Security+

[Brian Sierakowski]

Hey all,

Just trying to figure out if Security+ is a good use of time. What happens is I pay out of pocket for certifications, and then get reimbursed from my company some time later. I've managed to keep a nice rolling effect by taking the reimbursement for my last cert and applying it to my new one.

So, is it worth it? I'd really like to get into CEH, but while its a MUCH shorter path, its also much more expensive (likely prohibitively so.)

If you passed, what resources did you use to study?

Any information would be very helpful.

Thanks!

-B

[digininja]

I'd say if you've got the cash go for SANS. Really expensive but really good quality.

[Brian Sierakowski]

Sans as in this stuff: http://www.sans.org/training/courses.php ?

Do you know what average cost is? There's definitely a fairly LOW ceiling on what my company will reimburse, that's why CompTIA has been so attractive, $200-$300 certs with self study.

Have you attended any of those courses?

Thanks,

-B

[digininja]

I've done two SANS courses, one where I found local funding through a training scheme and the second as a volunteer so you get in really cheap but have to work the week when you are not training.

Both were very good courses, 617 wireless and 504 incident handling and hacking.

[SomethingToChatWith]

Sec+ is great to start out with. You can get the 2009 Security+ exam objectives here, detailing all knowledge domains you should study for in order to be prepared to pass the exam, most of which deals with basic cryptography concepts. For studying I'd recommend MeasureUp, though there are some free resources online as well.

[Brian Sierakowski]

Awesome, thanks!

[efk]

I actually just took this test, and I must admit, it's worthless. I would say go for the anything non-comptia.

[Machstorm]

I actually just took this test, and I must admit, it's worthless. I would say go for the anything non-comptia.

I can tell you are lying because you are using an absolute with no explanation. however, if you do please elaborate.

I am Sec+ certified too and I found nothing "Worthless" about it.

[Brian Sierakowski]

Yeah, I'm not so sure about worthless, but what do I know?

I'm studying for the test now, and I'm finding that I don't know a lot of the material, and in general the material is pretty interesting. I just did the section on cryptography, and if they would have made math that cool in school, I wouldn't have avoided it at all cost.

Sec+ gets a thumbs up from me thus far :).

-B

[RobLoos]

I got the same problem. I would love to get some more classes & start work on getting certified but it's WAAAY above my budget. Luckely i'm getting CCNA at my college, it's not a lot but it's something :)

[Signal Hacker]

I got my company to bankroll me for the SSCP (Systems Security Certified Practioner) exam. It's from (ISC)2, the same org that does the much-coveted CISSP, which I'll go for once I have the necessary years of working experience under my belt.

Honestly, I kinda wish I'd done the CompTIA Security+ instead.

Not because I think it's a better exam, I actually think the SSCP is really good for beginning security specialists, especially because you're required to continue your professional education in under to maintain it and you have to have at least 1 year of IT security experience to get it.....the problem is that (ISC)2 doesn't freakin' market the SSCP cert like they do their others, so more companies know what Sec+ is vs. the ones that know about SSCP.

To be brutally honest, if you're looking for a job, Sec+ is probably better to have because there's a better chance that whatever security-ignorant HR person is combing through resumés will actually recognize it.

I'm in the same boat as far as the CEH. I really reeeeaaaaally wanna attend this hacker boot camp the InfoSec Institute offers (gets you both the CEH and Certified Penetration Tester)....but the classroom course is ~$4000 and the online course is just under $2000, even after my company discounts. Good luck getting that past the training budget coordinator :(

[Brian Sierakowski]

Ha, dude, we're coming from the exact same page.

I'm thinking since I'm going to have 3 certs this year, I'll beg and plead that my reward be funding for CEH. Ideally, I'd like to do Sec+, then do CEH, and then after a few years go for CISSP (once they decide to let me in that is).

Above all, being able to whip out your cert and be like "Everyone remain calm, Certified Ethical Hacker here" is basically bad ass. Plus, if you do their classes you get through it in a week, compared to the 2 months I'm taking on Sec+.

But, I digress, we'll see what happens when I get there, I haven't heard from anyone that CEH isn't good.

[Signal Hacker]

CompTIA certs are nice and cheap...if you have to bite the bullet and pay for Sec+ yourself, but through some miracle get your employer to sign off on CEH....DO IT!!!!!!! I hope both of us have the luck to get our respective companies to pay for it!

I've heard some people opine that GPEN (the GIAC Penetration Tester cert) is the superior one...but check any job site for how many employers are asking for CEH vs. how many are seeking GPEN, and there again you have the same situation as I have with Sec+ vs. SSCP. But that's kinda beside the point.....CEH is a good cert, by all accounts I've heard.

