Top 9 IT Security Certifications


By | Information Security Blogger | Concise Courses



If you are looking for a certification in information security then you might be feeling a little confused, since there are nearly a dozen internationally recognized certs to choose from. The heavy hitters, or rather the better known security certifications out there, tend to be EC-Council’s Certified Ethical Hacker (CEHv8) and CompTIA’s Security+, but there are others!

We have arranged the vendor-neutral certifications into separate sections so you can review the various training and self-study options (along with the associated fees), and we have also put a little test together for you to try! If you pass the real-life multiple choice practice test then you are certainly in a very good place and should consider getting certified. Each test, available for all four of our certs, lasts only five minutes and has ten timed questions. If you need help please contact us by email.





OK, so back to the post! What are other information security certifications?

1. CPTC – Certified Penetration Testing Consultant
2. CPTE – Certified Penetration Testing Engineer
3. CompTIA – Security+
4. CSTA – Certified Security Testing Associate
5. GPEN – GIAC Certified Penetration Tester
6. OSCP – Offensive Security Certified Professional
7. CEH – Certified Ethical Hacker
8. ECSA – EC-Council Certified Security Analyst
9. CEPT – Certified Expert Penetration Tester

Unless otherwise stated these certifications are assessed by multiple choice and they require continuing education.

CPTC and CPTE (first and second on our list)
Taking each of these certifications in order: CPTE and CPTC are very similar, but the CPTC is slightly more geared towards the business end of penetration testing. Mile2 offer both of these security certifications and we have already spoken at length on the differences between CPTE and CPTC. We also have a download that examines CPTE in more detail. In summary, Mile2 is rapidly becoming popular due to the US military adopting several of their courses and the fact that they have excellent instructors. For more information please click on the links within this paragraph.

CompTIA Security+ (also known as SY0-301) (third on our list)
The Security+ is an excellent all-round certification in information security. Having been around for a long time now, CompTIA, as a charity and vendor-free organization, remains a highly venerated IT training body. We have a detailed review and a huge amount of information related to Security+ including: “Why study CompTIA Security+?”, how to break into the information security field, the (detailed) Security+ syllabus, exam structure (how is it graded?), a practice online exam center (Virtual Test Center), an overview of required acronyms, expected salaries and opportunities in 2013, the CompTIA course pathway, 300 interview questions and 13 interview no-no’s! You can get all of that in a nice pdf format here. It is worth reiterating that we also offer a free Security+ practice exam with model answers!

However, if you don’t have time to drill down into all of that data, here is a list of the modules you would have to learn if you decide to sit the Security+ exam.

1.0 Network Security
1.1 Explain the security function and purpose of network devices and technologies
1.2 Apply and implement secure network administration principles
1.3 Distinguish and differentiate network design elements and compounds
1.4 Implement and use common protocols
1.5 Identify commonly used default network ports
1.6 Implement wireless network in a secure manner
2.0 Compliance and Operational Security
2.1 Explain the security function and purpose of network devices and technologies
2.2 Carry out appropriate risk mitigation strategies
2.3 Explain the security function and purpose of network devices and technologies
2.4 Explain the importance of security related awareness and training
2.5 Compare and contrast aspects of business continuity
2.7 Explain the impact and proper use of environmental controls
2.8 Execute disaster recovery plans and procedures
3.0 Threats and Vulnerabilities
3.1 Analyze and differentiate among types of malware
3.2 Analyze and differentiate among types of attacks
3.3 Analyze and differentiate among types of social engineering
3.4 Analyze and differentiate among types of wireless attacks
3.5 Analyze and differentiate among types of application attacks
3.6 Analyze and differentiate among types of mitigation and deterrent techniques
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
4.0 Application, Data and Host Security
4.1 Explain the importance of application security
4.2 Carry out appropriate procedures to establish host security
4.3 Explain the importance of data security
5.0 Access Control and Identity Management
5.1 Explain the function and purpose of authentication services
5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
5.3 Implement appropriate security controls when performing account management
6.0 Cryptography
6.1 Summarize general cryptography concepts
6.2 Use and apply appropriate cryptographic tools and products
6.3 Explain the core concepts of public key infrastructure
6.4 Implement PKI, certificate management and associated components

CSTA – Certified Security Testing Associate (fourth on our list).
CSTA is maintained by a British organization called 7Safe. CSTA is a four day course and has a syllabus somewhat like the Certified Ethical Hacker by EC-Council. 7Safe have a network of authorized training centers. CSTA is interwoven with lab work, i.e. the course is very hands-on and practical.

