Re: Doubt regarding Sec+

[Jason Thompson <securitux () gmail com>]

I have somewhat of a different opinion on some of this. I have a CEH,
will hopefully have the CISSP when I am done Dec 10, and have heard of
the Security+.

The CEH is a technical cert which is great if ethical hacking and pen
testing is what you are getting into, or if you are getting into
incident handling or intrusion detection. I do a lot of work in
ethical hacking / pen testing, and the CEH actually got us more
business. The idea that management doesn't like the word 'hacker' is a
bit of a flawed premise. Some don't like it, but they are in the
minority I believe. At least in my experience. There is a pen testing
cert by the same organization called the LPT I believe. I don't think
the CEH is what you want though, it's pretty technically detailed in a
specific field.

The CISSP is currently considered the defacto standard for overall
information security. It is an inch deep and a mile wide. It covers
every aspect of infosec but not in depth. Management loves it, more
often than not it will get you more money and more opportunities, and
it is a professional designation. It doesn't take much searching to
realize that most infosec jobs ask for it. But a CISSP has little
technical merit, it is a management-like certification. It's a 6 hr
exam which is apparently quite nasty from what I have heard. It also
requires 4 years of full time infosec experience in the workplace, or
3 years plus a degree.

The Security+ is just what Adam said, basic. I think it would probably
give you what you want, a security cert under your belt and a bit more
knowledge of the field. You could probably go for it, and then maybe
look at the CISSP.

Do you have the budget, company or otherwise, to take SANS / GIAC
certifications? Those, IMO, are probably the best out there for
knowledge. I have a GCIA and it was an excellent course and cert. If
there was a choice between the GSEC (GIAC's basic security course) and
Security+, I'd do the GSEC. It is expensive though. You have to do 2
exams and if you want the new 'Gold' cert you need to do a practical.
It's more work, but worth every bit of it. If you actually want to
learn something :) you can't beat the SANS / GIAC courses.

Hope this helps.

-J

On 11/22/05, Adam Jones <ajones1 () gmail com> wrote:
> On 19 Nov 2005 05:39:22 -0000, kota_44 () yahoo com <kota_44 () yahoo com> wrote:
> > HI All ,
> >
> > I have a question regarding Security + exam .
> > I have a about an years experiance on working on Application Security and now to widen my security knowledge base 
> > and also to get some relevant Security related certification under my belt
> >  I had a doubt of what to start of with so the first exam which many suggested is Sec+ but a large no of others 
> > gave a feed back that this one
> >  aint having a good value now and not worth the Time and effort and better to start of with something like CEH .
>
> Security+ is intended to give you a decent baseline in network and
> application security. It documents that you have demonstrated the core
> knowledge necessary to learn other security topics, and should be
> competent enough to not screw anything up too bad. In other words i
> agree that it is a good start.
>
> CEH looks like it sets you up to be a pen-tester. IMO it helps you
> learn processes, not concepts. In addition the term "hacker" in the
> title seems like it is there just to incite a response. They could
> just have easily went with "Certified Penetration Tester" and covered
> the same course material. Having "Ethical Hacker" in your title may be
> great to impress friends and kiddies, but I doubt too many hiring
> organizations will find it appealing.
>
> If you are looking at something where your work is either a) mostly
> solo, or b) done on contract (this is 80% of the jobs out there) then
> CEH is probably a bad idea simply for the reason that the term hacker
> has become synonomous for bad guy to everyone outside the computing
> community. In that sense calling someone an "ethical hacker" becomes
> akin to calling them an "ethical lawyer" or "ethical car salesman".
>
> > But other suggested this as a good base for CISSP .
>
> Based purely on name I think the CISSP would be a better second
> choice. I have not looked at the actual content of the certification,
> but it will look better on a resume than CEH. This obviously is not
> the only criteria with which you should be evaluating certifications,
> but I think it is an important one.
>
> >  So could you all who probably are familarized or taken Sec + can update me with pros/cons or why one should/ 
> > should not take it and its current value and what can be a good alternative to start off if not Sec + .
>
> Overall sec+ is fundamentals. Think of it as security 101. It gets you
> enough to let figure out where you want to learn more. There is enough
> information in there to allow you to be competent as a junior
> administrator with a little bit of software-specific training. It does
> not really teach you how to implement very much, but does teach you
> "best practices"
>
> CEH appears to be more in-depth in the specific field of penetration
> testing. It has the benefit of (hopefully) requiring more knowledge
> about security in general, but loses a lot of credibility with the
> management types due to the stigma on the name "hacker".
>
> CISSP seems like an unknown to me. It looks like a more
> advanced/practical sec+, but that is only after a relatively brief
> review of the cert.
>
> If I were to give you a suggestion on what to do it would be this:
>
> 1) get a sec+. At the least it makes sure that you have studied all
> the basics. Do your best to ace the test, as barely passing the cert
> means you didn't really learn the topic.
>
> 2) Avoid CEH. I will put in a caveat here that if you do not plan on
> getting a job where you deal with management, at all, then it probably
> is ok. I have yet to find any jobs like that, and should one appear
> you will probably be run over for it by people with more experience
> anyways.
>
> 3) Consider the CISSP. Look carefully at what it actually teaches, and
> try to find people that have taken it to give you feedback. (hopefully
> such a person will respond to this thread) Don't get it just to get
> it, make sure it really is worth the money.
>
> -Adam