Firewall Wizards mailing list archives
NT-Security Certification - SANS Proposal (FW)
From: Vin McLellan <vin () shore net>
Date: Mon, 29 Jun 1998 07:36:22 -0400
Forwarded excerpt from SANS NT DIGEST, Vol. 1, No. 3 June 27, 1998 (Jesper M. Johansson, editor)

<Gene Schultz, formerly of DoE (CIAC), now with SAIC, is a member of the editorial board for the SANS NT Digest. E-mail replies to: "SANS Inst." <sans () clark net> _Vin>

/begin excerpt/

8. EDITORIAL--MCSE and Its Relationship to Information Security

Many different types of certification are currently available in the technical arena. Few people would disagree that MCSE certification has grown considerably in its meaning and impact over the last few years, especially as Windows NT has increased its market share. To prevent misunderstanding at this point, I'd like to go on the record as saying that I have a great deal of respect for anyone who has passed the MCSE exams!

At the same time, consider the growing need for experts in Windows NT security. This need has increased dramatically as this product has become more widely deployed within organizations throughout the world. Many new, and potentially serious, security-related vulnerabilities in Windows NT have emerged in recent years; the problem has been exacerbated by the fact that fixes that Microsoft has developed have not been effective in closing all the vulnerabilities.

Where do organizations need to turn to obtain security-related expertise in Windows NT? An all-too-frequent solution is to look to technical staff with MCSE certification. Although someone who has achieved this status has demonstrated genuine knowledge and competence, a relatively small part of the MCSE curriculum actually covers security-related issues. This is, of course, not a particularly bad thing; after all, security is only one of many considerations in the computing world. Worse, however, is the fact that the MCSE curriculum functionally omits coverage of the many security-related vulnerabilities in Windows NT and possible solutions. Dealing with the many vulnerabilities that have emerged in this product over the years has become an increasingly important priority in Windows NT security. Simply put, MCSE certification prepares a person to deal with many facets of Windows NT, but it does not prepare that person to deal with many of the most pressing Windows NT security issues, issues that are "life-and-death" issues in the business and military worlds.

What then is the solution? Microsoft could start including more security-related material in its MCSE courses and exams. This possibility, however, would be far from optimal in that Microsoft should not be expected to "show its dirty laundry" by teaching information about vulnerabilities in its flagship operating system.

What we need is independent Windows NT security certification in the same spirit as (ISC)2 certification for information security professionals. A consortium consisting of recognized Windows NT security experts (perhaps financially backed by concerned corporations) could develop a certification examination that could be administered similarly to the way (ISC)2 exams are given. The result would be a pool of Windows NT security engineers who have demonstrated a suitable level of competence. Getting this kind of certification process in place will not be easy, but when one considers the alternatives, it is the most viable option at the present time.

MCSE certification is valuable and its importance will not be overshadowed by Windows NT security certification. As things are now, however, MCSE certification can be and often is construed as involving knowledge about Windows NT security, something that is not necessarily true. We need to keep our thinking straight. It is well time for a separate, independently administered certification in Windows NT security.

---Eugene Schultz, Ph.D., CISSP

Editor's Note: Do you agree or disagree with Dr. Schultz? Please let us know. If there is sufficient interest in an independent Windows NT Security certification program, the SANS Institute will organize an industry-wide consortium to implement a certification program.

/end excerpt/

-----
Vin McLellan + The Privacy Guild + <vin () shore net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --