In July I wrote a short post about taking the CCENT to get my networking marketability back up. Well, I took it about one month ago and failed it. It is the first certification I failed. The bad the thing about this, is that it is the lowest level Cisco certification you can take! So, as you can imagine, I took the failure hard. But since I feel that failure is not an option, I have decided to take it again.
How is the CCENT? I would say it is easy. That may sound like a contradiction coming from a guy who just failed it, but allow me to explain. It covers all the basics of TCP/IP & Cisco switching and routing. If you have a year of experience doing routing and switching on Cisco equipment in small to medium environment, you will probably laugh at this test. If you are like me and have mostly an academic understanding of Cisco technology, you may struggle.
Where did I go wrong? I think I just didn’t put enough time into getting on the switches and routers I have at home. In fact, I am ashamed to admit, I put almost no time into it. I have been very busy for the last 7 months working on a very large project.. so I just don’t have a lot of spare time.
Anyway, I will be taking the test again soon.. Wish me luck.
About 7 years ago I got a CCNA certification. That is a Cisco Certified Network Associate. I got to use the full scope of my Cisco networking skills one time for four months and then didn’t touch another router or switch for 7 years. So I lost all but the very basic switching & routing skills.
I decided to start slow and start from nothing. I think it was a good choice because I have noticed that the CCENT, Cisco Certified Entry Network Technician is about as exhaustive as the old CCNA. From what my CCNA, CCNP, CCIE co-workers/friends and instructors have told me, all the Cisco tests are exponentially harder than they used to be.
My goal is the get my CCNA back. After that, I am not sure what direction I will go in. The CCNP is in very high demand but like I said, I heard the tests for CCNP are HELLA hard.
For now, its a simple enty level Cisco networking technician. In the end I am certain it will increase my marketability.
blogging, Certification, Certification/CISSP, Certification/Security+, Howto, Internet and Information Technology Security, Main Digg, security, Security Awareness, security experts, System security engineering
So do you have any suggestions for someone starting out in IT Security? What certifications, knowledge, training, forums, do you suggest? They will pay for the A+ cert, Network + and Security + certification. Do you have any suggestions for someone just starting out in security? After CompTia what should I focus on. Although I’m not sure yet of my final career goals, I’d like to first get a job very quickly in IT security, hopefully with the government, state, or any local government; when I say quick I mean within the next few weeks Thanks Rob for whatever info you can suggest
If you want a job fast I would suggest checking out simplyhired.com. I would also put my resume out on Monster.com, if you have not already done so. If you want a security job the security+ is the way to go, but also consider doing a search on monster and simplyhired to look at the skills and certifications that employers are looking for. Pay particular attension to keywords and phrases that they are using. You will know the keywords/phrase because they are repeated in nearly every resume for your chosen career path and/or job title.
How I get Jobs Fast
For example, in my career “system security engineer” and “information security officer” I see the following keywords/phrases over and over: security clearance, cissp, 8500, diacap. If noticed that when I have these keywords on my resume, I get calls almost DAILY from all over the US. Here is how you can do the same:
1) Find a good job title that fits what you do or what you want to do
2) Do a search for that job title [use google, simplyhired.com, monster.com, dice.com or any other search engine/job database]
– Read through the job results and try to find keywords/phrases that seem to be in most or all of the jobs listed
3) Try to get as many of the applicable keywords/phrases in your resume
– Either have the skills required for the chosen job title or begin working toward them
– I am not suggesting that you put lies on your resume, you’ll have to look for job titles that you have experience & skills in
– Don’t mess with stuff that completely out of your league or level of expertise, be honest on your resume
– Sometimes employers will take you if you are willing to learn the skills or earn the require certification/degree in a certain time frame. Put that on your resume.
4) Put your resume [with keywords/phrases in place] online, as many places as you can
Research Employer Demand in certain locations
I am from California and I have been trying for years to find a decent job (for what I do) there. They’ve got them in southern California but almost none in Northern. California seems to be lacking jobs and then they don’t want to pay comparable to the cost of living there. I noticed that Cali has a LOT of networking jobs. If you type in CCNP in simplyhired.com for Cali, you’ll find a lot of good paying jobs. The problem is that CCNP is a very difficult certification to get (or so I’ve heard).
I would recommend checking out what sort of IT skills employers are looking for in the area you want to work. For example, even though I have lots of certifications, most of the ones that I have [that are still active lol] won’t help me for moving back to Northern California. I researched it and found that they are mostly looking for Network Engineers [as of 2006-2010] and my Cisco routing and switching skills are still developing.
