Why Get Security Certifications?

I recently found out that my Post-9/11 GI Bill education benefits were going to expire at the end of August and I had a good amount of funds still available. I had already used some of the educational benefits for previous certifications, such as my CISSP, so I figured I would do the same again.

After speaking with some folks about which certifications to take, some suggested the Certified Cloud Security Professional (CCSP), offered by ISC2. It’s a newer certification, given how relatively new cloud security is, but also an area I’m not as well versed in, so I figured I would try to get it.

Now I know what some people are thinking, and believe me, I asked myself the same thing when considering the CCSP: “Why even get a security certification?” It got me thinking about why other people get certifications – are there common reasons?

Over the years I’ve thought about this on and off, but never came up with a list of reasons. So now I’ve decided to put my two cents out there in the hope that it may help someone who’s thinking about getting one.

Below are the three most common reasons I think people get a security certification.

1. You want to learn basic concepts/terminology or demonstrate baseline knowledge.

I’ve found that many people, myself included, get certified when they start off in security to gain a foundational understanding of the field. This makes sense if you think about it – why Google a bunch of security concepts or topics when a security certification can provide some structure for learning them?

The Security+ certification is a great example of a foundational security cert for people trying to get into the security field. CompTIA recommends that you have a couple of years of experience in IT administration and have taken the Network+ cert, but no other security experience or knowledge. According to CompTIA’s website, the certification covers a fairly wide range of security concepts, such as “network security, compliance and operation security, threats and vulnerabilities as well as application, data and host security, access control, identity management, and cryptography.”

The Security+ isn’t the only entry-level certification out there, but it’s these types of certifications that I believe are great for folks looking to get into the security field.

Several well-known security professionals agree that certain security certifications are a great way to learn the basics:

  • Lesley Carhart mentions it in her blog post about starting an InfoSec career here.
  • Daniel Miessler mentions it on his blog post about building a successful InfoSec career here.

Both blog posts are excellent reads on how to get into the security field as well, so definitely worth reading.

I think that people who have been in the security field for a while may also benefit from learning the basics through certifications. I’m not well versed in cloud security, which is why I’m taking the CCSP exam later this month.

Let me be clear, though, about what certifications will NOT do for you – they will not make you an expert, and they won’t speak to your proficiency or competency in security. A cert means you understand the basics, and that’s it.

In my opinion, even some of the most coveted and challenging security certifications, such as the Offensive Security Certified Professional (OSCP) or GIAC Penetration Tester (GPEN), at best only demonstrate some level of competency. I know several folks who don’t have these certifications but are some of the best penetration testers out there.

2. You need the certification to clear HR.

I recently attended a webinar that John Strand, another well-known security professional, hosted about being successful in InfoSec; it touched on certifications. He highlighted that people should not focus on security certifications but rather on building their security skill set by doing, such as building a Linux server from scratch or setting up a test router at home and managing it.

However, he does say that the unfortunate reality of working in corporate America is that we need certifications to get past HR for jobs, and I agree. I’ve seen, as many others have, job postings that require a CISSP, CISM, CCNA or some other certification just to get an interview. HR looks for certifications – if you don’t have one, you’re out of luck.

In a way, this makes sense. The HR departments I’ve worked with aren’t well versed in security, let alone IT, which makes it harder for them to judge who they should bring in for an interview. Certifications are a shortcut for producing a pool of “qualified” candidates to interview. HR doesn’t have to scrutinize a person’s resume for the right or ideal experience for the role, and to be fair they shouldn’t. The hiring manager ought to be weeding out candidates as they review resumes.

When I was a hiring manager, I often looked for certifications as well, because they gave me some indication that if we brought that person on board, they would share the same security model or framework I would use. For example, if the person had a CISSP-ISSAP certification, I at least knew they had some fundamental understanding of security architecture design and requirements gathering.

However, I would then dig into their resume and experience further. How many projects has the person completed? What kinds of projects have they done? How many high-level security architecture design documents have they drafted? How many requirements gathering sessions have they facilitated? These questions can’t be answered simply by having certifications.

