IT security training: CompTIA Security+ vs EC-Council CEH v8 vs ISC2 CISSP vs GIAC/SANS GSEC vs Offensive Security OSCP vs CREST CRT/CCT

Abraham Alawi

For more than 10 years I have worked in IT infrastructure roles with a range of organisations. And as I progress further in my career I find most roles lose their vitality after six months or a year at most: roles can become repetitive and boring, even if I excel at them and my work is admired by my managers and colleagues.

I want to be passionate about what I do, so I've decided to shift careers to a new area that is always dynamic and challenging and also allows me to capitalise on my existing skills and experience accumulated during a decade in IT: Information security.

To prove that I have the required skills and knowledge for such roles I have completed several industry-recognised information security certifications over the past few months: CompTIA Security+, EC-Council CEH v8, ISC2 CISSP, and GIAC/SANS GSEC.

Currently, I’m preparing for Offensive Security OSCP, and CREST CRT/CCT as well.

'Security is a process, not a product' is a widely accepted principle in information security. This process runs across the entire enterprise, and the organisation's IT staff are key elements in it.

In order to improve the effectiveness of the security process, the proper skills and knowledge should be present among an enterprise's IT staff at a variety of levels.

Ideally, IT staff should be categorised into distinct levels in order to provide the appropriate training, and at each level there should be an expectation of a certain set of security skills and knowledge. I suggest that IT staff in this context should be divided into four categories:

1. All IT technical staff
2. Senior IT administrators (systems administrators, network administrators, etc), and lead developers
3. IT managers (up to the CIO), enterprise architects, and IT architects/designers
4. IT security administrators

Based on these categories, I recommend below which certifications enterprises should prioritise for their staff.

By following the outlined recommendations, especially if they are backed by incentives for staff who get certified, an organisation can transform the weakest link in the information systems security chain into one of the strongest links.

Skilled, security-aware staff can protect the IT assets of an organisation much more effectively than most advanced and sophisticated security software and appliances (which in any case can't be leveraged correctly without highly skilled and knowledgeable staff).

Yet technology is normally more efficient. Therefore, investing in both will provide the maximum protection in an effective and efficient manner.

CompTIA Security+

Recommendation:

All IT technical staff including the IT help desk should attend training for this certification, and ideally should be certified as well.

Justification:

CompTIA Security+ is an entry-level certification. It validates foundation-level security skills and knowledge across the IT infrastructure, so certification holders can be trusted to manage the resources under their control safely and to protect them from unsophisticated attacks.

This basic knowledge can be viewed as the anti-virus equivalent for the brains of IT staff: it protects them from social engineering attacks and steers them clear of introducing security vulnerabilities unknowingly. Moreover, it enables IT staff to confidently educate non-IT staff about security issues, leading to greater security awareness across the enterprise.

CompTIA Security+ is a vendor-neutral security certification, and it covers the following 6 domains at a high level:

1. Network Security
2. Compliance and Operational Security
3. Threats and Vulnerabilities
4. Application, Data and Host Security
5. Access Control and Identity Management
6. Cryptography

EC-Council CEH (Certified Ethical Hacker) v8

Recommendation:

IT security administrators should at least attend training for this certification if they can't afford training for higher-level certifications such as Offensive Security OSCP, CREST CRT/CCT, or GIAC/SANS.

Justification:

EC-Council CEH is intended to be an advanced technical-level certification that focuses on common hacking attacks and their countermeasures. However, the actual exam is relatively easy, with straightforward questions; many candidates can pass it merely by memorising and cramming. Hence, it does not reliably validate that the certification holder is knowledgeable in the domains covered.

EC-Council CEH v8 is a vendor-neutral security certification, and it covers the following 19 domains:

1. Introduction to Ethical Hacking
2. Footprinting and Reconnaissance
3. Scanning Networks
4. Enumeration
5. System Hacking
6. Trojans and Backdoors
7. Viruses and Worms
8. Sniffers
9. Social Engineering
10. Denial of Service
11. Session Hijacking
12. Hacking Webservers
13. Hacking Web Applications
14. SQL Injection
15. Hacking Wireless Networks
16. Evading IDS, Firewalls, and Honeypots
17. Buffer Overflow
18. Cryptography
19. Penetration Testing

ISC2 CISSP (Certified Information Systems Security Professional)

Recommendation:

All IT managers up to the CIO, including enterprise architects and IT architects/designers, should attend training for ISC2 CISSP. Senior IT technical staff should attend it as well, but if they have to choose between ISC2 CISSP and GIAC/SANS GSEC, the latter should be chosen.

Justification:

ISC2 CISSP is an advanced management-level certification, and it covers, at a high level, most aspects of information systems that IT managers will have to make decisions about.

The more aware they are of the potential risks and security issues in what they manage, the wiser and better-informed their decisions will be.

Moreover, by attending this training, enterprise architects and IT architects/designers will be better able to proactively address the security risks associated with a design and to embed the necessary security controls at the initial stage rather than after the fact.