It will be interesting to see the uptake for CSTA. Our hunch is that it will have a difficult time against the strongly established CEHv8 (Certified Ethical Hacker) and Security+. The premise for this security certification is to think and behave like a hacker so that the student will better learn and prepare against attacks. This is all excellent, but it just seems very similar to CEH. Anyway, good luck to them and we will certainly be keeping a close eye on their progress and course acceptance. In their own words, “The CSTA course is suited to system administrators, IT security officers and budding penetration testers.”

We understand that the CSTA is a progression path towards an ultimate goal of becoming a CREST Registered Tester.

GPEN – GIAC Certified Penetration Tester (fifth on our list)
GIAC claims to be the most “methodical pentesting course”, training the student to seek and destroy security vulnerabilities within weak configurations, unpatched systems and/or inherited, botched legacy architectures. SANS places emphasis on training the student to work with flawed legacy systems, which certainly has appeal in a job interview, especially if the position is to rectify a “broken” network or computer system.

Certainly a very in-depth course, GPEN seeks to cover all elements of successful network penetration testing by training students to improve their enterprise’s security stance. According to the course summary, students learn how to perform detailed reconnaissance, scanning and exploitation, experimenting with numerous tools in hands-on exercises. Similar to CPTC (mile2’s consultancy/business-leaning cert), GPEN also includes a professional auditing module: i.e. the training includes a module designed to help students understand how to write a report that will maximize the value of the penetration test from both a management and a technical perspective.

GIAC, as you would expect, also includes lab work to help the student work with exploitation frameworks and all the necessary pentesting tools.

OSCP – Offensive Security Certified Professional (sixth on our list)
The mighty BackTrack pentesting distro is connected to this IT security certification, meaning that it is the same organization: Offensive Security. (If you are interested in Linux pentesting distros we put together a really great list here, which includes our favorite: BackBox.)

Relatively new to the stage, the “Offensive Security 101” training course seems to be maturing well and gaining acceptance. It certainly was a smart move to create such a popular Linux distro and then add IT security courses to it, because, naturally, all the tools contained within the distro are precisely what this course (and all information security courses) require you to be proficient with.

This course gives a solid understanding of the penetration testing process. If we understand correctly, the course is mainly aimed at the CBT market. Registration entitles you to downloadable “Offensive Security 101” course videos. For an additional fee you can opt to take their online lab (30 day access) and certification challenge (similar to mile2’s CBT course program).

CEH – Certified Ethical Hacker (seventh on our list)
The Certified Ethical Hacker certification, offered by EC-Council, is a popular cyber security certification. The exam contains 150 multiple choice questions which must be answered within 240 minutes, with a pass mark of 70%.

The latest version of the Certified Ethical Hacker is Version 8.

Regarded as being content heavy, the CEH still holds sway in our opinion. We think that EC-Council have always believed that to beat a hacker, you need to think like one, and in our opinion that sums up the course perfectly. CEH immerses the student in a hands-on fashion where they are taught how to work, test and audit like a professional ethical hacker. The course starts by instructing students how to breach perimeter defenses and then effectively scan and attack networks. True to the principle that you gotta think bad to do good (i.e. think like a hacker), students will also learn how to escalate privileges, create a secure shell and what steps can be taken to secure a system. In addition, participants will learn about Intrusion Detection, Social Engineering, DDoS Attacks, Buffer Overflows, Virus Creation and more.

ECSA – EC-Council Certified Security Analyst (eighth on our list)
EC-Council are extremely involved in the community. They organize the Hacker Halted conferences in the US and Asia and have been pioneering some really great IT security certifications. Their courses are offered either online, via their iClass course delivery, or Live Instructor Led (i.e. in person). Following on from CEH is the ECSA (Certified Security Analyst).

The ECSA is designed to teach better audits of security systems; in other words, what are the results of the pentest? The ECSA is very similar to mile2’s CPTC in that the course is client focused, being about presenting accurate data and post-testing suggestions to an employer and/or clients.

ECSA does follow on from CEH (and indeed EC-Council suggest that you first finish Certified Ethical Hacker) because the post-test reporting can only be achieved with an understanding of the processes in the first place. In summary, the ECSA’s purpose is to add value for an experienced security professional by helping them analyze the outcomes of their penetration tests.

