October 28, 2016
Initialize a Cyber Security Career
With the number of cyber-attacks growing worldwide, coupled with the gains adversaries make from these successes, the need for qualified cyber security professionals will continue to grow. Just recently, on October 21st, 2016, the Internet experienced a major slowdown within the United States due to a DNS Distributed Denial of Service (DDoS) attack. A specific company was the target because of the DNS service it provided to a large number of frequently used websites, and the attack resulted in users not being able to gain access to those sites. These attacks will only expand as the world continues to depend on services provided by Internet companies, whether through daily communications, business transactions, or any other services digitally delivered to the end user. This report will introduce the pathways of certification to those seeking to enter the world of cyber security by illustrating the different vendors, the types of skill sets taught, and the various levels one can obtain to enter and grow in this ever-demanding profession.

Exploring different certification options

The individual that seeks to enter the world of cyber security can be overwhelmed by the number of avenues offered by a multitude of certification vendors, colleges, and other services that aim to develop a proper cyber defender. Beyond the terms and names of certifications and degree types, the bottom line for anyone wanting to enter this exciting career is how much time will be spent on acquiring the needed skill sets and what it will cost before actually being hired into the field. These two questions are explored and reevaluated constantly as time moves forward and demand remains high. The initial student of cyber security may find free services, but lack the time or the adequate resources to properly study and employ what is being offered.
This dilemma will face everyone from the most novice to the most experienced student at one time or another and must be dealt with on a case-by-case basis. Don’t be discouraged!

Different Training Options

Once the decision is made to explore the different skill sets available to entry-level cyber security students, the quest to find the best training available will begin. A great starting point is the .pdf file offered by a major and highly respected certification vendor, CompTIA. Using a search engine, the entry point to cyber security can begin by deducing what exactly is being sought by industry or government in the way of information security (IS). The very top of this multi-vendor diagram will list security certifications that are recognized by entities hiring cyber security professionals.1 This roadmap will allow the student to choose the most appropriate path into the sought-after profession. Students should also be ready to explore a low-level or beginner's certification just to enter the IS realm, such as the world-recognized CompTIA A+ce. The A+ce will usually allow students to obtain a personal computer (PC) technician job and sets the foundation upon which future security professionals will build. When approaching this first, but very important, certification, students should be prepared for the initial cost of several books and study aids. Having access to a personal computer is also key to success, since most, if not all, libraries or other public computers will not allow you to download exam engines for practice exam questions and lab simulations as one would find in exam preparation books. The A+ exam is also divided into two exams.2 Each is currently priced at $199, and the addition and combination of official study guides like Pearson, Exam Cram, or Sybex will add another $100 US to the expense of this particular certification.
Sometimes, there are events in major cities where a company will offer a free two-week training boot camp with study materials and books in an attempt to train future IS professionals, but the student will have to make the time and commitment to attend and actually complete the training in an effort to become certified.

Available resources for limited funding

There are other options available to students who lack funding but have a high desire to achieve an IS career. There are places of employment that may fund certifications or at least put the student in an environment that gives them experience and the funding to seek such training outside of business hours. The student should evaluate these different avenues, including community colleges and educational grants that may pay for the necessary courses that prepare the student to take such certifications in PC technology, networking, and security. In the end, the student may not get everything they paid for, but any amount of free training and education should always be evaluated regularly. Online resources are another great aid to the student in learning the needed concepts and skills that will be found not only on the exams, but also on the job itself. Web sites such as Cybrary and Professor Messer allow access to content that is presented in video format and backed by experienced professionals within the IS industry, which aids in building the foundation as well as higher levels throughout the IS community. The student should conduct prior research to find the most reputable and trusted online sites that offer this training. The student should also be wary of free downloads and dumps where the end result is a direct education in “click jacking” or “malware” infections. Having built the foundation by earning a certification such as A+ce from CompTIA, the student will need to decide what area to move to next.
Some will tout the need for Network+, while others may skip the certification but go through the free training courses to gain the knowledge needed to move on to Security+, SSCP, or GSEC. Again, the student needs to conduct prior research before moving to other vendors that will require years of “provable” experience, applications with fees, and other documentation prior to testing and maintaining a certification, if required. This is in addition to a higher cost in study material and preparation and higher exam prices.

