Results 1 to 3 of 3

Thread: A Guide To Information Security Certifications

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    274

    A Guide To Information Security Certifications

    hi all, i found the following writeup informational
    I’ve seen the question asked more than a few times recently about what the best information security certifications are. Some people already have one or more and are looking to expand, others are just getting started and want to know how to do so. This page will hopefully offer some help in this area. I’m going to highlight a few of the options and discuss who I think should be going for which, and why.

    I’ll be rating each one based on the criteria below:

    *Note: I only have the Security+, CISSP, and GSEC credentials. My comments on the others are based on information I have gathered from various sources.

    Difficulty - How hard the test itself is, i.e. study-time neeeded, etc.
    Who - Who should be looking at this as an option.
    Respect - Technical respect rating within the infosec-geek community.
    Renown - How well-know the certificate is throughout the industry.
    Requirements - What’s needed to get the cert, i.e. project, exam, etc.
    Cost: - What it’ll cost you (or your company) to sit for the exam.
    Pros - Positive comments about the certification.
    Cons - Downsides to the certification.
    Comments - My own input about the credential.
    *Note: Numbers are on a scale from 1-10 (10 being the highest)
    The Players

    Security+
    Sponsor: CompTIA
    Difficulty: 1
    Respectability: 2
    Renown: 4
    Requirements: Single Exam, +-100 Questions
    Cost: $225 USD (discounts available online)
    Who: This certification is for people just getting into the field. If you don’t have any other certifications, and your experience/skills are still developing, this is the certification for you.
    Pros: It’s a fairly easy cert to get and I understand it’s getting a decent amount of recognition within federal organizations. It’s also a fair, solid test that asks decent questions rather than a bunch of fluff.
    Cons: It’s entry-level and thus not strong as a standalone bargaining chip.

    SSCP (Systems Security Certified Practitioner)
    Sponsor: ISC2
    Difficulty: 4
    Respectability: 4
    Renown: 2
    Requirements: Single Exam, 125 Questions
    Cost: $350 USD
    Who: The SSCP is for serious, dedicated information security professionals who are not quite ready to take the CISSP exam. Only one (1) year of experience is required for this exam vs. 3-4 (depending on if you have your degree) for the CISSP.
    Pros: The SSCP is administered in a very professional fashion, just like the CISSP, and it thus carries some degree of the respect that goes along with that credential. It’s also from ISC2 just like the CISSP, so that helps it as well.
    Cons: Unfortunately, the certification that hurts the SSCP the most is in fact its older brother — the CISSP. If you check the job boards, precious few jobs ask for the SSCP. The reasoning there is that the experience requirement for the CISSP is much of what makes it so respectable. To take that away and ask half the number of questions diminishes the SSCP to a significant degree.
    Comments: If you can’t show the 3-4 years experience required for the CISSP, and someone else is paying, I’d say go for the SSCP. If nothing else, it will help prepare you for the CISSP that will surely be in your future. That being said, if you want to get a truly valuable credential that doesn’t require the experience, opt for the GSEC (covered below).

    CISSP (Certified Information Systems Security Professional)
    Sponsor: ISC2
    Difficulty: 5
    Respectability: 5
    Renown: 10
    Requirements: Single Exam, 250 Questions
    Cost: $500 USD
    Who: The CISSP is for serious, dedicated information security professionals who intend to stay in the field and grow. It says to employers that you are serious about your career and are familiar with the core basics of 10 seperate areas within the field.
    Pros: The CISSP is without a doubt the king of certifications right now. It’s the first infosec cert to recieve ISO recognition — a great acheivment not only for the certification itself, but also for the field as a whole. It commands a great deal of respect in many IT circles, and this can be clearly seen via job search results. It can help your chances greatly of getting high-paying jobs, and is an excellent addition to any resume. If you are only going to get one infosec cert, it should be the CISSP.
    Cons: While the CISSP is undoubtedly the king of information security certifications, it suffers from being thought of as something it isn’t. Many view it as proof that someone is an expert in the field, and that couldn’t be farther from the truth. ISC2 has explicitly stated in the past that the test is designed to test a broad base of general knowledge, not to certify someone as a master of their field. Despite the rumors of impossibility, the exam also supports over a 70% first-time pass rate.
    Comments: The CISSP is a great exam because it is not easy to take (experience in the field is required ), and once you are able to take it, it’s administered in a professional, controlled environment. What people fail to realize is that it’s for high-level security professionals such as managers. Obviously, anyone can go for it, but it’s not designed to test technical skills or the ability to actually perform in the trenches of an infosec environment. It’s a broad overview, basically — a test designed to ensure that you are familiar with some concepts. It’s when people lose sight of this that the confusion starts. As for the difficulty factor, I started studying for mine on a Monday and passed the exam on that Saturday — that’s with zero previous exposure to the CISSP study material. A buddy of mine just got his as well, and his study consisted of around 2 weeks of passively glancing at the material while leveling his WoW character. Again, that’s not to say it’s not an excellent cert, it’s just that the difficulty should not be overestimated.

