
IT Security Certs (which to go for).

  • 17-12-2014 1:49pm
    #1
    Closed Accounts Posts: 990 ✭✭✭


    I've just done the CISM last week so I'm looking around for the next cert to study. I want something technical.

    My criteria is to learn something and to have something for the CV.

    I've started looking at CEH but I'd have a reasonable stab at passing that now. Is it worth anything on the CV? I don't want to just do an exam for the sake of doing it.

    I'm also having a look at OSCP but I've heard it is very difficult. I've done some pen testing but amn't brilliant at it. I am off work so I could dedicate a month to studying it. Is that enough for somebody who is reasonably technical but not an expert?

    Are there any other certs that are worthwhile out there for the current market at the moment?



Comments

  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    What course/study did you do for the CISM?


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    Itsdacraic wrote: »
    What course/study did you do for the CISM?

    Just got the official study material and the sample test questions CD from ISACA. It's not hard but there's a lot to it.

    The feckin exam had a lot of BYOD questions on it which, while not new to me from experience, had shag all info in the book. The trouble with that is that frequently there are 4 right answers but you've to choose the BEST answer or the item you'd do FIRST.
    My idea of BEST and CISM's BEST might differ :D


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    timetogo wrote: »
    Just got the official study material and the sample test questions CD from ISACA. It's not hard but there's a lot to it.

    The feckin exam had a lot of BYOD questions on it which, while not new to me from experience, had shag all info in the book. The trouble with that is that frequently there are 4 right answers but you've to choose the BEST answer or the item you'd do FIRST.
    My idea of BEST and CISM's BEST might differ :D

    Thanks, is it considered a good certification to have?


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    Itsdacraic wrote: »
    Thanks, is it considered a good certification to have?

    I suppose so, if you're looking at security management. I've done some security in previous jobs and the info in the CISM would have been handy for me, e.g. roles & responsibilities, policies, standards, procedures, handling incidents etc.
    A couple of companies I've worked for have had vague ideas about security which leads to more hassle / stress than is necessary. There is no grey area when it's done right.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Well forget the CEH anyway. Load of sh!te.

    Maybe a networking or systems one? RHCSA? There is a massive shortage of skilled Linux specialists out there.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    timetogo wrote: »
    I've just done the CISM last week so I'm looking around for the next cert to study. I want something technical.

    My criteria is to learn something and to have something for the CV.

    I've started looking at CEH but I'd have a reasonable stab at passing that now. Is it worth anything on the CV? I don't want to just do an exam for the sake of doing it.
    There are a lot of companies that are either new to this whole security thing or haven't quite figured out exactly what they need when hiring. These, or companies who want a more generalist person, will tend to put a fair amount of stock (far more than they should really) behind the better known certs like CISSP/CEH. From that more HR-ish perspective, they are actually valuable to have.

    More established houses or those specifically targeting pen test or practical ability will put a hell of a lot more weight behind the likes of OSCP/GPEN.

    Ultimately it depends on what part of infosec you are aiming to get into. In relation to technical certs in the management/policy/auditing end, CEH is probably more than most would have, but in the pentest/practical end, CEH may not get you in the door but OSCP/GPEN definitely would.


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    timetogo wrote: »
    I suppose so, if you're looking at security management. I've done some security in previous jobs and the info in the CISM would have been handy for me, e.g. roles & responsibilities, policies, standards, procedures, handling incidents etc.
    A couple of companies I've worked for have had vague ideas about security which leads to more hassle / stress than is necessary. There is no grey area when it's done right.

    I would be looking more to enhance my existing IT knowledge without going specifically down a purely security route.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Itsdacraic wrote: »
    I would be looking more to enhance my existing IT knowledge without going specifically down a purely security route.
    If you haven't done it, personally I'd say CCNA would be a decent one for that. There aren't that many roles outside of solely management or development ones in which knowing how networks operate isn't at least somewhat useful.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Blowfish wrote: »
    There are a lot of companies that are either new to this whole security thing or haven't quite figured out exactly what they need when hiring. These, or companies who want a more generalist person, will tend to put a fair amount of stock (far more than they should really) behind the better known certs like CISSP/CEH. From that more HR-ish perspective, they are actually valuable to have.

    Agree 100%


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    I'm leaning towards OSCP as the next one. Had a quick google today and, on the forums, people who've passed are coming from a low enough level, i.e. not mad security or programming experts to start with.

