
This guide offers in-depth coverage of security certifications in the IT industry as well as resources for further study.

IT Influencer Series

Security Certification
Resource Guide

2003
Essential information on security certifications for IT professionals and managers.

Contents

Introduction 3
(ISC)2: Experience Counts 4
SANS: A Practical Approach 6
Microsoft: Locking Windows 7
CompTIA: Security for the Masses 8
Cisco: Hardware Lockdown 9
Check Point: Enterprise Certified 10
CWNP: Wireless Pro 10
ISACA: Audit Secure 12
TruSecure: TICSA Experience 12
Symantec: Sleeper Hit 13
SCP: Security Certified Pro 13
SCSA: Seeking the Sun 14
EC-Council: Know Your Enemy 14
Blueprint for a Career in Security 15
Guide to Security Job Titles 19
Q&A: Can Security Certifications Help Your Career? 22
Salary Data for IT Professionals 23
About Those U.S. Government Security Clearances 24
15 Best Web Sites for Security 25
5 Must-Read Security Newsletters 26
5 Web Picks for Security Certification 26
Security Bookshelf 28
Advertiser Index 30


Introduction

Security is one of the hottest areas in IT certification today. It can also be the most confusing. As little as two years ago, IT professionals wanting to certify their security-related knowledge and expertise had only a handful of credentials to choose from, most of which were reserved for the most experienced professionals.

Since then, several vendors have added security-related titles and options, and those specializing in security are offering more credentials than ever. This boom has created a mix of titles that, while serving a wider cross-section of the IT community, also makes understanding and evaluating security certifications an arduous endeavor.

We’ve created this guide to help IT professionals and managers sort out the many options available. On its pages you’ll find profiles of almost every major security-related certification available today. For each, we explain the audience they’re aimed at, the requirements for obtaining the titles, and what separates each from the other credentials.

But we also know that becoming an IT security professional takes more than just certification. That’s why you’ll also find advice on developing an IT security career, including frank words from security maven and author Roberta Bragg on what it takes to excel in this field, as well as an honest perspective from an industry insider on exactly what certification can (and can’t) do for your career. We also share the real way those all-too-elusive U.S. security clearances are obtained.

To help in the learning process, we’ve included our top picks for security Web sites and newsletters, as well as certification preparation resources.

Whether you’re an IT professional considering a career in security or a manager who needs to guide your security staff’s professional development, we hope the following information will offer you the comprehensive overview of security certification you’ve been searching for. Enjoy.

—The Editors

All content was written and/or developed by Keith Ward, senior editor, Microsoft Certified Professional Magazine;
Becky Nagel, editor, CertCities.com; Michael Domingo, editor, MCPmag.com and Dian Schaffhauser, editorial director,
Microsoft Certified Professional Magazine.

Page 3 • Security Certification 2003 Resource Guide
(c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com
certification profiles

Experience Counts
It takes more than just knowledge to earn (ISC)2’s CISSP and SSCP titles.

The International Information Systems Security Certification Consortium, (ISC)2, formed in 1989 to create an industry standard for information security best practices. Since that time, the organization has released several vendor-neutral certifications that combine testing candidates’ knowledge of these practices along with experience, ethical and ongoing education requirements.

The organization’s flagship title, the Certified Information Systems Security Professional (CISSP), focuses on 10 common bodies of knowledge (CBKs) based on the above-mentioned standards:
• Access Control Systems & Methodology
• Applications & Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications, Network & Internet Security

The resulting exam is a six-hour, 250-question affair, for which most candidates study months to prepare. Because of the broad depth of knowledge covered on the exam, most students prefer not to go it alone, joining study groups or attending instructor-led training courses.

However, simply passing the exam won’t earn you the CISSP. (ISC)2 cites its mission to create a “gold standard” certification as the reason it requires all candidates to have at least four years of “direct full-time security professional work experience” in one or more of the test domains listed above. A college degree can substitute for one year. This experience must be documented by an independent third party and submitted to (ISC)2 for audit, along with a signed document stating that the candidate will subscribe to the organization’s code of ethics. Only then will the title of CISSP be granted. But that’s not the end of it—all CISSPs must complete 120 units of continuing education per year to keep their title active.

