Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Re: University Degree or CISSP

from [Bob Radvanovsky] Network Security [Permanent Link]
Subject: RE: Re: University Degree or CISSP
Date: Tue, 24 Jan 2006 15:50:32 -0600 
OK, time for my $0.02 worth of commentary.

Ladies, the outcome from all of this bickering is simple: you need both.

I have several degrees that are both business and computer related, along with 
slightly over 2 dozen certifications.  Realistically, the ONLY reason for 
having a certification is so you can: (1) either promote yourself better within 
your company to acquire or move to a higher paying position, or (2) move onward 
to another company, demonstrating your knowledge and skillset.

This goes back to my original analogy of Dr. Suess's story of the "Star-Bellied 
Sneeches".  The eventual outcome was that neither was better than the other, 
and they needed each other to band together.  Simply having the CISSP 
certification does have some merit because of its length in the industry and 
how some recruiters consider it prestigious.  That may be.  However, I know 
people who, not only have the CISSP, but other security-specific 
certifications, and couldn't perform a risk assessment, penetration analysis, 
case study, or even a simple audit without consulting the "Auditing for 
Dummies" book (there isn't one that I'm aware of, but I am simply being 
demonstrative for this case).

Consequently, I've known college students that got almost straight "A's" 
throughout college.  And 'ya wanna know what they're doing today?  Unemployed.  
Yup.  And the reason why?  They can't *apply* what they know, because they 
never really studied, only memorized, the material.

It is a balance of having both items.  If you look closely at many job 
requirements, it's something to the effect of cert plus degree, or degree with 
experience, or cert with experience.  Simply having them both is no guarantee 
that you'll get the job, and consequently, having experience but no degree or 
cert won't get you the job, either.

A friend of mine pointed something out to me in very simple terms.  Recruiters 
are nothing more than order takers, very similar to those order takers from 
fast food restaurants, such as McDonalds.  Most of them have very little 
knowledge of the industry, knowing just enough of the terms and buzzwords to be 
dangerous, but have practical knowledge in how to read and comprehend people.  
What they're good at doing is filling slots for companies -- nothing more.  
Companies give the orders on what they want filled, and what are the 
requirements.  The recruiters try and attempt to fill the slots as best as 
possible.  And any recruiter that tries and tells me that there's more to this 
is crazy.  For example, we had ONE job position available here in Chicago 
recently.  The next day, 24 recruiters attempted to state "unique job 
opportunity", all funneling into that ONE job position that had opened up.  
Also, these recruiters used the exact same job posting boards that you and I 
use: Monster, AllJobs, USAJobs, HotJobs, etc.  So, how is that helping you out? 
 They'd like to say that they have their own selective search database and that 
their service is unique and comprehensive.  Rrrrrrr-ight.  Many of them *share* 
data between each other.  It goes back to filling slots and them getting their 
commission checks -- nothing more.  In fact, most recruiters would rather that 
people move from job to job to job more regularly, because they'd get a fatter, 
bigger bonus.  I know several long-time colleagues from the IT industry 
recruitment field (about 15 years now), and they occasionally come to me with a 
job req., asking if I'd be interested.  It's always the same thing, doing the 
same crap, day in, day out, and offers nothing more than a lateral move for me. 
 BUT...what it does do is give me a little bit more insightful information as 
to how their recruiting process works.  Recruiters try and get people to sign 
up with them for their *EXCLUSIVE* search database, almost stating that they'd 
GUARNTEE you a job.  HINT: if you listen carefully, and have done this as long 
as I have, you'll never actually hear them "guarantee" you a job.  To do that 
would be misleading, and I'm pretty sure that it might even be on the border of 
illegal, too.

Here's my advise of getting a job.  If you have ZERO experience, DO NOT expect 
to get that $80K/year job -- you'll have to stand in line for guys like me 
who'll want it.  Companies want EXPERIENCED people these days, and folks who 
have intelligence, ambition and ideas are good, but won't give or offer those 
lead positions.  Start small and work your way up.  Sooner or later, you'll get 
noticed by someone and get that job that you wanted.  Chances are, that job 
wasn't what you wanted, anyways.  And...many lead roles have some risk to them. 
 If you f*** up, you might get fired -- as the chances are for those who work 
in the financial sectors (banking, trading, funds, etc.) or the healthcare 
sector.

If you have SOME experience, and have an A.S. degree, finish getting you B.S. 
degree, but settle for that job doing PC repair.  Build up some experience some 
more, and learn people skills, communication skills, and techniques, and polish 
them for when you graduate with the B.S.  Chances are, you'll get a better job 
than you've realized after you've received your B.S.

