Saturday, 30 October 2010

Study plan for the next few months - Updated June 2011

I am about to embark on a full time IT Security study program for the next few months.

It's a syllabus of my own design. (There aren't really any university or college courses that I could attend, which cover the areas I want to study and research).

Over the last year I certified for CISSP, CISM  and OSWP (and got about halfway through PwB, + completed ITIL V3 Foundation and Prince2 Practitioner) - My next plans are a continuation of that study, but now really focusing-in on Pentesting and Ethical Hacking, and studying full time...!

I feel this is a big step for me, and a journey of thousand miles starts with a single big step (which I have already taken)

Phase one

In the first one or two months I will be focused on finishing PwB "OSCP", and passing the CISA exam + logging some more credits to renew my CISSP and CISM certifications. (My CISA exam is booked for Saturday 11th of December).
  • Update 07/11/10 - I have booked more PwB hacking lab-time starting on the 20th November, and working my way through my CISA study guide/book
  • Update 13/11/10 - Renewed my CISSP for another year
  • Update 04/12/10 - Completed 2 weeks of PwB lab-time, wrote several blogs during this time on tools and techniques
  • Update 09/12/10 - Continuing CISA study, passed several practice exams for CISA
  • Update 11/12/10 - Took CISA exam
  • Update 13/12/10 - Finished Security+ course 
  • Update 16/12/10 - Earned 21 hours of ISACA CPE credits this week by watching eSymposiums and passing online tests. Renewed membership of ISACA to continue my current CISM certification. Booked 30 days more PwB labtime
  • Update 16/12/10 - Completed 30 days PwB lab-time - More network access gained and many more machines pwned
  • Update 31/01/11 - Found out I passed the CISA exam
  • Update 10/02/11 - Booked PwB exam
  • Update 21/03/11 - Finished updating OSCP documentation
  • Update 10-11/04/11 - Passed OCSP - First time!
Phase two

My plan is then to proceed straight to CTP (Do not pass go, do not collect $200), pass the CEH and Security+ exams, and, maybe, finally get around to certifying for CCNA.
  • Update 13/11/10 - Passed hacking challenge to register for the CTP course, and got registration code for CEH exam
  • Update 09/12/10 - Booked exams for Security+ (11th Jan) and CEH (18th Jan)
  • Update 13/12/10 - Completed Security+ course. Signed up for CTP course starting 23rd of Jan
  • Update 14/12/10 - Completed Python course
  • Update 30/12/10 - Completed C programming course
  • Update 05/01/11 - Completed MySQL 5 course
  • Update 11/01/11 - Passed Security+ exam (Too easy)
  • Update 16/01/11 - Finished CEH review book
  • Update 18/01/11 - Passed CEH exam
  • Update 19/01/11 - Reviewing Metasploit Megaprimer
  • Update 23/01/11 - Started CTP course
  • Update 08/02/11 - Completed CTP material, started reverse-engineering course
  • Update 10/02/11 - Completed CCNA course, and started reviewing CCNA books
  • Update 16/03/11 - Completed Linux Security course
  • Update 06/04/11 - Completed Linux Professional Institute Certification Level 1 2009 course
  • Update 24/04/11 - Completed ICND 1 course, booked CCNA exam

Phase three

Further study (Possibly a SANS course, not sure which at this stage, and will be subject to available funds, maybe a CREST course or certification) and exploit development/mitigation research TBD...

  • Update 15/01/11 - Started reviewing GPEN material
  • Update 22/03/11 - Finished reviewing GPEN material
  • Update 13/04/11 - Started research project 1
  • Currently studying SANS 542 Web application attacks
I'm pretty much done now, and I won't be updating this blog entry further.
(I'll start another one if I need to)

    and then... the future is uncertain...
    (Which is always true ;o)

    In tandem and supporting the above

    Phases one to three will be intermingled with a sprinkling of various courses from, ad hoc, to support my weaker areas (VTC is a bargain online training service, at around $30 per month) I feel I need to beef-up my programming skills, especially for exploit development and research. If I can squeeze in the odd MCP then that's a bonus.

