
What are a list of useful certificates for someone who wants to work on the information security field?

I have heard of CISSP but from what I have understood it is way too advanced for someone new to the field, as it is representing years of experience in the field. What are other useful certificates that, say a (future) penetration tester or a (future) digital forensics investigator might want to hold, that are valid and respected by the industry?

NlightNFotis

4 Answers

As others have said, the CISSP is perhaps the most well-known and recognized IT Security certification out there. If you need to start more entry-level, CompTIA's Security+ is a good start, and actually can be used to take a year off of the work experience requirements of the CISSP.

After the basics are out of the way, the question you really need to ask is which certifying authorities are recognized and well-respected. Then, choose a certification from among those offered by those authorities which properly reflects your experience level and skill set.

The key to remember here is that a certification should be exemplary of skills that you already possess - not just an exam that you can cram your way through. Before obtaining a certification, you should have at least some work experience to further demonstrate to potential employers that you actually have experience and knowledge in the subject represented by that certification.

The list referred to by @Rook covers a lot of territory. There's a number of certifications and organizations on there I've never heard of, but it also lists most of the big industry players as well.

  • CompTIA offers a number of certifications covering several domains. However, most of these are very entry-level. The only security-specific certification they have is Security+. Other certifications primarily focus on system or network administration and troubleshooting.
  • (ISC)^2 is all about Information Security. They have several certifications available, including the well-known CISSP. A full CISSP certification requires passing a written test, five years of relevant and verifiable work experience, and endorsement by a current CISSP in good standing. If you fall short of the work experience requirement, you may hold the title of "Associate of (ISC)^2" until such time as you meet that requirement.
  • EC-Council is most well-known for the CEH. Most of their other certifications also center around security and penetration testing, but there are some on other topics such as Forensics and Programming.
  • GIAC was founded by SANS, which is a well-respected institute for security training. As such, they have numerous certifications covering many different aspects of Information Security. After obtaining a GIAC certification, you can also go the extra mile by elevating it to Gold status. This requires you to work with a GIAC adviser who will guide you through the process of writing a research paper (expected to take 6 months) which must be reviewed and endorsed by your adviser and two others in order to be accepted.
  • Cisco is the go-to vendor for networking certifications. The most notable of these is the CCNA. They also offer some certifications which include a security focus. Their highest-level certification is the legendary CCIE, which requires passing both a two-hour written exam and an eight-hour hands-on lab which is only offered at ten Cisco facilities worldwide.
  • Microsoft is, of course, where you want to go to get certified on Windows systems. Perhaps the most well-known, current certification is the MCITP - Server Administrator (formerly known as MCSA). Some of their certifications are also focused on security.

Full disclosure: I currently hold certifications from CompTIA, EC-Council, and Cisco, and am pursuing certifications from Microsoft and (ISC)^2.

Iszi
  • +1 for a much more useful and balanced answer than @rooks's. FD: I have a bunch of certifications myself and am not a pen tester. – adric Oct 12 '12 at 22:16
It sounds like an SSCP may be more your speed; it has a lower work experience requirement than the CISSP. There's also the GIAC GPEN for penetration testing, and the Certified Ethical Hacker from EC-Council.

GdD

As a penetration tester I think that certificates are completely and totally meaningless. You need to prove that you can break software; a certificate just proves that you can get most of the answers right on some test. This is just not applicable to the real world. (Disclaimer: I have a CISSP, and it was only required for the most boring of jobs. What a waste.)

If you want a job in the industry, prove that you are worth something by obtaining CVE numbers. They are free, and it is PROOF that you can break software.

Here is a huge list that will waste your time and money.

rook
  • I agree that certifications usually mean nothing for someone's real skills, but they can make an enormous difference when looking for a job, especially if you're trying to break into a field. Most recruiters wouldn't know real talent if it bit them, but they do spot acronyms. – GdD Oct 12 '12 at 16:08
  • @GdD yeah, and a CVE number shows real talent in the real world. That is work experience, that is proof. The only reason to be certified is if it's **required**. This is why I got my CISSP, and this is a very common reason. – rook Oct 12 '12 at 16:14
  • CISSP is probably one of the few out there that is probably worth getting. – Polynomial Oct 12 '12 at 16:18

Penetration testing certifications like CEH or OSCP will top the list for sure.

As penetration testers and IT security professionals are expected to be experts in their respective fields (after all, you wouldn't entrust your system to someone who does not understand it right?), certificates that demonstrate expertise in a particular area will be helpful.

You might want to consider RHCE for Linux administration and CCNA for networking. You can proceed further with their security certifications if you want.

In addition, while you need working experience to gain the CISSP, you might consider becoming an associate member.

  • Thank you for your answer! RHCE was in my mind too, but was kinda doubtful about it, seeing as it primarily applies to sysadmins. – NlightNFotis Oct 12 '12 at 15:54
  • CEH is absolutely terrible. Please do not suggest it. It claims netcat is a trojan, of all things! – forest May 18 '21 at 23:18