ISC2 CISSP is a vendor-neutral security certification, and it covers the following 8 domains:

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
   • Confidentiality, integrity, and availability concepts
   • Security governance principles
   • Compliance
   • Legal and regulatory issues
   • Professional ethics
   • Security policies, standards, procedures and guidelines

2. Asset Security (Protecting Security of Assets)
   • Information and asset classification
   • Ownership (e.g. data owners, system owners)
   • Protect privacy
   • Appropriate retention
   • Data security controls
   • Handling requirements (e.g. markings, labels, storage)

3. Security Engineering (Engineering and Management of Security)
   • Engineering processes using secure design principles
   • Security models fundamental concepts
   • Security evaluation models
   • Security capabilities of information systems
   • Security architectures, designs, and solution elements vulnerabilities
   • Web-based systems vulnerabilities
   • Mobile systems vulnerabilities
   • Embedded devices and cyber-physical systems vulnerabilities
   • Cryptography
   • Site and facility design secure principles
   • Physical security

4. Communication and Network Security (Designing and Protecting Network Security)
   • Secure network architecture design (e.g. IP & non-IP protocols, segmentation)
   • Secure network components
   • Secure communication channels
   • Network attacks

5. Identity and Access Management (Controlling Access and Managing Identity)
   • Physical and logical assets control
   • Identification and authentication of people and devices
   • Identity as a service (e.g. cloud identity)
   • Third-party identity services (e.g. on-premise)
   • Access control attacks
   • Identity and access provisioning lifecycle (e.g. provisioning review)

6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
   • Assessment and test strategies
   • Security process data (e.g. management and operational controls)
   • Security control testing
   • Test outputs (e.g. automated, manual)
   • Security architectures vulnerabilities

7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
   • Investigations support and requirements
   • Logging and monitoring activities
   • Provisioning of resources
   • Foundational security operations concepts
   • Resource protection techniques
   • Incident management
   • Preventative measures
   • Patch and vulnerability management
   • Change management processes
   • Recovery strategies
   • Disaster recovery processes and plans
   • Business continuity planning and exercises
   • Physical security
   • Personnel safety concerns

8. Software Development Security (Understanding, Applying, and Enforcing Software Security)
   • Security in the software development lifecycle
   • Development environment security controls
   • Software security effectiveness
   • Acquired software security impact

GIAC/SANS GSEC (Security Essentials)

Recommendation:

All senior IT administrators (e.g. systems administrators, network administrators), including the security administrators, and the lead developers should attend training for GIAC/SANS GSEC, and ideally should be certified as well.

Justification:

GIAC/SANS GSEC is a relatively advanced technical certification that covers the security aspects of the core IT infrastructure components and technologies (e.g. networking, MS Windows, Linux) that most senior IT administrators have to interact with in one way or another.

The target audience for the certification, according to GIAC, is security professionals. However, security is a shared responsibility: the IT infrastructure of enterprises is very large and complex, while IT security teams are normally small with limited resources.

Thus, other senior IT administrators should share in the basic security work by having sufficient knowledge and skills to harden their own systems. Distributing the load in this way provides more security assurance across enterprise IT systems.

The security administrators secure the network perimeter and the overall IT infrastructure, while other IT administrators should secure and harden the systems under their control. Accordingly, this provides defence-in-depth across the enterprise IT infrastructure.

GIAC/SANS GSEC is a vendor-neutral security certification, and it covers the following topics:

• 802.11 attacks & countermeasures
• Access Control Theory
• Alternate Network Mapping Techniques
• Authentication and Password Management
• Common Types of Attacks
• Contingency Planning
• Critical Security Controls
• Crypto Concepts
• Crypto Fundamentals
• Defense-in-Depth
• DNS
• Firewalls
• Honeypots
• ICMP
• Incident Handling Fundamentals
• Information Warfare
• Intrusion Detection Overview
• IP Packets
• IPS Overview
• IPv6
• Legal Aspects of Incident Handling
• Linux/Unix Configuration Fundamentals
• Linux/Unix Logging and Log Management
• Linux/Unix OS Security Tools and Utilities
• Linux/Unix Overview
• Linux/Unix Patch Management
• Linux/Unix Process and Service Management
• Mitnick-Shimomura
• Network Addressing
• Network Fundamentals
• Network Mapping and Scanning
• Network Protocol
• Policy Framework
• Protecting Data at Rest
• Public Key Infrastructure (PKI)
• Reading Packets
• Risk Management
• Securing Windows Server Services
• Steganography Overview
• TCP
• UDP
• Virtual Private Networks (VPNs)
• Viruses and Malicious Code
• Vulnerability Management Overview
• Vulnerability Scanning
• Web Application Security
• Windows Auditing
• Windows Automation and Configuration
• Windows Network Security Overview
• Windows Permissions & User Rights
• Windows Security Templates & Group Policy
• Windows Service Packs, Hotfixes and Backups
• Windows Workgroups, Active Directory and Group Policy Overview
• Wireless Overview

Offensive Security OSCP (Offensive Security Certified Professional)

Recommendation:

IT security administrators should attend training for Offensive Security OSCP, and ideally should be certified as well.

Justification:

Offensive Security OSCP is a relatively advanced penetration-testing certification. Offence informs defence: security administrators will be able to defend the organisation's IT assets effectively if they can think like attackers and know the tools and techniques that attackers use.

The course covers a wide range of common hacking attacks and tools, and provides access over a VPN to a controlled lab environment in which to gain hands-on (legal) experience of performing such attacks.

To be certified, the candidate needs to compromise systems in a controlled lab environment and submit a penetration-testing report.

CREST CRT/CCT

Recommendation:

IT security administrators should at least be certified by CREST CRT, which is an entry-level penetration-testing certification.

There is no official training for this certification, but unlike Offensive Security OSCP, it involves a practical test conducted in person rather than remotely, which gives the certification holder more credibility.

Justification:

The same reasons as given above for Offensive Security OSCP.

Abraham Alawi is a solutions architect and DevOps engineer who has worked across a number of prominent Australian enterprises.
