CompTia Security+

Sage2k

Hey guys,

A while back I got a Security+ study guide for the SY0-201 test. That test is about to expire, they are moving to SY0-301. I was about to start studying, but I'm wondering if I should pony up some money and get a 301 study guide or just use what I currently have? I'm not sure how big a difference it is from 201 to 301...

Or should I even bother with the security+? Maybe I should go for a different cert?
 
Security+ is a great cert and you can learn a lot from it. A lot of NOC and other security jobs require the Security+ or make you get it within a few months of being hired.
 
The only vendor neutral security certs that carry any weight in the industry are the CISSP, CISA and some of the specialties from GIAC. My company won't even consider non CISSP applicants for our security operations team.
 
If you're learning from it - keep going with Security +. It's not too expensive and a great kick off to figure out if you're actually interested in diving deeper into the convoluted security certification game. Not to mention

Don't throw yourself into something like CISSP before learning the basics. And.... well that CISSP won't even let you register (although you can still give them a pile of money and write the exams, for no benefit) unless you've been working full time directly in network security for at least 5 years. Same thing for CISA, although I've heard they are softer on what qualifies as "network security" work. Once you know this, feel free to laugh at the 19 year olds who claim to hold these certs.
They are still relatively well respected Certifications for a reason.
 
The only vendor neutral security certs that carry any weight in the industry are the CISSP, CISA and some of the specialties from GIAC. My company won't even consider non CISSP applicants for our security operations team.

That's all well and good :eek: - but considering that getting a Security+ cert may get your foot through the door into network security. Which, I don't know... may lead the candidate into a job role and experiences so he/she can meet some of the requirements for CISSP, CISA, etc.

OP - If you're into networking, security kinda tags along like an obsessed girlfriend. It's great knowledge to have, since infrastructure and security are pretty much completely entangled.
If you're resume building and have the cash - it's a certification worth having.
 
That's all well and good :eek: - but considering that getting a Security+ cert may get your foot through the door into network security. Which, I don't know... may lead the candidate into a job role and experiences so he/she can meet some of the requirements for CISSP, CISA, etc.

OP - If you're into networking, security kinda tags along like an obsessed girlfriend. It's great knowledge to have, since infrastructure and security are pretty much completely entangled.
If you're resume building and have the cash - it's a certification worth having.

OP - Let me be more blunt. In networking and security don't waste time and money with any CompTia certs. Any shop that values these is a shop you don't want to be in. You need to start with the basic Cisco certs. CompTia certs are usually red flags for little or no exp and worse, no clue. Every shop I've worked in never even considered apps with these certs. Let me point out I am a hiring manager for a Fortune 100 security shop.
 
If you are at the entry level no cert is a "waste of time". Getting a CCNA won't be very meaningful if you want to get into the security management field (especially if you aren't in a Cisco based shop) and you can't just skip straight to the big guns like CISSP due to its requirements (unless you lie and have someone lie for you which isn't a good start to a career in security IMO).

Any job that requires DoD Directive 8570 compliance will necessitate passing any one of several exams to meet the requirement, one of which is the Sec+ which is relatively cheap and easy.

Personally I studied for less than 4 hours and passed Sec+ with around a 95% score. I'm sure after a couple weeks of studying anyone could pass that test.
 
OP - Let me be more blunt. In networking and security don't waste time and money with any CompTia certs. Any shop that values these is a shop you don't want to be in. You need to start with the basic Cisco certs. CompTia certs are usually red flags for little or no exp and worse, no clue. Every shop I've worked in never even considered apps with these certs. Let me point out I am a hiring manager for a Fortune 100 security shop.

Well, I do admire the bluntness. ;)

With a preference for GIAC/CISA/CISSP - you, as well as the organizations you've worked with represent a micro fraction of an IT market which is on an enormous scale.

The 99% of hiring managers, human resources and personnel departments still look for/ask for certain base credentials to separate favourable candidates from unfavourable.

Do a broad search for job vacancies and sort the list with those asking for Security+ as a requirement. There are potentially dozens of them with a variety of Fortune 100, Fortune 500 and Fortune 1000. Look a little further at that list - a Defense contractor, a Bank, et cetera.

