
Challenge - "study_group" in WHITSEC domain(s)

  • 30-12-2014 5:52pm
    #1
    Registered Users, Registered Users 2 Posts: 357 ✭✭


    Hello,

    I’m trying to reach a personal agenda and I “dare” any other interested person to come aboard…
    I apologise in advance for using the word “I” or “myself” so much, but that’s the way I see the scheduler and I like to follow up with strict timing and with little derailments.
    First, after reading so much of the Information Security and IT Certification AND after recent IT trends in the market and in my business, I decided it is time to shift the boat in a different direction while being in the same sea territories.

    Planning study:

    January:
    Linux+, Network+, Security+
    Coursera Cyber_Security Course
    February:
    Start / Complete CCNA and/or CCNA Security
    March
    Start / Complete CEH
    April
    Start CISSP
    May
    Complete CISSP
    June
    Start Kali Linux Course
    Summer time
    OSCP

    Along with them, spread across weeks and /or months:
    Programming in C, JAVA and Python (at a minimum working / hands-on level)
    PHP, MySQL / SQL (at a minimum working / hands-on level)


    Milestones:
    January: Begin course / training learning
    April: Open Day at ITB for IT Security course
    July: Application for Degrees in ITB course
    September: complete all courses and start degree course
    On-going: keep up to date with security challenges

    Strategy / Personal / Group interests:
    Short Term strategy -1 year: Start / complete the above training
    Medium Term Strategy – 2years: Complete ITB Degree in IT Security
    Long term strategy – over 2-3 years: IF study group successful, maybe start a small business / company with a good group of participants

    Study materials / resources:
    We will have access to Udemy, Coursera, Lynda, YouTube and other online eLearning platforms.
    Also, buying lots of books on eSecurity related domains.

    Minimum conditions to participate:
    Full CV and photoID if decided and agreed to participate in the study group after first meeting
    Full personal details and achievements / objectives to be made public, in the group, in the second meeting
    Willingness to study and to succeed, full commitment
    Minimum age at around 30?
    Minimum budget of €1,000 for courses and books
    A laptop running Windows and/or Linux

    Please note that any activities not related to study will be discussed in the group and the user may be excluded from. Also, any “black hacking” tendencies will be banned and user excluded on the spot!!

    I have access to hardware / software equipment such as PCs, servers and networking gear.
    I have access to a 10-seat meeting room with smart board, laptop and projector. No internet access; if needed I suggest mobile phone tethering OR group purchase of a 4G dongle.
    We can setup a lab in the meeting room and work under the principle of “makeit_breakit-fixit”
    I suggest registering a website where we can share the info, public or private way and setup a discussion board for the progress.

    All above subject to change, please feel free to suggest improvements.

    First meeting, face-to-face, on the 7th of January at 7PM around Dublin 15.
    I have a few locations in mind; I need to know how many people I can expect, to set the tea/coffees.

    Looking forward to your feedback.
    Thanks in advance.


Comments

  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    If I hadn't started my BSc earlier this year I'd probably be on for some of this. If people have been in the IT industry for a few years, then I'd skip the Network+/Security+ as a good chunk of it will be repeated in more depth in CCNA R&S/Sec. Linux+/LPIC1 appears to have some weight with employers (at least recruiters) as I'm getting spammed a lot more since passing it.

    Based on the budget, I'm assuming you're not going to be taking the exams? If you are, your budget would be blown in the first month based on the cost of the CompTIA exams.

    I'd be a little concerned with burnout and actual comprehension of the material covered. If you're just passing the exams to boost your CV, unless you understand the material you'll be found out quick enough. If you're definitely looking at setting up the company down the line, then I'd go all in for the OSCP and have it as a selling point.


  • Registered Users, Registered Users 2 Posts: 1,299 ✭✭✭moc moc a moc


    As an established security professional, I have some feedback for you:
    Full CV and photoID if decided and agreed to participate in the study group after first meeting
    Full personal details and achievements / objectives to be made public, in the group, in the second meeting

    Sorry, you're trying to organise a group of people to train to be mindful of security and you want them to hand over a bunch of personal information on days one and two?
    Minimum age at around 30?

