How to decide on this "best" security certification?

lister · March 2012

I guess that I can answer this question myself in that you first decide what error you wish to get in?

If I told you PenTesting then I should consider:

CompTIA
Cisco Systems
EC-Council
GIAC
ISACA
(ISC)²
ISECOM
Offensive Security
Mile2 Certification
CERT
eLearnSecurity

Which one of these jumps out to you?

sexion8 · March 2012

None of them are the best "pentest" certification. Pentesting is more than just firing off tools which is what those certs will teach you. Becoming a pentester involves a lot of different avenues such as networking, programming, applications engineering and design, sociology as well as psychology. Let me ask you... If I ran to SEARS, purchased every single tool associated with cars, took them home, would it make me a mechanic?

In order to be successful, you have to be versatile and you definitely need to know and understand systems. Their design, their engineering, their interconnections not only with other machines, but the interconnections that people have on this machines. This involves understanding applications, their purposes and so forth. From there, you need to understand the NETWORKING connections to a science. Then comes topics like programming (stack/heap/buffer over and underflows) and the others. Those certs you list will simply cost you in the long run and having them all does not make you an uber pentester.

So re-ask this question: "What route should I choose to become a solid pentester?" As this questions comes across as: "What certs are in demand that would appeal to an HR person?!" Many of the top pentesters I know and have come across have zero certs and quite frankly don't need them and never have needed them.

swild · March 2012

I am just starting down this path, but I have two quotes that seem to ring true to me:

"The more I learn, the less I know" - Socrates

"Ignorance is bliss" - Proverb

When you start out, it is a sexy, alluring field. Then you get into it and realize that you will never be good enough. I think to myself, "How could I possibly put my reputation on the line and certify someone's network as safe when I know that someone will be able to get past me."

Pentesting is a vast, ever-growing, ever-evolving field. You will never be able to know everything. The only way to be successful is to desire to pentest. It is not a 9-5. It is not a get-rich-quick-scheme. Expect to spend no less than half of your time just reading industry news about new exploits. And when you find an article that applies to your network, freak the f**k out and patch that hole, or spend a few sleepless nights until the patch is released, if it is even possible to patch it without a major update.

That being said, you have to know how everything works, down to the binary bits of data. You will need to choose a specialty and try to learn everything about it. No matter what specialty, you will need to know networking at no less than a CCNP level. You will need to be able to rip apart a packet and determine what action is being sent to which application. I am personally shooting for CCIE. You will need to learn how routers, switches, firewalls, IDS/IPS's work and where their flaws are. More flaws are discovered daily.

The CISSP is fairly renowned as the security certification. It is a good overview of the encompassing breadth of security. But it is only a start. I have a CISSP and I will tell you that I know nothing about security, but I probably know more than anyone without that cert. It is like a bachelor's degree. It may get you a job, but it doesn't mean you can do it.

The CEH is a total waste of money to get certified in. Unfortunately, most people don't know that, so you may wind up going this way. It's a good introduction to a few good tools of the trade, but it is just an intro. You need to follow it up by learning how the tools work, not just how to use the tools. Generally, the tools are just a shortcut to something you can do without them.

Now it's time to look at a specialty. I'm currently studying databases, so let's look at that. You need to know how databases are stored, the OSs used, the DBMSs used by the admins, and the programs that are interfacing with the database. You will need to be fluent in scripting and SQL. Another programming language or 5 would be useful as well. I would expect you to be as highly certified as possible. Microsoft Certified Master in SQL Server is a choice.

Now let's say you have all of those and have more knowledge than even those certifications show. You then have to be able to convince several people that 1) you can protect their billion dollar company's database and 2) that they can trust you not to destroy them from within, because you can. There is no certification for this. My boss once told me that he is always nervous giving someone new "all the keys to the kingdom" and to not make him regret it.

The bottom line is you can never have enough certifications/education for Pentesting. For every ounce of knowledge you learn, you find out about another 20 tons you need to learn. Then you realize how good this idea looked before you knew enough to know better. You will never be able to be paid what you are worth, because you will have have a set of knowledge that doesn't apply to your current job.

Now, if you are still excited about pentesting, you may have chosen the right field, if you can hack it (pun intended). After all, the only secure system is the one that's unplugged.

JDMurray · March 2012

swild wrote: »

"The more I learn, the less I know" - Socrates

I'd like to see this quote written in its original Greek. I'll bet Socrates meant, "The more I learn, the more I realize how little I know." That certainly sums up my experience in IT.

docrice · March 2012

I agree with everything swild said. It seems there are far too many who get pulled into the allure of being a professional network assassin / ninja / samurai / [insert cliché warrior description] without understanding that there's a wide array of low-level fundamentals that's required in order to do the work. Even getting a job as a junior security analyst requires at least some experience in non-security roles.

To succeed in infosec, you really need the drive, personal interest / motivation, and be able to sustain a constant cycle of staying current through research (reading, practicing) and the self-inflicted pain of pushing your limits. As a non-pentester working on the blue team, I'll tell you that it's a lot of self-investment if you want to be / remain competent. I've never spent so much concentrated time / money / effort on keeping my head above water as I have in the last few years of my life. Worth it for me, but only because the allure of discovery keeps that carrot firmly planted just out of reach in front of me and I'm a sucker for the unknown.

Being a script kiddie is easy, whether that means just relying on automated tools or pushing config buttons on an appliance (firewall monkey). Knowing what you're doing is something entirely different and you'll be really tested on this during client interactions. Certifications aren't a bad thing, but they don't necessary prepare you for the real world in many ways. I'm a walking example of someone who has done the cert route yet still pulling my hair out at work. Certs are fine, but aim for connecting as many of the the billion dots as you can while knowing you'll never score perfectly. It's a demanding field, perhaps much more so than other areas of IT, but it's also because people in security have to be especially trusted with the information they handle.

In short, for aspiring pentesters I'd recommend knowing the platforms you are attacking very well in addition to knowing the attack tools and methodologies. You won't learn that within a year or two, else you'll end up being a pentester with shallow skills with little value to offer.

swild · March 2012

JDMurray wrote: »

I'd like to see this quote written in its original Greek. I'll bet Socrates meant, "The more I learn, the more I realize how little I know." That certainly sums up my experience in IT.

This is exactly how I take this quote. It's scary to think that I am a Subject Matter Expert at anything. It's like all of a sudden, the wool has been lifted and I'm an adult, exposed to the delicate construct we see as society.

Daniel333 · March 2012

I'd love to hear more about your existing expereince and objectives here?

With what limited information I have on you, Ill just say there is no best, ever, in anything.

You need to align your financial and personal goals with your existing talent, social network to create an organic and adaptive learning path.

That is to say there are no quick and easy answers. Knock out your core certs (A+ etc), build up some experience, reevaluate yourself then.

I tend to blanket fire out MCSE:Security, CCNA:Security and Linux+ as ideal starting points for those going into the security world. Since they give you a core skill set in general IT and open doors into the security certification realm. After you finish them, and get a couple years experience reflect.

Hope that helps.

Balantine · March 2012

May want to read some recent peer-reviewed journals about the unsecurability of computer systems being a direct result of an as of yet unresolved problem in philosophy of language, weird systems, dual meanings, etc., as well as Schneiers recent book about trust, humans, and his Secrets and Lies book too.

Frankly I would disregard all of them and get the best training I know of - SANS institute Masters degree.

How to decide on this "best" security certification?

Comments