Why? Because it's recognized - just as Cisco Certifications or CISSP certifications are. It probably isn't revered in the high end security community, but having it is still a basic requirement for even being a candidate for many networking/information technology related jobs.
These jobs that probably may not have anything to do with diving into security - but you may need to be aware of certain aspects of the broad information security topic and how it translates into your networking job or desktop support job which may be entry level or mid level in an organization; where having a high level security certification probably won't influence your pay or may be completely overkill for your job scope.

Also note - just because someone has a CompTIA certification - it doesn't necessarily translate into them being incompetent. A lot of people get CompTIA certifications to put on their resumes because it is asked of you by the broader hiring market - the 99%. Experience makes the difference - but people also list that on their resumes.

As part of an HR team that interviews potential employees - I've seen people with IT degrees that can't put a computer together as well as some Cisco "professionals" who couldn't describe a router to me in more than a sentence.

There's always incompetence and lack of experience - that goes with the territory, but blacklisting a certification completely without understanding the job scopes and roles it applies to is indescribable.
 
If someone was a CCNP and couldn't accurately describe a router I'll eat my fucking sneakers.
 
I'm lookin thru the Security+ stuff and it seems to be mostly broad general knowledge. It's not very technical at all. It would probably be just fine where I currently work. Where I work, the security dept doesn't do too much technical work, they mainly handle policies and such (although they do take care of some smaller scale technical things). The network engineering dept are the ones that handle the border firewall, VPN, IDS, etc. I would like to get into the more technical things, but I realize I do need a base set of knowledge...

How is security handled in other companies that you guys have experience with?

Also every single network security type position I see requires a cert and usually CISSP, CISA, and GIAC are mentioned but it seems those certs require someone who has experience...it's like a chicken and egg situation...how do you get the experience so you can get the cert to get the job that requires the cert ..
 
Lol how is that possible? You learn that in CCENT.

That's kind of what I was getting at, but re-reading the post, they probably didn't mean the actual cert, just someone saying they were a Cisco professional who'd worked on the hardware before.

Cisco certs are about as bulletproof of a cert as you can get.
 
I'm lookin thru the Security+ stuff and it seems to be mostly broad general knowledge. It's not very technical at all. It would probably be just fine where I currently work. Where I work, the security dept doesn't do too much technical work, they mainly handle policies and such (although they do take care of some smaller scale technical things). The network engineering dept are the ones that handle the border firewall, VPN, IDS, etc. I would like to get into the more technical things, but I realize I do need a base set of knowledge...

How is security handled in other companies that you guys have experience with?

Also every single network security type position I see requires a cert and usually CISSP, CISA, and GIAC are mentioned but it seems those certs require someone who has experience...it's like a chicken and egg situation...how do you get the experience so you can get the cert to get the job that requires the cert ..


Where I'm working now the security team is mostly separate from the networking group (my group) and they work on devices like firewalls, VPNs, etc. They do it all from the technical work to the policy creation and such. It's not as much technical work as what the networking group does but it's pretty close.

If you want to break into the security area you'll probably have to take a crappy job to start, unless you know someone who knows someone.

Your best bet is to look very closely at companies for job openings because sometimes they don't widely advertise jobs unless they're high end jobs where it can be harder to find qualified talent, and thus those are most of the jobs you're seeing.
 
That's kind of what I was getting at, but re-reading the post, they probably didn't mean the actual cert, just someone saying they were a Cisco professional who'd worked on the hardware before.

Cisco certs are about as bulletproof of a cert as you can get.

I just realized that the post needs an edit - just for some background:
The guy had his CCNA - self described "professional" :p. He seemed fit for the position which was an entry level networking job and overall the interview was going great. One of the interviewers asked a basic technical question and I'm paraphrasing - Describe a router/routing and how does it fit into a network. When that scene was over - we tried to bring back momentum with a question on IPv4/IPv6.

Between the uh's and oh's - there's various part of a sentence or two. We're still looking for the rest. :eek:
 
never even considered apps with these certs. Let me point out I am a hiring manager for a Fortune 100 security shop.

ok. say I have a masters in computer science or engineering etc. but no certs of any kind;
and another app has CISCO, A+, Network+, Security+, MCSE, CISSP, CISA, CCNP but
no college degree, whom would you hire?
 
ok. say I have a masters in computer science or engineering etc. but no certs of any kind;
and another app has CISCO, A+, Network+, Security+, MCSE, CISSP, CISA, CCNP but
no college degree, whom would you hire?


