Degree Program(InfoSec/PenTesting) - Advice Please

Refer to my original thread; http://www.techexams.net/forums/jobs-degrees/76592-advice-needed-degree-choice.html

So I pretty much decided the best option, I would like to find get my feet drenched in is Information security. Now as discussed, I will be going back to school at a local community college.

Major: Computer & Information Sciences: Computer Science Transfer Option (designed to transfer to a four year program in CS)

- Database Management
- Information Security
- Web Design I
- Computer Science I
- C Programming
- C++ Programing
- Computer Science II
- English Comp I
- English Comp II
- Calc I
- Calc II
- Huamnities/Social Science Electives

Now I noticed that my C.C. also offers a Computer Foresnics Basic Certificate; would this be something I should look into? Only would require 4 (1 semester) more classes, or would it not serve any purpose in the InfoSec field?

- Information Secuity (Same as above)
- Computer Forensics (Course needed)
- Modern Pollicing (Course needed)
- Criminal Law (Course needed)
- Intro to Info Tech(I have completed this class)
- English Comp (Same as above)
- 1 Criminal Justice Elective (Course needed)

^ Then I would have the certificate in Computer Forensics.

Now by doing research, here and there over the interwebz I found out which path I would need to take.

CompTIA

Security+
CASP

Cisco Systems

CCNA Security
CCSP
CCIE Security

EC-Council

ENSA
CEH
CHFI
ECSA
LPT
CNDA
ECIH
ECSS
ECVP
EDRP
ECSP
ECSO

ISACA

CISA
CISM
CGEIT
CRISC

(ISC)²

SSCP
CAP
CSSLP
CISSP
ISSAP
ISSEP
ISSMP

Offensive Security

OSCP
OSCE
OSWP

Now obviously there might be a few that won't be needed, but I thought I would list everything. Listed in-order starting with the Comptia Secuity+ then working my way down.

Originally I thought network/sys admin would be the best fit for me, but after more searching and some soul-searching I think InfoSec/Pentesting is the field I'd like to get myself into. Any one on these forums have prior experience or are current in the field can chime in? I'd greatly appreciate your words of wisdom.

I've checked out Ethical Hackers website, haven't searched around much as of yet, but will in the upcoming days.

My main goal would be attaining my degree(BA/BS CS) of course, but also in my spare time study for certifications focusing on the area of interest.

I'm currently waiting for an interview from a potential employer, who is IT focused -- Plumchoice. They are offering me a position working on their secuity systems, but it's not what you may think it is. I would be doing help support for their security webcams, troubleshooting, configuring, etc for existing and newly acquired customers. I believe in the phone interview he mentioned I would be using Citrix, and this would be done remotely from home. Full-time, decent base pay, $13.50, benefits, etc.

Would this be a good path to take on top of the career choice/certfication path?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

tr1x

Looks like a pretty good plan. I want to get into the field myself, and I've found that the most valuable thing is experience, so make that your top priority. Other than that, the cert list is completely unrealistic, you'll probably want to narrow it down to 10% of that, but I wouldn't worry about them until later anyway. Don't worry so much about the paper, just get experience right now.

Also, that certificate might be a good way for you to pick up a little experience (like if you really know nothing about basic hacking methods and tools) otherwise you're better off putting that time into your degree so you can get that out of the way. That's my 2 cents.

Santa_

Well I plan on getting my AA at my community college, but based on the fact that I only require 4 classes to acquire the computer forensics certificate I thought it would be nice to attain and attach to my skill set.

As for the certs, I'm aware they're unrealistic at the moment, but it does not mean it isn't possible. Its just a general outline that I could always take, but baby steps are required first

ptilsen

Take a step back on the certifications. You can't do everything. You shouldn't even do half of everything. Few roles, even generalist roles, will have you so involved in every aspect of security that you would want to look at all that. CCIE security, OSCP, and CISA server very different roles. You'll need to take a step back and figure out where you want to specialize. Or, you will want to figure that out sometime into your career. So look at it from a near-future and a generalist perspective.

Get:
Security+
SSCP or GSEC
A specialist cert (e.g. C|EH, GISP, G2700, GCFE, CCNA Security)
CISSP
A specialist cert (e.g. GCFW, GSLC, ISSAP, OSCP, CCSP)
More specialists certs as needed/desired

With that in mind, you didn't mention arguably the 2nd most important infosec cert vendor, which is GIAC.

Another tip is that with everything I've read from real infosec professionals on this board and elsewhere, C|EH and EC-Council in general are bad news. The cert is a horrible collection of tools, syntax memorization, and other nonsense. The company has some extremely shady practices. Some full-time pentesters like C|EH because it helps validate their skills with those tools, but even then, OSCP and GPEN seem like "better" certs (granted, any GIAC cert is absurdly expensive, even to challenge without taking the SANS course). CASP also really has no place. It's not as "advanced" as CISSP (if a bit more technical) and not as valued as SSCP. It really has no place in the market.

The whole Cisco line is really for Cisco specialists. If you want to do network security specifically, they're the way to go. If you will do network pentesting or network security part-time, they might be worth pursuing, but probably not as your main focus.

As far as school goes, I don't know if I would bother with the forensics certificate. I'm not saying it doesn't have value, but I think even a semester's worth of credits and your time could be better spent elsewhere. A Master's degree is something that should be considered. There are several good, reputable information assurance MS degree available online from public, non-profit, regionally accredited schools. That would be a better use of that semester. On the other hand, if you can get that certificate's credits to count towards something else, it's useful; I just wouldn't spend a full semester on just that.

Ultimately, the best thing you can do for yourself is gain real experience. That is more valuable than the certifications and the degree. Part of the big reason CISSP is so valuable in the marketplace is that you have to have at least four years of verifiable infosec experience. For many, maybe most infosec positions, CISSP + experience is really all you need to qualify. Don't get me wrong, the ridiculous volume of other infosec certs are, for the most part, valued in the market place, but CISSP is ultimately what most employers are looking for.