A cert is only as good as how valuable management-types think it is and how much more they're willing to pay you for having it!

[Brian Sierakowski]

A cert is only as good as how valuable management-types think it is and how much more they're willing to pay you for having it!

Well, there is a small component of how much you actually learn from the course :).

I think you want to say a cert is only as lucrative as how management types think it is. It's only as valuable as how much you learn.

Not that that isn't stating the obvious for everyone on the board :).

[Signal Hacker]

Stating the obvious too, experience is always better than any cert. Which is why I want that CEH/CPT course, since I get a nice lab to actually do this stuff (experience), and not just buy a $50+ book and vomit back up the info on a $400+ exam sheet. SSCP is a good cert, but I can't really say I learned much new that I didn't know already, now I just get to prove I know by placing a pretty little acronym after my name...same with Sec+, as much as I've looked at what it covers and the sample exam questions.

My company used to be really really anti-cert, their philosophy being, "The experience you gain here is better than any certification!" But my company is a consulting one, so eventually they had to back down when clients start asking for CISSPs, CCNAs, etc. by name to work their projects. But they're still resistant, so you really have to sweet talk them to get them to pay for anything expensive (over $500).

[Brian Sierakowski]

Yeah, I feel its foolish for a company to be anti-certification. I mean, this is why we do these things, get certifications, get college degrees, etc. No prospective employer or client has the time to sit down with you for a week or two and find out what exactly you know or don't know.

So, whilst people turn up their noses at getting certified as "real world experience is the best," I would rather be the certified idiot who gets the job instead, and then I can learn OTJ.

[Signal Hacker]

Can't argue with that :)

[Myk3]

I am currently SEC + certified.. I can say just studying for the exam was nice.. It brought to light a lot of different vulnerabilities that most people are unaware of. (even if they are out dated) My company paid for the training and the test.. They also are sending me to CEH (well there is talks of it) and then down the road to end goal of Licensed Penetration Tester (LPT)

[Myk3]

Can't argue with that :)

Just an odd question.. i see you name / picture is "Signal Hacker" was you in the army.. what MOS? I was a 31F

[CrashZilla]

I would agree that it is a good place to start but the only reason I got the Sec+ is to add the security+ to my MCSE. I don't know if I would have gone for it if it wasn't just an add on. I think there are better certs out there but they jump in cost pretty fast. I too enjoyed the section on crypto it was something I always wanted to study. Good luck to you in whatever you choose.

[Brian Sierakowski]

I would agree that it is a good place to start but the only reason I got the Sec+ is to add the security+ to my MCSE. I don't know if I would have gone for it if it wasn't just an add on. I think there are better certs out there but they jump in cost pretty fast. I too enjoyed the section on crypto it was something I always wanted to study. Good luck to you in whatever you choose.

I'm about 75% on my way through studying, I'm taking the test on 8/14, so we'll see how that goes :).

[matt2k4]

Did anyone here get the CBT Nuggets video for Security+? If so, was it worth it?

Also, what books would you guys recommend? Exam Cram?

[Brian Sierakowski]

Did anyone here get the CBT Nuggets video for Security+? If so, was it worth it?

Also, what books would you guys recommend? Exam Cram?

Testout seems to be far and away the best study software.

The book that comes in the Sec+ voucher bundle is pretty good too, its made by ILT i think.

[Signal Hacker]

Just an odd question.. i see you name / picture is "Signal Hacker" was you in the army.. what MOS? I was a 31F

25A...but National Guard, not active duty.

Nowadays, your old MOS (now called 25F) is in pretty high demand with a hefty bonus. Wanna re-enlist? ;)

I don't think it's as bad as 25B though...active duty Army is hurting for them so bad that we can't even slot anyone for it for the next year.

For any non-military following this convo:

25A - Signal Officer

25F/formerly 31F - Net. Switching Systems Operator

25B - Info Systems Operator

[Signal Hacker]

I'm still pursuing the CEH cert. Still don't have a chance in hell of getting the company to pay for the bootcamp (though I did try out for the CEH web course contest TheAcademyPro.com had), so I applied for the self-study option and got my eligibility number...haven't scheduled yet. Got the ExamPrep book, which had better reviews on Amazon than even the official course material .

Don't know when the hell I'll get enough to finish studying and take the exam. I'm pretty swamped right now with an ISO 27001 project where I'm the only guy whose ever even touched it and the rest of the team is clueless.