Security Certification 3/3 – Doing and Teaching
- At January 13, 2012
- By Josh More
- In Business Security
This post is part 3 of a series. Please see posts 1 and 2.
So you’ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight… or, in this case, demonstrate that you know stuff. (Which is a lot like fighting if you leave out all that tedious stuff about hitting people.)
I like to follow the old cliché “Learn One, Do One, Teach One”. So you’ve learned something. The next step is doing something with it. Since we’re talking about security, the best option would probably be to stop a bad guy. Sadly, that’s not always feasible. Fortunately, you have some options.
Doing
One thing I strongly suggest is joining an open source project. I used to suggest starting one, but it seems that whenever I said that, someone would run off and make a new network scanner. We have enough of those.
Join a project that uses modules. Metasploit is good. So are SET and Nmap. If you’re webby, take a crack at extending w3af. This will force you to understand a system, improve a system and work with others to get your change accepted. In short, it demonstrates everything that a prospective employer wants.
Suppose you’re not a programmer. That’s OK. You can use the tools above to run assessments. Assess your home network to learn how everything works, then start calling local non-profit groups. Offer them a scan in return for the ability to post a summary of the results online (after they approve the anonymization of the data). Now, there is a bit of risk here, so you might want to investigate errors and omissions insurance beforehand. At the very least, consider one of the “approval” forms so that you’re protected. Learning the ins and outs of these sorts of assessments demonstrates that you not only have the technical skills, but that you can also use them in a meaningful way.
(Note: Never give anything away for free. This is a scan in exchange for publicly-viewable experience. If you offer to work for free, all you’ll do is get a lot of clients… who also want you to work for free.)
Now, those two paths are all well and good if you’re technical. However, we have some people in this field that aren’t technical at all. There’s nothing wrong with that… but be aware that to be truly successful you have to understand both technology and people. Try to branch out.
If you’re not going to branch out, you can still help an open source project. Documentation on many projects is… well, to call it “lacking” would be like calling the Titanic “a boat that encountered a spot of bother”. There’s a lot of need there and a lot of wikis that are fully editable, so get cracking. You might also be able to help with project management, with resolving disputes on mailing lists, or by prioritizing bugs based on user impact. You know, basically doing all the tasks that stereotypical geeks aren’t very good at.
The next step is to promote the fact that you’ve done something. The best way to do this is teaching, and the Internet makes this easy.
Teaching
Teaching is all about sharing knowledge. While the traditional teaching option of holding a class is still viable, it doesn’t give you the same range of exposure as techniques like blogging and vidding. You certainly get a more personal connection by teaching a class and the people consuming your content might absorb it better, but if you’re wanting to build a brand and try to jump into a better job, you have to cast wide. Here are some options:
Basic blogging is much like what you’re reading now. Just grab yourself a domain, link it to WordPress and go. The difficulty with blogging is the tendency to lose time to “research”. If you’re new to blogging, give yourself two days (20 hours) of research time on how to blog. A good place to start is the Converstation Archives. Once you’ve done that, build a list of topics and give yourself one hour for each topic. Give yourself 20 minutes to write the content, 20 minutes to edit the content (after waiting a day or so), and 20 minutes to publish the content on WordPress (this includes adding links and images). You can spend more time than that on posts that matter strongly to you (as I did on this series), but be careful not to spend too much time. If you keep trying to make it “perfetc”, it’ll never get published.
Micro-blogging is a lot like blogging, but you say more with less. In the US, Twitter is the most popular micro-blogging platform, but Facebook and Google+ are challenging it. Personally, I find this a very difficult medium. What works for me is to write a blog and then excerpt key phrases from it for micro-blogging purposes. If you’re gifted in this medium, feel free to start here. However, if you use it for professional purposes, please try to avoid the shorthand that’s common in the medium. U wont get jobz talking lik this.
Vidding and podcasting are other techniques that I’m not personally comfortable with, but which work for a whole lot of people. This is as simple as sitting in front of a web camera and talking to an audience that you hope will emerge over time. My attempts at podcasting were all aborted because the editing took too much time. Perfectionism and linear editing do not mix well. I hope to give this a shot again later this year, but we’ll see. It’s very hard for me.
One friend suggests that these techniques are made easier if you have a script. Granted, you have to practice to make sure it doesn’t sound scripted, but this is very good advice. I’ll have to try it the next time I give this technique a whirl.
Graphically-intensive content such as infographics and comics is another way to get the message out. I’ve done tons of infographics (few are public) and a fairly large graphic novel that has been “in progress” for the last five years. The trick here is not biting off more than you can chew. If you are skilled graphically, take a shot at illustrating what you’ve done and sharing it with others. This can be a very powerful technique.
There are tons of other methods. If you think I’ve missed something important, please let me know in the comments.
Conclusion
This has been a lot of text… but hopefully this has answered your certification questions at a very high level and explained how to extend your learning. If you do this, you should gain something more directly useful to you than tacking a few letters to your name. Of course, it’s a bit more complex than this in “real life”.
In addition to what I described here, each certification comes with its own community which may or may not mesh with your needs. Personally, I mesh well with the SANS community and not very well with the ISC(2) community… but this is extremely personal. There’s no way to know where you’ll mesh without giving it a try, so pick the certification based on what you need to learn and figure out the social aspects once your certification grants you access to a community.
Similarly, the “doing” and “teaching” phases only work if you dedicate enough time to them. Your journey doesn’t end when you get the certification, so if you can’t devote the time from your life to complete the process, you should seriously reconsider whether to even get a certification in the first place.
However, if you can afford the time to learn, do and teach, you should see your professional life advance extremely quickly.
Security Certification 2/3 – Learning
- At January 13, 2012
- By Josh More
- In Business Security
If you’re reading this post, it is assumed that you’ve already read my post on what certifications are for. If not, go there and check it out. This post details my method for comparing certifications.
First, go to each certification’s website and review each certification’s prerequisites. If you don’t have any of them, it’s probably not wise to do the next step with that one. While I recommend challenging yourself and pursuing a certification for which you do not have all of the prerequisites, if you have absolutely none of them, you’ve identified what you need to learn, and the certification you are considering will not teach you that.
Second, consider your career trajectory… then throw it away. Some certifications have specific paths that are laid out for you. If you go into the CISSP world, you’re “supposed” to be a manager. If you use Offensive Security, you’re “supposed” to be a penetration tester. While it’s true that these certifications have somewhat high value in these areas, increasingly, security practitioners are expected to know a bit of everything and be good at what they’re good at. It’s about the learning process. Unless you have no interest in learning (in which case, go away, this post is not for you), you’ll be better off picking a certification based on what you’ll learn from the process. If you pick a career path laid out for you by someone else, you’re not only trusting your life to guesswork… but to someone else’s guesswork. For example, my grandfather gave me my first computer because it was the wave of the future… but also gave me a slide rule… “because you’ll need to be able to take something into the field with you”. If you’re going to screw up your career path, at least do yourself the favor of doing it to yourself so you can analyze why you wound up where you did and can correct from there.
Third, review what the different certifications cover. For each topic covered, give yourself a rating based on how well you know the topic.
- 0 = No idea what the topic means
- 1 = Have a bit of clue about the topic, maybe played with it in a lab
- 2 = Have done this professionally or played with it a lot in a lab environment. Still have room to learn.
- 3 = Have done this enough to consider yourself something of an expert
- 4 = Understand this topic inside and out. Comfortable teaching it to others.
Now, take an average of all your ratings and divide it by four. This will give you a percent of what you already know from what the certification will teach you. Subtract this from 100% to get the amount you will learn from the certification.
Fourth, you have to factor in your time. Most of us have a loaded rate for work that includes salary and benefits. If you know this number, use it. If not, take your hourly rate (convert if you’re salaried) and multiply it by 1.5. If you’re unemployed, figure out what you’d charge doing freelance work. You can quibble over this all you like. Really, you’re just measuring the cost of the time it takes to gain a certification, as that time could be used to boost your skills by working overtime at your day job or doing freelance work in the evenings.
Finally, estimate the time you’ll spend on the certification, multiply it by your rate, add the certification costs and you’ll have a dollar estimate. Take your learning percentage and divide it by the dollar estimate and you’ll get a number that you can use to compare how valuable that particular certification will be for you.
In other words, Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification)). When comparing certifications, the highest value wins.
Here are two examples. Since a lot of the information about tests is hidden behind registration links, I won’t do a complete analysis… just enough to give you an idea of what I’m talking about. In this, we’ll assume that my time value is $50/hr. Basically, I am choosing this number because it makes the math easier and should be in line with a mid-level career person that loves learning enough to drop the “personal cost” a bit. If you’re entry level, it’ll be lower. If you’re well seasoned and have other hobbies, it’ll be higher.
Note: I am also assuming a “zero” time cost to taking in-person classes. There is actually a time cost here, but for most people, it’ll be incurred by your organization, not you. If this isn’t the case, add the time cost back in.
Example: CISSP-ISSAP
This certification would extend my existing CISSP to focus on architecture. Reviewing the Candidate Information Bulletin, there’s a lot of information covered. Here are the first two domains. My score for each point is in brackets at the end. (The typo for “Methodology” is theirs… sorry.)
1) ACCESS CONTROL SYSTEMS AND METHODOLGY
A. Apply Access Control Concepts Methodologies, and Techniques
A.1 Application of control concepts and principles (e.g., discretionary/mandatory, segregation/separation of duties, rule of least privilege) [4]
A.2 Access control administration [4]
A.3 Identification, authentication, authorization, and accounting methods [3]
A.4 Identify and access management architecture [3]
B. Determine access control protocols and technologies (e.g., RADIUS, Kerberos, EAP) [3]
2) COMMUNICATIONS & NETWORK SECURITY
A. Determine Communications Architecture
A.1 Unified communication (e.g., convergence, collaboration, messaging) [2]
A.2 Transportation mechanisms (e.g., voice, facsimile) [4]
B. Determine Network Architecture
B.1 Network types [3]
B.2 Protocols [3]
B.3 Securing common services (e.g., wireless, email, VoIP) [4]
C. Protect Communications and Networks
C.1 Firewalls [4]
C.2 Gateways, routers, and switches architecture (e.g., access control, segmentation, out-of-band management) [4]
C.3 Detection and response [4]
C.4 Content filtering [4]
C.5 Device control [4]
D. Identify Security Design Considerations and Associated Risks
D.1 Interoperability [2]
D.2 Audit requirements (e.g., regulatory, legislative) [3]
D.3 Security configuration (e.g., baseline) [4]
D.4 Remote access [4]
D.5 Monitoring (e.g., sensor placement) [4]
D.6 Network configuration (e.g., physical, logical, high availability) [4]
D.7 Operating environment (e.g., virtualization, cloud computing) [4]
So, for the first two domains of the CISSP-ISSAP, we get (4+4+3+3+3+2+4+3+3+4+4+4+4+4+4+2+3+4+4+4+4+4) / (22 * 4) = 0.886 for a “known” ratio. This means that the percentage that I have to learn is 11%.
Now let’s look at costs. The official textbook runs $80. The review class runs $2,195. The test costs $449. And the certification costs $82.50. (Not required, but included because the GIAC cert comes with passing the test and we want to be as fair as possible.)
So, we have two options.
* Take the full in-person class (assuming the course book is included with the class): $2,195 + $449 + $82.50 = $2,726.50. Add to this study time of 20 hours at $50/hr and you get $3,726.50.
* Wing it with the textbook: $80 + $449 + $82.50 = $611.50. Add to this study time of 40 hours at $50/hr and you get $2,611.50.
So, if I were to take the in person class, I’d get a learning value of 11/3,726.50, or 0.295%. If I were to wing it, my learning value would be 0.42%… but the burden of the work would be on me.
Example: SANS/GIAC GXPN
Let’s compare this to the SANS/GIAC Advanced Penetration Testing Essentials / GXPN option. Looking at Day 1, we have the following list of learning objectives:
Low profile enumeration of large Windows environments without heavy scanning [1]
Strategic target selection [2]
Remote Desktop Protocol (RDP) [1] and man-in-the-middle attacks [1]
Windows network authentication attacks (e.g., MS-Kerberos, NTLMv2, NTLMv1, LM) [2]
Windows network authentication downgrade [0]
Discovering [3] and leveraging MS-SQL for domain compromise without knowing the sa password [1]
Metasploit tricks to attack fully patched systems [1]
Utilize LSA Secrets and service accounts to dominate Windows targets [1]
Dealing with unguessable/uncrackable passwords [2]
Leveraging password histories [1]
Gaining graphical access [2]
Expanding influence to non-Windows systems [3]
Exploiting single sign-on systems [1]
Escaping restricted desktops [1]
So, for the first day of this class, we get (1+2+1+1+2+0+1+1+1+2+1+2+3+1+1) / (15 * 4) = 0.333 for a “known” ratio, or a learning percentage of 67%.
Looking at costs, it’s a tad more complex, with more options, but fewer parts. The vLive version of the course costs $4,370. The Self Study option costs $3,916. The Conference version costs $4,595. For all options, the test costs $549.
So we have three learning ratios to calculate:
* Self Study: 67 / ($3,916 + $549 + 60*$50) = 0.89%
* vLive: 67 / ($4,370 + $549 + 40*$50) = 0.97%
* Conference: 67 / ($4,595 + $549 + 20*$50) = 1.09%
Example: CISSP-ISSAP vs SANS/GIAC GXPN
So, as you see, even though it’s the most expensive option, you maximize learning when compared to time and dollar costs with the GXPN Conference option.
| Certification | Option | Cost | Learning Value |
|---|---|---|---|
| CISSP-ISSAP | Class | $3,726.50 | 0.295% |
| CISSP-ISSAP | Self Study | $2,611.50 | 0.42% |
| GXPN | Self Study | $7,465 | 0.89% |
| GXPN | vLive | $6,919 | 0.97% |
| GXPN | Conference | $6,144 | 1.09% |
Now, there are a LOT of variables at play here. If you mis-estimate the time you’ll spend or the amount of money your time is worth, you’ll get drastically different values. So think about these numbers carefully before you decide for certain which certification to pursue.
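The comparison method above (rate each topic 0–4, turn the average into a learning percentage, divide by the dollar cost of time plus fees) as an added Python example; this is not the post’s own code. It embeds the ratings, fees and study hours from the two worked examples exactly as the post sums them, assumes the post’s $50/hr time value, and adds a re-ranking at a lower hourly rate to show how much the winner depends on that estimate.

```python
"""Learning value per dollar, as defined in the post:

    Value = (Learning Percentage) / ((Time Spent * Hourly Rate) + (Cost of Certification))
"""
from dataclasses import dataclass

MAX_RATING = 4  # the post's 0..4 self-rating scale


def known_ratio(ratings):
    """Average self-rating divided by the top rating: the share you already know."""
    if not ratings:
        raise ValueError("need at least one rated topic")
    for r in ratings:
        if not 0 <= r <= MAX_RATING:
            raise ValueError(f"rating {r} is outside 0..{MAX_RATING}")
    return sum(ratings) / (len(ratings) * MAX_RATING)


def learning_percentage(ratings):
    """100% minus the known ratio, rounded to a whole percent as the post does."""
    return round(100 * (1 - known_ratio(ratings)))


@dataclass(frozen=True)
class Option:
    certification: str
    name: str
    fixed_costs: float   # class or book + exam + certification fee, in dollars
    study_hours: float   # your own time only; in-person class time counted as zero, per the post


def total_cost(option, hourly_rate):
    """Dollar estimate: fees plus study time valued at your loaded rate."""
    return option.fixed_costs + option.study_hours * hourly_rate


def learning_value(learning_pct, option, hourly_rate):
    """Percent of new learning per dollar, scaled so that 0.295 reads as 0.295%."""
    return 100 * learning_pct / total_cost(option, hourly_rate)


def rank_options(candidates, hourly_rate):
    """candidates: list of (ratings, [Option, ...]). Returns rows sorted best first:
    (certification, option name, total cost, learning value)."""
    rows = []
    for ratings, options in candidates:
        pct = learning_percentage(ratings)
        for opt in options:
            rows.append((opt.certification, opt.name,
                         total_cost(opt, hourly_rate),
                         learning_value(pct, opt, hourly_rate)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# --- figures taken from the post's two worked examples ---
HOURLY_RATE = 50  # the post's assumed time value
ISSAP_RATINGS = [4, 4, 3, 3, 3, 2, 4, 3, 3, 4, 4, 4, 4, 4, 4, 2, 3, 4, 4, 4, 4, 4]
GXPN_RATINGS = [1, 2, 1, 1, 2, 0, 1, 1, 1, 2, 1, 2, 3, 1, 1]  # the fifteen values the post sums
ISSAP_OPTIONS = [
    Option("CISSP-ISSAP", "Class", 2195 + 449 + 82.50, 20),
    Option("CISSP-ISSAP", "Self Study", 80 + 449 + 82.50, 40),
]
GXPN_OPTIONS = [
    Option("GXPN", "Self Study", 3916 + 549, 60),
    Option("GXPN", "vLive", 4370 + 549, 40),
    Option("GXPN", "Conference", 4595 + 549, 20),
]
CANDIDATES = [(ISSAP_RATINGS, ISSAP_OPTIONS), (GXPN_RATINGS, GXPN_OPTIONS)]

if __name__ == "__main__":
    # Sensitivity check: the same table at the post's rate and at a much lower one.
    for rate in (HOURLY_RATE, 15):
        print(f"--- time valued at ${rate}/hr ---")
        for cert, name, cost, value in rank_options(CANDIDATES, rate):
            print(f"{cert:12} {name:11} ${cost:>9,.2f}  {value:.2f}%")
```

At $50/hr the GXPN Conference option ranks first, as in the post; at $15/hr the cheaper GXPN Self Study option overtakes it, which is the caveat about mis-estimating your time value made concrete.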
Once you’ve followed this process, you’ll have an idea as to which certification to pursue. If you are in this solely for the learning, stop now. The next post is not about certification but focuses on extending your learning in a way that is visible and gets you both known in the community (building the Who You Know) and in gaining and demonstrating experience.
Security Certification 1/3 – Certifications in General
- At January 12, 2012
- By Josh More
- In Business Security
It seems that, about once a week, someone asks me about security certification. A lot of people seem to believe that a security certification can get you over the “need experience to get experience” hurdle. The point of this post is not to tell you which certification to get (though it does do this), but to explain why this common line of thinking is wrong.
At the entry level of the job market, the “you don’t have enough experience to get experience” problem is particularly troublesome. This is especially true in the current economy where fewer jobs means that many more experienced workers are competing for the entry level ones. These are the people that typically come to me and ask “CISSP, Security+ or GSEC?”.
However, if you show someone an experience-less resume that lists a security certification, all that is communicated is that that particular certification can be attained without experience. This weakens the certification and does nothing to make you look better.
In fact, most hiring managers I’ve spoken to will take the stack of resumes and filter it as follows:
- Throw out everyone lacking a college degree.
- If the stack is still too tall, throw out everyone that doesn’t have a four year degree.
- Then they look at experience and get rid of everyone that lacks the requirements.
- If the stack is still too big, throw out everyone that has experience but isn’t certified.
- Take any resumes that come with a personal recommendation and add them back in to the pool.
It may not be fair, but when any job opening solicits hundreds of resumes, it is a fast way to get through them. It also means that if you have no experience, possessing a certification gains you absolutely nothing. In fact, the best thing you can do to be considered is to know someone in the organization. After that, the most helpful is a degree, then experience, then certification… but only as a tie breaker.
(Note, in some job areas, like the US Federal Government, certain certifications are required for specific job levels. Assume I’m not talking about these job areas. After all, if you’re going for one of those, you already know which certification you need.)
It seems, from this, that I’m saying that certifications are useless. Nothing could be further from the truth. Certifications are great… just not for getting a job. Let’s look at what employers find to be the most useful: who you know, college degrees and experience.
Who you know
If you are recommended by someone that the hiring manager knows, the manager has already vetted you far more thoroughly than is possible in a series of interviews. They know that you are likely a good person to work with, as you can clearly be friends with the sort of people that work at the organization. They know some of your strengths and weaknesses. In short, they know that you can probably do the job and that you are likely to grow with the business.
A lot of people are disdainful of the “good old boys” network, but if you’re not in it, there is always the question of “why”. Without an answer to that question, people create their own answers… and they are seldom complimentary of you as a candidate.
College degree
The industry also has a lot of disdain for college degrees. Do you need a college degree to work in security? Of course not. There are tons of people in the industry without them. (Of course, they got in because of who they knew.) Like many people state, a college degree is just a piece of paper that says that you spent four years putting up with crap… which is a really good measurement of what many organizations want.
If you can get through a university program for two or four years, toe the line and do what you’re told, a hiring manager will know that you’ll be unlikely to make waves. You might not know all you need to do the job, but you’ll likely be able to deal with stupid corporate rules for long enough to learn what you need.
In short, a standard degree is not a measure that you’ll be an awesome employee. It’s a measure that you won’t be horrible and cost the organization more money than you bring in.
(Note: liberal arts degrees are something different entirely… but from a hiring perspective, they are only useful if the hiring manager is aware of the school and what the degree means. Without that knowledge, they look the same as a regular degree, so it comes back to “who you know”.)
Experience
Experience is, of course, the gold standard of getting hired. If you’ve done the job before, the manager knows that you can do it again. However, there’s a trap. If you have experience, you’re somewhat stuck in that area of expertise, and if that area goes away, you could be in trouble. A lot of COBOL programmers discovered this in recent years. If you’re in this situation, you’re really back to who you know.
Of course, it’s better to avoid getting into this situation by constantly taking on new projects and expanding your skill set. However, this series of posts is about certification, so I won’t delve into that topic.
Learning
So if that’s the situation, what do you do about it? The key, I think, is learning.
When you get right down to it, what a hiring manager wants to know is:
- What do you know?
- What are you capable of learning?
- Can you convert that knowledge into something useful to the organization?
- Can you do so without causing problems in other areas of the organization?
That’s it. Based on how well you do at those four points, your career will skyrocket or stagnate.
So, the keys are learning, translation and communication. Let’s look at certifications with that in mind.
Most people looking at security certifications look in four areas: ISC(2)’s CISSP line, SANS/GIAC’s G* line, CompTIA’s Security+ line and Offensive Security’s OS* line. The key criterion for you to consider is which line is going to maximize your learning for your dollar. Generally, SANS/GIAC is considered the most expensive, but in my experience also has the greatest opportunity for learning. Second to that, in my opinion, is the Offensive Security line. They’re more focused and hands-on than a lot of SANS/GIAC offerings, but also start a bit higher in the experience level.
So what you need is a way to compare not certifications, but what you learn from the certification process. If you can maximize the amount you learn per dollar you spend, you can both select the best certification for you and the best experience you can get from pursuing that certification.
Check in tomorrow for the method I use to compare certifications.
Certification – Conclusion
- At July 29, 2008
- By Josh More
- In Business Security
Well, if you got this far, you should have everything that you need to pass your certification with flying colours. Once you have it, take a few weeks to relax (and gloat, if you are so inclined). Then, work on maintaining it and look for your next challenge. Try not to rest on your laurels too much, or someone will pass you up. It’s always easier to maintain a lead than to catch up to someone else or a changed industry.
I hope that this helped.
Certification – Test Types
- At July 24, 2008
- By Josh More
- In Business Security
There are generally two types of tests: those where you can go back and look at questions once you’ve answered them (generally paper-based) and those where you cannot (generally practica or “live” tests). Each of these has different strategies to win.
Paper-based
If you are taking a paper test, go through it as fast as you can and answer everything that you KNOW. If you don’t know, skip it. You should be done very quickly. Then, go back through the test and look at the ones that you didn’t know right away. If it’s multiple choice or true/false, find the answers that you KNOW are wrong, and cross those out. You’re not actually answering questions at this point, you’re just eliminating possibilities. Then, go back through and see if you KNOW any of them now that you’ve eliminated the ones that were obviously wrong. This also should not take much time.
By this point, most of the test should be answered, and the good news is that these answers are things that you know are correct, and with absolute certainty. Now you get to actually start thinking about the remaining questions. This will be hard, but you have to keep in mind that you have already answered most of the questions right. It’s OK if the hard questions are hard, just do the best you can. If you’re stuck, try to think of a real-life scenario involving the question and ask what you would do. You can also flip the question around and see what you would do if the situation were reversed. This may make the correct answer more obvious.
If there is an essay component to the test, do NOT just start writing. First, take notes of what you want to say. Then, categorize the notes by putting a letter in front of each key item. Then, within each category, prioritize the importance by putting a number in front of the letter. Then, write an introduction and segue into point 1A. Once you’ve addressed that, go to 2A, to 3A and all the way until you’re done with the As. Then start with 1B. At this point, your essay has become a game of connect the dots, and you can just write until you’re done. Don’t worry about style, the examiner is looking for correct information, not a brilliant expression of ideas.
Live Tests
As computers advance, these tests are becoming more popular. They allow the test to adjust itself to your level. Sometimes this is used to give you challenging questions, sometimes it’s used to drive you into an area that you do not know so well. On tests like this, you have to know the scoring. Keep a mental tally on how you are doing and how much of a penalty you may get by skipping questions. Then, allocate time based on what you need to do the best. It’s often better to take more time on each question than on the paper tests, because of how wrong answers can impact the questions that you get later.
Practicum
When taking a practicum, you cannot use strategy to manipulate the test system to your advantage. You either solve the problem or you do not. Luckily, there are often multiple problems to solve, so start with the ones that you know best. However, do NOT assume anything. Do not make any changes that you cannot test. Test before a change and then test after, to make sure that your change did what you think. If you have to restart a service, test after the restart, to make sure that your changes persisted. On many systems, it is easy to forget that some changes only affect the running system and are lost on a reboot. (Cisco is tricky this way.)
Also, use proper diagnostics. Test at the boundaries or interface layers. On modern systems, this is often the TCP/IP stack, so use tools like netcat and telnet to ensure that the interfaces are responding properly.
Most systems also come with built-in reference documentation. Whether it is a commented configuration file, the documentation that came with the package, or a man/help page, know where to find the information and verify that you understand what you think you do.
Lastly, at the end of a test or scenario, RETEST everything that you’ve done. Make SURE that the problem is solved. It’s much too easy to break one thing when you’re fixing another.
Certification – How to test
- At July 22, 2008
- By Josh More
- In Business Security
Once you’ve prepared, you will do well on the test… unless you do something stupid. Luckily, by this point, you will know that you know enough to pass. You can let the worry go and, instead of trying to succeed, you can simply focus on not screwing up. It is much easier just not to screw up. So, let’s talk a bit about how to do that:
Dealing With Panic
If you panic, you’re likely to do stupid things like skip questions, forget directions and so forth. So, don’t panic.
Yeah, like that’s going to help.
If you find yourself panicking, take a break and count to 10, slowly. Then, write down on a spare piece of paper what you’re panicking about. Odds are that your brain is stuck in a loop, and by getting things down on paper, you can see the loop. Then, find where your thinking is illogical and cross that item out. Go through the loop and eliminate the stupid thoughts. This entire process will feel like it’s taking an hour. It’s likely taking less than five minutes, so don’t worry about the time lost.
If you were panicking, those five minutes wouldn’t have been productive anyway.
Protein
If you run out of energy, you’ll know. Your thoughts will start to drift and you’ll be distracted. You may feel tired. Odds are that you will NOT feel hungry. This is because your body is stupid and doesn’t tell you what’s going on. Bring protein with you. Peanuts are good, energy bars are good. Candy is BAD. Coffee is BAD. If you start to drift, have a small bite of protein. Keep this up throughout the test. Have a bottle of water to drink too. Keep the cap on (so you don’t spill) and take small sips.
After the test, you’ll feel weird. That’s a sort of protein high, and it’ll wear off. The important thing is to keep giving your brain the food and hydration it needs. Your body can be confused for a bit, it’s OK.
By the way, the reason to avoid candy (sugar) and coffee (caffeine) is because these give you easy energy. Once the easy energy is used up, your system will crash. Some people try to “ride the high” through a test. However, since crashing affects your thinking, it will impact both the results of the test and your perception as to where you are on the “high”. An exam is the wrong time to try to reprogram your brain. Use the protein, it’s more stable.
Set Milestones
Every certification test that I know uses time to control the test. Therefore, the clock is your enemy. To win, you must control the clock by figuring out how long you have, and setting milestones. Do not worry about how much time you have until the end of the test, worry about how much time you have for each question, each page, or each task. Then, if you beat time, take a short break (1 minute) to regroup and continue. If you do not beat time, at least you are aware of where you stand.
The milestones that you set will vary by test type.
Certification – How to study
- At July 17, 2008
- By Josh More
- In Business Security
Whatever path you are taking towards certification, you will have to study. Many of you probably haven’t studied since you were in school (and I suspect that some of you didn’t study much then). There are many guides online that teach excellent study habits, so I will just gloss over a few important points.
Test yourself
Test yourself often. Nightly is good, because it fits into a daily review schedule and helps you to focus the next day’s studying. If you are on a longer path, weekly testing may work better.
Know what you know
You must be honest with yourself in this process. If you know something cold, stop studying it and stop testing yourself on it. Make a note to test yourself again in a week. If you still know it cold, test again in two weeks (and so on). That way, you know what you know, which leaves you free to focus on what you do not know. It also reduces the “second guessing panic” that can occur on an actual test.
Know what you do not know
Your honesty must extend to what you do not know. The whole point of studying is to learn something, so there is no shame in missing a test question. Just note that you don’t know that subject well, and study it more before you test yourself again.
Use T-Notes
Really. They’re awesome. Don’t remember how to do this? Simply take a piece of paper (preferably lined) and draw a line down the middle. On the left hand side write a topic, and on the right, write notes that relate to the topic. As you go, narrow the topics and notes down to a one to one correspondence. In other words, you want to wind up with something like this:
--------------------------------------------
Why Certify?          | Improve Understanding
Which Certification?  | GIAC
Cost?                 | $3000 / 300 hours
Value?                | High
Study?                | Nightly
Test?                 | Stay Calm
--------------------------------------------
That way, when you are testing yourself, you can cover the right-hand side and run down the column. Every time you get one right, put a mark next to it. Then, after several testing sessions, you will have a good idea what you know and what you do not.
Use Flash-cards
Get index cards, and in one colour, write a question on a side. On the other side, in a different colour, write an answer. Then, when you’re testing yourself, you can quickly flip through the deck, putting the ones you got wrong in a separate pile. Once you’re done, repeat with the wrong pile. Repeat until the separate pile is gone, then start again with the full deck. Repeat until you can go through the whole deck without missing a single question.
Be sure to shuffle, so you do not get used to a pattern and stop thinking about the actual question. If you get the cards mixed up, use the colours to make sure that they’re all oriented correctly.
Break Things
If you are going after a technical certification, break your system (or better yet, have a friend break it for you). NOTHING teaches you how things work like trying to fix them. If you are going for an admin certification, fix a system. If you’re going for a programming certification, find an open source project in your language and fix some bugs. That will advance your learning faster than anything else you can do.
Give a Talk
Much like breaking things teaches you how things work, talking about what you know makes you know it better. You can stand in front of people and give a formal talk. You can blog about your learning and have a dialogue with people. You can record yourself and podcast or YouTube yourself. It doesn’t matter how, just communicate what you’re doing to others and it will very quickly start making more sense to you.
Have a Plan, Do The Plan
Before you start studying, figure out what “success” looks like. For me, it’s having 100% accuracy on my flash-cards, problem solving sessions, and T-note tests. Others accept lower success rates. Others prefer to learn X new things. Whatever your “success” is, make sure that you have a plan to get there by the time you take your test. Then, once you have a plan, follow it.
A lot of people have trouble following plans because “life gets in the way”. They may play mental games like “I’ll skip tonight’s session and just do two tomorrow” or “I know this stuff, I don’t really have to test myself on it.” I’m going to be blunt here. People are lazy. ALL people are lazy. When you find yourself thinking this way, recognize that your lazy self is trying to take over. DON’T LET IT. Every time you think this way, it is a battle, and every time you cave, you lose the battle. Once you have a pattern of losing the battle, you’ve lost the war.
Know what that makes you? A loser.
Don’t be a loser.
Do NOT Cram
Cramming doesn’t work. All it does is make it less likely that you will sleep well before you take a test. Have a good dinner. Set several alarm clocks, and go to bed early. If you can’t sleep, get up and go for a quick run, then go back to bed. That way, you’ll be rested, energized, and alert before you take your test.
Certification – Costs of Maintaining a Certification
- At July 15, 2008
- By Josh More
- In Business Security
The act of maintaining a certification also has associated costs.
Re-testing
Some certifications require you to re-test every so many years (often four). That means that you have to budget for both the test itself and either the time to prepare for the test or a refresher course. Keep in mind that the more technical the certification, the more things will change between tests. This will affect your prep time estimate or drive the need to go to a prep course. In either case, understand that the value of a second test to maintain your certification is that it ensures you still know and understand the subject sufficiently to be certified in it. Thus, certifications that require re-testing often maintain their value better than the ones that do not.
Dues
Some certifications require yearly dues to maintain your certified status. This practice helps to maintain the financial solvency of the certifying body. However, it does put you in the position to yearly decide whether the certification is giving you a value equivalent to the cost of the dues. If all the organization is doing for you is taking your money, I would suggest that may not be worth it. Consider any other opportunities that may come your way because of your certified status. Some “member” programs that go with the dues will give you discounts on programs or access to a group of experts. If you are availing yourself of such resources, by all means, pay the dues. However, be sure to think about WHY you’re paying the dues instead of just paying them.
Continuing Education
Many certifications have a continuing education requirement. In other words, in order to maintain your certified status, you need to dedicate time and money to continuously educating yourself in your field. This can be a pain, as you must, at the end of every cycle (usually one year), demonstrate that you have been learning. If you are not good with time management, it can produce a rush to complete education before you lose your certification.
You can get around this problem by treating the process like the running of a marathon. Every week, you just make a small step towards your CPE goal, and by the end of the cycle, you should be well ahead of where you need to be. This not only fulfills the requirements, but continuously reinforces the thinking that the initial certification helped you to achieve. Of course, it is important to account for this accurately, but like all habits, this will improve with practice.
The cost of continuing education is governed by you. There are usually options for a variety of budgets, ranging from $10,000 training classes to free podcasts and webinars. Just keep your eye on the prize, and you should be fine.
Certification – Costs of Attaining a Certification
- At July 10, 2008
- By Josh More
- In Business Security
When pursuing any form of higher education, the subject of money often comes up. It is common for people to question what a certification is “worth”, and just as common for people to respond in terms of salary increases compared to the cost of getting the certification. This is erroneous thinking. As you have (hopefully) already read, the true value of a certification is the learning that it brings you and the new ways it gives you to think about problems. Accordingly, these are the terms in which you have to account for the costs of a certification.
There are many ways to attain a certification. The common ones are listed below with a short breakdown of what they actually mean.
Boot-camp
In a boot-camp situation, you generally go somewhere and do nothing but focus on the certification for about a week. This is often very expensive, as you (or your company) must foot the bill for tuition, meals, lodging, travel, and any other incidentals that may arise. Additionally, during this week, you are not able to make money for your company, so the company often gets a double-whammy on the financial side.
That said, this method tends to be highly successful in filling your brain with the knowledge needed to pass the certification exam. This is good if the primary goal is getting certified. However, if you want the learning to become permanent, you have to ask yourself if you learn best in one shot or slowly and over a period of time. If you can actually absorb information that quickly, and you are willing to talk with your fellow classmates and learn from them, this could be a very cost effective way for you to learn. If not, consider a different method.
Mentor
Some certifications offer a mentor program. In a mentor program, the “instructor” is available to help you understand specific topics, but the learning is expected to be mostly on your own. As such, it tends to be somewhat cheaper than the boot-camp scenario. However, the lower financial cost is offset by a higher time cost. Simply put, it takes more time for you to gain the certification. Depending on your learning style, this could be a good thing. If the extra time is needed to get the new patterns imprinted on your brain, then this method is definitely worth the time cost.
If, however, you approach this program from a perspective where you only think about it during the mentor sessions, it is unlikely to be effective for you. This method takes more work on your part than the boot-camp does. If you have the passion, go for it. If not, it’s best to give it a pass.
Study Group
Some people prefer to learn from their peers, and to that end, will form a study group for the purpose of helping one another learn enough to pass the test. This tends to be very inexpensive from a financial standpoint, but extremely expensive in terms of time. In addition to the learning that you have to do on your own, you have to carve even more time out of your week to attend the study group. Moreover, everyone in the group has to do this to be successful.
Often, these groups dissolve into chatter, which is socially enjoyable, but a waste of resources compared to the ultimate goal. If you have a group of people that you KNOW can stay on task, and you ALL are interested in actually learning about the topic, go ahead and try this method. However, only go into it with your eyes wide open.
Books / Self Study
This is probably the least expensive in terms of dollars and you have complete control over the time cost. However, studying on your own often only works well if you have the passion and drive needed to learn on your own. This method is not for the passive learner. If you pursue this path, I strongly recommend that you develop a schedule for yourself and stick to it. You have to be brutally honest with yourself and constantly test your knowledge. It also helps to commit to a specific testing date, as this puts pressure on you to keep to your training schedule.
If you pursue this method, you will lose the learning opportunity of bouncing ideas off of others, but if you are dedicated to your path, it may not matter so much. However, your success will also be linked to the quality of the book you choose. This is why I recommend picking up multiple certification prep guides (raising the costs). That makes it more likely that you will learn the material and not just the way that author chooses to present the material.
Testing
There is almost always a financial cost to taking a certification test. There is another one for re-taking a certification test, so be sure that you can pass before you sign up for one. The hidden costs here include travel, hotel, meals, and time lost to taking the test. Also, anticipate being exhausted after an exam and do not plan to be productive during the trip back. Odds are that you will just want to sit and fret about how you did. Depending on the exam, you may or may not know for days. Remember that this stress has a cost as well.
Certification – Poor Picks – Specializations
- At July 08, 2008
- By Josh More
- In Business Security
We are exploring my poor choices for areas in which to certify. Today we will look at high-level specializations.
I’m somewhat ambivalent on the subject of the top-tier certifications. In theory, you should be able to learn a lot in deep detail on those, but I suspect that they are too focused to give you the primary benefit that certification provides — holistic thinking. I have also noticed that most of the certifications at that level seem to be vendor-specific, so I have to wonder how many of those certifications are about making money for the vendor instead of education.
However, there has been talk in some certifications on focusing the top-level certs to be more industry or job related, so there could be some value in those. You’ll need to evaluate that for yourself.
(Disclaimer: I do not have any specializations)
