
Feeling Certifiable: Building Security Credentials from Beginner to Expert

BSides Boise · 2020 · 27:06 · Published 2020-10
Category: Career
Difficulty: Intro
Style: Talk
About this talk
A practical roadmap for security professionals pursuing industry certifications, covering major credential paths (CompTIA, ISC², Cisco, Microsoft, ISACA), DoD 8570/8140 frameworks, and cost-effective preparation strategies. The talk compares certification advantages over traditional education and recommends entry-level through advanced certifications based on career stage and specialization.
Original YouTube description:
This session will review major security certifications, develop a potential roadmap for security professionals who are seeking to become certified, and discuss some inexpensive ways that professionals can prepare for certification exams.
Transcript [en]:

All right, three, two, one, and go. Good evening. I hope everyone's had a pleasant day and learned as much as I have from BSides Idaho 2020. I'm Steve Kirby, and I'm a security engineer with BrightSpring Health Services in Louisville, Kentucky. I want to talk about a subject that's near and dear to my heart today, which is IT certifications, and security certifications in particular. Before we get started, I want to mention that if you notice down at the bottom there is a TinyURL address. You might want to jot that down or make a screenshot; that will get you a link to where you can download the slides, because people seem to like to do that, and it was just easier to do it this way than to worry about shuffling them back and forth. So if you want to come back and get that after the session's over, it'll be there for you to see.

I might tell you a little bit about myself. I'm a former graduate student in history, many, many years ago. I worked for almost 10 years as a reference librarian and kind of fell into IT work: started off running a small Artisoft LANtastic network sharing CD-ROM databases back in the late 1980s, and that moved on to Novell NetWare, and then discovered Unix and spent 26 years of my life as a Unix systems administrator. I've worked with some really old, crusty stuff, so I won't bore you with the details, but a lot of it now is museum-grade stuff.

Along the way I picked up an interest in security work, as I tell people, mostly as a means of preserving paycheck continuity, because a lot of the systems I worked on were high profile from somebody's perspective, and having a security breach would not have been a good thing. I have earned a dozen security certifications in the last few years, and that's important, especially for a talk like this, because, you know, somebody who has certifications obviously is well informed and knows what they're talking about. I've got some of mine listed there; there are others, but those will give you some idea of what I'm about.

I should open with a disclaimer that the views and opinions that are expressed here are entirely my own. My employer hasn't screened them, hasn't approved them; in fact, most of the people I work with don't even know that I'm doing a presentation today. So this is entirely me, and my employer should be held blameless and all that good stuff.

The question we're going to ask is: are you certifiable? People have been telling me for years that I am, and I thought it was a compliment. I thought they were saying that it would be easy for me to get certified in IT things. I don't think that's what they meant. But the question we need to ask is, can you do it? And the answer is, of course, yes. It's not all that difficult.

Certifications have a lot of advantages over formal education, for example a university degree or maybe some specialized study, and I say that speaking from the perspective of someone who spent 25 years in higher education. I believe in it, but there are advantages that certifications offer over conventional higher education. Number one, and possibly the most obvious, is that it's faster. A four-year degree takes four years once you get started; I guess you could possibly knock out some certifications in a matter of weeks. It's also cheaper. Higher ed is not the value it was. People I work with are stunned to find out that when I graduated from college... excuse me. Sorry about that, the lights are apparently on a timer. When I graduated from college back in the late 1970s, tuition was about $15 a credit hour. It's gone up considerably since then. And of course the other advantage that certifications have is that they are more focused on job skills, so it makes it easier to apply what you've learned to any positions you might be trying to obtain.

Now, it helps to have a framework if you're trying to decide what certifications you want to pursue. The one that I settled on was the Department of Defense's 8570 or 8140 regulations. Originally it was 8570; 8140 is the updated version, and there's a link there at the top of the page. It's a little bit more complicated than what I've got displayed here, but basically these regulations divide IT certifications into two groups: one, the IAT group, which would be for technical people who do hands-on work, and the other for managers, labeled IAM. There's a little bit of overlap between them; some certifications could be used for either category, but by and large it separates out two distinct paths depending on what sort of positions you think you might want to apply for now or in the future.

