Slashdot Mirror


Ask Slashdot: Worthwhile Security Training Courses?

ageoffri writes: I'm going to be able to take one, or maybe two, training courses next year and am starting to figure out what would be a good course to take. While I'm not 100% sold on the concept of certs as the be-all and end-all of demonstrating knowledge and, more importantly, application of that knowledge, if someone else is going to pay for them I figure, why not? Right now I'm leaning towards classes that have certs associated with them since HR drones look for letters. I also wouldn't mind a class that is just fun and interesting even if it isn't directly applicable to what I do currently. My short list is: CCSP by Training Camp (SEC503); Intrusion Detection In-Depth by SANS (GPPA cert); SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH cert); and SEC550: Active Defense, Offensive Countermeasures and Cyber Deception (no cert). The first two directly apply to my day-to-day job. The third one just looks like fun, while the last one is also fun sounding, but I doubt I'd have much opportunity to put the skills to use. I'm curious what others here are thinking about for future training and other options to consider. I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished.

70 comments

  1. OSCP by bluefoxlucid · · Score: 3, Informative

    Get the OSCP.

    1. Re:OSCP by Anonymous Coward · · Score: 1

      +1 - Doing the class right now and having fun and learning a lot. You can take the class and test online, saving your company travel $$ too. Prices are very low - a lot of bang for the buck. As a CISO, I would look quite favorably on someone having the OSCP cert.

    2. Re:OSCP by Anonymous Coward · · Score: 0

      The 24 hour exam is prejudicial against people with medical conditions

    3. Re:OSCP by Anonymous Coward · · Score: 0

      This; I just retook the class with updated course material, first time I took it was in 2008. Great learning class, you need a lot of self motivation to pass it.

    4. Re:OSCP by Anonymous Coward · · Score: 0

      The 24 hour exam is prejudicial against people with medical conditions

      Sorry, but "not knowing your ass from a hole in the ground" is not recognized as a Medical Condition.

    5. Re:OSCP by Anonymous Coward · · Score: 0

      Having to take meds that cause drowsiness when taken and horrible withdrawal when not is a medical condition.

    6. Re: OSCP by rickb928 · · Score: 1

      Having to take meds that cause drowsiness when taken and horrible withdrawal when not would, if it interfered with your ability to work, be a significant detractor.

      You'll be looking for work where response time is not an important consideration.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    7. Re: OSCP by Anonymous Coward · · Score: 0

      Response time is not a critical factor for enterprise penetration testing exercises

    8. Re: OSCP by rickb928 · · Score: 1

      Unless you're testing during holidays, off-hours, when key personnel are unavailable, you know, vulnerable times.

      All that can be planned for.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    9. Re:OSCP by Anonymous Coward · · Score: 0

I have known the OffSec guys for a long time; they are fine and caring people. In addition to caring about their students, they care about whether you are learning and the reputation of their certifications.

If you have a genuine medical issue, I can guarantee that they will bend over backwards to accommodate you. If you are a lazy whiner, well, as we all say, "TRY HARDER".

  2. Easy! by slashdice · · Score: 2
    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:Easy! by zlives · · Score: 1

      LOL that's exactly what i thought.

    2. Re:Easy! by Anonymous Coward · · Score: 0

      It's literally $39. That costs less than the time I spend pooping each week.

    3. Re:Easy! by __aaclcg7560 · · Score: 1

      If you're not pooping gold bricks each week, you're not doing it right.

    4. Re:Easy! by Anonymous Coward · · Score: 0

      I poop in your mouth. LOL!

    5. Re:Easy! by slashdice · · Score: 1

      Like they say, shit in one hand, get a slashdot cybersecurity degree in the other. Both look and smell the same!

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  3. work on doctorate? by i.r.id10t · · Score: 2

    You have a masters... will work pay for you to keep taking courses to get a PhD ?

    --
    Don't blame me, I voted for Kodos
  4. Enjoy your state job by Anonymous Coward · · Score: 0

    Since no private sector job does training. You're welcome.

