Email from Reddit

I like giving back to the InfoSec community. I figure they’ve done so much for me so it’s only fair that I give back as well. As part of that, I moderate /r/CISSP. My goal is to provide up to date study materials, and answer any questions that come my way.

Recently a user reached out to me with a Direct Message. His questions were so relevant that I thought it would be good to post on the blog as well.

I’m the guy from this thread. What languages would be useful for me to learn? I’m learning python through learnpythonthehardway and -bash/ssh from but, I don’t really know how I would start to practice for the things I would do in a job. As stated in my thread, I am hoping to get a job in either government or a corporation.

What are some good blogs for CyberSecurity to follow and in general things that I should always keep up to date on pertaining to the field?

How long should I study for SEC+? I was thinking of picking a book around the end of the semester, study through summer and hopefully get the cert in time to put it on my resume for internships in October.

Honestly, if you’re looking to learn a language for a particular cert (specifically the CISSP), I wouldn’t bother. Coding/scripting isn’t part of the Sec+, SSCP, or CISSP. HOWEVER… if you’re looking to get into some more advanced hacking/pentest stuff (GPEN, OSCP, etc.), you can’t go wrong with Python. Where you want to go in your career (red/blue/purple) will determine what sort of skillset you should acquire.

SEC+ shouldn’t take you long. I’d say take no more than 30-45 days to study and take the exam. Everyone learns differently. Me? I can’t stand reading. Put a book in front of me and I’ll fall asleep in a matter of minutes. Online video training? That works as long as you keep the keyboard away from me so I can’t alt-tab out and surf reddit or something (oh the irony). Classroom? Oh hell yeah. I’m all about classroom training.

There are a lot of resources online. I’m not much on the infosec blogs. Twitter, however, is where it’s at. It’s the primary social media of infosec practitioners. Podcasts are also a great resource. I personally listen to The CyberWire, Defensive Security, Southern Fried Security, Paul’s Security Weekly, and a few others. Also, check the sidebar on the /r/cissp page. The links there are legit. I swear and are my favorites.

Lastly, where are you based out of? The infosec community is a very close knit group. We look out for each other. I personally know a guy in Dallas that’s looking for a summer intern. Let me know where you’re out of and perhaps I can hook you up.

One other thing that I forgot to mention is that the CISSP requires 5 years of relevant work in the domains to be considered for the certification. Considering that you’re just coming out of school, you’re not going to be even in consideration for the full certification. You’d be getting the Associate. I’d personally wait until you have some more certifications under your belt and more experience in the field before you tackle the CISSP. It’ll come much easier to you as well by that time.

GIAC – GPEN Certified!

I took my GPEN certification exam on Thursday and I passed. I was rather nervous, to be honest, about the exam considering two of my co-workers struggled with it. I waited until the very last day to take the exam and I’m glad I did. Luckily I scored a 91%. Even though it was open book, it was a doozy of an exam. I had my notes, index, and the texts to work from… and it was still a challenge. TBH – I’m really proud of my index (no, I won’t share it with you). It looks like a unicorn threw up on a notebook, but it had just about everything I needed. I’m also excited because I scored high enough to be in the advisory council and to possibly be a SANS mentor! I’m very humbled and honored!

Just a little tip, though: I won’t go into specifics, but I would advise anyone taking the exam to brush up specifically on the netcat switches and really learn scapy backwards and forwards. Not only will it help you with the exam, but I’ve found myself using both tools in my day-to-day roles a lot now.

So… what’s the first thing I do now that I don’t have a certification deadline looming over me? Go pick out another cert to tackle. My wife tells me that I’m goal driven. I need a goal to strive for if I want to be productive. At this point I’m strongly considering either the CCSP from (ISC)2 or one of the Amazon certifications. I need to skill up on cloud a little bit before I go after the OSCP. So let me know. What do you think? What certification should I go after next?

One last thing…

Dearest people outside of the realm of InfoSec,

Someone mentions the word ‘Penetration’ in proper context, and you folks lose your damn minds. Get your heads out of the gutter. Thanks.