Play Capitalisms Game: Start a Business
Another option is to start your own business. This may sound daunting, but believe it or not my website elamb.org qualifies as a business. It took me about 1 year to get it making money, but now it makes between $400 – 800/month without me even looking at it. It has made as much as 2k and I know people who make more in a month then many people make in a year with their blogs. It is becoming harder and harder to be an employee. Companies do the bare minimum to take care of employees, the economy goes in a recession (or worse) and hard working people can not find a job and the value of the dollar flutuates on a downward spiral. It seems the only way to be comfortable in this new “capitalism” is to have multiple streams of income.
If you are interested, start at your states business page and here
UPDAT: 2014 – Risk Management Framework for DOD IT released.
I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPE’s to maintain my CISSP.
Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
IA Control Validation In-Depth – 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.
I’ve been reading Ray Kurzweil’s The Singularity is Near. Its been blowing my mind. Its a detailed account of how, when and why artificial intelligence will out do humanity (as it is now) in every way in about 20-30 years.
The book is the real deal. Its over 600 pages with 100 pages of notes. Its a college course and a 10 course meal.
The first thing you have to realize about Ray is that he is not some kook with a sci-fi idea. His ideas are NOT some sci-fi “original movie” trash cooked up by a team of ex-dungeon master, fanboy geeks. Kurzweil is a world class inventor who created the first omni-font optical character recognition system. He is the brains behind text to speech, and next generation of music synthesizers (the one that are able to sound like any instrument).
He is the father of the Law of Accelerating Returns that details about the exponential growth of technological progress and change.
So far, the most startling idea I’ve read in his book is something I read from a Vernor Vinge article a few years back. Eventually, computers will be sentient and a trillion times smarter than us. I’m not just being sarcastic and throughout ridiculous numbers (bajillion kajillion) to get an over inflated point across, I mean LITERALLY the will be a trillion times smarter. If you subscribe to the Howard Gardner theory of Multiple Intelligence computers will able to out do us on everyone of them (plus a plethora of some we don’t yet have the capacity to conceive of). If that doesn’t stir you.. how about this? They will eventually build systems (AI) smarter than themselves. That is when they will be so far beyond us that we (in our current capacity) will not be able to comprehend them fully.
Kurzweil is definitely not gloom and doom. He does not predict (for example) that the machines will send Arnold Schwarzenegger back to 1984 to kill Sarah Connors (Linda Hamilton is still safe). In fact, the book is about “when humans transcend biology”.
Now just think about that… “transcend biology”. It gets me thinking of some sort of “Ghost in the Shell” type world where most people are cybernetically enhanced in a hundred ways. Ghost in the Shell is among my favorite anime franchises because it goes to great lengths to describe its cybernetic world. The singularity is a reality in the world of Ghost in the Shell.
Its a world in which an AI can hack and/or possess anyone/thing with a cybernetic central nervous system. A world where the line between physical and virtual are blurred by visual enhancements and the definition of humanity must be expanded to allow people who are now 90% robotic.
What do I think the Singularity will mean to security? That is a bit of a ridiculous question. Its like asking.. if the sun explodes, what will happen to all the plants. The answer is the same thing that will happen to all of humanity. Perhaps the sun exploding is a bad analogy.. because I don’t think the Singularity will feel the sudden need to enslave all humanity, turn us into batteries and lock us in a matrix like virtual world. I think it will be more of a collaboration between super computer and abacus, Rancher and cattle, Shepard and sheep but not at all like master and slave (well at least not a BAD master). Those of us unwilling and/or unable to change will be like a novelty item, neo-Amish. The Singularity will hack us and herd us like consumer, technology dependent sheeple we have become. And we will do nothing but smile and enjoy our everyday prices.
Speaking of novelty, I can help but think of Terrence McKenna’s mention of an acceleration of everything in his Timewave Zero theory.
The graph shows at what times, but never at what locations, novelty is increasing or decreasing. According to the timewave graph, great periods of novelty occurred about 4 billion years ago when Earth was formed, 65 million years ago when dinosaurs were extinct and mammals expanded, about 10,000 years ago after the end of the ice age, around late 18th century when social and scientific revolutions progressed, during the sixties, around the time of 911, and with coming novelty periods in November 2008, October 2010, with the novelty progressing towards the infinity on 21st December 2012 – wiki
The rate of change is both inevitable and necessary to our nature.