    The CEH seems like something I can do in my spare time.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    syklops wrote: »
    Well forget the CEH anyway. Load of sh!te.

    Maybe a networking or systems one? RHCSA? There is a massive shortage of skilled Linux specialists out there.

    I'd disagree. I'd say get the CEH - it's a reasonably cheap cert to get if you can do the self study option - plenty of materials available online for it. It also looks great for any HR type people or for proposals in work.

    Ultimately the OSCP is the creme de la creme at the moment technically. It does take a lot of work though and is very much think outside the box. Even the exam is 24 hours with a further 24 to write a report. The OSCP holds a lot of weight with anyone in the security industry looking at a CV etc., but very little outside.

    CEH will teach you a lot of the intermediate level things, but is theoretical in nature - you can completely book study and pass. OSCP is advanced and very hands on. There are of course a world of other certs, not specifically pen testing certs, that may be more valuable to you depending on where you want to go.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    timetogo wrote: »
    I'm leaning towards OSCP as the next one. Had a quick google today and, on the forums, people who've passed are coming from a low enough level, i.e. not mad security or programming experts to start with.
    One tip I'd say is to run through Metasploit Unleashed beforehand. You won't be able to use the full Metasploit in the OSCP exam, but it gives a handy little primer on some of the concepts.

    [edit] Also, sort yourself out with decent note taking software/strategy as you'll need to keep track of a fair amount of stuff at once.


  • Registered Users, Registered Users 2 Posts: 2,683 ✭✭✭zweton


    Any of you guys working in security management at the moment?
    What do you think of the whole GRC (governance, risk, compliance) side of things? Thinking of going down this route. I guess the CISM would be one to do at some stage if looking to go down that road.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    zweton wrote: »
    Any of you guys working in security management at the moment?
    What do you think of the whole GRC (governance, risk, compliance) side of things?
    The trouble with those certs in Ireland is there are only a handful of companies big enough to hire a dedicated GRC person. It would be useful as an add-on, but get a CISSP first and then either a technical cert or something like CISA depending on the direction you want to take.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    zweton wrote: »
    Any of you guys working in security management at the moment?
    What do you think of the whole GRC (governance, risk, compliance) side of things? Thinking of going down this route. I guess the CISM would be one to do at some stage if looking to go down that road.

    Different horses for different courses I suppose. GRC puts me to sleep.


  • Registered Users, Registered Users 2 Posts: 2,683 ✭✭✭zweton


    timetogo wrote: »
    I've just done the CISM last week so I'm looking around for the next cert to study. I want something technical.

    My criteria is to learn something and to have something for the CV.

    I've started looking at CEH but I'd have a reasonable stab at passing that now. Is it worth anything on the CV? I don't want to just do an exam for the sake of doing it.

    I'm also having a look at OSCP but I've heard it is very difficult. I've done some pen testing but amn't brilliant at it. I am off work so I could dedicate a month to studying it. Is that enough for somebody who is reasonably technical but not an expert?

    Are there any other certs that are worthwhile out there for the current market at the moment?

    How long did it take you to study for the CISM?


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    syklops wrote: »
    Different horses for different courses I suppose. GRC puts me to sleep.

    Boredomville...


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Hi,

    Trying to register for CTP on the Offensive Security...

    https://www.offensive-security.com/preregistration.php?cid=26

    But I don't have a Registration Code and/or Secret Key, so I click on the link to get a reg code... It asks me to bypass the registration by inserting the correct security string!

    http://www.fc4.me/

    But... where is the string? Is that a challenge or am I missing something at this time of the day! :)
    Is the "Friday 19th of December 2014" correct??

    Thanks.


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Found a nice article here, may be of help for others...


  • Registered Users Posts: 1,215 ✭✭✭harney


    If you intend working in the UK at any stage, then pen testing wise you'd be better off looking at CREST.

    http://www.crest-approved.org/index.html

    It was more for government testing at first, but has expanded over the years to essentially set the bar of expectations for companies hiring somebody.

    There are two levels. The Registered Tester level is a 4-ish hour exam split in two parts. The first part is closed book theory, while the second part is a practical exam. You bring your own laptop, so it can be loaded with whatever scripts you normally use.

    At the end of the exam you have to leave your HDD. They will securely wipe it and send it back to you.


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    zweton wrote: »
    How long did it take you to study for the CISM?

