Re: Doubt regarding Sec+

[Adam Jones <ajones1 () gmail com>]

On 19 Nov 2005 05:39:22 -0000, kota_44 () yahoo com <kota_44 () yahoo com> wrote:
> HI All ,
>
> I have a question regarding Security + exam .
> I have a about an years experiance on working on Application Security and now to widen my security knowledge base and 
> also to get some relevant Security related certification under my belt
>  I had a doubt of what to start of with so the first exam which many suggested is Sec+ but a large no of others gave 
> a feed back that this one
>  aint having a good value now and not worth the Time and effort and better to start of with something like CEH .

Security+ is intended to give you a decent baseline in network and
application security. It documents that you have demonstrated the core
knowledge necessary to learn other security topics, and should be
competent enough to not screw anything up too bad. In other words i
agree that it is a good start.

CEH looks like it sets you up to be a pen-tester. IMO it helps you
learn processes, not concepts. In addition the term "hacker" in the
title seems like it is there just to incite a response. They could
just have easily went with "Certified Penetration Tester" and covered
the same course material. Having "Ethical Hacker" in your title may be
great to impress friends and kiddies, but I doubt too many hiring
organizations will find it appealing.

If you are looking at something where your work is either a) mostly
solo, or b) done on contract (this is 80% of the jobs out there) then
CEH is probably a bad idea simply for the reason that the term hacker
has become synonomous for bad guy to everyone outside the computing
community. In that sense calling someone an "ethical hacker" becomes
akin to calling them an "ethical lawyer" or "ethical car salesman".

> But other suggested this as a good base for CISSP .

Based purely on name I think the CISSP would be a better second
choice. I have not looked at the actual content of the certification,
but it will look better on a resume than CEH. This obviously is not
the only criteria with which you should be evaluating certifications,
but I think it is an important one.

>  So could you all who probably are familarized or taken Sec + can update me with pros/cons or why one should/ should 
> not take it and its current value and what can be a good alternative to start off if not Sec + .

Overall sec+ is fundamentals. Think of it as security 101. It gets you
enough to let figure out where you want to learn more. There is enough
information in there to allow you to be competent as a junior
administrator with a little bit of software-specific training. It does
not really teach you how to implement very much, but does teach you
"best practices"

CEH appears to be more in-depth in the specific field of penetration
testing. It has the benefit of (hopefully) requiring more knowledge
about security in general, but loses a lot of credibility with the
management types due to the stigma on the name "hacker".

CISSP seems like an unknown to me. It looks like a more
advanced/practical sec+, but that is only after a relatively brief
review of the cert.

If I were to give you a suggestion on what to do it would be this:

1) get a sec+. At the least it makes sure that you have studied all
the basics. Do your best to ace the test, as barely passing the cert
means you didn't really learn the topic.

2) Avoid CEH. I will put in a caveat here that if you do not plan on
getting a job where you deal with management, at all, then it probably
is ok. I have yet to find any jobs like that, and should one appear
you will probably be run over for it by people with more experience
anyways.

3) Consider the CISSP. Look carefully at what it actually teaches, and
try to find people that have taken it to give you feedback. (hopefully
such a person will respond to this thread) Don't get it just to get
it, make sure it really is worth the money.

-Adam