  5. C|EH? by Anonymous Coward · · Score: 0

    Also an option for fun/value

  6. classes by JohnVanVliet · · Score: 1

    Offensive Security

    https://www.offensive-security...

    and a masters in CS

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    1. Re:classes by Anonymous Coward · · Score: 0

I'm sure it's a very good product, but that website! Argh! I scroll and some things shrink and others zoom in from nowhere! Good god, the sooner we can move on from this Web 2.0 crap the better!

      Sorry, nothing really to add to the topic at hand.

    2. Re:classes by karnal · · Score: 1

      Maybe they're trying to be offensive.

      --
      Karnal
    3. Re:classes by Anonymous Coward · · Score: 0

      It's an offensive website, all right.

    4. Re:classes by Anonymous Coward · · Score: 0

      Will add one thing. I've been aware of metasploit for some time but never used it. Getting past the website design annoyances, there's a neat intro guide for using metasploit on the site GP linked. I think I might try my hand at it this evening on a server I'll be offlining in a few weeks that wasn't kept up to date as well as it should have been.

      Mod GP up.

    5. Re:classes by Anonymous Coward · · Score: 0

      What good would a CS masters do? That is like a Senior ME learning how to deep sea weld aluminum. Might be fun. Might be insightful, but god damn is the cost-benefit nowhere close to being viable.

  7. Can't recommend this enough by meloneg · · Score: 1

    http://www.aspectsecurity.com/...

    I've taken this class. Can't recommend it strongly enough.

  8. General Security by jon3k · · Score: 3, Interesting

    Generalized security is mostly bullshit. It's all an inch deep over a broad area. For it to be worth a shit you need to be a specialist who understands a particular area and knows enough about it to understand how to secure it.

    But as far as what bullshit security certification generates the most cash in your pocket? I'd guess CISSP.

    1. Re:General Security by __aaclcg7560 · · Score: 1

      If you bother to read the summary: "I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished."

      So the question should really be what to take after being BS-certified by Microsoft and CISSP.

    2. Re:General Security by jon3k · · Score: 1

      Yeah way too many words, not that interested. But with that said, I'd say specialize in something. Just getting "security training" with no particular objective or aim is kind of a waste of time.

    3. Re:General Security by nharmon · · Score: 2

      So the question should really be what to take after being BS-certified by Microsoft and CISSP.

      I think "MS in Information Assurance" was referring to a Master of Science degree, and not a Microsoft cert. But don't let me get in the way of you telling off someone about their reading skills. :)

    4. Re:General Security by __aaclcg7560 · · Score: 1

      Never heard of a master degree in Information Assurance. Looks like an East Coast thing. I was puzzled why another commentator referred to a master degree when no master degree was mentioned in the summary. I thought it was an obscure Microsoft (MS) certification.

    5. Re:General Security by Anonymous Coward · · Score: 0

      depends on who is giving you the reach around, i assume you are working in some sort of .gov where alphabets matter "and you must try to catch them all" or are looking at jumping ship to greener pastures. find some specific area to focus now that you have the bs covered.

    6. Re:General Security by Anonymous Coward · · Score: 0

      Not just the East Coast - I picked one up at UNM. https://msisa.mgt.unm.edu/

    7. Re:General Security by Anonymous Coward · · Score: 0

      They are very popular right now to the point that people who are just entering anything over entry-level itsec won't get a job without it. Specialized programs with focus. Think of CS as a general studies for tech while IA is razor focused on security.

    8. Re:General Security by Anonymous Coward · · Score: 0

      Why should anyone listen to a man that does not have the attention span to get to the end of a paragraph? Maybe the reason you think everything is low depth bullshit is that you never get far enough to see anything else.

    9. Re:General Security by __aaclcg7560 · · Score: 1

      Security+ and ITIL are popular in my department. Since we are a Windows shop, Win7 and Server certs are nice to have.

    10. Re:General Security by Anonymous Coward · · Score: 0

      I think 'MS' in this context is to mean 'Masters of Science'.

    11. Re:General Security by __aaclcg7560 · · Score: 1

      Whatever happened to having 10 to 20 years of general I.T. experience before entering InfoSec? A master degree is no better than a certification without the work experience.

