Ask Slashdot: Worthwhile Security Training Courses?
ageoffri writes: I'm going to be able to take one, or maybe two, training courses next year and am starting to figure out what would be a good course to take. While I'm not 100% sold on the concept of certs as the be-all and end-all of demonstrating knowledge and, more importantly, application of that knowledge, if someone else is going to pay for them I figure, why not? Right now I'm leaning towards classes that have certs associated with them since HR drones look for letters. I also wouldn't mind a class that is just fun and interesting even if it isn't directly applicable to what I do currently. My short list is: CCSP by Training Camp (SEC503); Intrusion Detection In-Depth by SANS (GPPA cert); SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH cert); and SEC550: Active Defense, Offensive Countermeasures and Cyber Deception (no cert). The first two directly apply to my day-to-day job. The third one just looks like fun, while the last one also sounds fun, but I doubt I'd have much opportunity to put the skills to use. I'm curious what others here are thinking about for future training and other options to consider. I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished.
OSCP (Score:4, Informative)
Re: (Score:1)
+1 - Doing the class right now and having fun and learning a lot. You can take the class and test online, saving your company travel $$ too. Prices are very low - a lot of bang for the buck. As a CISO, I would look quite favorably on someone having the OSCP cert.
Re: OSCP (Score:2)
Having to take meds that cause drowsiness when taken and horrible withdrawal when not would, if it interfered with your ability to work, be a significant detractor.
You'll be looking for work where response time is not an important consideration.
Re: OSCP (Score:2)
Unless you're testing during holidays, off-hours, when key personnel are unavailable, you know, vulnerable times.
All that can be planned for.
What if they are auditing? or other? (Score:4, Interesting)
The real answer is that it "depends". Like "What should I get my degree in if I want to head to law school?" Well, are you going into criminal law, tax law, constitutional law? Theoretically it should not matter, but in practice a History major makes a better constitutional lawyer, whereas a Business/Accounting major will do much better in tax law. So what do you plan to get out of the certification or class?
CEH is one of my favorites because it covers lots of the legal aspects of white hat hacking, while teaching you how to hack. The first is more in depth for the CISSP, so it should be the easy part. OSCP is similar to CEH in that it focuses on the hacking aspects (pen testing). If you are looking to be more independent, you may wish to forgo additional "Security" related certifications and get a RHCE/RHCA to provide some clout in that direction. Then, as you note, there are numerous non-certified training camps which are very good to have if you just want to learn. If you plan on law enforcement you could focus on forensics, cryptography for intelligence, low-level network monitoring (in-depth Ethernet, TCP/IP inspection), etc., etc.
Then there is the DOD/GOV side, which has different rules and certifications. You can start by looking up DISA, JAFAN, NISPOM (should mostly get you to .mil sites).
Re: (Score:2)
Re: (Score:2)
Easy! (Score:2)
DO NOT USE THAT ONE!!!!!
Re: (Score:2)
LOL, that's exactly what I thought.
Re: (Score:2)
Re: (Score:1)
work on doctorate? (Score:3)
You have a master's... will work pay for you to keep taking courses to get a PhD?
classes (Score:2)
Offensive Security
https://www.offensive-security... [offensive-security.com]
and a master's in CS
Re: (Score:2)
Maybe they're trying to be offensive.
Can't recommend this enough (Score:2)
http://www.aspectsecurity.com/... [aspectsecurity.com]
I've taken this class. Can't recommend it strongly enough.
General Security (Score:4, Interesting)
But as far as what bullshit security certification generates the most cash in your pocket? I'd guess CISSP [isc2.org].
Re: (Score:2)
If you bother to read the summary: "I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished."
So the question should really be what to take after being BS-certified by Microsoft and CISSP.
Re: (Score:2)
Re: (Score:3)
So the question should really be what to take after being BS-certified by Microsoft and CISSP.
I think "MS in Information Assurance" was referring to a Master of Science degree, and not a Microsoft cert. But don't let me get in the way of you telling off someone about their reading skills. :)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Whatever happened to having 10 to 20 years of general I.T. experience before entering InfoSec? A master's degree is no better than a certification without the work experience.
