You will find that the CISSP is probably the strongest candidate for
serious entry into information security. Is it going to give you
useful technical information? Definitely not. It's one of those
generic certs that looks VERY good on the resume. Yes it requires work
experience but the requirements are so general you could work as an
electrician inside a server room and you would qualify. With a
Bachelor's degree it cuts the required work experience down. It's one
you WILL want to get eventually once you get some experience under
your belt.

I've done the CEH but do the course for sure with the exam... the
instructors teach you the practicality the exam does not. The
certification doesn't stay very current, uses old tools, some of which
are pretty archaic and ineffective on OS's patched beyond 1999. And it
is mostly a tools exam, it's not going to teach you to pen test. I
have the CEH and I will say that. Now I got it in 2006 so maybe
somethings changed but when I did it the course and the exam didn't
sync up much, which was a good thing! The instructors are excellent
and realize the shortfalls of the exam, and they teach you real pen
testing. Don't worry, they spend like 1/2 the last day prepping you
for the tools exam. I will say this, I would never do an EC-Council
exam on its own. Course? YES! Exam? No.

The SANS courses are excellent. Back in the day when GIAC didn't
succumb to whining paper cert kiddies the certifications required
practicals and actual knowledge not memorization, which is what most
other IT certs are. Therefore the courses have been built around
teaching you real world application and proper theory applied to
practical situations. Of all the courses I have done, I found the best
to be the SANS ones. You get your money's worth with them. Your brain
gets a full on assault of information though :) I just renewed my
GCIA, and I did the GWAS certificate. Both were excellent, even though
GWAS was still being developed at the time. There's lots of course
delivery methods too, so if cost is a concern...

You might want to check out the courses offered at Black Hat. They are
$$$ but apparently they are good. I have never been but will be in
2008. But maybe its assumed they are good only because they are

CompTIA is VERY basic but might be ok to crack out that first cert...
I can't say anything about it really, I've never thought much of the
'+' exams because its all memorization, and bad experience with A+
(wouldn't trust someone with an A+ with a desktop). Security+ I hope
is different, and I do hear ok things about it.

I help make decisions on hiring for our engineering dept and I will
say SANS impresses me, puts up a flag. This is because you have to be
serious about the material, their exams aren't a walk in the park. You
need to know your stuff. You'd love them, you seem like you're pretty
serious about this field if you've done some work on your own.

Oh, and vendor certifications aren't worth your time... You don't need
to pay Cisco $300 for them to tell you how great they are (there are
literally questions on the CCNA that make you tell Cisco why they have
the best router, I am not kidding). I have vendor certs but only
because I get paid for them. Otherwise I couldn't care less. And I
don't pay attention to them at all when measuring a security
professional, especially the ones who tattoo them after their name
like they are PhD's :)


On Dec 17, 2007 7:44 AM, <infolookup@xxxxxxxxx> wrote:
Good day all,

I know this is not really a tech-pentest question however I wanted to get some feed back as to what certs/skill set one need to acquire in order to break into the pentest/information assurance/computer forensics job market.

I am a about to graduate with my BA in computer system next semester, and I am tring to get into a security related field, I did very little vul-testing/pentesting for friends, or on a few work servers and wifi network.

And that was very interesting, but with so many certs and paths out there I wanted to know which ones you guys took so I can get an idea.

Thanks in advance.
Sent via BlackBerry from T-Mobile

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!