Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Worthwhile Security Training Courses?

Posted by timothy on from the just-fill-out-this-form dept.

ageoffri writes: I'm going to be able to take one, or maybe two, training courses next year and starting to figure out what would be a good course to take. While I'm not 100% sold on the concept of certs as the be-all and end-all of demonstrating knowledge and more importantly application of that knowledge, if someone else is going to pay for them I figure, Why not? Right now I'm leaning towards classes that have certs associated with them since HR drones look for letters. I also wouldn't mind a class that is just fun and interesting even if it isn't directly applicable to what I do currently. My short list is: CCSP by Training Camp (SEC503); Intrusion Detection In-Depth by SANS (GPPA cert); SEC504: Hacker Tools, Techniques, Exploits and Incident Handling (GCIH cert); and SEC550: Active Defense, Offensive Countermeasures and Cyber Deception (no cert). The first two directly apply to my day to day job. The third one just looks like fun, while the last one is also fun sounding, but I doubt I'd have much opportunity to put the skills to use. I'm curious what others here are thinking about for future training and other options to consider. I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished.

43 of 70 comments (clear)

  1. OSCP by bluefoxlucid · · Score: 3, Informative

    Get the OSCP.

    --
    Support my political activism on Patreon.
    1. Re:OSCP by Anonymous Coward · · Score: 1

      +1 - Doing the class right now and having fun and learning a lot. You can take the class and test online, saving your company travel $$ too. Prices are very low - a lot of bang for the buck. As a CISO, I would look quite favorably on someone having the OSCP cert.

    2. Re: OSCP by rickb928 · · Score: 1

      Having to take meds that cause drowsiness when taken and horrible withdrawal when not would, if it interfered with your ability to work, be a significant detractor.

      You'll be looking for work where response time is not an important consideration.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re: OSCP by rickb928 · · Score: 1

      Unless you're testing during holidays, off-hours, when key personnel are unavailable, you know, vulnerable times.

      All that can be planned for.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  2. Easy! by slashdice · · Score: 2
    Slashdot Deals: 98% off on Cyber Security Professional Training & Certification Bundle.

    DO NOT USE THAT ONE!!!!!

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:Easy! by zlives · · Score: 1

      LOL that's exactly what i thought.

    2. Re:Easy! by __aaclcg7560 · · Score: 1

      If you're not pooping gold bricks each week, you're not doing it right.

    3. Re:Easy! by slashdice · · Score: 1

      Like they say, shit in one hand, get a slashdot cybersecurity degree in the other. Both look and smell the same!

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  3. work on doctorate? by i.r.id10t · · Score: 2

    You have a masters... will work pay for you to keep taking courses to get a PhD ?

    --
    Don't blame me, I voted for Kodos
  4. classes by JohnVanVliet · · Score: 1

    Offensive Security

    https://www.offensive-security...

    and a masters in CS

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
    1. Re:classes by karnal · · Score: 1

      Maybe they're trying to be offensive.

      --
      Karnal
  5. Can't recommend this enough by meloneg · · Score: 1

    http://www.aspectsecurity.com/...

    I've taken this class. Can't recommend it strongly enough.

  6. General Security by jon3k · · Score: 3, Interesting

    Generalized security is mostly bullshit. It's all an inch deep over a broad area. For it to be worth a shit you need to be a specialist who understands a particular area and knows enough about it to understand how to secure it.

    But as far as what bullshit security certification generates the most cash in your pocket? I'd guess CISSP.

    1. Re:General Security by __aaclcg7560 · · Score: 1

      If you bother to read the summary: "I already have my CISSP, along with an MS in Information Assurance, so the two obvious choices are finished."

      So the question should really be what to take after being BS-certified by Microsoft and CISSP.

    2. Re:General Security by jon3k · · Score: 1

      Yeah way too many words, not that interested. But with that said, I'd say specialize in something. Just getting "security training" with no particular objective or aim is kind of a waste of time.

    3. Re:General Security by nharmon · · Score: 2

      So the question should really be what to take after being BS-certified by Microsoft and CISSP.

      I think "MS in Information Assurance" was referring to a Master of Science degree, and not a Microsoft cert. But don't let me get in the way of you telling off someone about their reading skills. :)

    4. Re:General Security by __aaclcg7560 · · Score: 1

      Never heard of a master degree in Information Assurance. Looks like an East Coast thing. I was puzzled why another commentator referred to a master degree when no master degree was mentioned in the summary. I thought it was an obscure Microsoft (MS) certification.

    5. Re:General Security by __aaclcg7560 · · Score: 1

      Security+ and ITIL are popular in my department. Since we are a Windows shop, Win7 and Server certs are nice to have.

    6. Re:General Security by __aaclcg7560 · · Score: 1

      Whatever happened to having 10 to 20 years of general I.T. experience before entering InfoSec? A master degree is no better than a certification without the work experience.

