Technical Security Certs.

Hello. I'm 20 years old, and I want to get into security; After I get a job in IT first. But it seems like all of these companies want management certs, by the looks of Monster.com, like CISSP. But I want to stay on the technical side of things.

I have my Security +, what's the next logical certification to tackle?

Find more posts tagged with

Comments

dynamik

SSCP

CEH

OSCP

JDMurray

What area(s) of information security are you interested in learning? Security+ is a good start, but knowing what areas you want to work in is necessary for knowing which InfoSec certification path to take.

dynamik wrote: »

SSCP CEH OSCP

This is a good path you would take if penetration testing is your interest.

unsupported

Sometimes I wonder if those companies that want a CISSP really want a CISSP, or they just believe that it is just a plain old security cert. I found one job posting in my area which required CISSP *OR* Security+. That is a huge gap there. Going along with JDMurray said, what is your goal? Do you want to become a pen tester (CEH), system admin specializing in security (MCSA: Security), a network admin who specializes in security (CCNA: Security), a malware researcher (Do programmers even get certs?)? I'll give you the same advice my mentor gave me. He had me look at the people in security that I admire and break down their skills. Basically, it boiled down to people who knew programming or networking. I suck at real programming and can only hack together some useful things I need from time to time, so I leaned towards networking. I think Net+ and Sec+ are a really good start. I don't think that any cert would hurt you in the long run. If you wanted to get something heavier than Sec+ until you decide what you want to do, maybe look for the SSCP (where you need one year experience in one of the domains). That would give you an intro to how ISC2 works, which is useful if you decide in the future if you want the CISSP. Also, depending on what you want to do SANS has a lot of specialized certifications for any security itch you may have (GIAC Certifications). Also, it is important to see what your market wants for certifications. Go on a pseudo job search to see what other certs people are looking for. Oh, and a degree would not hurt either. Stay in school, don't do drugs, take your vitamins and pray every night. Be a good lil' Security-maniac.

JDMurray

unsupported wrote: »

I found one job posting in my area which required CISSP *OR* Security+. That is a huge gap there.

Yes, I've seen that very same thing in recent job postings. It's like saying, "A Masters degree or an 8th-grade education is preferred." This is just HR boilerplate asking for someone who has some knowledge of information security., The people that wrote that job req really don't have any understanding of the magnitude of the certifications. I've also read here on TE about job reqs for a $13K/year tier-1 help desk jobs that required an MCSE.

unsupported wrote: »

a malware researcher (Do programmers even get certs?)?

Oh sure. Sun and Microsoft have developers certs. And SANS actually has a cert specifically for Malware researchers.

unsupported wrote: »

Be a good lil' Security-maniac.

You really need to enjoy your specialty in information security as a hobby. If it's something you like to keep up on in your off-hours (like programming projects or playing in your home network lab), then you'll like doing it for a living.

UnixGuy

unsupported wrote: »

Sometimes I wonder if those companies that want a CISSP really want a CISSP, or they just believe that it is just a plain old security cert. .

yes ! I have seen Networks engineer jobs say that CISSP preferred ? what for ?? it's a pure routing/switch job..! this is an example:

Skills

Requirement:

• Prior Education & Certification in Data Communications or Computer Engineering.
• Strong sense of responsibility, urgency, initiative and commitment.
• Resourceful, strong problem-solving skills with the ability to work independently and cope with pressure.
• A team player and excellent people management skills.
• Experience and capable to manage projects independently for service providers, Telco, government, banks and large enterprises.
• Dynamic, honest, responsible, and willingness to work under pressure.
• Good knowledge and hands on experience in any of the following areas:
- PABX, IP Telephony with certification from CISCO, Nortel or Avaya
- Wireless LAN Networking certification or experience.
- LAN, WAN technologies, VLANs, RIPv1/v2, OSPF, ISIS, BGP4, MPLS-TE, MPLS-VPN.
- Network security solutions such as firewalls, IPSec, VPN, antivirus gateway.
- Appliance based proxy solutions and anti-virus security gateway & UTM.
- Appliance based Server/firewall/WAN load balancers. WAN Optimization systems and Applications Acceleration systems.
- Firewall and network security setup, administration and testing.
- Experience at internal/external penetration testing, system remediation, and penetration auditing.
- Proficient understanding of the pre-sales engineering process and sales processes
- Certified Wireless Network Professional (CWNP) is a plus.
- Wireless LAN Design Specialist Certification is a plus.
- Certified Information Systems Security Professional (CISSP) is a plus.

UnixGuy

I mean, it doesn't look like a security management or technical position to me at all

JDMurray

That is a job req for a network admin, and having security certification is considered a plus that may put you ahead of some of the other job applicants. It's too bad that security experience and training isn't a sold requirement for the position.

cleanwithit

Thanks for the replies, and I'm sorry for such a late response, I've been studying hard. The first scope of Info-sec, that got me vaguely interested was penetration testing. After further research I found that programming was a big aspect of that. I don't have any programming knowledge, and have never tried to learn it, so I don't know if I will be good at it or not; I will assume the latter, because I suck at math, lol. I'm scared I will get overwhelmed if I try it.