CEPT – Certified Expert Penetration Tester (ninth on our list)
Like the rest, this certification is assessed by multiple choice (100 questions with a pass mark of 80%). This certification differs from the rest because it relies more on programming and understanding the actual code. You really must speak C++ and Python and understand compilers/assemblers before taking this course. Here is a summary of the CEPT syllabus and the modules that a student must complete to pass the certification. There are nine modules:

1. Penetration Testing Methodologies
2. Network Attacks
3. Network Recon
4. Shellcode
5. Reverse Engineering
6. Memory Corruption/Buffer Overflow Vulnerabilities
7. Exploit Creation – Windows Architecture
8. Exploit Creation – Linux/Unix Architecture
9. Web Application Vulnerabilities

In Summary!
It is quite a mammoth task to compare and outline 100% accurately all these courses, especially when you factor in bias and industry reputation. It is very easy for this discussion to enter an “is it worth it” angle, but instead we tried to stay within an academic, or better said, training dimension. We are interested in what you actually learn and what the syllabus contains.

In summary (and this is a real basic summary!) we think that CEH is widely known and, for HR, is fast becoming a check-box that helps to get that interview. CPTC and CPTE are similar in that they have more of a consultancy and business role to them, which is great if you are already qualified but missing that business, client-side element on your resume. GIAC looks at penetration testing from a very methodical approach, and Security+ is the all-round winner due to its longevity and its solid syllabus.


29 thoughts on “Top 9 IT Security Certifications”
  1. Gary Kohler says:

    You don’t discuss CISSP but then you go and cover Security+. Really?

    1. Concise-Team says:

      We mention CISSP at the start of the post but you’re right, it does need more exposure to do this post justice. We will update shortly. Thanks for your feedback.

  2. SAH says:

    By the “replies” to the informational posts regarding I.T. certifications that I have seen, there is much distress over which certifications are the best, and which are not- yadie yadie.. The fact of the matter is that it really does not matter which are the “best”, but where the people with good, comparable qualifications will fit where, the best. This is the main component any employer will look at in my humble opinion, and not so much as to what tests you have passed. Of course the skills matter! But the person with the “best” certs is not always the “best” fit.

    There are many obvious reasons why companies and individuals alike promote certain certifications (it is a business after all), but the best advice that someone new to the industry could hear would be to pick a certification path, stick with it, LEARN EVERYTHING YOU CAN, and be the BEST you can! -no matter what. That is the real formula for success.

    Who cares what path you take? At the end of the day we are all professionals, but only if we think, act, and conduct ourselves accordingly. Am I wrong?

    1. An excellent comment and thanks very much for sharing your thoughts.

      100% agree with you. To have called our list of certifications ‘best’ should not be regarded as an absolute. We always tell our students that simply getting a certification without any experience will not generally get you the job, rather, experience WITH a specific certification would be more beneficial. Thanks again for your comment.

      1. SAH says:

        You’re welcome! Just to clear it up, I was referring to people that comment about articles more than your specific article. I believe the article you wrote is well laid out and informative. Thank you for your advice and work on this.

  3. Sondra schneider says:

    Hey !
    Lets talk about THE OLDEST performance based hands-on Security certifications – since 1999 – 4+years before EC-Council CEH.

    Q/ISP Qualified/ Information Security Professional –

    Q/ISP Certification Program/ WORLD CLASS Graduate and Master Certificate

    4 CyberSecurity Certification + 3 Practicals

    Q/EH Q/SA Q/PTL Q/FE Q/ND
    Q/ISP® Cert Exam CNSS 4011/4012/4013/4015/4016A
    Q/EH® Qualified/ Ethical Hacker Certification
    Q/SA® Qualified/ Security Analyst Pen Tester Cert.
    Q/PTL® Qualified/ Penetration Tester License
    Q/FE® Qualified/ Forensic Expert Certification
    Q/ND® Qualified/ Network Defender Certification

    23,000 students enrolled – US GI Bill approved, ACCET Accredited.

    1. Thanks for this! CEH and the other usual suspects often take all the limelight, and maybe for some solid reasons but it’s good to know that there are others out there.

  4. Jaz says:

    The new way to monetize the IT industry. I really can’t believe why many people are into certification – well I guess they simply want to propel their salary and probably fool someone that they know the subject matter. I personally lost my confidence with these certifying bodies when I learned that “dump sites” exist and it’s ok with them. If these certifying bodies truly take pride in their examinations then how come none of them is sending DMCA to take down these websites? Or maybe, they prefer the dollars from the cert fanboys who are continuously fooled.