If you don’t quite have four years of direct work experience, you may want to attempt the organization’s Systems Security Certified Practitioner (SSCP) title. This three-hour, 125-question exam focuses on seven of the above domains and requires only one year of direct work experience. Like the CISSP, you must subscribe to the organization’s code of ethics and earn continuing education units to maintain the title.

If you don’t have enough experience to earn either title but you still want to take the above exams, you can become an Associate of (ISC)2. This new program from the organization allows candidates without the required experience to take the exams and then earn the certifications once they obtain the needed experience.

If you’re already a CISSP and want to distinguish yourself further, the organization recently announced several “concentrations” that candidates can add on to their CISSP: CISSP Management and CISSP Architecture. There’s also the Information System Security Engineering Professional (ISSEP), a concentration formed in conjunction with the United States National Security Agency that focuses on the information security needs of federal government employees.

Note that because the organization’s exams are paper-based, candidates must sign up through (ISC)2 and travel to an official testing location. Prices for the organization’s exams currently range from $350 to $550, but will rise as much as $100 beginning January 1, 2004.

More information on all of the above titles can be found on (ISC)2’s Web site at http://www.isc2.org.
— Becky Nagel

(ISC)2
Vendor: The International Information Systems Security Certification Consortium (ISC)2
Certifications: CISSP, SSCP, related concentrations
Certification Type/Focus: Vendor-neutral titles focusing on best practices for information security professionals. Candidates must meet experience requirements and sign an ethics pledge.
Exam Prices: $350 to $550 (U.S.)
Training Required?: No
Testing Centers: Available only through vendor
More information: http://www.isc2.org


A Practical Approach
The SANS Institute’s GIAC certifications combine testing with practical assignments.

Like (ISC)2, the SANS Institute’s Global Information Assurance Certification (GIAC) takes a vendor-neutral approach. However, this organization’s titles focus on the practical more than the theoretical, testing candidates’ skills in a wide variety of areas through online or in-person testing as well as practical assignments.

Those interested in GIAC testing have a wide variety of titles to choose from:
• GIAC Security Essentials Certification (GSEC)
• GIAC Certified Firewall Analyst (GCFW)
• GIAC Certified Security Leadership (GSLC)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Windows Security Administrator (GCWN)
• GIAC Certified Unix Security Administrator (GCUX)
• GIAC Information Security Officer (GISO)
• GIAC Systems and Network Auditor (GSNA)
• GIAC Certified Forensic Analyst (GCFA)
• GIAC IT Security Audit Essentials (GSAE)

Those who earn five of the above titles—GIAC Certified Firewall Analyst; GIAC Certified Intrusion Analyst; GIAC Certified Incident Handler; GIAC Certified Windows Security Administrator; and GIAC Certified Unix Security Administrator—can earn the organization’s highest certification, the GIAC Security Engineer. According to the organization, only two GIAC Security Engineers exist in the world today.

Before being allowed to take any GIAC exam, candidates must complete a “practical assignment”—an original research paper that demonstrates the candidate’s knowledge of the material being tested. These assignments are reviewed and graded by the organization, and those who pass are then allowed to sit the related exam.

GIAC exams are delivered online and at SANS conferences. Because of the program’s tie-in with SANS’ educational offerings, some GIAC certifications require that candidates take the related SANS training course either at a conference or online. When taken along with a training course, the price of the exam is $250. Exams cost $450 when not accompanied by training.

All GIAC professionals must recertify every two years by passing a “refresher” exam. The price of renewal is $120, which includes free access to SANS courseware online.

More information on GIAC’s certification program can be found at: http://www.giac.org.
— Becky Nagel

SANS/GIAC
Vendor: The SANS Institute
Certifications: 12 Global Information Security Certification (GIAC) titles
Certification Type/Focus: Skills testing in a variety of security areas, such as firewalls, intrusion analysis and forensics. Candidates must pass an exam along with a practical assignment.
Exam Prices: $250 (U.S.) with training, $450 (U.S.) without
Training Required?: Yes, for select titles
Testing Centers: Available only through vendor
More information: http://www.giac.org/


Locking Windows
Microsoft debuts MCSA: Security and MCSE: Security specializations.