I think the better question would be....who would get the interview?
 
I think the better question would be....who would get the interview?

Probably the guy with the certs.... CCNP is not for numbskulls.

Then again you didn't say where your masters degree came from. If it were from Virginia Tech, MIT, Carnegie Mellon......you'd probably get the interview. If it was from a fly by night online school....I doubt it.
 
ok. say I have a masters in computer science or engineering etc. but no certs of any kind;
and another app has CISCO, A+, Network+, Security+, MCSE, CISSP, CISA, CCNP but
no college degree, whom would you hire?

Neither of you would even get an interview. We require a related BS degree and a CISSP. Our group does MSSP work and it is heavily promoted that 100% of the operations team hold degrees and a CISSP. I should also go ahead and point out that by related degree I mean a math based CS/AM/Eng type BS degree not a business based CIS/MIS. The exact requirement reads something to the effect of 16 hours of math beyond college algebra to include at least 12 hours of calculus. We do allow folks who have been grandfathered but are being held back from promotion to pad non CS degrees with the policy desired math.
 
heavily promoted that 100% of the operations team hold degrees and a CISSP
so in other words you want people who look good on paper but otherwise are useless... sounds like a lot of the people in the security field I work with... you know, the ones that click "run report" on the $10+k security appliances and then hand off the real work to the technical team for analysis and implementation...
 
We do allow folks who have been grandfathered but are being held back from promotion to pad non CS degrees with the policy desired math.
What a stupid and elitist policy. :rolleyes:
I'm sure whatever moron came up with that probably has a few masters degrees and thinks that every person should have wasted their time and money getting degrees too.
Because obviously that's the only way to gain technical knowledge right?
 
What a stupid and elitist policy. :rolleyes:
I'm sure whatever moron came up with that probably has a few masters degrees and thinks that every person should have wasted their time and money getting degrees too.
Because obviously that's the only way to gain technical knowledge right?


+1....gotta be the dumbest thing I have heard, requiring a degree. I have not one ounce of college background. I went to Computer Learning Center, right out of high school, when they existed. Where I am at today is due to persistence, hard work and the desire to succeed. A degree has nothing to do with it. I can't stand folks who work to the bone, family comes second or have certs and degrees and feel like everyone else should do the same.
 
+1....gotta be the dumbest thing I have heard, requiring a degree. I have not one ounce of college background. I went to Computer Learning Center, right out of high school, when they existed. Where I am at today is due to persistence, hard work and the desire to succeed. A degree has nothing to do with it. I can't stand folks who work to the bone, family comes second or have certs and degrees and feel like everyone else should do the same.

You're welcome to your opinion, but in today's ultra competitive environment that's being naive. If you want to work for small shops then what you've said is certainly on target. If you want to work on the cutting edge for a top quadrant, tier 1 MSSP you will have a degree, a CISSP, and the experience to understand why these are needed. Companies with multi-billion dollar revenue streams don't turn over their networks to "shadetree" security consultants.
 
If you want to work on the cutting edge for a top quadrant, tier 1 MSSP you will have a degree, a CISSP, and the experience to understand why these are needed. Companies with multi-billion dollar revenue streams don't turn over their networks to "shadetree" security consultants.
and how exactly does taking tons of upper level math equate to sifting through firewall logs looking for intrusion attempts?
Or packet sniffing and probing your network for flaws? :rolleyes:
 
You're welcome to your opinion, but in today's ultra competitive environment that's being naive. If you want to work for small shops then what you've said is certainly on target. If you want to work on the cutting edge for a top quadrant, tier 1 MSSP you will have a degree, a CISSP, and the experience to understand why these are needed. Companies with multi-billion dollar revenue streams don't turn over their networks to "shadetree" security consultants.