Obtaining multiple certifications to get the best career options

Despite the option of widening out to gain other vendor certifications, the student does have the option to stay within one house. For example, there is nothing harmful in maintaining the traditional IS route of A+ce to Network+ce to Security+ce and then adding the newest CyberSecurity Analyst+ (CSA+) certification.3 The CSA+ will be released by CompTIA in 2017 and will allow the developing student to maintain continuing education (CE) requirements for one house. Coupled with the experience gained by this point, the student should evaluate whether their initial track within the IT Roadmap is directing the professional course correctly. Branching out to other vendors (houses) may offer specific skill sets that are unique and in higher demand. The student again needs to return to researching what is in demand by looking at job postings and the realistic expectations of skills hiring managers are seeking. Specialties in Linux, Cloud technologies, Cisco, Microsoft, ethical hacking, penetration testing, and various others may launch the student in a different direction than what was first analyzed. Even with this, the student needs to remember that the information technology (IT) world is so vast and complex that there is no way someone can know everything about IS or IT.
Gaining the initial foundation of the “triple three” (A+, Network+, Security+) is always a well-informed start. However, in today’s world of fast-moving technology and high demand for IS, the student can almost fast track their career by gaining at least 3 main certifications to land an entry or mid-level job while strengthening experience with education. No one should devalue the traditional educational side of gaining proper knowledge within any profession. True, one can learn everything they need to know in the same amount of time as earning a two or four-year degree, but there is something to be said for a grounded college education, be it traditional or online. Competition is one reason, and perhaps the most important one to write about. When promotions are at hand or human resources are scouring a massive pile of resumes, they will start separating those that have experience, certifications, and higher education accomplishments from those that only have one of these elements. This may not be fair, but it is how the machine works. Suggestions start with working on obtaining the least expensive certification available and building from there. Larger companies may offer college courses to their employees, and the smart ones will take advantage of that. Community colleges offer some of the most direct skill-set-building courses out there, where bachelor-type foundations will also prove that but may skip telling their students about certifications. The overall package when presenting a resume before a hiring element is how much has been accomplished and earned or learned. Those that have more have a better chance of being hired. The positive aspect of this, since one is actually looking into a career in the cyber arena, is that there are a large number of reputable online schools where, given the time and perseverance, a degree can be earned, giving the holder the edge to gain a better-paid position within the IT/IS world.
Before leaving the educational institution of your choosing, make sure your resume is formatted to show your earned education and certifications at the top when visiting the office for job placement. Employers and colleges are always working together to hire future or recent graduates.

Forming the plan to obtain your certificates

At this point, the whole approach outlined thus far may seem overwhelming, but be assured it is not. The student needs to plan out what the desired effect will be and work backward to gain the initial push forward. Start with a certification list that can be mounted right above your study area so that you see it every day. Earning each certification will train your sense of accomplishment and your brain to gain more and more. The same can be said when cracking open the first book on whatever certification one decides to pursue. Master each chapter, one by one, until the certification guide is complete. Master the exam preparation questions, as well as the simulations and labs presented. A separate list of checked-off chapters, labs, simulations, additional research, and prep exam questions should be lying right on the desk to show progress. Just like traveling, each mile must be driven and eventually you will get to your destination.

Effective study skills are crucial

When studying, block out times throughout the day to look at flash cards, read a chapter, study a block of questions, or complete one lab. Family and friends need to understand that this is your career that you are prepping for and that life will not always be this way. It may actually take you two to four years to complete and earn the necessary certifications and education that land you in the desired profession. There will be sacrifices made by everyone involved, but the end result will be worth it. Personally, when people are approached with this plan, the immediate look they give when they view the A+ certification guide is a make-or-break moment.
This is why one needs to start there and work their way up to higher, but specific, certifications. If one cannot accomplish the A+ foundational certification, then it is doubtful they will complete more complicated certifications.