    Few Google search, compile their searches…voila! We have the course outline and we’re now a certifying body. As if any group of friends can now build some sort of organization and call themselves “standard” of something…yeah right!

    1. Thanks for your comments – they are certainly valid.

      Bottom line is that these vendor-free certifications work by selling exam vouchers and the license fee associated with franchising their courses. Take for example CompTIA which anyone can study for free using brain dumps, YouTube, etc etc, but you still have to pay for the exam voucher – so CompTIA still wins.

      With reference to the course ‘helping’ a career I think that essentially they do. No, you can’t get a job by having zero experience and then doing a CEH or CISSP course, but what the cert will do is ‘strengthen’ your job application – especially if you are applying for a security job role within IT. I have heard that many HR people actually view CISSP as a ‘gold standard’ and actively look for people that have that cert. The same HR person might know very little about the usefulness of the CISSP course but the point here is that they are LOOKING for people with that particular certification.

      Final point I’ll make is that demand is outstripping supply when it comes to truly qualified skilled information security specialists – so that is the good news. Lastly – all education should be perceived in a good light. I’m sure you have heard this but here’s a quote by Henry Ford:

      Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps learning stays young. The greatest thing in life is to keep your mind young.

      1. Jaz says:

        Thanks for the reply Henry, I absolutely agree with Henry Ford’s quotation. As a matter of fact, the invention of the Internet gives everyone the opportunity to learn at their pace. The bad news, some people are somehow brainwashing or creating some sort of norms that people with certs are really skilled. Some HR personnel will immediately jump to the question – do you have certification? And the simple reason behind this is most of them are not qualified to assess the real skill of the applicant. Same with the owner of a big business who happens to have money and sets up an IT company. S/He cannot assess the skill of the applicant but s/he likes to have an IT company, so they will immediately look to someone with certification.

        Good thing that you also mentioned these vendor-neutral certifications because obviously vendor-specific certs are all about money and marketing BUT there are still people who are taking these and passing the exam. These leakage sites or dump sites are not about learning – this is all about memorizing the questions and answers then taking the exam. Again, the question is – why are none of these certifying bodies taking down these websites?

        All the materials are freely available online and all we need to do is study.
        But to be certified and get my money? That’s another story.

        Red Hat Linux is the only remaining credible certification body for me – since they will really put your skill to a real test, not just multiple choice.

      2. Jaz says:

        I just want to add and maybe this is off the topic.

        You will also notice the incarnation of PCI-DSS, HIPAA, Sarbanes-Oxley and other industry certifying bodies.
        Seriously, who are these people (college friends?) – who gave them the right to certify a specific industry?
        Most of them are not even sanctioned by the government. Most of them are not even technically inclined but they have the nerve to call themselves auditors…yeah right! Funny when I got the checklist of PCI-DSS, I couldn’t help but laugh because the list only consists of common sense. Well, after all common sense is not common – so yeah organizations like this are simply taking advantage of other people.

        You will also laugh if you read their organizations’ missions & visions – the main goal is to HELP.
        But hey, we have good news: you need to pay. Obviously, the main and TRUE goal is to EARN.

        Organizations like OWASP, Wikipedia, Open-Source OS and tools are the best example of the people who are truthfully willing to help IT industry and individuals.

  5. Absul wahab says:

    According to you, isn’t CCNA and CCNP a good security certification?

    1. Absolutely. CCNA (Cisco Certified Network Professional) is a very popular certification – which focuses on networking. As a vendor-specific cert by Cisco it is considered as being the ‘gold standard’ for their technologies – the certs in our list are mostly vendor neutral information security certs so that’s the difference. CCNA is assessed by a 90 minute exam and as far as I know you don’t need any previous experience – but don’t quote me on that!

      CCNP (Cisco Certified Network Professional) and CCIE (Cisco Certified Internetwork Expert) are also two excellent certifications.

      Good luck! Have you started to study any cert?

      1. FA1LURE says:

        CCNA is no longer a general entry level certification since Cisco has restructured their exams. Their CCENT is their entry level certification which allows anyone seeking further Cisco specific certification to do so in a more direct manner – such as down a path of routing/switching, or security, etc. with CCNA, CCNP and CCIE level exams for each. Quite a bit of their prior CCNP R/S material has now for instance made its way down to the ICND2/CCNA R/S exams. I would add that there IS value in vendor specific certifications, to respond to some of what others have said, specifically when said vendor still retains a majority of the current market share within a given industry. With that said, I do believe that anyone looking to be effective in their role, especially in the area of IT and Networking/Security, should be prepared to continually learn, truly understand and grasp the fundamentals and ultimately be able to apply them while evolving with the industry, if not staying ahead of it, when able.