I'm going to do a little bit of what I call exception handling. We're going to go back and talk about some of those certifications from the DoD in a moment, but I want to mention first of all Microsoft's MTA certifications, which are not included on that list; they don't have the Department of Defense's blessing. There are quite a few of them. They're entry-level certifications that are geared towards high school students or college students or people who are looking to change jobs, like, for example, someone who's been working on a help desk and is looking to make a transition into something a little bit more advanced. They offer three that I would recommend highly: one for Network Fundamentals, which would introduce you to basically Windows networking and some TCP; Security Fundamentals; and then Windows Server Fundamentals. Because the Network Fundamentals and Server Fundamentals certifications talk about assets, those are the things that security professionals are trying to protect, and so it helps to have an understanding of what those are about.

Hey Steve, Steve, can you hear me? [Music] Yes. You're not advancing the slides for the viewer. Hmm, where did we get to? Yeah, Steve, we're on the first slide. You might have to kill your share and then re-share, possibly. Yep, looks like it. Thank you, sorry. That's all right. How's that? Perfect, thanks. Good deal. Okay.

And there's the DoD 8570 list that I mentioned; that's a very useful framework for selecting certifications that you might want to pursue. I mentioned Microsoft's MTA. Those are the ones that I would recommend most, but there are others in addition; for example, if you wanted to learn about SQL Server databases or other Microsoft technologies, that would be one avenue to pursue, and we'll talk about that a little bit later when we talk about strategies for pursuing certification.

I also want to mention Cisco. They have recently revamped a lot of their certification program; a lot of the certificates that were listed on the Department of Defense site no longer exist or have had their names changed. One that has had the name changed is the CyberOps certification, and that one's still around, but it is an entry-level certification that would be really useful if you're looking for a career in network security; it's designed to obviously provide that sort of background. One that has kind of gone by the wayside: there used to be separate CCNA, their middle-level network associate certifications, for security and other tools. Those have all been combined into one CCNA exam, so you don't have that option available to you anymore. But it's not useful to note that those do exist on the Department of Defense site, but you won't be able to actually take those certs any longer.

Which leads us to some certification bodies. There are several that bear special attention. One would be CompTIA, the Computing Technology Industry Association, and they are a very common, very popular supplier of certification services, ranging from lower-level certs like A+ or Network+, which would be comparable to the Microsoft Network Fundamentals certification that I mentioned; Security+, which is probably the best-known entry-level certification available; and then other, more advanced certifications like Cloud+, which obviously deals with cloud solutions; their CySA, which is a blue-team Cybersecurity Analyst, I believe, is what it stands for, a certification that teaches you how to deal with computer incidents and how to protect assets; PenTest+, the name is reasonably descriptive, it is to teach people who are interested in penetration testing and offensive security; and then last but not least is the CASP+, which is their top-level certification for people with about 10 years of experience. It is a hands-on, techie certification, as opposed to some others that we'll talk about here in a minute. It's not designed necessarily for people who want to be managers, but it's designed for people who want to be doers and actually be involved in day-to-day technical operations, and I possess that one and value it very highly.

One neat thing that CompTIA started doing a couple of years ago is what they call stackable certifications, and what that allows you to do is combine two or more certifications together and derive a third certification. For example, Security+ and their Cloud+ certification gets you Secure Cloud Professional. So it's a way of validating that you have a skill set that transcends the confines of one particular cert.

ISC², or the International Information Systems Security Certification Consortium, is another popular certification body, and they produce two certifications that we'd want to talk about. One is the SSCP, the Systems Security Certified Practitioner. That is an entry- to intermediate-level certification, and it may be one of the best values on the certification market. You could take this test for about $250, as opposed to over $300, I think, is the standard asking price for most of CompTIA's certs; some are even more expensive than that. ISC² also offers the CISSP, or Certified Information Systems Security Professional, and that is probably the gold standard for advanced security certifications. A lot of people I know have that on their professional bucket list. They want to achieve that certification; once they have done that, they feel like they will have gone as far in their profession as they need to go.