If you’re a Microsoft networking professional, you no longer need to seek titles from outside vendors to certify your Windows security expertise. That’s because in June Microsoft announced new security specializations for its Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) titles.

“We put together these certification specializations to allow IT professionals a way to demonstrate a specific technical focus in the area of security within their job roles,” David Lowe, product manager for security with Microsoft’s Training and Certification group, said in an interview with MCP Magazine when the exams debuted. “The new specializations are directly analogous to the existing base credentials, but with a ‘prescribed path’ of specialization exams rather than electives.”

And that’s the key to these specializations: To become an MCSE: Security or MCSA: Security, you don’t have to take any more exams than would be required to earn the standard MCSA or MCSE. It’s determined by which exams you take.

For MCSA: Security 2000, your elective exams must include:
• 70-214: Implementing and Administering Security in a Microsoft Windows 2000 Network
• 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’s Security+

For MCSE: Security 2000, you must also take the elective:
• 70-220: Designing Security for a Microsoft Windows 2000 Network

For MCSA: Security 2003, you must take the following electives:
• 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
• 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’s Security+

MCSE: Security 2003 requires the above plus:
• 70-298: Designing Security for a Microsoft Windows Server 2003 Network

If you’ve already earned your MCSA or MCSE, you can simply take any additional exams required to add the desired specialization.

Lowe explained that Microsoft created the specializations because, “We recognize that in IT job roles, like systems administrator and systems engineer, there are a number of individuals who have a very specific concentration on a particular area and, obviously, in an important area as security. So that’s what these specializations will allow individuals to demonstrate; they’ll get to highlight their focus on platform-specific security and design skills.”

Microsoft exams consist of standard, multiple-choice questions as well as more in-depth scenario-based questions. The company doesn’t place training or experience requirements on its certifications, but hands-on experience with the products is highly recommended. Microsoft exams cost $125 (U.S.) and are available worldwide through Pearson Vue and Prometric testing centers.

More information on these certifications can be found at http://www.microsoft.com/mcp.
— Becky Nagel

Microsoft
Vendor: Microsoft Corp.
Certification: MCSE: Security, MCSA: Security
Certification Type/Focus: Windows-specific specializations that show a candidate’s security focus within the company’s MCSA and MCSE titles.
Exam Price: $125 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue and Prometric
More information: http://www.microsoft.com/mcp


Security for the Masses
CompTIA’s Security+ aims to bring baseline security knowledge to all IT professionals.

The Computing Technology Industry Association is well known for its entry-level, vendor-neutral certifications such as A+, Network+ and Linux+. Therefore, it wasn’t surprising when late last year the organization added Security+ to its roster.

Security+ is a one-exam certification covering a wide range of top-level security knowledge. Topics covered on this exam include:
• Communication security
• Infrastructure security
• Cryptography
• Access control
• Authentication
• External attacks
• Operational security

The exam itself consists of 100 questions with a 90-minute time limit. The minimum passing score is 764, graded on a scale of 100 to 900. One focus of the exam is terminology, making sure candidates understand the many threats out there. Candidates are also tested on the best ways to tackle those threats. CompTIA recommends that all candidates have at least two years of general networking experience before taking the exam, but the experience level isn’t required.

Many CompTIA corporate members, such as Microsoft, IBM and Sun, helped create the title, participating in development meetings and deciding the certification’s focus. As such, several certification programs either recommend Security+ as a prerequisite for their titles or allow it as an alternative requirement. For example, Security+ counts as an elective toward MCSE 2000 as well as its new MCSA: Security and MCSE: Security specializations.

These tie-ins may be one reason this title has resonated so well with the IT community. Even before its official release, Security+ landed at #2 on CertCities.com’s list of Top 10 IT Certifications for 2003. And according to Gene Salois, CompTIA’s vice president of certification, Security+ is the organization’s fastest-growing title ever.

The Security+ exam costs $225 (U.S.), with a discount given to employees of corporate members. The certification is good for life, so there are no extra costs associated with renewing the title.