Once again, security is a piss ant in relation to the upcoming changes predicted by these modern mathematical prophets, but I will say this lately things in the Certification & Accreditation world have been changing drastically every 6 months, with each changes bringing in a wave of rumor of yet MORE change. The current rate of change is keeping me very employed.
Ok, I admit it. I have totally slacked off on getting that CEH certification. I’ve had the boot camp, I’ve amassed lots of great books and resources, I’ve even talked to some people who have passed it, but I still haven’t been consistent about studying. For a while I was pretty consistent. I read the Official Study Guide and started working on an Unofficial one.
Why don’t I have that cert yet? I suppose I just don’t feel I have a reason to have it. It would just be for show because I don’t really do pen testing. ’d like to, but in my job, I don’t usually have the opportunity to do it or reason to do it. I’ve already got the CISSP so I don’t need the CEH for some kind of prestige. Many hackers piss on certifications they are not impressed with them and are willing hurt anyone who flashes the credentials. The CISSP trumps most certification. The only real benefit for me getting it is that it would force me to get more familiar with tools like netcat and Snort which I don’t use enough. I am interested in cyber kung fu. Lately, I have been more drawn to the scientific and mathematical side of technology.. the side where the innovation are born, not just mastered. I’ve been sharpening up my math skills and plan on getting into Computer Science, Electrical Engineering or physics.
I haven’t decided whether I want to take the CEH because I want to do something that has more depth. I suppose I could complete the CEH, go through Computer Science and specialize in security/crypto/info assurance and follow in the foot steps of Bruce Schneier and Steve Gibson. In the beginning, certifications were definitely a step up, but I’m in a place now where they are just ornaments, flashy bobbles I could decorate my name with when I need an ego boost. If my wife and kids are giving me lip I can say, “don’t you know I am a CISSP, A+, B, C, D, E, F, G. You MUST respect my awesome test taking ability!”
I’ve said it before, I think certifications can be of great value. If you work for the Department of Defense in IT you pretty much MUST have one (per DoD 8570). Certifications can give you that extra edge against competing employees in the private sector. Problem arise when the IT certifications value is taken out of context. Like the 8570 which makes it mandatory to have a certain certification regardless of your experience and/or degrees. That is a bit much. Not everyone who passes the CISSP can configure a firewall properly. But perhaps thats the reason the DoD wants system specific certification.
Warning: Shameless promotion of a kick ass product!!
I recently got a chance to test drive uCertify’s IT certification software. I loaded the CY0-101, Security+ PrepKit. I must say I like the software and I am thinking of getting the MCSA from them (think I only have to take two test to complete it). It features the usual breakdown of how you performed in each of the tests objectives. It also has Flash cards that allow you to type in answers to key points on the test… I don’t recall seeing that feature on other certification software.
The pricing depends on the tests you get. But its in the double digits so its a cool little investment toward a bright future. For those of you who are serious about certifications you know that the software (such as transcender – aka the software that must not be named), boot camps and training material can cost 100’s or even 1000’s of dollars.
I think that software such as uCertify is a good start toward attaining a new cert (although you can never replace a solid year of experience).
As for the CY0-101.. I believe Security+ will be changing their objectives sometime in 2008. Hopefully, uCerty will keep up with that. Comptia sent me a few surveys about the change and a couple of co-workers that are being pushed to get the Security+ told me that they want to get it before it changes.
My honest opinion is that software like uCerts Prepkits are great for gauging your level of preparation. I also recommend that you use more than one gauge (particularly on the bigger tests such as CISSP).
Honestly, you probably could get away with a Security+ for a while (if your already in a govt security position) because the 8570.01M indicates the need for a Security+ at the very least at IAM 1.
But if your position actually requires you to take an IAM roles at the Field Operating Agency enlcave systems or some other MAJCOM equivalent level than you should go for the CISSP. The DoD is talking about requiring an **Information System Security Engineering Professional certification, ISSEP (a certification that actually requires the CISSP to even take the test) for enclave systems.
This table is taken straight from the DoD 8570.01M:
from tao security
More on the 8570:
**Notes: The 8570 FAQ mentions that “Future updates to the Manual will incorporate specialized elements of the IA workforce. Chapters on System Architecture and Engineering and Computer Network Defense Service Providers have been drafted and are currently entering the formal DoD staffing process.” I haven’t been able to find the new 8570 Draft that refers to ISSEP, ISSAP (specialized CISSP) but I’ve been seeing it in slides and at briefing for about a year now.
