Last week I read several magazines on the way to DoD Cybercrime. Here are a few thoughts on what I read. From the threat and vulnerability definition department, we have the article DHS offers $765M in risk-based grants from Federal Computer Weekly:
The Homeland Security Department has made $765 million available in fiscal 2006 for 35 urban areas to guard against terrorist threats, DHS Secretary Michael Chertoff announced today.
The Urban Areas Security Initiative (UASI) this year follows a new, risk-based formula that allots funding according to threat, vulnerability and consequence, Chertoff said...
In assigning the grants, DHS also for the first time used threat analysis from the intelligence community to look at different kinds of threats, such as transient populations, Chertoff said.
Replace the word "consequence" with "cost of replacement" in the second paragraph and you have the common risk equation found in my books and elsewhere. Nice reporting, Michael Arnone!
I liked this article by CIO magazine editor in chief Abbie Lundberg. This is an excerpt:
People talk a lot about the new skills for IT being "business" skills, coming from the business side. It bothers me that people talk about "the business" as if it’s some monolithic thing made up of every department that’s not IT.
The implication is that all these not-IT departments share common skills, attributes and concerns, and that there are no competing interests among them or any lack of understanding between them. It also seems to assume that they possess some intrinsic understanding of what’s right for the enterprise’s future and that IT doesn’t. Right.
Frankly, I don’t think "the business," or any one part of it, is in unique possession of the skills necessary to construct the 21st-century organization. In fact, I’d hazard to say that IT may be better equipped to drive and execute this transformation than any other department in the modern corporation.
Thank you. I don't know what you read or hear, but I am tired of hearing drivel about "business skills." Here's an example from the same issue of CIO, an article titled The New IT Department:
The preferred educational background for IT employees today is more often an MBA than a computer science degree, says [Lauri] Orlov [VP and research director for Forrester]. New IT hires are as likely to be brought over from the business side as they are to have been groomed in IT.
Is this why companies continue to be compromised? Are the MBAs running around wondering why their self-defending networks are failing? I guarantee we will see a "back-to-basics" movement in the next few years, where "hands-on" tech skills will be emphasized again.
Speaking of "hands-on" skills, FCW had another interesting article -- SANS: Popular certifications don't ensure security. So what's the big deal? Alan Paller summarizes the findings:
Many popular information technology security certifications don't improve holders' ability to ensure computer systems' security, according to a new survey from the SANS Institute, a training and education organization for security professionals.
The survey found that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium -- also known as (ISC)2 -- and the Information Systems Audit and Control Association (ISACA) think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do.
Because respondents could vote for multiple certifications, "the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities," said Alan Paller, the institute's director of research.
One could argue this report and the survey (.pdf) are serving SANS's interests, but the findings also benefit holders of Cisco and similar vendor certifications.
Why is Alan upset?
He is especially concerned that the Defense Department now requires its frontline information assurance employees to have such nontechnical certifications. DOD's decision, finalized in December, came after the Titan Rain scandal last year in which international cybercriminals circumvented DOD's security measures and stole classified information.
"If these certifications do not correlate with hands-on security skills, then DOD is misleading its commanders by implying their people have the necessary security skills when they do not," Paller said.
What does DoD require?
DOD officials are satisfied with their choice of certifications, said Robert Lentz, director of information assurance in the DOD CIO's office. The department has codified competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification and Workforce Management," which requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.
Lentz said the certifications ensure that information assurance employees have adequate hands-on experience. Combined with additional specialized training that commanders provide on-site, they will ensure sufficient security for mission-critical systems, he added.
CompTIA and (ISC)2? Wonderful. Even I will admit that SANS certification holders are far more technically equipped than CompTIA Security+™ or CISSP holders.
It is a tragedy that the CISSP has become associated with "hands-on" technical proficiency. And what of CompTIA?
The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years on-the-job networking experience, with emphasis on security.
"Two years" and "security knowledge mastery" should not be in the same sentence.
I may have more to say on this topic after I attend tonight's ISSA-NoVA meeting. The subject is 8570.1.