3. Your certification is paid for by work/government/other.

This was my primary reason for taking the CCSP. Were it not for the Post-9/11 GI Bill, I most likely wouldn’t be taking the certification. But if your company is going to pay for your certification, why not? I think it’s foolish not to get certified if you don’t have to pay for it.

I know of some companies that pay for certifications every year, which I think is fantastic for the folks who work there and can take advantage of it.

In summary, I believe the three reasons above are the most common reasons why people would get a security certification. Much like anything else in life, I think it’s important to know why we do what we do. Make sure you’re clear on why you want to get a security certification.


Machine Learning & AI Journey

Machine learning and artificial intelligence seem to be in the news a lot, and it got me thinking about their application in security. I see them being implemented mostly in user behavior analytics solutions such as Splunk UBA and Interset, as well as endpoint protection solutions such as Cylance. I’m sure there are other security solutions that machine learning is being applied to that I’m not aware of, but this is exactly what I’m curious about.

Machine learning and AI are more easily seen in non-security contexts, such as Amazon or Netflix, where algorithms power product or movie recommendations based on your previous purchases or the movies you’ve watched. It seems logical that the same capability can be applied in security, but I wonder how, and whether it’s effective.

Starting last month I decided to focus more time on machine learning and AI, and to dig deeper to understand their applicability in security. To do this, I started looking at what machine learning courses I could take to get started. I stumbled across a great blog post by Per Harald Borgen in which he talks about his experience trying to learn machine learning in a week: https://medium.com/learning-new-stuff/machine-learning-in-a-week-a0da25d59850. He followed up with another blog post about his experience after a year of learning machine learning: https://medium.com/learning-new-stuff/machine-learning-in-a-year-cdb0b0ebd29c.

Based on Per Harald’s posts I decided to start with the Udacity course “Intro to Machine Learning”. I’m about 20% through the course, but it’s fantastic. It moves at a very good pace, even for folks who don’t have a strong math background. It does assume some basic Python programming skills, as the course has you jump right into running actual code, but in reality, if you’ve taken any basic programming classes in college you’ll be fine.

I’ll be posting more about my experience as I go along, but ultimately I want to see how I can apply machine learning and AI to improve security for an organization.

Target: 40 Million Credit/Debit Cards Compromised

I think everyone’s heard the news by now, but if not, here’s a link to examiner.com with more info:

http://www.examiner.com/article/hackers-target-info-for-up-to-40m-credit-debit-cards-from-store-pos-systems

It appears that folks who physically shopped at Target stores across the US were impacted – anyone who purchased online is safe. It’s still not clear how the breach occurred, though it will be interesting to see how these hackers actually did it. According to theories I’ve seen on Twitter and in the article, the hackers must have compromised the POS systems. I doubt card skimmers like those found at Nordstrom stores in October of this year were used for this scheme. The sheer number of affected stores and the number of cards stolen points to the theory that the POS system software was compromised.

At this point, the hackers have all card-related information, including the CVV security code. This is bad news for folks who regularly use debit cards – those hackers can wipe out your checking and/or savings account, assuming they also have your PIN. At this point we’re not sure whether they do, but it’s better to be safe than sorry and assume so.

Personally, I don’t use my debit card at all for daily purchases, for just this reason. I would rather have my credit card maxed out, if it were stolen, and then call the credit card company and mark those purchases as fraudulent. If your checking/savings account is wiped out, sure, you will most likely get your money back, but why risk your own money by using a debit card? Use the credit card company’s money to protect yourself.

If you shopped at Target between Nov. 27 & Dec. 15, closely monitor your credit card charges. I would even recommend changing your debit card PIN if you think you used it at a Target store – just in case.

Codecademy

For the past month I've been coding on Codecademy: JavaScript, Python, Ruby & HTML/CSS. It's a great website and has made it easy and fun to get back into coding, though I'm looking forward to courses in C and/or Objective-C (Assembly would be awesome, but I highly doubt they will offer it). Check it out if you have a chance.

http://www.codecademy.com