Again, you have never heard about the degree. You do not even know the curriculum, and yet you question its validity? Information Assurance (IA) is more than IT security (just as security/enterprise security is more than just IT security). Organizations and projects dealing with DOE and DOD contracts rely heavily on IA.
And why wait 10 to 20 years of general IT experience before entering InfoSec? Where did you get that from? If you, the generic you, pay close attention, you can get all you need in terms o
Re: (Score:2)
Re: (Score:2)
You simply lucked out or had the right connections to get on that project.
Not luck or connections. I had an impressive resume backed up by years of experience. Everyone else on my team also has a similar background. Those who are faking it are fired within a month.
At some point you are going to have to be honest with someone, even if that someone is only yourself.
You sound full of yourself. Let me guess, you got a master's degree?
Re: (Score:2)
That said, I have worked with a bunch of CISSP-certified people and as a collective skill group they are some of the dumbest technical people around; for example, I had to repeatedly explain to them how to get a computer name when the logs only showed IP addresses for a computer.
Re: (Score:2)
Re: (Score:2)
Every cert you listed is basic (unless you're beyond ITIL Foundations). None of that comes close to requiring 10-20 years of experience, and all of those combined could be completed in a couple months. I've been in the business since the 70s, but almost none of my experience from over 10 years ago is applicable anymore because of the advances in technology.
Re: (Score:2)
Re: (Score:2)
Never heard of a master's degree in Information Assurance.
We are all ignorant of something. That's ok. The important thing is not to be quick in jumping to conclusions without first checking our assumptions.
With that said, calling it an "East Coast" thing means what? You never knew about the degree, but you think you can call it names or something? Dude, expand your horizons. Ignorance is not bliss.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Could it be that you're working with the DoD, which has a requirement (8570) by the military? Sec+ is mostly useless unless you're required to have it for the job.
Re: (Score:2)
Could it be that you're working with the DoD, which has a requirement (8570) by the military?
I can neither confirm nor deny, but a lot of my coworkers are ex-military. With the DoD having the largest computer network in the world (or so I've been told), it wouldn't surprise me if the DoD set the standards for the rest of the government.
Sec+ is mostly useless unless you're required to have it for the job.
Isn't that true for any certification?
Re: (Score:2)
Sec+ is mostly useless unless you're required to have it for the job.
Isn't that true for any certification?
The point is that Sec+ doesn't show any useful knowledge. Anybody can pass it. The whole 8570 requirement is welfare for the testing companies.
Re: (Score:2)
Good idea (Score:3)
I heard it's a great time to get in to security research [slashdot.org]
Worthwhile Security Training Courses? (Score:1)
It's called hacking. Once you get a few hundred under your belt, then you can call yourself a security professional.
courses (Score:4, Informative)
I took the SANS Intrusion Detection and Hacker Exploits courses 10+ years ago and they were very good. It was a long time ago, though, and I don't know what the courses are like now.
Re: (Score:1)
It's still excellent, but very expensive. I have SANS certs I am probably going to let expire because it's too hard to monetize the cert if you are not doing consulting or something where people actually look for certs...
SANS is great content, if expensive (Score:3)
I've taken the intrusion detection and incident handling courses, with certs in both (still have the latter). When considering them, try to align with what you figure you'll be doing job-wise, if you know. The intrusion detection stuff was great for grubbing through packets to figure out what's going on, where the hacker tools and incident handling gives you some hands-on playing and knowledge you'll want for incident response. I wasn't doing any network monitoring in my role though, so didn't keep up the intrusion analyst cert, but I did love the course.
Everything at OpenSecurityTraining.info... (Score:2)
OST doesn't cater to all topics (yet), because it's volunteer driven. Its primary volunteers thus far have come from a deep system security background. Its assembly, OS/BIOS internals, exploits, and malware curriculum tracks are the most developed, and far deeper than anything you'll (ever) find at SANS, since OST is not commercial and therefore doesn't have to pander to popularity and buzzwords and tr
Changes in global IT (Score:2)
Pack entry level classes with students interested in security and pick the best in the open se
From the horse's mouth (Score:2)
I just spoke to a recruiter in my company's MSSP division. Recommendations:
CISSP (you're all set)
OSCP
CEH
Tack on some SIEM certs or experience for good measure.