More information about Security+ can be found at http://www.comptia.org/certification/security/default.asp.
— Becky Nagel

CompTIA
Vendor: Computing Technology Industry Association
Certification: Security+
Certification Type/Focus: Vendor-neutral security title that focuses on baseline security knowledge and skills.
Exam Price: $225 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue and Prometric
More information: http://www.comptia.org/certification/security/default.asp


Hardware Lockdown
Cisco offers a variety of ways to certify your expertise in securing its essential internetworking devices.

For the past 10 years Cisco Systems has been offering IT professionals working with its products ways to certify their expertise, but only recently has a suite of options emerged for those wishing to prove their security skills.

For the most experienced candidates, Cisco offers a security track for its expert-level Cisco Certified Internetwork Engineer (CCIE) title. The CCIE is known worldwide as one of the hardest certifications to obtain because candidates must pass an in-person, proctored troubleshooting lab exam.

Typical study methods won’t get you a CCIE. As Cisco states on its Web site, “Training is not the CCIE program objective. Rather, the focus is on identifying those experts capable of understanding and navigating the subtleties, intricacies and potential pitfalls inherent to end-to-end networking.” As such, the company recommends that all candidates have at least three to five years of hands-on experience working directly with the technology in a real-world environment.

CCIE exams are not only grueling, they’re expensive: $1,250 (U.S.) plus expenses to travel to one of five locations worldwide where lab exams are offered. To make sure that only those who have a chance of passing attempt the exam, all CCIE candidates must first pass a $300, standard-format “qualification” exam, available through local Pearson Vue and Prometric testing centers. There are no other requirements or prerequisites to earn the title.

If you’re not yet ready to tackle CCIE Security, you may be interested in Cisco’s newest security offering, the Cisco Certified Security Professional (CCSP). The CCSP is a professional-level title, on the same level as its Cisco Certified Network Professional (CCNP) and Cisco Certified Design Professional (CCDP) certifications.

To become a CCSP, candidates must obtain a Cisco Certified Network Associate (CCNA) or Cisco Certified Internetwork Professional (CCIP) credential, then pass the following five exams:
• 642-501 SECUR: Securing Cisco IOS Networks
• 642-511 CSVPN: Cisco Secure VPN
• 642-521 CSPFA: Cisco Secure PIX Firewall Advanced
• 643-531 CSIDS (beta): Cisco Secure Intrusion Detection System
• 642-541 CSI: Cisco SAFE Implementation

As you can see from the above, this certification is so new that one of the required exams is still in beta format—it is expected to be released in its final version by the end of 2003.

These tests are standard-format exams featuring multiple-choice questions. Some also include simulation questions that require hands-on skills. All are available at Prometric and Pearson Vue testing centers worldwide. The beta is priced at $50 and the live exams are $125 (U.S.).

If you’re not looking for a stand-alone title, you might want to augment your existing CCNA certification with one of Cisco’s security-related concentrations available through its Qualified Specialist program. The company currently offers three security-related Qualified Specialist titles for the IT community at large:
• Cisco Firewall Specialist
• Cisco IDS Specialist
• Cisco VPN Specialist

As mentioned above, candidates must first obtain a CCNA. From there, each title requires passing two exams: 642-501 SECUR, plus one focused on the chosen specialty from the above list of CCSP exams. Because the exams are the same, candidates can apply their Qualified Specialist title toward future pursuit of the CCSP.

All Cisco certifications require recertification through passing update exams. Recertification for Cisco titles takes place every two to three years.

More information on all of Cisco’s certification offerings can be found at the following URL on Cisco’s Web site: http://www.cisco.com/en/US/learning/.
— Becky Nagel

Cisco
Vendor: Cisco Systems
Certifications: CCIE Security, CCSP, Qualified Specialist
Certification Type/Focus: Product-specific titles for a variety of experience levels.
Exam Prices: $125 to $1,250 (lab exam) (U.S.)
Training Required?: No
Testing Centers: All but lab available through Pearson Vue and Prometric.
More information: http://www.cisco.com/en/US/learning/


Enterprise Certified
Check Point’s certifications test users’ skills with the company’s Firewall-1 NG product and more.

