Thursday, January 19, 2006

Notes from Airplane Reading

Last week I read several magazines on the way to DoD Cybercrime. Here are a few thoughts on what I read. From the threat and vulnerability definition department, we have the article DHS offers $765M in risk-based grants from Federal Computer Week:

The Homeland Security Department has made $765 million available in fiscal 2006 for 35 urban areas to guard against terrorist threats, DHS Secretary Michael Chertoff announced today.

The Urban Areas Security Initiative (UASI) this year follows a new, risk-based formula that allots funding according to threat, vulnerability and consequence, Chertoff said...

In assigning the grants, DHS also for the first time used threat analysis from the intelligence community to look at different kinds of threats, such as transient populations, Chertoff said.


Replace the word "consequence" with "cost of replacement" in the second paragraph and you have the common risk equation found in my books and elsewhere. Nice reporting, Michael Arnone!

I liked this article by CIO magazine editor in chief Abbie Lundberg. This is an excerpt:

People talk a lot about the new skills for IT being "business" skills, coming from the business side. It bothers me that people talk about "the business" as if it’s some monolithic thing made up of every department that’s not IT.

The implication is that all these not-IT departments share common skills, attributes and concerns, and that there are no competing interests among them or any lack of understanding between them. It also seems to assume that they possess some intrinsic understanding of what’s right for the enterprise’s future and that IT doesn’t. Right.

Frankly, I don’t think "the business," or any one part of it, is in unique possession of the skills necessary to construct the 21st-century organization. In fact, I’d hazard to say that IT may be better equipped to drive and execute this transformation than any other department in the modern corporation.


Thank you. I don't know what you read or hear, but I am tired of hearing drivel about "business skills." Here's an example from the same issue of CIO, an article titled The New IT Department:

The preferred educational background for IT employees today is more often an MBA than a computer science degree, says [Lauri] Orlov [VP and research director for Forrester]. New IT hires are as likely to be brought over from the business side as they are to have been groomed in IT.

Is this why companies continue to be compromised? Are the MBAs running around wondering why their self-defending networks are failing? I guarantee we will see a "back-to-basics" movement in the next few years, where "hands-on" tech skills will be emphasized again.

Speaking of "hands-on" skills, FCW had another interesting article -- SANS: Popular certifications don't ensure security. So what's the big deal? Alan Paller summarizes the findings:

Many popular information technology security certifications don't improve holders' ability to ensure computer systems' security, according to a new survey from the SANS Institute, a training and education organization for security professionals.

The survey found that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium -- also known as (ISC)2 -- and the Information Systems Audit and Control Association (ISACA) think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do.

Because respondents could vote for multiple certifications, "the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities," said Alan Paller, the institute's director of research.


One could argue this report and the survey (.pdf) are serving SANS's interests, but the findings also benefit holders of Cisco and similar vendor certifications.

Why is Alan upset?

He is especially concerned that the Defense Department now requires its frontline information assurance employees to have such nontechnical certifications. DOD's decision, finalized in December, came after the Titan Rain scandal last year in which international cybercriminals circumvented DOD's security measures and stole classified information.

"If these certifications do not correlate with hands-on security skills, then DOD is misleading its commanders by implying their people have the necessary security skills when they do not," Paller said.


What does DoD require?

DOD officials are satisfied with their choice of certifications, said Robert Lentz, director of information assurance in the DOD CIO's office. The department has codified competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification and Workforce Management," which requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

Lentz said the certifications ensure that information assurance employees have adequate hands-on experience. Combined with additional specialized training that commanders provide on-site, they will ensure sufficient security for mission-critical systems, he added.


CompTIA and (ISC)2? Wonderful. Even I will admit that SANS certification holders are far more technically equipped than CompTIA Security+™ or CISSP holders.

It is a tragedy that the CISSP has become associated with "hands-on" technical proficiency. And what of CompTIA?

The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years on-the-job networking experience, with emphasis on security.

"Two years" and "security knowledge mastery" should not be in the same sentence.

I may have more to say on this topic after I attend tonight's ISSA-NoVA meeting. The subject is 8570.1.

4 comments:

Keydet89 said...

"The survey found that respondents with certifications from...the International Information Systems Security Certification Consortium -- also known as (ISC)2...think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do."

Well...duh! The CISSP cert does not claim to be a technical cert, and when I received my certification in '99, it was not advertised as such.

I agree that holders of the other certs (SANS, Cisco, etc) are more technically prepared than the ISC^2 cert holders, in general, though that really depends upon the consultant.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Richard Bejtlich said...

Harlan -- I've debated this point with many people who think CISSP is a technical cert. Someone running as a candidate in a local infosec group even advertised himself by saying "I have my CISSP, so that means I have technical skills."

Anonymous said...

Richard,

You probably already know this but Security+ is not even anywhere near the same class as the CISSP. I am quite sure no work experience is required to take the cert - it's a very 'base' level certification. Additionally, although Security+ tests a somewhat broad range of topics, it is universally agreed that the exam requires you to pick the best answer from badly worded questions and bad choices of solutions. "Relevancy" of questions was generally ok but when I took the exam one of the questions had to do with an obscure acronym of a 'security-related' association.
Make of this opinion what you will, however I'm sure many others have similar sentiments regarding the Security+ certification.

nr said...

Gah! I keep forgetting about the ISSA meetings. I'd like to get to a couple.

DoD requires certifications? What happened to judging employees or potential candidates by experience, knowledge, and other factors that have a more direct effect on job functions? This approach of having a list of items that makes a good employee just doesn't work in the real world. We all probably know someone that can pass certification tests but miserably fails in real-world situations (and I say that as someone with a few certifications).

Guidelines are as close as you can get to a list of precise requirements, or you will end up hiring based on a cookie-cutter approach and lacking diversity of experience and knowledge. Am I just being naive?

The people doing the hiring don't trust themselves or the technical managers to make good hiring decisions. They seem to feel the need to make these lists of requirements in an effort to reduce the number of subjective judgements required when evaluating job candidates. I just don't think that works.