    Explain this one. I work with 25-year-olds who have a better understanding of security than most people with the paper certs you list, and I myself began in security in my teens.
    Please note that any activities not related to study will be discussed in the group and the user may be excluded from. Also, any “black hacking” tendencies will be banned and user excluded on the spot!!

    Sorry mate, but I'm not interested in having a beginner in the field tell me how to behave. If you want people to join you in your endeavour, I suggest making it sound more like a collaboration than you setting up your own little fiefdom.


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    Kinet1c wrote: »
    If I hadn't started my BSc earlier this year I'd probably be on for some of this. If people have been in the IT industry for a few years, then I'd skip the Network+/Security+ as a good chunk of it will be repeated in more depth in CCNA R&S/Sec. Linux+/LPIC1 appears to have some weight with employers (at least recruiters) as I'm getting spammed a lot more since passing it.

    Based on the budget, I'm assuming you're not going to be taking the exams? If you are, your budget would be blown in the first month based on the cost of the CompTIA exams.

    I'd be a little concerned with burnout and actual comprehension of the material covered. If you're just passing the exams to boost your CV, unless you understand the material you'll be found out quick enough. If you're definitely looking at setting up the company down the line, then I'd go all in for the OSCP and have it as a selling point.

    Thanks for the feedback, I understand and "feel" your message!


    Re CompTIA, I just really needed to get a refresh at layer 1 as I may have forgotten so many things. You may be right re N+/S+ and the overlap with CCNA, I will review it later this week, thanks for pointing it out. Re Linux, definitely a basic and intermediate level(s) are required...

    Re budget, you are correct, the estimated amount is only for courses, online learning and some books.
    Exams is a different game altogether and the price may vary... I paid recently for Udemy and for Lynda, also for Courseware and I want to get the ISACA as well.
    Fees for exams are at the individual level, if they feel confident in doing it.
    I have the budget as I am taking it off my business training expenses budget.
    Realistically speaking, I guess that by September that budget will be 3 times the €1k.

    Re burn-out... I know and I am willing to take a chance / challenge for which I have allocated 1 year.
    Degree in ITB is easier and I have done it in the past, family is passed on the third level after work and the study.
    I advise isolating in a room or corner for at least 1 hour a day, more at weekend, and keep reading and refreshing at weekend. IT needs full commitment and if not dedicated, forget it, do something else that does not require so much attention.

    I am in IT for almost 17 years, I know what is the value of a cert and not.
    I plan on doing as per books/manuals/labs with much more hands-on.
    I have access to all the needed resources, software, hardware, study materials... my personal issue is that I am easily side-tracked by external factors and I need a really good time scheduler and feedback/performance reviews, exams, tests, milestones to keep me under pressure and on track.

    IT is well worth it...


  • Registered Users, Registered Users 2 Posts: 1,917 ✭✭✭B00MSTICK


    Agreed with Kinetic and moc moc especially
    Kinet1c wrote:
    I'd be a little concerned with burnout and actual comprehension of the material covered.

    The timelines seem very strict - I assume you're not working a 9-5 on top of all this? You'd literally have no downtime which I don't think would suit many.

    Not sure why you have a minimum age? To ensure maturity? I would have thought students/young part-time workers would have been primary candidates given the time commitments. Like moc moc, I know people well under 30 that have more experience and knowledge than most.

    If you want to do the OSCP then I think the CEH isn't worth the expense - especially if you won't be sitting the exam. Most people that actually work in IT security know the CEH is used to impress recruiters/HR and little else.

    What's your end goal here? Set up a business providing IT security training/workshops? Do you have any experience in this domain?
    Big difference between doing the OSCP and doing an internal pentest of a bank for instance, scan the wrong IP and suddenly you have a HSM off the network. Even from a war stories perspective being able to recount tales of actual tests is engaging.

    If you have all those certs after 1 year what is the motivation to go to ITB?
    I don't know the course but I would imagine you would have 99% of it covered and much more in greater detail.

    You could use that year to get some practical experience. Lots of work available at the moment.

    You'll need a very dedicated group to get through all that and the strict timelines you posted would be very difficult for people with full time jobs and families.