Mid-size and enterprise networks across the globe use Check Point Software Technologies’ Firewall-1 and VPN-1 products to keep their environments secure. If you are looking for a way to certify your skills on these products, Check Point offers several options.

Check Point separates its certifications into two tracks: Security and Management. Within the Security track, there are three titles, each of which requires one exam. The certifications are tiered, meaning that each higher level requires the previous certification. They are:
• Check Point Certified Security Administrator (CCSA), which focuses on Firewall-1.
• Check Point Certified Security Expert (CCSE), which adds VPN-1.
• CCSE Plus Enterprise Integration and Troubleshooting, which adds integration and troubleshooting for both products.

Also within this track is a new title: Check Point Certified Security Principles Associate (CCSPA), “an entry-level certification that validates a student’s proficiency in security fundamentals, concepts and best practices”—much like CompTIA’s Security+ exam. The CCSPA isn’t required to earn any other Check Point certification but is recommended for those new to security.

Check Point’s Management track offers two titles:
• Check Point Certified Managed Security Expert (CCMSE)
• CCMSE Plus VSX

Check Point describes the CCMSE as its premier-level title for those using the company’s Firewall-1, VPN-1 and Provider-1 products in a “Network Operating Center” environment. It requires passing three exams. The CCMSE Plus option allows CCMSEs to add to their credential by showing their expertise with the company’s VSX security solution, as managed by Provider-1.

All of Check Point’s exams are standard-format multiple choice tests, available for $150 (U.S.) through Pearson Vue testing centers worldwide. Check Point recommends that all candidates have six months to one year of hands-on experience with the products they want to certify on.

More information on Check Point’s certification program can be found at: http://www.checkpoint.com/services/education/certification/index.html.
— Becky Nagel

Check Point
Vendor: Check Point Software Technologies
Certifications: CCSPA, CCSA, CCSE, CCSE Plus, CCMSE, CCMSE Plus VSX
Certification Type/Focus: Product-specific titles focusing on Check Point security solutions for mid-size to enterprise networks.
Exam Price: $125 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue
More information: http://www.checkpoint.com/services/education/certification/index.html

Wireless Pro
Certify your wireless security expertise with Planet3’s CWSP.

There are plenty of security issues surrounding wireless networking. The Certified Wireless Networking Program (CWNP) from Planet3 Wireless is a certification option that allows wireless professionals to test their security knowledge and skills.

According to Planet3, CWNP’s Certified Wireless Security Professional (CWSP) title is vendor-neutral, focusing on 802.11 wireless technology rather than specific vendors’ products. As the second tier of the program’s four levels of certification, candidates must first obtain the program’s Certified Wireless Networking Associate (CWSA) before pursuing the CWSP.

According to Planet3 Wireless, the CWSP exam focuses on three areas:
• Wireless LAN intrusion
• Wireless LAN security policy
• Wireless LAN security solutions

The exam itself is a standard-format, multiple-choice test with 60 questions. It’s available through Prometric testing centers worldwide for $175, although candidates must purchase the exam voucher directly from Planet3. For more information on this certification, visit http://www.cwne.com.
—Becky Nagel

CWNP
Vendor: Planet3 Wireless
Certification: CWSP
Certification Type/Focus: Vendor-neutral wireless security title.
Exam Price: $175 (U.S.)
Training Required?: No
Testing Center: Prometric
More information: http://www.cwne.com


Audit Secure
The Information Systems Audit and Control Association offers two certification options for IS auditing and security professionals.

The Information Systems Audit and Control Association (ISACA) has been offering its flagship Certified Information Systems Auditor (CISA) title since 1978. The title, which focuses on IS auditing and control as well as systems security, is now held by more than 30,000 professionals worldwide.

While this title does cover security, the organization recently decided to create another credential specifically for security professionals: the Certified Information Security Manager (CISM). ISACA describes the CISM as its “next generation credential…specifically geared toward experienced information security managers and those who have information security management responsibilities,” the Web site states. “It is business-oriented and focuses on information risk management while addressing management, design and technical security issues at a conceptual level.”