Here is what is being proposed. This would actually affect me (I may have to get an ISSEP or ISSAP). Security+ will not cut it if this passes in the next DoD 8570 Draft.
Chapter 10: Information Systems Security Architects/Engineers
Level IASAE I IASAE II IASAE III
Certs CISSP CISSP ISSEP
Chapter 11: CND Service Providers
Role CND Analyst CND
Support CND Incident Responder CND
Auditor CND SP Manager
Certs GCIA MCSA Security
Ref: http://www.disa.mil/conferences/2007/briefings/iatool_training.ppt (slide 19 from DISA Conference)
If you can, get the CISSP, don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add-water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2, CISSP number on it.
The statement above will piss off a lot of security people, but it is the truth.. the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pro’s, don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.
Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man'”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamos, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘i created defcon and sold it in 2005 for 14mil’ Moss, Bruce ‘i decrypted code as a fetus’ Schneier..
For average bastards like you and me, the CISSP is way to go.
I do agree with DMiessler and Mckeay:
“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.
More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.” — dm
“..the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay
Though you may see a couple of technical questions on the test, the over all test is pretty high level, unlike the Certified Ethical Hacker or the CCNA that ask specific technical questions about specific technical issues.
So what should you go for on the Security Certification front:
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organization look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it).
A NOTE of caution: If you get it, be real with your self. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. Its just a test. Its not an I.Q. test or the Bar. Its just a test. If you have passed, congradulations… now the real work begins. Good security professionals are ALWAYs learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE“.
You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.
Building to the CISSP:
Beginner: if you’re just starting, you want Comptia’s Security+ certification.
Now, if your just trying to the guy who looks at audit logs all day and report what they see, then your golden. But if you’re serious about security, then you need to play the game, get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+… much better.
Get into any kind of Information Security position and earn some “street cred“. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks) you can still use it to your advantage by working your way into security tasks. If your in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is the get into the security mindset and also rack up some experience. A degree will help to with a school that allows you to set up a lab.
After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already I would recommend joining the Information System Security Association (ISSA). You’ll begin to network with other security folks from everything from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as certification credibility goes, but you will need to specialize.
I found the test challenging. You don’t want to take it twice that is for damn sure. Just make sure your ready. You’ll have to have about 5 years total security experience.
Now checks this out:
“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2
Even a Masters degree will only replace a maximum of 1 year of experience (sounds like *NS to me):
Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.
|Found a good review of Mike Greggs book, Certified Ethical Hacker Exam Prep from Amazon reviewer, N. Rossino (NY) :
The previous poster did bring up a good point: this book will not teach you how to hack. It WILL help you pass the CEH exam. It lays a very good foundation, and the only reason I give it 4 stars was because it was lacking the detail and depth to be fully comprehensive.
Keep in mind, that this book is meant for people who do have an administration background and who happen to be pretty familiar with Linux and Windows. The book is written for that group of people because without that experience, you probably won’t have the experience necessary to be a CEH.
I happen to read all 3 books for the CEH that are listed on Amazon. The Sybex book, the EC-council book, and this book. By far, this book was the best out of the 3. The Sybex book was a waste of money as it wasn’t as good as this book and it had even less depth. The EC-council book had a bit more detail in some topics, although it lacked cohesion and was poor at presenting the thought behind it. I think this book and the EC-council book compliment each other, and give you a pretty good idea of what you actually need to know. I would start with this book and finish up with the EC-council book and/or courseware. My reasoning is that you should set the foundation first and this book does that.
Also, as with hacking, google is an excellent resource. These two books won’t be enough to fill all the holes, but the internet is a damned good filler.
In conclusion this book provides for pretty good preparation for the actual test, and is a comfortable read.
ABOUT THE TEST:
150 questions, you have 4 hours. I took only 2 and scored an 86%. 70% is passing. I studied for only two weeks, but have extensive background in the subject area.
The test is very specific, and you are expected to know the material in detail – NOT just concepts. The test is geared towards people with security experience, and the test questions are true to that purpose. It will be very difficult to pass if you:
1) Don’t know linux
2) Don’t understand Microsoft’s OS and operations
3) never actually used any of the hacking tools
Linux is not a MAJOR part of the test, but there are enough questions on linux command line operations to make a difference.
Keep in mind, just reading alone will not let you pass this test. It is very important that you try out the most popular and important tools (firsthand!). You will be asked about specific commands, and be expected to know them. Know nmap, snort, hping2, tracert and tcpdump down cold. Know the ICMP codes and types. The only way you learn this stuff is to actually practice it.