Forum Thread: How to Train to Be an IT Security Professional (Ethical Hacker)

In recent weeks, I have had a flurry of emails from fledgling hackers asking me how they should train to become an IT security professional, i.e. an ethical hacker. I have answered this question so many times that I thought I should post my answer here so that everyone can read it.

Formal Education

Although some people choose to go through college and receive a B.S. in Computer Science or Information Technology (IT), many people in this field have no degrees and little formal education. Obviously, I chose to go the college route, but not everyone does. Many of my colleagues are without any degrees, and those that do have degrees often have them in fields other than Computer Science or Information Technology.

I'm not recommending against going to college, I'm simply saying that this discipline is full of people without college degrees. Unlike programmers, who most often do have college degrees, in Information Security, most people do NOT have college degrees in IT or Computer Science.

College education and training will give you the fundamentals of Information Technology, but few offer training on hacking and exploitation. Of course, to really be effective at hacking and exploitation you first must have the fundamentals of information technologies.

If you do decide to go the college route, though, make certain that you get a thorough grounding in networking, operating systems, application programming, scripting, databases, and data structures. Make certain you are conversant in at least one of the major programming languages (C++, Java, C), one database management system (Oracle, MySQL, SQL Server), one scripting language (Python, Perl, Ruby) and, of course, learn as much as you can about Linux/Unix, as it is the operating system of choice for every self-respecting hacker (you really can't be a hacker using Windows for many, many reasons). In the real world, hackers use Linux, victims use Windows.

Certifications

Rather than go the formal education route, many choose the on-the-job training and certification route. Even those with college degrees and even advanced college degrees enhance their education with IT certifications. Our industry is one of the few that places such emphasis on certifications.

The field of Information Security is still so new that many schools don't even offer degrees in it and often will only offer a course or two. This field still values competence and accomplishments over credentials. If you want credentials, there are many certifications that you can get without a college degree that will help you get a start in this field.

Probably the best starting point is the CompTIA Security+ certification. It is a beginner-level certification that covers all the concepts of IT security, but none in any great depth. The U.S. military requires that all their IT personnel pass this certification, including their contractors.

If you don't have the formal education from a college or university in Information Technology, I recommend studying for and passing the CompTIA A+ and Network+ certifications. The A+ is a basic computer skills course, working entirely in Windows, and the Network+ is a basic networking concepts and skills course. Both will build you a good foundation. In addition, the Linux+ knowledge and certification will serve you well.

At the highest end of IT certifications, the CISSP from ISC2 and the CISM from ISACA are considered to be the gold standard in IT security certifications. In both cases, they are IT security management and administrative certifications rather than hands-on or highly technical certifications.

In between, we have numerous hands-on certifications. For the aspiring hacker/pentester/ethical hacker, you can choose between the CEH, CPT, CHFI, and CASP. CEH is widely recognized, but not really rigorous. Probably the best CEH courses are offered by InfoSec Institute, which offers the CPT certification with the CEH in a one-week bootcamp. The CHFI is a forensics certification which will complement your hacking. CompTIA has developed a new certification that is gaining wide acceptance: CASP. This certification is most often considered to be a mid-level security certification.

Other Certifications

Although not as widely recognized by the industry, there are a number of other certifications you might consider to hone your skills as a pentester/hacker. Offensive Security, the developers of BackTrack and Kali, has a number of hacking certifications that are very demanding. These courses can be quite expensive ($3,000-5,000) to take in person, but Hakin9 is offering an online version for about $1,000 starting in February 2015.

SANS Institute, probably the leading security training firm in the U.S., offers a number of demanding IT security courses including GSEC, GCIA, GWAPT, and GPEN, among many others. These are good, solid, and demanding courses.

In addition, you might consider specialized courses in hacking applications such as Metasploit.

If you are looking to enter this elite field of Information Security/Ethical Hacking, there are many routes to get here. Of course, start off by reading all the posts here on Null Byte, but build a background in a variety of Information Technology disciplines while collecting as many of these key certifications as possible.


22 Responses

Thank you so much for this. As you said, a lot of people ask for this, so better have an answer always ready, and I'm one of them too.

Thank you for this, OTW. It's great to have something organised nicely to refer to and I've already been studying for my CompTIA certifications.

It's also very encouraging to see that the field puts more emphasis on certifications rather than degrees.

ghost_

Many thanks for this excellent post. As someone who would benefit from a good grounding in the basics the CompTIA courses look ideal, and they're not too expensive.

Why Chris, I'm sure I've no idea what you could be referring to, ahem...

OTW, if you were starting out today, would you first go through the training for the CEH, or is there something you believe is a better starting point?

-Neo

I would start with Security+ and then CEH. If I were taking the CEH, I would do it with InfoSec Institute. Theirs is combined with the CPT and much more rigorous than the standard CEH training.

Hello. I've been reading many of your posts, awesome job. Regarding certifications, I see that you haven't mentioned Cisco security certifications. What is your opinion about that one? I am taking Routing and Switching now and then plan on going towards CEH to get some knowledge as pre-preparation for the Cisco security certification. I went through A+ already since of course anyone will find stuff there which is very useful. So please put your opinion for Cisco security certifications. Thank you

Slavco:

My article was focused upon becoming a pentester/ethical hacker. The Cisco courses don't really address that subject. Although the Cisco courses and certs are good, they are vendor specific and I discourage vendor specific certs.

OTW

Very good column, you've covered all the bases. A college degree is always a good thing to fall back on. I've been told that a degree isn't necessary, just to repeat what you said. The junior college in my area has something for networking/programming. I'm sure you've heard of Assembly? I wish to learn that in depth. A guy I've talked to who has the CISSP cert knows assembly programming. For those who don't know, it is used to bootstrap an operating system from the ground up (create your own OS).

And more. Asm is an essential skill in hacking and exploitation.
To feel asm's flavor: "Hacking, The Art of Exploitation" is one of the best books imo.

Thank you. This is exactly what I was looking for. If a person devoted all their time to learning, how long would you say it would take to go from Sec+ to a GPEN skill level? From what you've heard/experienced.

Thank you, Sir.

This article is great, however I feel the need to ask about the prices......
Is it expensive to take these certifications?
How much would everything cost?

EDIT: Oh, and how much does one earn on a monthly basis in this field on average?

Certifications are typically around the $200 mark per certification. They also need to be re-sat every 3 years.

You're looking at about $100,000+ per year for most Information Security jobs.

ghost_

Although is correct about most certifications, the CEH costs $500 and the CISSP costs $650.

We are starting a new certification program here, and the cost will be $100-150. Should be up and running by January.

Thanks for the reply @ghost and @OTW.
Still have some questions though: why must the certifications be re-sat every 3 years?
Is it because of new information or techniques?
Also, in your opinion, which InfoSec job is the most exciting?
Espionage? Private investigator?
Nothing better than having a job that excites you.

Is there more detail on this or is it still being hashed out?

Will there be cool medals below the name when you respond to articles when you're certified?! Oh man, I would love that :)

Anyway, thanks for the link. Not sure how I missed that.

Hacking has become a much bigger problem at the present time. Today, in many cases, we are not completely safe. In the meantime, we are going to see a lot of damage. How can we solve this kind of problem? Please comment with your thoughts. Your comments may have an idea!!!