    12. Re:General Security by luis_a_espinal · · Score: 1

      Never heard of a master degree in Information Assurance.

      We are all ignorant of something. That's ok. The important thing is not to be quick in jumping to conclusions without first checking our assumptions.

      With that said, calling it an "East Coast" thing means what? You never knew about the degree, but you think you can call it names or something? Dude, expand your horizons. Ignorance is not bliss.

    13. Re:General Security by luis_a_espinal · · Score: 1

      Whatever happened to having 10 to 20 years of general I.T. experience before entering InfoSec? A master degree is no better than a certification without the work experience.

Again, you have never heard about the degree. You do not even know the curriculum, and yet you question its validity? Information Assurance (IA) is more than IT security (just as security/enterprise security is more than just IT security). Organizations and projects dealing with DOE and DOD contracts rely heavily on IA.

And why wait 10 to 20 years of general IT experience before entering InfoSec? Where did you get that from? If you, the generic you, pay close attention, you can get all you need in terms of experience within a decade. 20 years? Then you have been doing something wrong.

    14. Re:General Security by __aaclcg7560 · · Score: 1

      A Google search came up with a bunch of East Coast schools with that degree program. Since I'm on the West Coast (California, in particular), it's an easy assumption to make.

    15. Re:General Security by Anonymous Coward · · Score: 0

      Once upon a time you had to be an academic mathematician for a decade or two to even be able to decide what code ran on a computer let alone program for it. Then we made a degree that was relevant to programming.

      Now there is a degree relevant to information security.

      As for this:

      A master degree is no better than a certification without the work experience.

      Doth protest too much methinks.

    16. Re:General Security by __aaclcg7560 · · Score: 1

I was hired on for a nationwide I.T. security project a year-and-a-half ago. Everyone who got hired on had 10 to 20 years of general I.T. experience. Everyone has the basic certs: A+, Network+ and Microsoft Windows. Our project leads have 20+ years of general I.T. experience, the basic certs, and Security+ or higher certifications. I'm studying for the Security+ and ITIL certifications (DoD favorites). I was hoping that the requirement of 10 to 20 years of general I.T. experience, which you need to complete the basic certs if you follow the recommended guidelines for each one, would save me from dealing with the idiots who have a degree or certification but no experience.

    17. Re:General Security by Anonymous Coward · · Score: 0

      You are working on Sec+ and others. Good for you, but that is sophomoric material for specialists. You simply lucked out or had the right connections to get on that project. Nothing more.

Your willful ignorance (how can you claim to have experience and not know what an advanced degree in IA is?) is merely a way to protect you from feeling inadequate compared to specialist competitors in their own field. I do not believe that is a solid plan.

      Maybe you have the talent to convince the less-knowledgeable that generalist experience can replace advanced, specialized degrees and a little experience (you don't honestly think a valid masters program doesn't have an experience requirement do you?) long enough for you to roll into retirement. Maybe you are playing the social loafer long game. At some point you are going to have to be honest with someone, even if that someone is only yourself.

    18. Re:General Security by will_die · · Score: 1

The major security one that wants you to have years of experience is CISSP; however, that is easy to get signed off on: go to any security group, ask for someone to sign off, and you will get a couple of people that will.
That said, I have worked with a bunch of CISSP certified people and as a collective skill group they are some of the dumbest technical people around; for example, I had to repeatedly explain to them how to get a computer name when the logs only showed IP addresses for a computer.

    19. Re:General Security by dcw3 · · Score: 1

      Every cert you listed is basic (unless you're beyond ITIL Foundations). None of that comes close to requiring 10-20 years of experience, and all of those combined could be completed in a couple months. I've been in the business since the 70s, but almost none of my experience from over 10 years ago is applicable anymore because of the advances in technology.

      --
      Just another day in Paradise
    20. Re:General Security by dcw3 · · Score: 1

      Could it be that you're working with the DoD, which has a requirement (8570) by the military? Sec+ is mostly useless unless you're required to have it for the job.

      --
      Just another day in Paradise
    21. Re:General Security by __aaclcg7560 · · Score: 1

      You simply lucked out or had the right connections to get on that project.