If you have ALOT of experience, get a few certs -- it can't hurt.  CompTIA is 
good one for starters.  Once taken, they're good -- FOR LIFE.  They're NOT 
senior or lead level certs, but they show that you have a rudimentary 
understanding in whatever field of interest you want.  Their SECURITY+ is OK, 
but combined with a NETWORK+ and an A+, shows that you have basic knowledge in 
IT networking, hardware support, and know how to spell and say "security".  
Some certs to be wary of: CISSP.  It is aimed for the "average manager" who 
know very little of security, and has been thrown into the role of security.  
It is VERY broad-based, and covers mostly management concepts in security.  A 
comparable cert to the CISSP that's gaining attention is the CISM from ISACA.  
It focuses more on the auditing and forensics aspects of security, which are 
the up-n-coming areas of interest within the security industries.

Other certs that you'd want to pay more attention to, are more specialized, and 
in most cases, much, much more technical.  Those would be the Cisco CCNA (don't 
waste yer time with the CCNP, get the CCNA, but be prepared for ALOT of 
studying about routers and the routing protocols -- also their tests are brutal 
and require ALOT of practical over memorization of concepts; Cisco WANTS to 
make sure that you KNOW "networking"), the SANS GIAC (I liked their certs 
pertaining to firewalls, IDS, general network security, and the one on policy 
management), CIW (if you're a web designer, you should have this one), CIFI (an 
IT forencs management cert, esp. if you're a police officer or involved with 
law enforcement, this is a good one to have), CIPS (a new certification 
pertaining to "Critical Infrastructure Protection", offered by the Office of 
Infrastructure Preparedness, and deals with emergency management, disaster 
recovery and planning, and homeland security -- all very good if you work for a 
critical instructure company), and perhaps the CISA (also by ISACA), which 
focuses entirely on IT auditing.  Also, consider getting a few other specialty 
O/S certs: IBM, HP, Sun, Red Hat, Microsoft, Novell -- all offer comprehensive 
operating system certs for their O/S's.

In closing, a degree demonstrates that you "know where to look for 
information", and a cert demonstrates that you "know how to look for 
information".  Neither one, in my opinion, demonstrates the "what" or "why" 
clearly.  That, to me, comes from experience.  So, if experience is the third 
factor, you'll need 3 factors: a degree, 3-6 certifications (have a vast 
richness in certs, say a CCNA, CISSP, maybe a CISA, a NETWORK+, a LINUX+, and 
perhaps a forensics or CIPS cert), and 3-5 years experience.

-rad

----- Original Message -----
From: Ken Kousky [mailto:kkousky@ip3inc.com]
To: "'Huang, John, GCM'" [mailto:John.Huang@rbsgc.com], 
security-basics@securityfocus.com
Subject: RE: Re: University Degree or CISSP



This is the craziest conversation I ever heard of - there is NO comparison
between a REAL degree and CISSP. CISSP is great, valuable and vital but it
isn't in any way comparable. 

Simply put, if you don't have a degree - get one and get the best one you
can.

-----Original Message-----
From: Huang, John, GCM [mailto:John.Huang@rbsgc.com] 
Sent: Monday, January 23, 2006 1:41 PM
To: security-basics@securityfocus.com
Subject: RE: Re: University Degree or CISSP

Degree or CISSP? It depends on where you are in life. A degree helps you
in the door and advancement into a management position usually require a
college degree. But if you're already in the field and don't have a
college degree, a CISSP cert is easier to obtain in a shorter amount of
time, and provide more immediate benefit since you can put the things
you learn into use.

-----Original Message-----
From: shyaam@gmail.com [mailto:shyaam@gmail.com] 
Sent: Friday, January 20, 2006 10:25 PM
To: security-basics@securityfocus.com
Subject: Re: Re: University Degree or CISSP

Yes,
Very true. Nothing counts equivalent to experience, but experience comes
only when someone starts somewhere. I have seen one big thing happening
around. People in the industries shifted from technology to business,
that is the point when they lost the security and created more loopholes
in their own products as they reduced the time needed, reduced budgets
and spent more on advertisements and marketing. 
How does that reflect on people. They need people already with
experience. But how is that possible. Everybody needs to start
somewhere. So experience does count, but I would say some foundation,
some added qualification and some experience is good for a cool job. For
a startup job, some degree and some cert is essential.

PS: This is my opinion, I am not pointing out any company or any private
organization.

-S-

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
-----------------------
********************************************************************

This e-mail is intended only for the addressee named above.
As this e-mail may contain confidential or privileged information,
if you are not the named addressee, you are not authorized
to retain, read, copy or disseminate this message or any part of it.

********************************************************************


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Snort as Firewall (WinXP), shrek-m@gmx.de
Next by Date:  Re: router question..., Mike Sweeney
Previous by Thread:  Re: Re: University Degree or CISSP, George Koshy
Next by Thread:  RE: Re: University Degree or CISSP, Jas Chase
Indexes:  [Date] [Thread] [Top] [All Lists]