    7. Re:General Security by luis_a_espinal · · Score: 1

      Never heard of a master degree in Information Assurance.

      We are all ignorant of something. That's ok. The important thing is not to be quick in jumping to conclusions without first checking our assumptions.

      With that said, calling it an "East Coast" thing means what? You never knew about the degree, but you think you can call it names or something? Dude, expand your horizons. Ignorance is not bliss.

    8. Re:General Security by luis_a_espinal · · Score: 1

      Whatever happened to having 10 to 20 years of general I.T. experience before entering InfoSec? A master degree is no better than a certification without the work experience.

      Again, you have never heard about the degree. You do not even know the curriculum, and yet you question its validity? Information Assurance (IA) is more than IT security (just as security/enterprise security is more than just IT security.) Organizations and projects dealing with DOE and DOD contracts rely heavily in IA.

      And why wait 10 to 20 years of general IT experience before entering InfoSec? Where did you get that from? If you, the generic you, pay close attention, you can get all you need in terms of experience within a decade? 20 years, then you have been doing something wrong.

    9. Re:General Security by __aaclcg7560 · · Score: 1

      A Google search came up with a bunch of East Coast schools with that degree program. Since I'm on the West Coast (California, in particular), it's an easy assumption to make.

    10. Re:General Security by __aaclcg7560 · · Score: 1

      I was hired on for a nationwide I.T. security project a year-and-a-half ago. Everyone who got hired on had 10 to 20 years of general I.T. experience. Everyone has the basic certs: A+, Network+ and Microsoft Windows. Our project leads has 20+ years of general I.T. experience, the basic certs, and Security+ or higher certifications. I'm studying for the Security+ and ITIL certifications (DoD favorites). I was hoping that the requirement 10 to 20 years of general I.T. experience, which you need to complete the basic certs if you follow the recommended guidelines for each one, would save me from dealing with the idiots who have a degree or certification but no experience.

    11. Re:General Security by will_die · · Score: 1

      The major security one that wants you to have years of experience is CISSP however that is easy to get signed off on go to any security group and ask for someone to sign off and you will get a copy of people that will.
      That said I have worked with a bunch of CISSP certified people and as a collective skill group they are some of dumbest technical people around, for example I had to repeatly explain to them how to get a computer name when the logs only showed IP addresses for a computer.

    12. Re:General Security by dcw3 · · Score: 1

      Every cert you listed is basic (unless you're beyond ITIL Foundations). None of that comes close to requiring 10-20 years of experience, and all of those combined could be completed in a couple months. I've been in the business since the 70s, but almost none of my experience from over 10 years ago is applicable anymore because of the advances in technology.

      --
      Just another day in Paradise
    13. Re:General Security by dcw3 · · Score: 1

      Could it be that you're working with the DoD, which has a requirement (8570) by the military? Sec+ is mostly useless unless you're required to have it for the job.

      --
      Just another day in Paradise
    14. Re:General Security by __aaclcg7560 · · Score: 1

      You simply lucked out or had the right connections to get on that project.

      Not luck or connections. I had an impressive resume backed up by years of experience. Everyone else on my team also have similar backgrounds. Those who are faking it are fired within a month.

      At some point you are going to have to be honest with someone, even if that someone is only yourself.

      You sound full of yourself. Let me guess, you got a master degree?

    15. Re:General Security by __aaclcg7560 · · Score: 1

      When I did help desk for Google, I had to walk a newly hired graduate from Stanford University in turning on his desktop computer. He apparently never owned his own computer and used the computer labs extensively at school, where someone was always around to turn on the computers and made sure that they work. I welcomed him to the real world.

    16. Re:General Security by __aaclcg7560 · · Score: 1

      I've known people who blitzed through their certifications and couldn't get a job because they had no actual work experience. I got my experience before I got my certifications, which made taking the exams easier. While the specific details of technology changes over the years, troubleshooting users and technology doesn't change.

    17. Re:General Security by __aaclcg7560 · · Score: 1

      Could it be that you're working with the DoD, which has a requirement (8570) by the military?

      I can neither confirm nor deny, but a lot of my coworkers are ex-military. With the DoD having the largest computer network in the world (or so I've been told), it wouldn't surprise me if the DoD set the standards for the rest of the government.

      Sec+ is mostly useless unless you're required to have it for the job.

      Isn't that true for any certification?

    18. Re:General Security by dcw3 · · Score: 1

      Sec+ is mostly useless unless you're required to have it for the job.

      Isn't that true for any certification?

      The point is that Sec+ doesn't show any useful knowledge. Anybody can pass it. The whole 8570 requirement is welfare for the testing companies.

      --
      Just another day in Paradise
    19. Re:General Security by __aaclcg7560 · · Score: 1

      MS = Microsoft, M.S. = Masters of Science

  7. Good idea by viperidaenz · · Score: 2

    I heard it's a great time to get in to security research

  8. Worthwhile Security Training Courses? by Anonymous Coward · · Score: 1

    It's called hacking, once you get a few hundred under your belt, then you can call yourself a security professional.