    I'm not familiar with your background so maybe not all is applicable btw, just my 2c.


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    As an established security professional, I have some feedback for you:



    Sorry, you're trying to organise a group of people to train to be mindful of security and you want them to hand over a bunch of personal information on days one and two?



    Explain this one. I work with 25-year-olds who have a better understanding of security than most people with the paper certs you list, and I myself began in security in my teens.



    Sorry mate, but I'm not interested in having a beginner in the field tell me how to behave. If you want people to join you in your endeavour, I suggest making it sound more like a collaboration than you setting up your own little fiefdom.


    Hi,

    Again, thanks for the feedback.
    Good points.
    Can't multi-quote reply, sorry.

    Re PhotoID... not sure re photo ID but a CV will be nice.
    I see it more as a filter rather than a physical, moral barrier. Also, I need to know that the person that is embarking on the boat really is who they are. I am not going to photocopy and keep them in a so-called "secure cloud" but it is nice to have it. I guess the group will feel better if they know that as well.
    It is more like trying to set up a free event for a charity and asking for an entrance fee of €10. A filter...!?

    Re age, as well, a barrier, an entry filter for differentiating a child from a grown-up mature person?

    Re "little fiefdom"... not quite understanding the expression, I have to get more details. If you are not happy about my requirement and, as explained in old plain English, that any activities not related to study are banned, then please feel free to skip my challenge.
    I never said anything about behavior, it is just the same thing that you do when you get aboard a bus or plane: normal, common sense, decent behavior. The last thing that I want is to attract issues related to one individual and the repercussions to affect the whole group.
    Please note that I'm not seeing myself as the ruler, every person in the group will explain his main domains of interest and he will be "named" project manager of that area. He will manage the domain, the technology and we will work together. There is no hierarchy or anyone to respond or reviews to be handed out.
    You know and understood very very well what lines and boundaries I'm trying to set up here, but I guess you are just trying to challenge me... at personality level :)

    Well, if we meet and agree on the challenge, then a set of collaboration rules will be defined, discussed and agreed. Hopefully, followed as well.
    I'm not seeing an issue as the final target, main motivation is personal gain, on a pure personal path, completed by a personal satisfaction.
    If you personally don't enjoy it... drop it.

    Already... I'm feeling tired.

    Thanks.
    Regards


  • Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    B00MSTICK wrote: »
    Agreed with Kinetic and moc moc especially

    The timelines seem very strict - I assume you're not working a 9-5 on top of all this? You'd literally have no downtime which I don't think would suit many.

    Not sure why you have a minimum age? To ensure maturity? I would have thought students/young part-time workers would have been primary candidates given the time commitments. Like moc moc, I know people well under 30 that have more experience and knowledge than most.

    If you want to do the OSCP then I think the CEH isn't worth the expense - especially if you won't be sitting the exam. Most people that actually work in IT security know the CEH is used to impress recruiters/HR and little else.

    What's your end goal here? Set up a business providing IT security training/workshops? Do you have any experience in this domain?
    Big difference between doing the OSCP and doing an internal pentest of a bank for instance, scan the wrong IP and suddenly you have a HSM off the network. Even from a war stories perspective being able to recount tales of actual tests is engaging.

    If you have all those certs after 1 year what is the motivation to go to ITB?
    I don't know the course but I would imagine you would have 99% of it covered and much more in greater detail.

    You could use that year to get some practical experience. Lots of work available at the moment.

    You'll need a very dedicated group to get through all that and the strict timelines you posted would be very difficult for people with full time jobs and families.

    I'm not familiar with your background so maybe not all is applicable btw, just my 2c.


    Hi,

    Thanks for feedback.

    Again, these are my memory dump executed yesterday in a matter of a few minutes.
    I don't have all the answers and I don't want to enforce it.

    All that I have is a meeting room in a public place with 10-15 seats for which I have to pay or we have to pay for renting and insurance. Or, I end up doing free IT consultancy for them... so it is my time!

    I'm not fully sure re all the terms and certifications, I just compiled and added at my understanding level, based on readings, emails, feedback, posts here on boards.

    I want to be 90% hands-on, with manuals, documentation and proper understanding. It will be full exposure on the software and hardware backed by theory. It is hands-on, make-it_break-it_fix-it!