    About a month. The last week was about 6 hours a day studying. The book is extremely dry.


  • Registered Users, Registered Users 2 Posts: 2,683 ✭✭✭zweton


    Ah, that's handy enough. Yeah, I can imagine; I have read a few reviews on it :D What am I trying to get into :D


  • Registered Users, Registered Users 2 Posts: 2,683 ✭✭✭zweton


    harney wrote: »
    If you intend working in the UK at any stage, then pen testing wise you'd be better off looking at CREST.

    http://www.crest-approved.org/index.html

    It was more for government testing at first, but has expanded over the years to essentially set the bar of expectations for companies hiring somebody.

    There are two levels. The Registered Tester level is a 4-ish hour exam split in two parts. The first part is closed book theory, while the second part is a practical exam. You bring your own laptop, so it can be loaded with whatever scripts you normally use.

    At the end of the exam you have to leave your HDD. They will securely wipe it and send it back to you.

    Not looking to get into pen testing, more IT risk/compliance roles. Anyway, I need to get the CISSP first, who knows how long that will take.


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    I've signed up for the OSCP. I'm "between" jobs so I'm taking a month to do this exam and will start looking again then. My 30 days starts on Sunday at 00:00 so by Sunday morning once I get the material I'll know if I'm fuked or not :)


  • Closed Accounts Posts: 990 ✭✭✭timetogo


    zweton wrote: »
    Not looking to get into pen testing, more IT risk/compliance roles. Anyway, I need to get the CISSP first, who knows how long that will take.

    I did the CISSP a few years ago. It's handy enough (or was anyway when I did it). It's more technical than the CISM but nothing too hectic. It took a couple of months with a couple of hours during the evening and studying through lunch breaks.

    At the time I was working in an American company. Our American counterparts all failed it the first time they took it. The Irish guys all passed it first time. Plenty of slagging handed out when we did that.


  • Registered Users, Registered Users 2 Posts: 1,917 ✭✭✭B00MSTICK


    timetogo wrote:
    I've signed up for the OSCP. I'm "between" jobs so I'm taking a month to do this exam and will start looking again then. My 30 days starts on Sunday at 00:00 so by Sunday morning once I get the material I'll know if I'm fuked or not

    You probably have had a look at it by now, but there seems to be quite a lot to cover over the course if you include the lab manual, videos and associated exercises, not forgetting the actual lab environment. You'll need to document all of those too of course and then do the exam on top of all that! I'd say it's doable over the 30 days as you're between jobs - I went for the 90 days myself (lucky enough to have a company that values this kind of thing!) and would find the 30-day option pretty difficult (without sacrificing all my down time!) whilst working.

    I should have around 70 days left so need to pull my socks up after the xmas break. There's some decent material/scripts out there which might make life easier too, you probably have them already but feel free to give me a PM if you want. Best of luck!


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    timetogo wrote: »
    I did the CISSP a few years ago. It's handy enough (or was anyway when I did it). It's more technical than the CISM but nothing too hectic. It took a couple of months with a couple of hours during the evening and studying through lunch breaks.

    At the time I was working in an American company. Our American counterparts all failed it the first time they took it. The Irish guys all passed it first time. Plenty of slagging handed out when we did that.

    CISSP is definitely one of the sexier certs for recruiters and hiring managers. Some people say it's a joke of a cert but I think it's definitely worth doing. The material to be studied is highly relevant for those looking to go down the security management route.

    My problem with the cert is the exam itself. Some of the questions are absolutely ridiculous, seemingly written by half-wits who are intentionally trying to make you slip up, and composed terribly.

    That said, I'm currently studying for the CISSP. After that I'll do the CEH, ISO 27001 Lead Implementer, CISM and PRINCE2. I work in the cyber security industry helping companies improve & transform their security posture, so a good mix of tech and general certs is what I'm aiming for.


  • Registered Users Posts: 118 ✭✭Hibernosaur


    Would the CCNA Security and follow-on CCNP Security not be another option if networking is your thing? Or are we talking project management/design exclusively?


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Would the CCNA Security and follow-on CCNP Security not be another option if networking is your thing? Or are we talking project management/design exclusively?

    Absolutely, great certs to have but specific to networking.


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Would rather do the CISM via a 3/4 day bootcamp + a bit of self study.
    Are there any providers regularly offering these bootcamps?
    Could you do the bootcamp + exam in a week or would that be pushing it?

