I have somewhat of a different opinion on some of this. I have a CEH,
will hopefully have the CISSP when I am done Dec 10, and have heard of
the Security+.
The CEH is a technical cert which is great if ethical hacking and pen
testing is what you are getting into, or if you are getting into
incident handling or intrusion detection. I do a lot of work in
ethical hacking / pen testing, and the CEH actually got us more
business. The idea that management doesn't like the word 'hacker' is a
bit of a flawed premise. Some don't like it, but they are in the
minority I believe. At least in my experience. There is a pen testing
cert by the same organization called the LPT I believe. I don't think
the CEH is what you want though, it's pretty technically detailed in a
specific field.
The CISSP is currently considered the defacto standard for overall
information security. It is an inch deep and a mile wide. It covers
every aspect of infosec but not in depth. Management loves it, more
often than not it will get you more money and more opportunities, and
it is a professional designation. It doesn't take much searching to
realize that most infosec jobs ask for it. But a CISSP has little
technical merit, it is a management-like certification. It's a 6 hr
exam which is apparently quite nasty from what I have heard. It also
requires 4 years of full time infosec experience in the workplace, or
3 years plus a degree.
The Security+ is just what Adam said, basic. I think it would probably
give you what you want, a security cert under your belt and a bit more
knowledge of the field. You could probably go for it, and then maybe
look at the CISSP.
Do you have the budget, company or otherwise, to take SANS / GIAC
certifications? Those, IMO, are probably the best out there for
knowledge. I have a GCIA and it was an excellent course and cert. If
there was a choice between the GSEC (GIAC's basic security course) and
Security+, I'd do the GSEC. It is expensive though. You have to do 2
exams and if you want the new 'Gold' cert you need to do a practical.
It's more work, but worth every bit of it. If you actually want to
learn something :) you can't beat the SANS / GIAC courses.
Hope this helps.
-J
On 11/22/05, Adam Jones <ajones1@gmail.com> wrote:
On 19 Nov 2005 05:39:22 -0000, kota_44@yahoo.com <kota_44@yahoo.com> wrote:
HI All ,
I have a question regarding Security + exam .
I have a about an years experiance on working on Application Security and
now to widen my security knowledge base and also to get some relevant
Security related certification under my belt
I had a doubt of what to start of with so the first exam which many
suggested is Sec+ but a large no of others gave a feed back that this one
aint having a good value now and not worth the Time and effort and better
to start of with something like CEH .
Security+ is intended to give you a decent baseline in network and
application security. It documents that you have demonstrated the core
knowledge necessary to learn other security topics, and should be
competent enough to not screw anything up too bad. In other words i
agree that it is a good start.
CEH looks like it sets you up to be a pen-tester. IMO it helps you
learn processes, not concepts. In addition the term "hacker" in the
title seems like it is there just to incite a response. They could
just have easily went with "Certified Penetration Tester" and covered
the same course material. Having "Ethical Hacker" in your title may be
great to impress friends and kiddies, but I doubt too many hiring
organizations will find it appealing.
If you are looking at something where your work is either a) mostly
solo, or b) done on contract (this is 80% of the jobs out there) then
CEH is probably a bad idea simply for the reason that the term hacker
has become synonomous for bad guy to everyone outside the computing
community. In that sense calling someone an "ethical hacker" becomes
akin to calling them an "ethical lawyer" or "ethical car salesman".
But other suggested this as a good base for CISSP .
Based purely on name I think the CISSP would be a better second
choice. I have not looked at the actual content of the certification,
but it will look better on a resume than CEH. This obviously is not
the only criteria with which you should be evaluating certifications,
but I think it is an important one.
So could you all who probably are familarized or taken Sec + can update me
with pros/cons or why one should/ should not take it and its current value
and what can be a good alternative to start off if not Sec + .
Overall sec+ is fundamentals. Think of it as security 101. It gets you
enough to let figure out where you want to learn more. There is enough
information in there to allow you to be competent as a junior
administrator with a little bit of software-specific training. It does
not really teach you how to implement very much, but does teach you
"best practices"
CEH appears to be more in-depth in the specific field of penetration
testing. It has the benefit of (hopefully) requiring more knowledge
about security in general, but loses a lot of credibility with the
management types due to the stigma on the name "hacker".
CISSP seems like an unknown to me. It looks like a more
advanced/practical sec+, but that is only after a relatively brief
review of the cert.
If I were to give you a suggestion on what to do it would be this:
1) get a sec+. At the least it makes sure that you have studied all
the basics. Do your best to ace the test, as barely passing the cert
means you didn't really learn the topic.
2) Avoid CEH. I will put in a caveat here that if you do not plan on
getting a job where you deal with management, at all, then it probably
is ok. I have yet to find any jobs like that, and should one appear
you will probably be run over for it by people with more experience
anyways.
3) Consider the CISSP. Look carefully at what it actually teaches, and
try to find people that have taken it to give you feedback. (hopefully
such a person will respond to this thread) Don't get it just to get
it, make sure it really is worth the money.
-Adam