Finding your vendors

The best practice is to line up at least two to three vendors and list their foundational to higher certifications to complete a cost analysis and determine what the best course of action will be, providing the student the best “bang for the buck” when committing the necessary funds and time to earn each one. Understanding what is available and what employers are looking for in your work area will add to your decision and allow you to make the right choice when starting your commitment to cyber security. Additionally, you need to read through different blogs to see the current state of certification vendors and any educational institution you wish to attend. Reputation is key, and some vendors will change their certifications in ways that impact their standing in the cyber community. Up to this point, the discussion has covered a few examples of vendors, areas of concentration, and the important fact that a combination of education and certification will build initial experiences that can be leveraged toward a cyber position where you, the student, end up being hired. It’s obvious, by the use of examples within this report, that CompTIA is a solid performer while being world respected and recognized. However, there are specific vendors that do offer more to the foundation, which the student can continue to build on beyond CompTIA or even Microsoft certifications. Moving past Microsoft and CompTIA, students need to discover through their own time and research whether vendors such as ISC2 are a correct fit for their study schedule and available funding.
A good way to see which certifications match up across CompTIA, ISC2, GIAC, and others is to view the chart issued by the US Department of Defense, DoD 8750, which is now replaced with areas of knowledge and skill sets in the newly released DoD 8140, which does not rely on specific certifications. Regardless, one can see that CompTIA’s Security+ce is in the same class as ISC2 System Security Certified Practitioner (SSCP) or GIAC’s GSEC. As of this date, DoD is using the manual for regulating DoD 8750, but has already transitioned over to DoD 8140 as of Fall 2015. The area of IT management is one that is in high demand and can be satisfied with the certifications held in the ISC2 house of certifications. The first, and less known, is the SSCP, which requires an application, at least one year of paid experience, a payment of $250 US, and a 3-hour exam.4 This foundational certification can be held in a non-experienced “associate” format until such experience is gained. After several years of experience using this certification, the holder can then apply for the most recognized and well-known Certified Information Systems Security Professional (CISSP).5 As with this certification house (vendor) and other ones, the student will be required every so many years to show continuing education (CE) and submit it with a maintenance fee that can range from $60 US to higher for each year. This proves that certification holders are not just getting these certifications without doing the necessary skill building to keep abreast of current cyber security awareness. As stated above, the student should also do a cost and time analysis on each vendor that fits the need of the student. Most hiring managers or human resource offices look for any number of these certifications and will usually move the applicant forward.
The true test of knowledge comes when the applicant is sitting in front of a panel proving he has not only learned what is in his certifications list, but also has the necessary background experience within a security environment. Regardless, the student/applicant should be prepared to state, if push comes to shove, that everything learned has only been in a school “lab” environment, home virtual environment (VM), or other learning platform. The biggest hurdle is getting the certification to get the experience, and plainly stating that one has to start somewhere and that just might be the lab.

Certifications beyond IT/IS Management

Moving past IT/IS management, the student may want to stay in the network security realm and continue to develop this specialty. Just like CompTIA has certifications that match up with ISC2, there are other companies that offer specific training that matches up with secure networks. Cisco is a well-known provider of networking devices, as well as certifications to maintain those devices. Cisco offers four main certifications that will complete the necessary path to strive within this platform. The main security certification is called Cisco Certified Network Associate Security (CCNA Security) and is listed as the second in the list. The CCNA Security deals with security infrastructure, how to recognize threats and vulnerabilities to networks, and solving issues to mitigate security threats.6 If the position demands or requires it and the student is evolving toward this very specific area, then Cisco will satisfy the standard. Although there is a multitude of opportunities within the networking world, the student should conduct a personal assessment before cornering themselves into a very specific bracket of certifications. Even if they do, there are always opportunities to swing over to another house, earn a new area of certification, and apply gained experience to come out a stronger cyber security professional.
The growing importance of ethical hacking and penetration testing