A possible alternative to ISC² is ISACA, which formerly had a long name and decided, sensibly, to change it to just ISACA, and they offer three certifications I'd like to mention. The first is a relatively new one, the CSX Cybersecurity Fundamentals, which is an entry-level certification, but it's not as basic in its approach as, say, Security+ or the Microsoft certs. I thought it was a little bit more difficult when I looked at the sample questions. The nice thing about this is that, as opposed to some other certification bodies, there's no continuing education requirement. So in addition to getting the ISACA name behind it, you don't have to go through continuing education in order to keep the certification current. Virtually all CompTIA certifications and all of the ISC² certs do have that requirement.

The most common high-level cert from ISACA would be the CISM, the Certified Information Security Manager, and that's another popular one that would be a counterpart to the CISSP. I know a lot of people who have both; apparently there's a lot of overlap in the study, so the folks I know have gotten one and immediately launched into preparing for the other, because it cut down on the amount of study time. And then last but not least is the CISA, or Certified Information Systems Auditor, and that name is pretty much self-explanatory. It's designed for auditors or people who want to take charge of ensuring compliance and systems management.

So there we've got a very brief outline of a possible security certification path. You might want to begin with something like the Microsoft MTA or Cisco CyberOps or some of the lower-level CompTIA certifications, and spend the first two to five years of your career building out a foundation based on those certs. As you get a little bit more experience, you could then start to look at things like the CySA+ or PenTest+, even Cloud+, or the SSCP. And as a capstone, once you've got to maybe the 10-to-12-year experience mark, you might want to look at something like CASP+ or the CISSP or CISM; the latter two would be if you perhaps wanted to go into management.

I should make a little bit of a mention about potential online training providers, because some of these certifications can be quite expensive to prepare for unless you do it yourself or do something other than the vendor-supplied training. There's a nice market in vendor-supplied training, and the market can be quite substantial. One source for training that I would recommend would be Pluralsight: very popular and a good source of videos on individual topics. If you notice there, they've got the CISSP and the CISM and Security+. So in most cases they're going to have one course per certification; it will be very in-depth and very, very well done. I've been a loyal Pluralsight customer for a long time. In addition to certification training, Pluralsight, I should mention, also offers training in security tools, things like Splunk for a SIEM, or vulnerability scanning, or things like security frameworks, that could be useful for learning job skills or for continuing education as you move along in your career.

LinkedIn Learning is another potential source of training. It's very similar in a lot of ways to Pluralsight. It used to be known as Lynda.com, and one reason people like LinkedIn Learning, or Lynda.com, as a source is it's often possible to get free access to it from your local public library. Microsoft bought Lynda.com about 18 months ago. I don't know how long they're going to continue that policy, but I've talked to people that have done it recently, so the program hasn't been revoked yet. Again, you're going to have one course, one set of courses, per certification, and they're also, for the most part, quite good.

One of my favorites is Udemy. Udemy is kind of a contrast to Pluralsight and LinkedIn Learning. They do offer online video courses, and some of them are quite good, some of them are not, so it's kind of a hit-or-miss proposition. But in this case you're going to have possibly a half dozen or so courses, possibly even more, I guess, dealing with the same certification, but they're provided by different individuals or different groups. Some of them are better than others; some of them are a lot better than others. So it's important that when you evaluate Udemy you look at things like the star rating over here on the right-hand side. It gives you some idea of what people who have taken the course think of it. You also want to evaluate... not again. You also want to evaluate the last update, because some of these courses can take several years to develop and they go out of date from time to time. Sometimes they get left out on Udemy for purchase even though they're dealing with an older version of the certification.

Packt Publishing is one of my personal favorites. In addition to their relatively inexpensive subscription price, you can actually buy a lot of courses that are available through Udemy and download them and take them with you on your laptop. With Pluralsight and LinkedIn Learning you can download to mobile devices; I don't recall if they have applications for PCs and Macs or not. But with Packt you can get a subscription that would cover a subset of what's on Udemy anyhow, and in addition to that you get access to the electronic books to go along with the videos.