I don't know what else I'm interested in per se, because I haven't worked with anything physically. I've read about wireless, firewalls, and IDS/IPS, and it's interesting to me. I want to take a route that can get me into security, but the ultimate goal is to do penetration testing.

The only thing I have done is messed with, Wireshark, Nmap, Nessus, Netcat, Metasploit, etc. I have a lab setup; Windows 2003 server, Ubuntu, XP, Backtrack. I have cracked my wireless router a million times just to get the technique down. I really think wireless is neat technology.

About being the "little security maniac", I play in my lab, and read daily, but I don't do any programming. I'm studying for the C|EH at the moment, I got the Kimberly Graves review guide, and after reading Counter Hack Reloaded twice it's sort of a review. Oh yea, I always pray, take my vitamins, and never ever do drugs :P

JDMurray

A couple of things you need to realize is that there are all kinds of programming, and only a very few of them have anything to do with complex mathematics. Pen testers get by learning shell and scripting languages and more programmer-friendly languages, like Python. To get good at programming, like anything else, is just practice, practice, practice.

Having your own lab, teaching yourself to learn the tools, going for the popular pen testing certs, and having a hobby-level interest in pen testing is a great start. People usually get into it as a profession by starting in a netadmin job where network pen testing and host vulnerability analysis is just part of the job. After building up several years of professional experience, you can find opportunities for doing pen testing full-time.

Also consider the possibility that you will discover that working as a full-time pen tester is not for you. It is not a glamorous job, and it can be down right boring, much the same way software testing is boring. If you end up not wanting to pen test for a living, be prepared to have other InfoSec interests to fall back on.

UnixGuy

I agree with JD on this, and would like to add that it will be good that you get a job in systems administration or networking...it's good for you to have this background, maybe.

cleanwithit

JDMurray wrote: »

A couple of things you need to realize is that there are all kinds of programming, and only a very few of them have anything to do with complex mathematics. Pen testers get by learning shell and scripting languages and more programmer-friendly languages, like Python. To get good at programming, like anything else, is just practice, practice, practice.

Having your own lab, teaching yourself to learn the tools, going for the popular pen testing certs, and having a hobby-level interest in pen testing is a great start. People usually get into it as a profession by starting in a netadmin job where network pen testing and host vulnerability analysis is just part of the job. After building up several years of professional experience, you can find opportunities for doing pen testing full-time.

Also consider the possibility that you will discover that working as a full-time pen tester is not for you. It is not a glamorous job, and it can be down right boring, much the same way software testing is boring. If you end up not wanting to pen test for a living, be prepared to have other InfoSec interests to fall back on.

So, I guess I will start to learn the shell, in other words that is called bash scripting, correct? It's just I'm spending so much time learning about security, and right now I don't think it's the best time to start learning to script, or program.

Yea, I'm hoping to get a network administrator job after I graduate. Hopefully with having a few security certifications I can do security-like tasks to get some experience.

Lets say I wanted to start my career in the firewall, IDS/IPS's, and wireless part of Infosec, what certifications should I start out with. Would SSCP > CCSP > CWNA > CWSP >, be my path? Then eventually move into penetration testing later on, because I'm still young and have plenty of time.

Thanks for all the help

JDMurray

cleanwithit wrote: »

So, I guess I will start to learn the shell, in other words that is called bash scripting, correct? It's just I'm spending so much time learning about security, and right now I don't think it's the best time to start learning to script, or program.

If you want to start on Linux then bash is a popular shell that is on most Linux boxes. There are dozens of shells and their scripting languages are not all the same, so start with learning a popular shell script like bash.

If you want to learn scripting on Windows, start with what you can learn in the Command shell (cmd.exe) and then move on to PowerShell. You'll also need to learn VBScript to work on Windows boxes because a lot of legacy scripts are written using it.

cleanwithit wrote: »

Lets say I wanted to start my career in the firewall, IDS/IPS's, and wireless part of Infosec, what certifications should I start out with. Would SSCP > CCSP > CWNA > CWSP >, be my path? Then eventually move into penetration testing later on, because I'm still young and have plenty of time.

Because you will be starting out on the netadmin path, you want certs that will get you a job managing networks. The CCNA, CCNA Security, CCSP route is a good one to follow. You can do the CWNA and CWSP in parallel with the Cisco certs. There are also certs from several firewall vendors. SANS has very good certs for everything InfoSec, but they are very expensive. If you need a break from the networking certs, that's when you should start digging into the CEH.

cleanwithit wrote: »

Thanks for all the help

That's what we're here for!

cleanwithit

Thanks JD for the quick response. So, Bash & VB Script then Powershell. It doesn't matter Linux or Windows I'm comfortable using both; but I prefer Linux

Well since I won't be starting my CCNA until September, I think I will start to study for the CWNA/CWSP, How difficult are these tests? I will not think about C|EH at this point and time. Yea Sans is ridiculously expensive, but I guess you get your moneys worth.

Again, Thanks for the help!