
Opinions on certifimication

  • 22-05-2011 2:15pm
    #1
    Registered Users Posts: 2,215 ✭✭✭


    Hi all, I figured this was a better place for this stuff versus the IT Certification forum. I used to spend a lot of time in the company of people such as yourselves back when I was younger and spent hours reading and using stuff from astalavista plus other fun websites, but I've since grown up (sort of :)) and gotten a career.

    I'm getting back into it with the eventual goal of joining the InfoSec team where I work. What are you guys' opinions of the ISC2 (CISSP etc.) versus EC-Council (CEH, LPT) and Offensive Security (OSCP, OSCE) certifications, if any?

    I'm hearing, industry-wise, CISSP is king of the hill, EC-Council is mid level, but the OSCP and stuff is actually far more practical and tests your skills rather than answering a bunch of questions.


Comments

  • Registered Users Posts: 2,215 ✭✭✭Kur4mA


    62 views and no replies. Hehe, point taken lads. :)


  • Closed Accounts Posts: 14 Sigtran


    kyub wrote: »
    I'm hearing industry wise, CISSP is king of the hill, EC-Council is mid level but the OSCP and stuff is actually far more practical and tests your skills rather than answering a bunch of questions.

    That's pretty much what everyone is hearing... Companies seem to look for CISSP, tho OSCP is supposed to be more practical (dunno myself). I imagine, if you already have a job position waiting for ya, you might want to go for practical stuff, rather than a broad all-in-one type of certification. The opposite is of course true as well. But it's imho, so don't take it too seriously.


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    OSCP is very hands on and practical but not well recognised. It is a hacking course, it is not a course about company security policies or the best way to set up your firewalls. It's about finding vulnerabilities in an application or system and then tinkering with what's out there to exploit the system you have found exposed. It won't teach you to be a pentester but it will teach you everything you need to know about the hacking side of pentesting. The exam has zero theory and is completely hands on, think as you go rather than learn a load of facts and re-create your notes on a page.

    CISSP, from what I can tell as I haven't studied it, is more of a management overview of security including policy requirements, physical security options etc. It's much more "blobby" than OSCP and more theoretical.

    CEH is the red headed step child of those two. It's a quite fundamental course (read: basic) and perfect for the newcomer to the field of security. However, you won't learn a lot of practical pentesting on the course. You'll see a lot of utilities and demo a few. It does teach you what you need to look at to learn next.

    ECSA (the follow on from CEH) is pretty much CEH 1.5. *A lot* of the same material is covered. IDS etc. are briefly described.

    Both CEH and ECSA have a multi choice exam at the end. Both are simple for people that can memorise slides or take good notes (or have an instructor that runs through "sample" questions). However at the end of the courses you are NOT ready to proclaim yourself a Pentester or Security Analyst. You have an idea of where to go to learn more but that's about it.

    I haven't sat any of the SANS courses so I can't comment on those but they look good and some do offer a practical path (I think).

    I also have no experience of the CHFI course (chfi? cfhi?). It's not necessary for the ECSA but I can't see it being too in-depth, not enough to be able to confidently say "I can run a forensic analysis on that dodgy machine over there" but again, I'm sure it would be a good baseline to start from.

    The one thing that struck me most (and saddened me most) about the ECSA course was that once you pass the ECSA you just have to pay $500 and you get a pentesting "license" which supposedly shows that you are qualified to offer your services as a pentester.... I decided to see if I could practise what I thought I knew before I considered shelling out for that particular piece of paper and got a quite nasty shock when I found myself completely out of my depth and relying more on my own research (OWASP, forums and experience) than the material I had "learned" on either the CEH or ECSA courses.

    So, yeah, CEH & ECSA, great pieces of paper to have because they are recognised in the industry and will get spotted on a CV, but you better make sure you have the experience and skills to back it up.

    OSCP: not well recognised but those that have it or have attempted it will attest to just how impressive it is.

    CISSP: no idea but there were a few CISSPs on the CEH course I sat and they knew less than I did about pentesting (and I didn't know much) so I'd be tempted to say that it too is more of a CV adornment than a mark of an experienced Security professional.

    footnote 1: I think this is more to do with the way CISSP and CEH/ECSA are taught and examined than it is to do with the course content itself. If you study CISSP the way it is recommended - over a period of a year, honestly have the necessary experience - then it should be brilliant, but I've seen "bootcamps" where people go from zero to CISSP in three to 7 days - one guy I spoke to on the ECSA course did CEH, CISSP and CCNA in one 7 day bootcamp; he had no prior security or networks experience but had worked in IT (helpdesk) for 2 years before that.

    footnote 2: I saw your post earlier but RL etc. got in the way of responding and rather than rush out a response I wanted to wait until I had time to fully answer your question as best I could. I'm sure many of the other viewers were of the same mind and I'm sure more than a few were spambots and shill machines crawling to see if there was anything in your post that they could chime in with an advertisement disguised as something helpful :) "Don't have your CISSP? That's because your willy is too small. Click here to fix that using purely natural ingredients!" etc.