Not luck or connections. I had an impressive resume backed up by years of experience. Everyone else on my team also has a similar background. Those who are faking it are fired within a month.

      At some point you are going to have to be honest with someone, even if that someone is only yourself.

      You sound full of yourself. Let me guess, you got a master degree?

    22. Re:General Security by __aaclcg7560 · · Score: 1

When I did help desk for Google, I had to walk a newly hired graduate from Stanford University through turning on his desktop computer. He apparently never owned his own computer and used the computer labs extensively at school, where someone was always around to turn on the computers and make sure that they worked. I welcomed him to the real world.

    23. Re:General Security by __aaclcg7560 · · Score: 1

I've known people who blitzed through their certifications and couldn't get a job because they had no actual work experience. I got my experience before I got my certifications, which made taking the exams easier. While the specific details of technology change over the years, troubleshooting users and technology doesn't change.

    24. Re:General Security by __aaclcg7560 · · Score: 1

      Could it be that you're working with the DoD, which has a requirement (8570) by the military?

      I can neither confirm nor deny, but a lot of my coworkers are ex-military. With the DoD having the largest computer network in the world (or so I've been told), it wouldn't surprise me if the DoD set the standards for the rest of the government.

      Sec+ is mostly useless unless you're required to have it for the job.

      Isn't that true for any certification?

    25. Re:General Security by dcw3 · · Score: 1

      Sec+ is mostly useless unless you're required to have it for the job.

      Isn't that true for any certification?

      The point is that Sec+ doesn't show any useful knowledge. Anybody can pass it. The whole 8570 requirement is welfare for the testing companies.

      --
      Just another day in Paradise
    26. Re:General Security by __aaclcg7560 · · Score: 1

      MS = Microsoft, M.S. = Masters of Science

  9. Worthwhile Security Training Courses? by Anonymous Coward · · Score: 1

    It's called hacking, once you get a few hundred under your belt, then you can call yourself a security professional.

  10. What if they are auditing? or other? by s.petry · · Score: 3, Interesting

    The real answer is that it "depends". Like "What should I get my degree in if I want to head to Law School?" Well, are you going into criminal law, tax law, constitutional law? Theoretically it should not matter, but in practice a History major makes a better Constitutional lawyer where a Business/Accounting major will do much better in Tax law. So what do you plan to get out of the certification or class?

CEH is one of my favorites because it covers lots of the legal aspects of white hat hacking, while teaching you how to hack. The first is more in depth for the CISSP, so it should be the easy part. OSCP is similar to CEH in that it focuses on the hacking aspects (pen testing). If you are looking to be more independent you may wish to forgo additional "Security" related certifications and get a RHCE/RHCA to provide some clout in that direction. Then, as you note, there are numerous non-certified training camps which are very good to have if you just want to learn. If you plan on law enforcement you could focus on forensics, cryptography for intelligence, low level network monitoring (in depth Ethernet, TCP/IP inspection), etc., etc.

Then there is the DOD/GOV side which has different rules and certifications. You can start by looking up DISA, JAFAN, NISPOM (should mostly get you to .mil sites).

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:What if they are auditing? or other? by bigtomrodney · · Score: 1

      The CEH is certainly something that looks good on the CV, but I have never met a pen tester or IT Security manager who actually held it in high regard. The OSCP is by all accounts an order of magnitude more difficult, more relevant and more respected. I'm not opposed to multiple choice exams (I have several of the certs mentioned here and am quite proud of it) but for me it just doesn't add up that you can demonstrate a practical skill such as hacking through this form of test.

      --
      I never get used to these constant resurrections
    2. Re:What if they are auditing? or other? by Anonymous Coward · · Score: 0

      Why, out of all professions in the world, does ours require a test to prove we can do any relevant task? Other professions don't have a test for every piece of their career puzzle, so why do we not only need to constantly take these tests, but then be held to an expectation that they don't prove anything anyway?

      The whole thing is absurd. At least with certs people know that you are self-motivated, not brain dead, and can pass an array of tests with ever increasing difficulty. Good luck even finding that much verification of confidence in your doctor, lawyer, or tradespeople.