I work for one of the major MSOs in the country. :confused:
 
You're welcome to your opinion, but in today's ultra competitive environment that's being naive. If you want to work for small shops then what you've said is certainly on target. If you want to work on the cutting edge for a top quadrant, tier 1 MSSP you will have a degree, a CISSP, and the experience to understand why these are needed. Companies with multi-billion dollar revenue streams don't turn over their networks to "shadetree" security consultants.
So anyone that doesn't have a degree falls into the "shadetree" category? Like those big dummies Bill Gates, Larry Ellison, Mark Zuckerberg, and Steve Jobs?

/facepalm
 
I think if you want to work in a major company like that, it's much easier to get an interview when you have certs to back up your knowledge and experience.

It's certainly not impossible to land the job without them, but I think Nicklebon is partially right. In today's competitive landscape, and the relatively inexpensive cost of certifications, why wouldn't you pursue them?
 
I think if you want to work in a major company like that, it's much easier to get an interview when you have certs to back up your knowledge and experience.

It's certainly not impossible to land the job without them, but I think Nicklebon is partially right. In today's competitive landscape, and the relatively inexpensive cost of certifications, why wouldn't you pursue them?

I don't think the certs are the issue. I think it's expecting the college degree on top of certs and experience.
 
I don't think the certs are the issue. I think it's expecting the college degree on top of certs and experience.
Exactly. He specifically said that they not only require college degrees, but even go so far as to hold back people for promotions that either don't have them, or haven't taken extended math courses. :rolleyes:
 
So anyone that doesn't have a degree falls into the "shadetree" category? Like those big dummies Bill Gates, Larry Ellison, Mark Zuckerberg, and Steve Jobs?

/facepalm

No facepalm here. Comparing entrepreneurial front men to a security consultant is a /facepalm.

Bill Gates - Co ported BASIC. His claim to fame has never been his tech skills.

Larry Ellison - Front man. Bob Miner was the brains behind Oracle RDMS. (Guess what his degree was in)

Steve Jobs - Woz was brain, Steve had the vision. He was never the tech guy.

Mark Zuckerberg - From everything I have heard and read about him, he may be the last person on the planet I would allow inside one of our customer's networks. He is the definitive rogue.

Further, each of these men are entrepreneurs and as a rule would not have made very good employees. They are the exception not the rule and there are exceptions to every rule.
 
You're grasping at straws. You won't find a lot of friends here that agree that you don't deserve a promotion based solely on the fact you took 16 credits of math or not regardless of your experience or expertise.
 
I think the only thing that has been settled here is that it's pretty clear "hiring managers" have no fucking clue how or what it takes to actually be successful in IT. Hint: 16 credits of calculus for engineers won't help you.
 
I think the only thing that has been settled here is that it's pretty clear "hiring managers" have no fucking clue how or what it takes to actually be successful in IT. Hint: 16 credits of calculus for engineers won't help you.

I never said it was my policy. That policy was established by the CIO of the company for our research group and adopted by the CSO. I'm also not defending it. I simply point out that's the way it is and if you want to work in a security shop you need to be looking at certs beyond what the help desk level certs Comp TIA has to offer. Whining about how it is isn't fair and is elitist will get you a spot in line with the under/unemployed in an occupy camp. Grow up.

What do you think happens to all the data that various security devices collect? Do you think all that data compares and correlates itself? Do you really think a person slogs through hundreds of gigs of log files a day? All that analysis requires advanced math and our guys write the tools that do it. It seems to me that most of you have no idea what goes on in a real high end security shop.
 
I never said it was my policy. That policy was established by the CIO of the company for our research group and adopted by the CSO. I'm also not defending it. I simply point out that's the way it is and if you want to work in a security shop you need to be looking at certs beyond what the help desk level certs Comp TIA has to offer. Whining about how it is isn't fair and is elitist will get you a spot in line with the under/unemployed in an occupy camp. Grow up.

What do you think happens to all the data that various security devices collect? Do you think all that data compares and correlates itself? Do you really think a person slogs through hundreds of gigs of log files a day? All that analysis requires advanced math and our guys write the tools that do it. It seems to me that most of you have no idea what goes on in a real high end security shop.