  • Registered Users Posts: 2,215 ✭✭✭Kur4mA


    Thanks for the response, honestly. :)

    That very much sums up what I had assumed too after researching a little into a lot of the curriculum for the certs. Everyone I've spoken to goes on about the CISSP but from what I can see of the coursework it is extremely bloated and is a standout CV adornment.

    I do plan on going for a CISSP at some point but I'm very aware that having it or any of these certs doesn't mean a thing in terms of being a very good or even good Security professional. I like the idea of the CEH specifically because it shows a large amount of the tools of the trade and that's as good a starting point as any imo. The OSCP kind of appeals to me above all of the others for the exact reasons you mentioned. I'm not worried that it isn't very well recognised at all as I think what you would learn along the way while trying to get that certificate is worth more than the certification itself.

    I reckon CEH > OSCP to get my foot in the door (at the company I work for) and then hopefully experience, as well as actually being good at this stuff, will come with that. :)

    If things go well, I'll look at other EC-Council courses at some point maybe.

    Has anyone else done these or any of the other EC-Council courses that could give some more advice or share their experiences?


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I've no certification beyond a degree, and a few MCPs from about 9 years ago. I would actually be interested in getting certified in something. My theory and practical knowledge is pretty decent. Might be worth doing over the next few months myself while I'm locked up in the house with long term illness.


  • Registered Users Posts: 9,925 ✭✭✭trout


    I don't know anything at all about OSCP.

    I hold SSCP and CISSP certs. It was pretty much expected as part of my current job. What I've learned is CISSP is widely recognised in many countries, and reasonably well respected. It is more "theory" and less "hands-on" ... especially when it comes to pen-testing, web app security and the likes. To pass you need a wide range of knowledge across 10 domains / common bodies of knowledge ... wide, but not deep or detailed on any one particular topic. SSCP is less well known. In my experience, SSCP is aimed more at security practitioners, and CISSP is aimed more at managers in fields related to security.

    I looked at CEH / ECSA - at first glance they seemed quite interesting, but the devil is in the detail. You'd need to look at the syllabus and decide if it's pitched at the right level for you. To my eyes, it's very different to both SSCP/CISSP, so it's hard to compare or promote one over another.

    You could also take a look at SANS certification. I know a few people with SANS certification - and they are without fail people that I would respect for their technical expertise. There are a variety of SANS courses, pitched at varying levels. I'm currently working through GSEC and I have access to GCFW courseware ... I think the courseware is quite excellent, broad & deep, much more detailed and specific compared with the ISC2 courses, but again you can't consider them equivalent. The SANS certs are aligned with particular specialisms (pen testing, firewall analyst, intrusion analyst ...) so if you have a particular interest, or your company has a particular need, this could be a good option for you in terms of (a) recognition and (b) actual learning.

    In my experience, ISC2/CISSP is well regarded by Management and the various SANS certs are regarded by techies.

    On the topic of hothousing and bootcamps, I'm a little dubious about how much you can learn in a week, no matter how intense that week is, and I'm even more dubious about how well you can retain what you've learned six months later. Holding a cert is one thing ... actually having the knowledge, skills & expertise is a different thing. Being able, in an interview situation, to demonstrate that you really have that knowledge and those skills ... well, that's different again :)


  • Registered Users Posts: 2,215 ✭✭✭Kur4mA


    Cheers trout. The SANS certs look very very interesting. I'm gonna take a look at their curriculum and how their modules are set up but they are very much on my agenda.

    In terms of how things are going so far, I'm a few modules into the CEH courseware and have already learned some very interesting things... but then again, I'm a complete n00b pretty much. :)

    Apart from looking at certifications specifically, has anyone else got any advice for a complete newcomer like me? I'm reading up on various blogs (thanks to the threads in this forum) too and there's some very interesting stuff out there, but I'm willing to take on board any and all suggestions.


  • Closed Accounts Posts: 301 ✭✭pieface_ie


    Check out the DE-ICE virtual machines you can download. They're VMs with vulnerabilities in them for you to work your way through; I was tipping away at them myself last summer till college started. Also check out OWASP.

    Maybe the more experienced lads will tell you different but it's a start.