        Also, to discredit a certification because someone can cheat is a ridiculous notion. If someone wants to spend a couple hundred dollars to sit and take an exam for which they utilized materials as noted above in the manner described…. then more power to them. I would pay, should they get hired, to see how long they last. Since if they had to cheat and stoop to such levels to pass an exam they are undeserving of, they will likely not be able to live up to the expectations and needs of the company when asked to complete routine and expected duties.

  6. Arnold says:

    What about CISE (Certified Information Security Expert)?

    1. Hi Arnold – thanks for your comment. We are not too familiar with CISE. Have you completed this certification?

  7. Sherisse G says:

    What are the average salaries for people who are certified in CPTC and CPTE?

    Very difficult to say – a lot depends on experience (of course) but with experience you *should* be on at least $65+ – but that is dependent on so many things….where you live is obviously a factor – but experience always plays a vital role.

      The $65+ was based upon me asking our team here (our instructors are all CISSP/ Pentesters, Consultants etc) and that is what they replied with :)

      Good luck and let us know if you need any help or other info.

  8. Yuvraj says:

    Could anyone please help me out by suggesting an entry level certification in information security..??
    I have completed my MCA degree and I am planning to do my career in information security auditing and consulting.

    1. Sure! Please get in contact with us if you would like more detailed information.

      Congratulations on your MCA Degree!

      OK…in terms of entry level InfoSec certs, we can only really refer to those offered by EC Council, ISC2, CompTIA and Mile2 since these are our areas of expertise.

      Security+
      There are several entry levels. The one that we like the most is the CompTIA Security+ Certification which is widely recognized and has been around for ages. CompTIA recently updated the syllabus and the exam structure which ought to have the benefit of making it more appreciated by employers. The two good things about Security+ is that it is a recognized cert with an in-depth security syllabus and secondly, that it is very affordable. Our pricing is under $400 and that includes everything – exam voucher, study materials such as books, practice exams etc.

      Network 5, Wireless 5, Security 5, Certified Security Specialist (ECSS) and the Certified e-Business Professional (CEP).
      These are offered by EC Council and are all regarded as entry level certs.

      Our advice would be to take a look at these listed above and then get in touch with us if you have any questions! Good luck.

    2. Kumar says:

      Go with CDAC or university courses. They are the cheapest

  9. mohsen says:

    Hi, I have an MCSE degree, CCIE, and now I work in security info. Now I am a pentester; I have road CEH, Sec+, ECSA, LPT, web app pentest. How can I work remotely? I live in Iran and I want to work with an international company.

    1. Thank you for your comment. You seem very qualified – sorry that we can’t help but good luck with your job search!

  10. Spencer says:

    I pretty much disagree with most of your list, from the perspective of a security consultant based out of western Canada with 12 years of experience. Many of those certificates I have never heard of. Absolutely I agree that the certification doesn’t mean anything in a practical sense – I know some talented people with no certs and some utterly useless ones with all the certs. But when I look at job offers and when I meet with recruiters locally, they are all looking for CISSP. They don’t know what it means, but those are the letters they want to see on job applications.

    1. Thanks for your comment.

      Certainly, information security IT certifications are indeed ever-evolving. CISSP does seem to be the most popular of all the certifications in our experience – many even call it the ‘Gold Standard’ – sure there are plenty of critics on either side of the fence – but – what I can tell you is this: if HR/ Recruitment Managers are seeking people with the CISSP designation, then yes, it will help you get that interview and position.

  11. Parshu says:

    Was reading other comments but wanted to make a point here: those who criticize CISSP should at least appear for the exam once & face that bombardment of 250 questions, especially when you have to decide what that question is & up to what level the question is expecting. How can a person criticize the CISSP certification without ever checking what it actually demands? :)

  12. santosh says:

    What about CISE: “certified information security expert”? Who is the organiser of this exam and what is the standard?

  13. Tomas says:

    LPIC-3 Security – that’s hardcore one.

    1. Thanks for sharing. Here’s the link for those that are interested: LPIC-3 Security