I do know that the head of the security team at a top tier university has a BA in arts and photography, little math, and a ton of Cisco certs, and occasionally consulted for the FBI

you can be that choosy because you are huge and are deluged with other qualified candidates, so you have many many great guys to choose from when you interview

but it's silly and elitist to think that you aren't missing out on great employees by having the bar set so strictly high

I'm also not suggesting that finding that one guy out of the additional 10k that apply by loosening your criteria will make it worth it

you hedge your bets and roll with it
 
We require a related BS degree and a CISSP. Our group does MSSP work and it is heavily promoted that 100% of the operations team hold degrees and a CISSP. I should also go ahead and point out that by related degree I mean a math based CS/AM/Eng type BS degree not a business based CIS/MIS. The exact requirement reads something to the effect of 16 hours of math beyond college algebra to include at least 12 hours of calculus. We do allow folks who have been grandfathered but are being held back from promotion to pad non CS degrees with the policy desired math.

I simply point out that's the way it is and if you want to work in a security shop you need to be looking at certs beyond what the help desk level certs Comp TIA has to offer. Whining about how it is isn't fair and is elitist will get you a spot in line with the under/unemployed in an occupy camp. Grow up.
That's not what you said at all. While you do mention the CISSP you emphasize the degree as being the deciding factor in promotions. That IS elitist.

What do you think happens to all the data that various security devices collect? Do you think all that data compares and correlates itself? Do you really think a person slogs through hundreds of gigs of log files a day? All that analysis requires advanced math and our guys write the tools that do it. It seems to me that most of you have no idea what goes on in a real high end security shop.
No. I do not believe people slog through hundreds of gigs of logs a day. But I also do not believe that taking calculus has ANYTHING to do with being able to interpret log files in any way shape or form. Nor do I believe advanced algebra has anything to do with a person being able to analyze security log data.
 
MIT, Carnegie Mellon......you'd probably get the interview. If it was from a fly by night online school....I doubt it.

If I had a masters from MIT I would be headhunted to death, not waste my time
emailing resumes or cover letters.
Only legit schools give out Masters and PhDs; unless it's an honorary degree.

BTW, why is it that those who require BS/BA always seem to have positions open?
Is it because they don't keep their workers long, don't pay, are fly by night, want too much,
are dotcoms with stock options and IPOs?
 
Further, each of these men are entrepreneurs and as a rule would not have made very good employees. They are the exception not the rule and there are exceptions to every rule.

you are right 100%
They are all showmen. Good to be seen, telegenic, extroverts.
Take Donald Trump. His older quieter bro died, and Donald took over. Ever hear
what his bros and sisters are up to? No! They are quiet as a clam and keep a low profile.

Ever hear of Paul Allen?

I know a guy who has a proxy stand in for him at all meetings, a tall handsome man, because the guy always says "I don't have the face for it"... and he is right. He looks like
Gen. Ortega.
Image is everything; substance is nothing.
 
CISSP is bloatware for certs.
Yes you can learn a lot but you will never ever retain all of its teachings.

Little dirty secret about CISSP is that the 2 founders are ex hackers who wanted to profit (that is the short story)

You want to be good at something teach yourself learn from others and read.
Then create test labs at your home with VMware.

CISSP good for those who need a break in the industry. I have labs that blow CISSP out of the water and actually are practical for everyday use. Once I complete my book I will be releasing remote labs for 90 days for people to play around in.

For those that are curious I make $150+ full time work as a Network security Specialist and another $170k-$230k as a consultant. This is without any certs but I do hold a BA SC and 20 + years and a TopSecret-TS clearance for the DoD.
 
CISSP is bloatware for certs.
Yes you can learn a lot but you will never ever retain all of its teachings.

Little dirty secret about CISSP is that the 2 founders are ex hackers who wanted to profit (that is the short story)

You want to be good at something teach yourself learn from others and read.
Then create test labs at your home with VMware.

CISSP good for those who need a break in the industry. I have labs that blow CISSP out of the water and actually are practical for everyday use. Once I complete my book I will be releasing remote labs for 90 days for people to play around in.

For those that are curious I make $150+ full time work as a Network security Specialist and another $170k-$230k as a consultant. This is without any certs but I do hold a BA SC and 20 + years and a TopSecret-TS clearance for the DoD.

Where do you work for DOD?
 