    GSEC (General Security Essentials Certification)
    Sponsor: SANS
    Difficulty: 7
    Respectability: 7
    Renown: 5
    Requirements: Research Paper, Two 100-Question Exams
    Cost: $800 USD (Cost of exam without training)
    Who: The GSEC is for highly-technical, serious information security professionals who actively work with infosec technology on a day to day basis. Those who are looking to show considerable technical knowledge over a large number of infosec subjects would be well-served by attaining this credential.
    Pros: The SANS organization is universally recognized as a top-notch infosec organization. Any certification from them commands a decent degree of respect.
    Cons: The CISSP currently owns the majority of the spotlight in this arena. Few employers are aware of the GSEC, and even if they are they view the CISSP as just as valuable.
    Comments: The GSEC does not show expertise in a given subject; it shows that the cert-holder is technically-oriented and has a wide base of infosec knowledge. No certs at this level demonstrate true mastery. One particular thing to note with this exam vs. the CISSP is that the actual exam portions are taken from home and open-book, meaning you can use anything you want during the exams. Critics rave that this makes the exam less respectable than the CISSP since the CISSP is taken under supervision and no study materials may be used. I argue that precisely the opposite is true. Infosec professionals are not databases. We don’t pride ourselves in not having to consult external resources when solving problems; in fact, we do it constantly. To imply that an exam that tests your ability to solve problems in precisely this fashion is somehow less respectable is, in my view, a grave mistake. The GSEC exam structure represents the real world — you’re faced with a difficult problem, you find the answer and solve it. You don’t see consultants losing contracts because they had to Google for solutions that saved their clients money. Ultimately this debate comes down to an old argument: hands-on vs. academic. When evaluating someone that’s supposed to have the actual know-how to solve infosec problems in the real world, there’s no doubt in my mind that the average manager is going to prefer the former.

    GCFW, GCIA, GCUX, GCIH
    Sponsor: SANS
    Difficulty: 8-9
    Respectability: 8-9
    Renown: 4
    Requirements: Research Paper, One Or More Exams
    Cost: $800 USD (Cost of exam without training)
    Who: These various SANS certs are the mid-level offerings from the organization. They are more indepth and difficult than the GSEC, and they focus on one area specifically. GCFW is for firewalls and VPNs. GCIA is for IDS/IPS, GCUX is for Unix security, and GCIH is for incident handling. These are just a few of those that are offered, and these are geared towards veteran infosec professionals who have already specialized into an area. If you fit this bill, I’d say that pursuing one of these certifications would be ideal.
    Pros: The SANS organization is universally recognized as a top-notch infosec organization. Any certification from them commands a decent degree of respect, and these specialized certs say to an employer or client that you are truly profficient at what you do.
    Cons: There are very few holders of these more advanced certifications, and as such many employers may ask questions like, “Is that like a CISSP? Is that the same as a GSEC?” The good news is that it should be fairly easy to explain the situation to them.
    Comments: These certifications do show some degree of mastery of a subject. It doesn’t mean that everyone with one is great, or that those who don’t have it aren’t. It does mean, however, that the odds of someone with one of these certifications being a good fit for a job in that area are extremely high. Think of these as more difficult, more focused GSECs.

    CISA (Certified Information Systems Auditor)
    Sponsor: ISACA
    Difficulty: 5-6 ?
    Respectability: 6
    Renown: 8
    Requirements: Single Exam
    Who: The CISA credential is ideal for anyone already doing, or looking at getting into information security auditing.
    Pros: The credential is highly recognized and sports even more hits than the CISSP in monster.com and other job searches. It’s highly sought after due to the onslaught of regulation hitting the infosec industry as a whole.
    Cons: Again, many jobs that request CISA also will take a CISSP. Certain jobs ask for CISA specifically, but most are just looking for this “class” of cert, and will accept a CISSP in its place.
    Comments: This area (auditing) is growing like mad. Due to SOX and other new legislation, this will do nothing but continue to accelerate. Adding a CISA to your resume is definitely a good move.