    Re age, I assumed and agreed that it is going to be a long journey and it needs a full financial commitment. I guess that by September, the reviewed "spent" budget could reach around €3-5k per person, impossible for a student to accommodate it.

    Also, I would like to add some Data Practice courses with ICS, as I guess we need to be aware of that as well. They are doing good 1-3 day courses. Again, money and commitment.
    Not sure about mobile phone communications, GSM, 3G, 4G, XG... I guess it is going to be a hot topic in the near future... I can't find any material on that tech security.

    Re my time, I'm self-employed, working 24/7 anyway...
    Here is my LinkedIn profile.
    I have a will to succeed and get all the Security Challenge done in the 1st year and ITB in the following 2 years. Mainly for my personal gain. Not planning to do training but if a group of us decide to set up our own business, please take my CV and referrals.

    You're welcome...
    Regards


  • Registered Users, Registered Users 2 Posts: 1,917 ✭✭✭B00MSTICK


    That's fair enough - you have a lot to think about and even more to research, I think starting on the 7th is way too ambitious.
    Asking people to spend any amount for a study group is going to be difficult, even if you have a clearly defined plan in place.

    Good luck anyway


  • Closed Accounts Posts: 824 ✭✭✭Kinet1c


    I'd decide on where you want to be in 12 months before starting anything. All of the above courses/certs would be great if you were in the security industry and hoping to move upwards/onwards/laterally but as you're self employed then I'd question how much value they'll add to your business. I know when I was self employed doing the exact same thing, no client ever asked about my education/certs/credentials, they simply wanted to know if I could do the job at hand.

    As B00MSTICK mentioned, passing the OSCP/CEH/CISSP does not a security guru make. Same with all certs tbh.

    Personally I'd review your list. I'd go with Linux+, CCNA R&S & OSCP. I'd also throw in the ITIL Foundation course as it's highly sought after and won't take too long to study for. That's 5 exams (2 for Linux+, 1 for CCNA (possibly 2 if you split it), 1 for OSCP and 1 for ITIL-F) which imo, is kind of pushing it for a 12 month period unless you have zero hobbies/family stuff going on outside of work.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    April
    Start CISSP
    May
    Complete CISSP

    Like the CISSP or hate it. It's a lot of material to go through. A colleague of mine completed it recently and he said a couple hours study a week required 6 months to complete it. He is a senior security consultant with a few SANS courses under his belt and he is an ex Pen Tester.

    I'd echo another poster and say if the end goal is the OSCP, don't bother with the CEH. Anyone who respects the OSCP isn't going to give bonus points to you for the CEH.
    Along with them, spread across weeks and /or months:
    Programming in C, JAVA and Python (at a minimum working / hands-on level)
    PHP, MySQL / SQL (at a minimum working / hands-on level)

    Which is it, weeks or months? Also, I wouldn't bother doing all three. You don't have the time. I'd choose C and Python, and drop PHP, Java. MySQL, I'd read enough basics to teach SQL injection, and nothing more.

    Is this an attempt to get a handful of security enthusiasts into a room and then kill them by summer? That's where you are heading with this workload.
    Please note that any activities not related to study will be discussed in the group and the user may be excluded from

    Any activities like what? Sleep?
    Personally I'd review your list. I'd go with Linux+, CCNA R&S & OSCP. I'd also throw in the ITIL Foundation course as it's highly sought after and won't take too long to study for. That's 5 exams (2 for Linux+, 1 for CCNA (possibly 2 if you split it), 1 for OSCP and 1 for ITIL-F) which imo, is kind of pushing it for a 12 month period unless you have zero hobbies/family stuff going on outside of work.

    Don't forget a prerequisite for the OSCP is the Web App Pen testing with Kali course. Not sure if there is an exam but it's still a ~400 page book to read.


  • Registered Users, Registered Users 2 Posts: 2,216 ✭✭✭Kur4mA


    It's a good list alright and would make your CV look great and hopefully open up a few doors but personally, I would rather go with CTFs and start working through some of the easier VMs on vulnhub.com and work your way up to certifications from there.