For your undergrad, CompSci is for sure the way to go. Having acquired an "infrastructure" degree, I can tell you that there is good reason CompSci and EE degrees are generally more highly regarded in the market place (thought not by that much; almost any four-year has good value). With security in particular, especially technical security, the foundation provided by a CS degree is absolutely the best thing for you.

For the record, all of this is coming from someone who is not a full-time infosec professional. My jobs over the last five years have involved security in some fashion or another, but not as my primary responsibility. I am very interested in the subject, and I'm strongly considering a career shift into a security specialization. I, too, have opted to finish a four-year Computer Science degree. I've been looking on TE and the web a lot to try to make informed choices on the subject, and that's where a lot of these opinions are coming from. The certification path I listed is roughly what I'll be doing, although I'm still deeply entrenched in infrastructure and am focused on Microsoft stuff at the moment (not that that hurts me for a security position).

Anyway, I'll end this post with a recent thread I started on this subject. Docrice has a long, but worthwhile read:
http://www.techexams.net/forums/jobs-degrees/77043-getting-your-foot-security-door.html

bigdogz

Remember that you also have to pay AMF's and apply CPE's /CE's to those certs. In the long run you may you may pay
a grest deal of time and money to maintain those credentials.
I would reccomend the following certs. You must take the exams to recertify for the Cisco certs.
Once you specialize you can add as you wish.

CompTIA

Security+
Network + (needed for DoD 8570)
CASP

Cisco Systems

CCNA Security

EC-Council

CEH
CHFI
ECSA
LPT
CNDA (CEH for government contract or employee)

ISACA

CISA
CISM

(ISC)²

SSCP
CISSP

Offensive Security

OSCP

Santa_

Sorry, I'm unfamiliar with the abbreviations, AMF, CPE/CE. If you can enlighten me on those please and thank you.

And thanks for mentioning about the GIAC, I thought I had listed it, but while editing the OP through my phone it must have removed the GIAC portion. -.-

good to know about the EC-Council and C|EH reputation. Ill look more into that.

As of right now I have signed up for my A+ 702. Once that's out of the way I'll start studying my security+/network(I'd still like to attain it)

reppgoa

You need to relax, and focus on one thing at a time. You will completely overwhelm yourself if you aren't careful. I know its fun to think about having all of those certs, but I don't think you understand the time commitment its going to take to fully adsorb that knowledge. Sure you, could potentially pass them all in a short time, but take that same cert exam a month later, I bet you fail it miserably. Brain dumping is useless.

alxx

Don't rule out EE/Software engineering.
Doing an embedded systems subjects/course can be useful.

Increasing amounts of work on device and systems security especially on industrial systems and utility systems. Scada systems and plc's are the current big vulnerability

Knowing how to program and a few languages well, can help with tracing security bugs/holes in software/systems. Python with scapy and other packages can be rather handy(packet injection etc).
Make sure to learn how to debug properly in all the languages you learn.

Focus on the degree and the skills you will learn and do the certs yourself.

Do a few certs from different areas and find which you like best then focus on that.
e.g linux+ , security+ , ccna
Having to many certificates can be a disadvantages especially if you don't have experience to go with them.

Need to know operating systems and how to configure them properly for security and not just pc operating systems.

INE has their ccna and ccna voice available for free (streaming) at the moment.
CCNA Associate Course - 640-802

Get your degree, do the first few certs in the breaks or spare time and go from there

ChooseLife

Santa_ wrote: »

I'm unfamiliar with the abbreviations, AMF, CPE/CE. If you can enlighten me on those please and thank you.

AMF - annual maintenance fee - recurring charge required by some certs
CPE/CE - continuing (professional) education (units/credits) - additional recognized activity required by some certs (usually includes taking classes, writing papers, attending conferences, taking more certs, etc)

dt3k

No offense, but you are living in a dream world.

reppgoa

dt3k wrote: »

No offense, but you are living in a dream world.

Finally, someone with some sense...

itsgonnahappen

I'll second what the first poster said... you're certification list is completely unrealistic... this includes it being financially unrealistic...do you realize the cost of those exams?...

As far as the job...I would certainly accept the security cam position as this will certainly account for something.

Also, the forensics certificate will be good to get exposure to some of the tools and terminology, but may not hold much value to an employer.

jasong318

I would forgo the forensic cert unless that is something that just really, really interesets you. Concentrate on finishing the degree first.

As for the other certifications, CISSP, OSCP, Security+ would probably benefit you the most. The ECCouncil certs are good to have just to satisfy DoD 8570 but the Security+ and CISSP would also do that and carry a little more weight.

The OSCP will give you good, hands-on experience and demonstrate to potential employers that this is a field that you are truly dedicated and interested in. Same thing for the CCIE, but as others have mentioned, it is a huge time and monetary investment. I'm getting mine as I work for a Cisco partner, so I have a lot of the equipment for the lab mockup. Otherwise you're looking at $350 for the written, $1500 for the lab attempt plus the cost of books, equipment, materials, etc.

I also work full-time as a network security engineer which involves pentesting and vulnerability assessments, while it's fun and rewarding, it's not super-sexy hacking all the time. The majority of my time is spent in meetings and writing reports. Lots and lots or reports....

Also, you're never done learning. You are going to be constantly having to renew your skillset to keep up with the field. Which, hey, means never a (too) dull day though!

Santa_

Thank you for all of your input. I will put the feedback provided into good use.

I signed up for the 220-702 in the upcoming 2 weeks. Once that is knocked out, I'll do Network+ and then Security+, then CCNA and go from there.

Cheers!