  9. What if they are auditing? or other? by s.petry · · Score: 3, Interesting

    The real answer is that it "depends". Like "What should I get my degree in if I want to head to Law School?" Well, are you going into criminal law, tax law, constitutional law? Theoretically it should not matter, but in practice a History major makes a better Constitutional lawyer where a Business/Accounting major will do much better in Tax law. So what do you plan to get out of the certification or class?

    CEH is one of my favorites because it covers lots of the legal aspects of white hat hacking, while teaching you how to hack. The first is more in depth for the CISSP so should be the easy part. OSCP is similar to CEH in that it focuses on the hacking aspects (pen testing). If you are looking to be more independent you may wish to forgo additional "Security" related certifications and get a RHCE/RHCA to provide some clout in that direction. Then as you note there are numerous non certified training camps which are very good to have if you just want to learn. If you plan on Law enforcement you could focus on forensics, cryptography for intelligence, low level network monitoring (in depth Ethernet, TCP/IP inspection), etc.. etc...

    Then there is the DOD/GOV side which has different rules and certifications. You can start by looking up DISA, JAFAN, NISPOM (should most get you to .mil sites).

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:What if they are auditing? or other? by bigtomrodney · · Score: 1

      The CEH is certainly something that looks good on the CV, but I have never met a pen tester or IT Security manager who actually held it in high regard. The OSCP is by all accounts an order of magnitude more difficult, more relevant and more respected. I'm not opposed to multiple choice exams (I have several of the certs mentioned here and am quite proud of it) but for me it just doesn't add up that you can demonstrate a practical skill such as hacking through this form of test.

      --
      I never get used to these constant resurrections
    2. Re:What if they are auditing? or other? by bluefoxlucid · · Score: 1

      Because our tasks are uniquely difficult: not only are they complex, but they're impossible to verify. If all the hackers and security auditors and Bruce Schneier think your network is secure, that's the end of that; if all the NASA engineers in the world think your plane will fly, they can stand around scratching their heads about it when it doesn't.

      --
      Support my political activism on Patreon.
  10. courses by An+ominous+Cow+art · · Score: 3, Informative

    I took the SANS Intrusion Detection and Hacker Exploits courses 10+ years ago and they were very good. It was a long time ago, though, and I don't know what the courses are like now.

    1. Re:courses by Anonymous Coward · · Score: 1

      It's still excellent, but very expensive. I have SANS certs I am probably going to let expire because it's too hard to monetize the cert if you are not doing consulting or something where people actually look for certs...

  11. SANS is great content, if expensive by Tool+Man · · Score: 2

    I've taken the intrusion detection and incident handling courses, with certs in both (still have the latter). When considering them, try to align with what you figure you'll be doing job-wise, if you know. The intrusion detection stuff was great for grubbing through packets to figure out what's going on, where the hacker tools and incident handling gives you some hands-on playing and knowledge you'll want for incident response. I wasn't doing any network monitoring in my role though, so didn't keep up the intrusion analyst cert, but I did love the course.

  12. Everything at OpenSecurityTraining.info... by BIOS4breakfast · · Score: 2
    ...assuming you're the kind of person who wants to know how systems work, as opposed to how to run tools.

    OST doesn't cater to all topics (yet), because it's volunteer driven. Its primary volunteers thus far have come from a deep system security background. Its assembly, OS/BIOS internals, exploits, and malware curriculum tracks are the most developed, and far deeper than anything you'll (ever) find at SANS, since OST is not commercial and therefore doesn't have to pander to popularity and buzzwords and try to deal with the never-ending churn of trying to put butts in seats.

    OpenSecurityTraining.info/Training.html

  13. Changes in global IT by AHuxley · · Score: 1

    Follow the new mil security and gov educational funding over the past decade. A lot of fancy public/private sector entry level university academic offerings quickly divert cyber or security course selection into only what the US gov or mil needs. The talking to good people with years of broad math, science, engineering skills and offering them the option to enter gov/mil contracts seems to have been replaced.
    Pack entry level classes with students interested in security and pick the best in the open seems to be the new gov method.
    The ability to pass background investigations, understand databases that connect public private partnerships and not talk about work will be the new 'security' skills.
    A generation later and it will be a huge rush to create general broad academic skills again. As far as learning any one US branded OS or database, recall the free changes over the decade. The ability and background to learn and understand any new computer related idea vs a deep understanding of one traditional brands pay per seat, core expected market share.

    --
    Domestic spying is now "Benign Information Gathering"
  14. From the horse's mouth by Gunfighter · · Score: 1

    I just spoke to a recruiter in my company's MSSP division. Recommendations:

    CISSP (you're all set)
    OSCP
    CEH

    Tack on some SIEM certs or experience for good measure.

    --
    -- Stu

    /. ID under 2,000. I feel old now.