    3. Re:What if they are auditing? or other? by bluefoxlucid · · Score: 1

      Because our tasks are uniquely difficult: not only are they complex, but they're impossible to verify. If all the hackers and security auditors and Bruce Schneier think your network is secure, that's the end of that; if all the NASA engineers in the world think your plane will fly, they can stand around scratching their heads about it when it doesn't.

  11. courses by An+ominous+Cow+art · · Score: 3, Informative

    I took the SANS Intrusion Detection and Hacker Exploits courses 10+ years ago and they were very good. It was a long time ago, though, and I don't know what the courses are like now.

    1. Re:courses by Anonymous Coward · · Score: 1

      It's still excellent, but very expensive. I have SANS certs I am probably going to let expire because it's too hard to monetize the cert if you are not doing consulting or something where people actually look for certs...

  12. Try out Pentester Academy by Anonymous Coward · · Score: 0

    Vivek probably has more practical security knowledge than any other person on Earth and his courses are easy to follow, even for advanced concepts.

  13. Hack Your Own Code was brilliant by Anonymous Coward · · Score: 0

    Did this in 2012. BRILLIANT. I'm not affiliated with Trustwave in any way and get nothing from saying this.

    https://www.owasp.org/images/a/ac/Training_-_Hack_your_own_code.pdf

  14. SANS is great content, if expensive by Tool+Man · · Score: 2

    I've taken the intrusion detection and incident handling courses, with certs in both (still have the latter). When considering them, try to align with what you figure you'll be doing job-wise, if you know. The intrusion detection stuff was great for grubbing through packets to figure out what's going on, where the hacker tools and incident handling gives you some hands-on playing and knowledge you'll want for incident response. I wasn't doing any network monitoring in my role though, so didn't keep up the intrusion analyst cert, but I did love the course.

  15. Everything at OpenSecurityTraining.info... by BIOS4breakfast · · Score: 2
    ...assuming you're the kind of person who wants to know how systems work, as opposed to how to run tools.

    OST doesn't cater to all topics (yet), because it's volunteer driven. Its primary volunteers thus far have come from a deep system security background. Its assembly, OS/BIOS internals, exploits, and malware curriculum tracks are the most developed, and far deeper than anything you'll (ever) find at SANS, since OST is not commercial and therefore doesn't have to pander to popularity and buzzwords and try to deal with the never-ending churn of trying to put butts in seats.

    OpenSecurityTraining.info/Training.html

  16. Changes in global IT by AHuxley · · Score: 1

    Follow the new mil security and gov educational funding over the past decade. A lot of fancy public/private sector entry level university academic offerings quickly divert cyber or security course selection into only what the US gov or mil needs. The talking to good people with years of broad math, science, engineering skills and offering them the option to enter gov/mil contracts seems to have been replaced.
    Pack entry level classes with students interested in security and pick the best in the open seems to be the new gov method.
    The ability to pass background investigations, understand databases that connect public private partnerships and not talk about work will be the new 'security' skills.
A generation later and it will be a huge rush to create general broad academic skills again. As far as learning any one US branded OS or database, recall the free changes over the decade. The ability and background to learn and understand any new computer related idea vs a deep understanding of one traditional brand's pay per seat, core expected market share.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Cross post from Spiceworks by Anonymous Coward · · Score: 0

    https://community.spiceworks.com/topic/1245304-training-for-next-year

  18. Take one, skip one. by Anonymous Coward · · Score: 0

    Take one good course and then take it again, but use the time as a vacation!

  19. From the horse's mouth by Gunfighter · · Score: 1

    I just spoke to a recruiter in my company's MSSP division. Recommendations:

    CISSP (you're all set)
    OSCP
    CEH

    Tack on some SIEM certs or experience for good measure.

    --
    -- Stu

    /. ID under 2,000. I feel old now.
  20. Immunity NOP by Anonymous Coward · · Score: 0

    I've been working as a security researcher for a large corp for 7 years now.
    The only certificate I respect is NOP by immunity. All the rest are good to impress HR\management type of people.
    The technical guys don't give a shit about CISSP and the rest of that BS certificates.