    CEH (Certified Ethical Hacker)
    Sponsor: EC-Council
    Difficulty: 3
    Respectability: 2
    Renown: 2
    Requirements: Single Exam, +-100 Questions
    Cost: $250 USD (discounts available online)
    Who: This certification is for those who want to prove that they have the skills do perform some of the more offense oriented infosec activities, i.e. break into systems.
    Pros: It’s an easy certification to get and you get to brush up on a few interesting tools while studying for it.
    Cons: The cons for the CEH exam are legion. First of all, it’s designed to show competence in perhaps the most advanced branch of information security — pentesting. To even imply that learning some command options on a set of tools will make someone a pentester is scandalous. Furthermore, and more to the point, the certification is not really respected to any significant degree. Anyone who’s looking for a pentester and has an idea of what one is, is actually likely to think less of someone who mentions that they have this cert. In other words, anyone who claims to have skills based on the fact that they hold this credential, probably doesn’t.

    GSE (GIAC Security Expert)
    Sponsor: SANS
    Difficulty: 10
    Respectability: 10
    Renown: 3
    Requirements: You must currently have five (5) GIAC certs (one of which must be with honors), and then pass the GSE exam.
    Who: The GSE is something to be pursued by those who have literally mastered a number of areas within information security, and have superior talent.
    Pros: If you encounter anyone who knows what all the exam involves, you’ll earn some instant respect.
    Cons: You aren’t likely to find any of those people.
    Comments: The GSE credential is the final destination for anyone pursuing certification with information security. It’s a goal in and of itself to me since I don’t see someone with the skills to attain it hurting for a job or having trouble getting raises.
    Boiled Down
    Let me try and break it down the way I see it. If you are just getting into security and you don’t have much experience with networking and such, get a job where you can work with computers and start pursuing your CCNA. Study, practice, learn everything you can pertaining to operating systems, networking, and security. Once you feel your skills are fairly strong in the security realm, start studying for and take the Security+ exam.

    If you have been in networking and/or security for a while now (4 years or so), and you feel your skills are pretty strong, you should be looking at the CISSP. Ignore people who say it’s too easy or that it doesn’t mean much — it doesn’t matter. The fact of the matter is that it’s more beneficial to have a CISSP right now than any other cert in its class.

    After getting your CISSP, and if you’re a technical person, I suggest you look at the GSEC. It’s the perfect compliment to the CISSP. The CISSP covers the 10 domains from a manager/birds-eye view, and the GSEC gets down to some technical detail within the same areas of study — policy, encryption, etc.

    Another option once you have your CISSP is to go for the CISA instead. If you’re more of a manager anyway, and/or looking to head that way, then it may not be necessary to show technical prowess. If that’s the case then opt for the CISA instead of the GSEC. The certification is absolutely on fire right now, and the odds are good that with a solid resume and a CISSP/CISA combination you could command around $90K/U.S. fairly easily.

    If you have been in infosec for a long time, i.e. 5-10 years or more, and you are a geek at the core, start knocking down SANS certs being aware of the fact that you need honors for one of the 5 that are required for the GSE. To me, the GSE is a major accomplishment in its own right, and I don’t really see it being a money-maker. In my view, anyone who can get a GSE already pulls a healthy check anyway.
    Conclusion
    When trying to measure how popular a credential is, remember to look to the source. Mine the resume sites for hits on the certs you’re looking to get. If you don’t get a ton of hits for the one you’re considering, think about going with a different one. Remember, certifications are for other people’s perception of you, and as such, the weight that those “other people” give a given credential is what matters most.

    I hope this short summary of my thoughts on these credentials has been helpful. Feel free to contact me if I have made any errors, if there is something you think I should add, or if you just want to comment on anything said.:
    source: http://dmiessler.com/writing/infoseccerts

    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  2. #2
    I would like to add some tips to your beautiful post.

    First of all there are many people starting their IT carrer that want to have all certs, and wasting lots of money and they really don't need them. What I say (this is a subjective suggestion only) is that for example if you are new to this (let's say 18 yrs old) start studying for the A+ exam but don't do it!. Just buy, download, get a library loan or whichever books about this subject but don't make the exam. If you really need it, if you are thinking in a job and the employer want the A+ as a requisites then do it.

    Why I say this? A lot of problems that new guys (like me) have is that they don't know what to study, where to begin, etc. Well a good way (I am only talking about security stuff, but there are other things you should know, like programming) to do your "study line" is studying for certs and not doing them but study as hard as possible because you only do it (at leas I do it) for your knowledge thirst. Then if you need the certs do the test.

    Well, that's all....see ya.

  3. #3
    Oh...and I loved this post so much that I bookmarked it!! Really good stuff!!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •