SC Magazine Awards 2007: Training Camp listed

Training Camp has been named a finalist in the SC Magazine Awards 2007 for the Best Professional Training Program category. According to SC Magazine, programs in this category are defined as those geared toward strengthening the expertise of IT security professionals, that provide educational programs, continued learning and certifications. 

Contact me to find out more about our award-nominated IT security Training Camps and why they’re the best of the best. Our IT security camps include:

Official (ISC)2 CISSP
Official (ISC)2 ISSEP
Official (ISC)2 SSCP
Certified Ethical Hacker
Forensics
Licensed Penetration Tester
CompTIA Security+
CISA
CISM

Security Certifications: DoD 8570

For government workers doing any kind of computer security or information assurance work, the new regulation, DoD 8570, is a very important document.

DoD 8570, Information Assurance Training, Certification and Workforce Management, requires that all government workers (active duty, government civilian and contractors) doing security work have a security certification. The DoD is really trying to crack down on security.

Among the top security certifications that you can get are the CISSP and the CISA.

Getting the top certs and then further specializing could give you the edge. For example, a CISSP with a CISA (auditor) would cover a lot of ground, as would a CISA with an IDS/C&A/architecture specialization. It would really kick ass to cover ALL ground. This would not be difficult. Not sure if each specialization would require further certifications.

Cost, Renown, Difficulty Comparisons: http://dmiessler.com/writing/infoseccerts/

Includes: GSEC, CISSP, CISA. Note: GSEC is $800 and difficult.

Security Certs and their levels according to 8570: http://taosecurity.blogspot.com/2006/01/dod-directive-8570.html

Technical Level I-III and Management Level I-III. Note: GSEC is Technical Level II.

Future Areas of IA Certification:

Certification and Accreditation
IDS and Analysts
Auditors
CND/SP members
IA architectures, engineers

NIST Slide on 8570 (slide 10)

On a recent FISC slide I saw Red team (pentesting/hacking) among these future specializations.


Certified Ethical Hacker Cert and Certified Pen Testing Expert

I'm going to go for the Certified Ethical Hacker Cert and eventually the Certified Pen Testing Expert Certification.  That is the direction that I'd like to go with my Information Security Career. 

As of right now, I have a CISSP.  I do a lot of Security Testing Evaluations and Authorization Agreement, Security Policy type work.  It pays well but I think Pen Testing would be more fun.  After getting the CISSP, I seriously considered going after the ISSEP, Information System Security Engineering Professional cert, which I heard was harder than the CISSP… I don't see how that is possible.

The CEH is a 125 question test that I've heard mixed reviews about. I've taken the bootcamp and I love the material. It's all hardcore hacking. Not simply how to use Cain & Abel or Nmap but how to code malware with notepad, methods of SQL injection, and firewall attacks. I learned a lot. It also scared the piss out of me. If you're already a hacker or hardcore pentester then the class would be nothing more than a refresher. Intermediates with pentesting will have a real treat. Beginners will be decapitated.

I guess CPTE, Certified Pen Testing Expert, is the latest one. From what I've read, it looks like it is a step up from the CEH. Here is some more info on the CPTE. From what I've read the CPTE is INSANE. It looks like a practical exam completed in the presence of a pentesting expert. It includes SQL injections, gathering data, compiling hacker applications, and FRICKING Lockpicking… I AM NOT READY.

Training on Security+

I will be doing training on the Security+ for the ISSA-COS. I'm training the Communication Security portion of the test. This is one of my favorite sections.

I told the ISSA guys I'd do it as long as I didn't have to train on Crypto, which is one of my weaker subjects.

I'm excited about the training because I feel like I will really be able to help people ace this test. Most security professionals who have been in IT for more than a couple of years won't have a problem studying for it and passing it.

It really is just basic technical information security stuff. There is also a lot of support on the Internet for this test: practice tests, guidance on what to study, and encouragement.

Don't sweat this test, especially if you've studied.

The ISSEP: Information System Security Engineering Professional certification

I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP covers things I do or have to deal with daily, it seems like a good idea.

What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as “the art and science of discovering users' security needs, and designing and making, with economy and elegance, information systems so that they can safely resist the forces they might be subjected to.”

System Security Engineer's tasks:
  Discover Information Protection Needs
  Define System Security Requirements
  Design System Security Architectures
  Develop Detailed Security Design
  Implement System Security
  Assess Information Protection Effectiveness

Instead of ten domains the ISSEP has four:
  System Security Engineering
  Certification and Accreditation
  Technical Management
  U.S. Government Information Assurance Regulations

Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).

My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult. The CISSP is so broad that you could not possibly get all the information from a single source.

http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
http://www.nsa.gov
http://www.isc2.org


Information Security vs. Information Technology

In my experience Information Security as a career field is far superior to Information Technology (IT). I've done both for a number of years. IT seems to get worse every year and Information Security seems to get better.

Overall Information Security pays better, has less competition from competent professionals and usually doesn't have a lot of out-of-country competition. There are exceptions such as highly specialized IT jobs and management positions. When I refer to “IT” I'm speaking of basic network engineers and System Administrators, not WAN engineering CCIEs, or IT guys running their own business contracts, or very specialized software coders that know assembly. I used to be very excited about IT until I went into the private sector for about a year.

Why does Information Technology suck as a career field?
Well it doesn't necessarily SUCK, but there are several reasons why I will more than likely never go back to vanilla flavored IT: too much work, slave wages, competition.

Let's start with too much work. Many businesses that rely heavily on their servers, routers, databases and other information systems want their systems to be up 24/7, which requires on-call workers. I used to be excited about getting the pager and/or corporate cellphone until I got called a few times at the crack of ASS on a weekend. When a critical system goes down, the IT person's pager blows up. This sometimes means working long hours. When you are on call, your free time is completely dependent on the status of the information system. FYI, the system hardly ever goes down when you're sitting at home thinking, “Damn, I'm bored! I wish I could fix the server.” It usually goes off when you're at your daughter's graduation or in the middle of your marriage about to say “I DO” or in mid-stroke when you're about to orgasm.

Information Security specialists can also have a “digital leash.” But major viruses taking down an entire network is much more rare than a system crash or user error, especially if you have Windows behind a good robust firewall.

Slave wages.. o.k. that's an overstatement, but unless you are specialized, as stated above, you will be hard pressed to make over 55k in a basic IT job. Now 55k is pretty good, but in security you can make as much as 100k (particularly in forensics).

The low wages are directly related to the amazing amount of competition you will face as an IT guy. Where I live there are a handful of military installations which crank out bright young service members who are willing to take the minimum that most companies will pay. One of the biggest competitors may not even come from your country of origin. In the U.S., global outsourcing has become an epidemic. India is one of the biggest competitors for American IT jobs including help desk and software engineering.

Information Security typically hires within the host country's borders. Many even require a security clearance, which greatly limits not only international competition, but local competition as well.

The bottom line in Information Technology and Information Security is specialization. The more skilled you are at one particular trade, and the more certifications, licenses and degrees you have focusing on one specialized skill that is in demand, the better. They may just be pieces of paper but consider them ammunition against the competition that wants YOUR job. The specialization doesn't have to be in Security; it could be in Database Analysis or Network Management or some programming language.

Taking the CISSP: part 1

I took the CISSP. I really don’t know what to say about it aside from acknowledging that it was extremely difficult. Andrew Briney’s article is the most accurate description of the CISSP test. Briney says, “It’s a mystery wrapped in a riddle inside an enigma.”

His other very true point:

“The exam is best characterized as an ‘inch deep and a mile wide.’ Whether this makes it easy or difficult is a matter of perspective.”

For me the hardest part were the answers. I feel like I’ve mastered the art of studying for a test. The fact that there is so much knowledge crammed into a 250-question test waters down my study techniques. It’s very difficult to cover all 10 domains effectively.

I’m not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don’t study, I fail.  I’ve learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I’m one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the “best” answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.

I’ve taken many certifications. They have become almost a hobby of mine. In June, I took the Security+ hoping it would help prepare me for the CISSP. First of all let me just say comparing the CISSP and the Security+ is like comparing Lennox Lewis’ fighting style to that of some 12 year old girl from John C. Still Middle School. There is NO freakin’ comparison… NONE, do you hear me! The preparation that I put into the Security+ is what helped me in my CISSP success. That being said, there were about 6 very similar questions from the Security+ that were on the CISSP, but the CISSP contains ALL of the domains of the Security+ on a comprehensive level.

As I said, I’ve taken many certs. And I DO NOT think that taking a test will make anyone instantly smarter or more technically skilled than some “l33t hacker” that has been cracking databases since age 12, but I DO believe some certifications have great value to the IT and Security industry. With the possible exception of the CISA, the CISSP is the most exalted security cert you can get right now. Many say that any dependency on certification is what is lowering the amount of IT and security professionals with skills. While there may be truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee. Whether they choose the right candidate will ultimately be decided (just like anyone else) by time.

NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I’m not an MCSE or a CCNP (though I’ve tasted the fruits of both) so perhaps there is a match in its level of difficulty.

Having taken the test I don’t feel I was fully prepared, even though I have legitimate experience in nearly all aspects of security; I read a book and studied on and off for a year before taking the test. I tell you, this test beat the shit out of me. They give you 6 hours to complete the test and I finished in 5 1/2 hours. When I was done, I was sure I’d failed. I started trying to think of ways I’d pay the company back since they would not pay for a failed certification. I also started studying for the repeat. I was pleasantly surprised when I got the “congratulations” email.

Adequate study for me would have consisted of reading no less than two “600 page” books and going to a boot camp.

This is the best online CISSP resource I have found: http://www.cccure.org.


Special shout-outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke…42.

Is The Security+ Still Worth It?

I took the Security+ test a few weeks ago. I think the process of learning all of the security nuances in preparation for the test is a really good start for beginning security professionals and IT folks wanting to round out their resume. If you prepare for the test it is easy. I don't think that it is a walkin'-off-the-street type test, but it is not that hard.

How relevant is it? Just do as Michelle Rowton did and do a search for it on Monster or Dice, and compare those results to other certs that employers are looking for.

I was taking the Security+ to prepare for the CISSP. As I've been studying for the CISSP, the Security+ seems to have been a drop in the ocean. While I was able to draw on my years of experience to pass the Security+ (and not study as much), the CISSP is spread so thin over so MANY domains that it requires much more dedication.

Comment from DIGG:

In my opinion the Security+ certification is over-rated and is no more than another logo and a cert on the wall. Several people probably take the test as a stepping stone to the CISSP, or they take it for the simple fact that it's a cheap certification that they never have to renew.