I will mention a few instructors and publishers that I'm fond of. These folks are both on Packt and on Udemy: Jason Dion would be one, Mike Meyers and Total Seminars would be another, and Thor Pedersen, who specializes in the advanced-level certifications like CISSP and CISM, would be a third. Cybrary is one a lot of folks are familiar with. They've recently changed their business model and I don't recommend them as highly as I used to. They've got some good material, but it can get a little pricey these days. It used to be well known because the training was free and you paid for certificates of completion, but that has changed. And last but not least I want to mention Professor Messer, who offers courses through his own website and then on YouTube free of charge. He makes his money from selling course notes and other printed study materials. I haven't actually taken any of his courses, but I know several people who have who swear that they're quite good, so I recommend them very highly.

So to wrap up and summarize what we talked about: credibility as a security professional comes from a combination of experience and credentials. The two are not competing; they're complementary. Credentials complement experience, but they don't replace it, and vice versa. I think systems and networking experience is essential for security work, because they're a large part of the assets we are protecting, so it's important to have a good fundamental background in both systems and networking if you want to be a security professional. Things like patching, hardening, and configuration skills can be reinforced with security certifications. And of course, as we mentioned, even after your career is launched you'll need to earn continuing education credits to keep most of your certifications, and that means that learning never stops. Hopefully this brief chat has provided an overview of a potential framework for chasing security certifications and a reminder of some of the excellent low-cost means of learning. I think we have a few minutes left; I'll be glad to field any questions.

Yeah, sure. Thanks, Steve. Thank you, very good information, great resources there. There is a question that we do have; I've transcribed it in there. Okay. Also, I noticed, yeah, you need to tell your company to pay the power bill there. No, I didn't... the lights went out a couple of times. We were thinking maybe, like, put a Roomba, and put maybe a broomstick with a witch riding it or something, around in the back. I think it would take something like that. I wasn't prepared for that, because I moved out of this building for a year, and when I left the lights would stay on in perpetuity; if I turned them on, they stayed on. Apparently that has changed while I was gone. Well, maybe we can hack into the light system. Well, let's get to the questions.

Question here: so you mentioned a lot of learning resources. Is there a starting place, any particular learning resources you would recommend, for somebody just starting out? Like one of those you mentioned, maybe?

The starting place: I would default towards Pluralsight, in all likelihood. It's not terribly expensive if you want to buy a monthly account for it; it's about $30. I think LinkedIn Learning is about $25, and if you want to gamble on one of the Udemy courses you can often find them on sale for $10 to $15. And the nice thing about Udemy is that once you have access to the course, you've got it for life; it never expires, whereas Pluralsight and Lynda or LinkedIn are subscriptions that require an ongoing commitment. But I would probably start with one of those three.

That's a good point. You could buy them à la carte depending on what you're interested in, or if you want a subscription model you could do that as well and just kind of go for the whole thing, whichever works best for you. All right. Also relating to that, if you're really interested in just certification, say you're interested in CISSP, is there a particular one of those learning resources that might be better than another?

Well, the fellow who wrote the CISSP training for ISC² is the one who does the CISSP preparation course for Pluralsight; that would probably be a good one to start with. For Security+, Jason Dion's is quite good, the one that Mike Meyers has produced is quite good; I would recommend either of those for folks who are looking for an entry level. Thor Pedersen, whom I mentioned, who's on Udemy and available through Packt Publishing, does a great job for CISSP and CISM but doesn't do any of the entry-level certifications. And Professor Messer for Security+ and/or Network+ would be hard to beat, because those resources are available for free, for no charge.

All right, excellent. Very good, good resources. Any last words in summary? No, I think that's all I've got for tonight. I probably need to get out of here before the lights go out again. Good call. All right, with that, thank you very much, Steve, excellent information. Thank you. Thank you.