A growing area of cyber security is the world of ethical hacking and penetration testing. One could also place digital forensics in this category. The cyber security realm needs people with foundational training to exploit the network to discover the vulnerabilities that other IS professionals might have missed or not patched. Ethical hackers are those individuals that understand the malicious avenues that cyber criminals take to infiltrate networks to steal or destroy the information that resides on various databases. Penetration testers can test the networks and discover these infiltration avenues, with additional information on how to patch and fix these vulnerabilities. These assessments are key to maintaining the integrity of the data that various entities depend on to conduct daily work. Two vendors that offer user-friendly training and great platforms to learn foundational knowledge are Mile2 and Offensive Security. Offensive Security (OS) is well known in the “Red Teams” environment and offers a serious certification that, once earned, does not require CEs. The training expense is in line with other houses that offer close to the same training and certification. It is the most realistic platform for hacking and penetration testing on the market. The Offensive Security Certified Professional (OSCP) uses Kali Linux and a series of labs offered in several affordable levels, where the student learns in a hands-on lab environment through OS’s own remote servers.7 The student will be introduced to how to organize, plan, and then report the attacks accomplished throughout the whole learning lab environment, culminating in a 24-hour exam. If notes are organized correctly, the student will have everything they need to successfully pass this examination and write the final report for certification.
A different type of learning platform for ethical hacking and penetration testing is offered by Mile2, a vendor well known within major military areas. This company offers training for the US Air Force, the Canadian Department of National Defense, and other law enforcement entities, as well as other private individuals within the defense and private realm. This is where the DoD 8140 Directive will and can be applied. Beyond being an Authorized partner of both CompTIA and Microsoft, Mile2 delivers not only the practical learning course but then takes the theory of knowledge gained and applies it in their own Cyber Range, which the student can remote into to complete the labs.8 Much like the Offensive Security platform of conducting learning and testing from the student's own home office, Mile2 provides the same remote learning and testing environment without having to attend a physical classroom.

The decision to work in government service or private sector

The student, at this point, needs to continue their evaluation of whether government service or private sector employment is sought. Mile2’s offerings, for example, are recognized in the Federal Bureau of Investigation (FBI) Tier 1-3 levels of acceptable certifications, as well as being accredited by CNSS.9 There are equivalent alternatives to certifications that cover information security professionals, digital forensics, incident handling, hacking, and penetration testing that Mile2 offers and that conform to the training environment and budget sought by the student. Again, this is where a side-by-side assessment needs to be conducted to see exactly what is being offered, who recognizes it, the cost of the training, the time commitment, and the resulting certification that can be leveraged towards an employment opportunity.
Options for students outside the USA

For students not in the US, there are other options that are equally available, as well as other US-based companies that offer quality certifications. A British-based company called CREST offers students the ability to purchase a variety of study materials and learning objectives that prepare them for their examinations, which lead the student from practitioner to certified.10 Another very specific certification vendor that US and foreign students can explore is a company called eLearn Security, which offers certification in Web Security, Penetration, and Reverse Malware.11 Although not too broad, this company does build from junior to professional certifications that advance the student forward in their expanding career. The courseware can be done online and will cost the student $800 to attend and complete. As with everything written about within this report, the student should discover what will be accepted by the employer and what they can afford in funding and time.

In conclusion, the report has described certain pathways for certification to those seeking to enter the world of cyber security by illustrating the different vendors, the types of skill sets taught, and the various levels one can obtain to enter and grow in this ever-demanding profession. Although this is not a complete list of the vendors and certifications available, nor were any educational institutions listed, the student will have to be the one to make that particular decision in the end. Committing a certain amount of initial funding and time will pay off in the student’s return on investment (ROI) in time. Advancing knowledge in specific areas of the cyber security arena will fill the need for high-demand positions but may limit a person’s ability to quickly move into another area of the cyber security world. There are no definite and foolproof designs other than self-research to see what will work for the student looking to get into this expanding career.
Despite this, once in and working, the student will find it rewarding and exciting and will always be employed as long as they conduct themselves in a professional manner.