dynamik wrote: » Getting into pentesting is a big endeavor; you should set it as a long-term goal. While you might get a lucky break like Paul Boz and have a company train you, that's not the norm (granted, Paul busted his ass beforehand and already had a few pro-level Cisco certs).
I'd focus on developing a solid understand of *nix and/or Windows, networking, a programming language or two (Python would be a good place to start), and pentesting tools. You're not going to be able to adequately hack or secure something you don't fully understand, which is why it's imperative that you master the fundamentals first.
As far as pentesting certs go, I'd go CEH > OSCP > GPEN. It would probably be advantageous to add something broader like the SSCP in there as well.
UnixGuy wrote: » What's your job experience ?
Say if you are windows admin, get MCSE: Security, and then you can do security related tasks. It will be easier to move from that to Pen testing.
dynamik wrote: » v6 of the CEH came out a little while ago, and v5 gets retired at the end of this month, so it's about as up-to-date as can be reasonably expected. I don't think it has the reputation of being outdated as much as it does for lacking depth (which it does). It should be called something like, An Overview of Ethical Hacking or EH+ They include waaaay too many things to be able to go into adequate depth: Ethical Hacking and Countermeasures Course I think it's a good introductory cert to get. However, it's not going to make you an ethical hacker/pentester or land you a job on it's own. You should also start playing around with Backtrack and getting acquainted with those tools.
the_Grinch wrote: » I think CEH is an excellent start for trying to get into pen testing. It is great for teaching the methodology involved in a pen test. Dyn is correct that is it very broad, but so is security in general. Some of the information is old (such as viruses, backdoors, etc), but overall it is worth while. Rumor is the US Government will be using it as a gauge for the level of it's security people. OSCP (and now they have a Master level) is the best next step. Finally, the Wireshark Certification has actually begun so that might be a good one to look at.
As far as getting a job, getting a degree and having some security coursework will help you a lot. Experience is the most important thing though. I've interviewed for a couple of security positions and it always came down to experience (which kept me from getting the jobs). Final thing is to try to get an idea of what security area you'd like to focus on. Network (get Cisco or Juniper certs), Operating Systems (Linux and Windows Certs), looking over code (knowing a language helps), Physical Security (military experience helps), Risk Assessment, Disaster Recovery (those two usually go hand and hand).
Your military background, clearance, and IT job have you setup perfectly. Get a degree and certs, then you will be beating employers off with a stick. You are heading in the right direction and I believe you will be very successful. Good luck! (now let the security people on here give you the wisdom you seek!)
Hallucinate wrote: » 4 years as a network admin on W2k3 Server, Solaris, HP-UX (far more knowledgable with windows), XP, and 2k. I've been getting involved with IDS more and more lately. I also have about 80 college credits. Just took the MCP/Sec+ exams today. Is it still worth getting MCSE? My most recent plan is to stop working in August 2010 and be a full time computer science student at the University of Washington. Will MCSE still hold merit by then? If so, would it hold more merit than say working on C|EH and SSCP, and maybe a SANS cert (i can get a voucher for it)?
UnixGuy wrote: » ... CISSP will get you the money
![:\](https://community.infosecinstitute.com/resources/emoji/confused.png ":\"){kind=small}