    Microsoft Transact SQL
    Perl Fundamentals * Started
    Microsoft ASP.NET
    ASP Scripting
    PHP Programming: The Basics
    CompTIA Security+ Certification * Completed
    Cisco CCNA 640-801 * Completed
    Introduction to computer forensics * Started
    Linux Security * Completed
    C Programming 2007 * Completed
    Redhat Certified Technician * Started
    Programming With Ruby
    C++ fundamentals
    Microsoft Windows Vista Security  * Started
    Microsoft Windows Server 2008  * Started
    Advanced C Programming
    Assembly Language Programming  * Started
    Microsoft Windows 7
    Using Security Tools  * Started
    CompTIA Linux+ * Started
    Linux Professional Institute Cert Level 1  * Started
    Microsoft ASP.NET 3.5
    Microsoft SQL Server 2008 Development 
    Mac OS X Snow Leopard  * Started
    Microsoft Server 2008 Server Administrator
    QuickStart! - MySQL 5 * Completed
    QuickStart! - Python * Completed

    Also, keeping up to speed with emerging threats for which is a great site! some light bed-time reading, to fill my spare time:

    CISA practice questions book * completed
    Gray hat hacking * completed
    Teach yourself PHP MySQL and Apache
    Hacking exposed 6 - Great fun! * completed
    The Web Application Hackers Handbook * completed
    Python in a nutshell - bought on ebay for a few quid, bargain
    C for Linux programming - as above, bargain * 30% completed
    CISA study guide * completed
    Certified Ethical hacker review guide * completed
    7 x CCNA books I got on eBay * started reviewing

    I think my schedule is full, maybe too full?

    Wish me luck ;o)


    1. Your schedule seems to be on the light side... Surely you should also have time to design a jet propulsion system?

    2. Yeah ... I think you should do a cookery course as well - fish and CHIPS ... (computer chips ..... get it !!! ... old one I know !!!) .....

      Know you'll get there, not sure where that will be ... but I bet you'll enjoy gettting there.

      Wishing you luck :-) .... PS .... when would you use a "vendor class"

    3. Wow Ben that is a serious study schedule. Looking to do CTP soon myself but need to get the CREST exam done first for work.

      Look me up on #offsec as airloom and let me know how you are getting on.

    4. barking mad thats all I can say...

    5. That is an impressive array of skills you are looking to build there, good luck. Surely assembly language, is just about impressing the ladies

    6. LOL - The "assembly language" for writing small bits of shellcode, and understanding buffer overflows in detail.
      (The "ASP scripting" is for impressing the ladies)

    7. think you could learn to do some croching with the other...

    8. Umm... Crocheting tiger, knit a dragon?

    9. How do you afford to pay for such a huge list of courses and certifications? I am wondering how to make my employer pay for atleast a course or two.

    10. Check out

    11. This is a good plan... I have the CEH, now in march I take the PWK. this layout is nice.

    12. so what are you doing today???? did all of this pay off and land you a good job?

      1. Yes, it paid off.

        I am now a Senior Consultant for a leading IT Security company. I mainly perform penetration tests, but also some research.

      2. Also, I'm presenting at BlackHat in a few weeks:

    13. What a nice note.Thanks for your words..Basics & Beyond, Inc. is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors.
      CPE Hours

    14. This is an incredible post about PRINCE2® Practiitoner Certification in USA Getting such a wide range of benefits is really amazing.

    15. A very good post about PRINCE2® Certification US where you can get benefited with the info.

    16. This is an incredible post about PRINCE2® Foundation Certification In USA Getting such a wide range of benefits is really amazing.

    17. A smallish campaign with a homemade list would not be likely to yield much of a result. To achieve anything worthwhile, a much more aggressive effort is needed. Then, the age-old value analysis applies: projected earnings = margin on total projected sales - cost of campaign.

    18. It is second time that I appeared in ISACA and got it done finally. I could not pass this certification by the first attempt because I could not find a suitable material for preparation. This time one of my friends suggested me to use CISA Braindumps so I aced my exam easily. I am happy for my decision to take this handy material which helped me to get good grades in the final test. If you are also going for this certification then you should also choose CISA study material for your best results.

    19. I read this blog this is an excellent information about ethical hacking, learn Ethical Hacking Online Course Hyderabad

    20. This is nice. It can be applicable to all the exams like I have just begun with LSAT Prep Courses. It is my dream to become a successful lawyer and I am studying hard to achieve my goal. I am glad I found this post because at times I get nervous and I need such posts to help me keep going.