: https://taosecurity.blogspot.com/2009/04/speaking-of-incident-response.html

And here is Stephen Northcutt response in the post comment himself, confirm that this decision was made to expand the hacking course into the incident response path...

Stephen Northcutt said...
Well for what it is worth, if I am not the guilty party, I am "a" guilty party. It was a decision Ed Skoudis and I made jointly in London, sorry can't remember the year.

Background, and hope this is not too much info. My first book was Incident Handling, some of you may still have the .pdf version.

The hottest two selling courses in 2001 were both hacking, one was Hacking Exposed ( perhaps you remember the all black costumes, nehru collars and dry ice smoke) and the other a hacking course put together by Ed Skoudis and Eric Cole. Skoudis/Cole was outscoring the other by about 1/10th of a point and we were more comfortable with it.

We felt there were two directions we could take the course if we expanded it, one down the response path, the other down the pen test path. We chose response and did not add the pen test course until 2008.

I feel that incident response is largely a process that can be taught in a day, but that to be effective you need a number of skills. A large number of those skills involve malware and exploits, because success with those tools is often why you are responding.

I also feel incident responders are akin to EMTs "first response" and this is why forensics should be a separate discipline. We have an obligation not to make it hard for digital forensics examiners to do their job by mucking up the evidence, but those are separate skills in my view.

I would be happy to open a dialog as to what we should do or say, but don't expect radical changes. There are about 4k certified folks and many more have taken the course and seem to enjoy it. It is fine to tell us we are wrong, but we have spent years tuning both the course and the concept. Still, always happy to be schooled, feel free to drop me a note stephen@sans.edu and when we get the messaging tuned, I am happy to forward to Ed for consideration.

...

Some more quotes from Taosecurity blog on GIAC Certified Inicdent handler...

I'm guessing some of you might recognize GCIH as the SANS "GIAC Certified Incident Handler," which actually doesn't have much to do with "incident handling." That's a topic for another day, but it does show GCIH benefits from decent branding.

source: https://taosecurity.blogspot.com/2012/12/the-value-of-branding-and-simplicity-to.html

As you can seen from Stephen response, the incident handling part was a decision made by him and Ed Skoudis back then when deciding about expanding the course. However, if we are to look at the course materials itself. The content cover in the course is invaluable for anyone as they have to understand how this common attacks work to be able to address them. Knowing the materials is useful for anyone who is looking into branching into various career path in the future.

https://www.sans.org/course/hacker-techniques-exploits-incident-handling

It is not that GSEC is not useful. If there is anything more important than the certification course itself, is about getting an idea on the material itself and ensuring that the material is useful to the career progression. Since I had the GSEC materials on hand and had gone through it, this is definitely a good course for those who would want to look into securing ADs, managing keys, Windows and Linux servers as based on the contents from the materials.

https://www.sans.org/course/security-essentials-bootcamp-style#results

In summary, I would definitely agree with you and against anyone looking at taking a particular certification as a paper weigh to land a particular role. Rather, people should be taking the course based on their intended career progression and acquire the necessary knowledge while working towards that. Therefore, this is why I am laying out the information in this manner as transparent as possible as it is useful for TC and anyone else discussing in this thread to understand the significance of knowledge vs certifications, and selecting the appropriate knowledge to learn while working towards their ideal career.

SolomonGrundy · August 2018

johndoee wrote: »

So, are you a college student fresh out of high school..or a more aged college student going to school in his/her later years that already has real world experience I think knowing that would cater my answers. A lot of people skipped school and waited later in the years but worked and gained experience until they eventually got a degree.

Either way, I will give you my input.

What good is a "incident handler" certification if you have 0 experience. Not even help desk experience unlocking an account in Active Directory?. I feel that the (GCIH) certification alone with 0 experience is useless. I don't see a person hiring you (for incident handling) with a GCIH certification ( and degree) alone and you have no fundamentals. You won't be able to do the most basic of basic tasks. GCIH is a popular certification on job boards. Buttt, it's still an incident handler certification.People don't usually count college as experience unless you did an internship. Even that most of the time is only a few months.

So, I would say no to the GCIH certification if all you have on your resume is a degree and no experience.

I would say that Security+ is a good fundamental security certification. I would suggest just doing a self study. Buy a book read it in 2-3 weeks and take the test out of pocket.

That leads me to the GSEC. I would suggest it because it's broad. It's going to cover a lot of topics that'll lay the foundation for higher certifications GCIH or any other certification body.

Thinking you are to smart for a cert, without experience, knowing that the GIAC exams are open book...and thinking you can pass a higher leveled exam could possibly lead to failure. I thought I was to smart for my own good and shot up the GIAC certification chart and failed an exam. Going to any higher level training and certification because it's free doesn't mean you are going to pass the exam. Then you have to pay the outrageous re-take cost.

Nothing is a waste if it didn't come out of your pocket.

To clarify, I am an older student(early 30's) going back to school. I am in an accelerated program, and get my BS in May, and my MS the may after.
I don't have security job or internship experience, unfortunately. I interned at my university over the summer(and continuing) in the Networking and Server and Storage departments. I did things like auditing server ownership and security levels, working in Lansweeper, processing help tickets for networking issues. Configuring smaller(2960C's) switches for use in classrooms, assigning IP's and making vlan changes for the bigger switches. Did some installs for 9407's, 6880's, and 3850's, and set up some servers in racks. Did auditing of networking closets, used splunk and as-builts to track down some IP's. More the networking side than the security side.

I've competed in several cyber competitions. CCDC, Cyber Panoply, the DOE's CyberForce competition.
I have no illusions that this has prepared me for actual security work. I want to expand my knowledge in the areas, pick up a security related internship next summer.

Other people in the program went to GPEN or above, but I have noticed they've been having, shall we say, problems with balancing that with a school load.

It does seem like the more general level, GSEC and GCIH, might be the better route. Get a better base to build on, and also get well recognized certs that can land a good internship. The advanced stuff, it sounds like, can come later.

sb97 · August 2018

It really depends on your background. I am mentoring an analyst at work who is getting a SANS class next year. He has a Security+ and a CISSP (With a waiver for not having the 5 years of experience). In his case, I steered him away from the GSEC because he already has "baseline" certs. I pushed him towards one of the more skill based ones In his case, he is going to go for the GCFA and moving down an incident response track.

UnixGuy · August 2018

gespenstern wrote: »

I suggest you skip. GCIH is arguably the most recognized and in demand GIAC cert, as LionelTeo said, I'd go after it if I was you.

+1 That's what I would do too

Should I skip GSEC and go right into the more specialized courses?

Comments