Both ISACA exams are offered once a year at a variety of locations worldwide. Candidates don’t have to be members to take an exam, but they do need to agree to adhere to the organization’s code of ethics. Both titles must be maintained through continuing education requirements.

The exams range in cost from $325 to $495 (U.S.) depending on membership status, registration date and method of registration. Through Dec. 31, 2004, candidates with eight years of information security experience can grandfather directly into the CISM title without taking the exam. Various degrees and certifications count toward the grandfathering process.

More information on ISACA certifications can be found at http://www.isaca.org.
— Becky Nagel

ISACA
Vendor: Information Systems Audit and Control Association
Certifications: CISA, CISM
Certification Type/Focus: High-level certifications for information security and auditing professionals.
Exam Price: $325 to $495 (U.S.)
Training Required?: No
Testing Centers: Available through vendor only
More information: http://www.isaca.org

TICSA Experience
TruSecure moves into certifying individuals with its TICSA program.

You may know TruSecure as the company that owns ICSA Labs, which tests and certifies security products. What you might not know is that TruSecure also offers certifications for IT security professionals.

The company has turned its certification experience into the vendor-neutral TruSecure ICSA Certified Security Associate (TICSA) title. To achieve it, candidates must first prove they have at least two years of hands-on experience or attend 48 hours of computer security training within a two-year period. Only then are candidates allowed to sit the TICSA exam, which features 70 questions covering TruSecure’s 14 “essential” bodies of knowledge:
• Essential security practices vs. “best” security practices
• Risk management fundamentals
• TCP/IP networking basics
• Firewall fundamentals
• Incident response and recovery practices
• Administration maintenance procedures
• Design and configuration fundamentals
• Malicious code mechanisms
• Law, ethics, and policy issues
• Authentication techniques
• Cryptography basics
• Host- vs. network-based security
• PKI and digital certificates basics
• Operating system security fundamentals

Six areas of risk are also covered: electronic, malicious code, physical threat, human, privacy and downtime.

The $295 (U.S.) exam is available through Prometric testing centers in the U.S. and Canada only. In addition to passing the exam, candidates are required to sign an ethics statement before the credential will be awarded. For more information on the TICSA, go to: https://ticsa.trusecure.com/.
—Becky Nagel

TruSecure
Vendor: TruSecure
Certification: TICSA
Certification Type/Focus: Vendor-neutral title that also requires experience.
Exam Price: $295 (U.S.)
Training Required?: No
Testing Center: Prometric (U.S. and Canada only)
More information: https://ticsa.trusecure.com/


Sleeper Hit
Symantec jumps to second on CRN’s 2003 list of most valuable certifications for resellers.

If you’re looking for a security certification that resonates with solution providers, then a title from Symantec may be right for you.

Earlier this year, Computer Reseller News released the results of its third annual certification study, which rates the importance of various IT certifications for small and large solution providers. Symantec’s Certified Security Practitioner (SCSP) jumped up the list to become the second most important certification for small solution providers (revenue under $5 million) and the fastest-growing title in importance for large service providers (revenue more than $5 million).

Even if you’re not working for a solution provider or reseller, Symantec may still offer the certification you’re looking for. Symantec’s program features four tiers of certification focusing on its products along with general security knowledge and strategies. Following is the listing of these titles and their description as provided by Symantec:
• Symantec Product Specialist (SPS): One exam on a single security product and its functionality in an overall security system.
• Symantec Technology Architect (STA): one-exam title focusing on vendor-neutral security knowledge of how to design, plan, deploy and manage effective security solutions.
• Symantec Certified Security Engineer (SCSE): covers a high-level understanding of a broad range of security solutions plus in-depth knowledge and skills within a specific security focus. These titles require passing two to three SPS and/or STA exams.
• Symantec Certified Security Practitioner (SCSP): senior security title. Achieved by earning all four of the SCSE certifications.

Within these tiers, there are four areas of product focus: Firewall & VPN, Vulnerability Management, Intrusion Detection and Virus Protection & Content Filtering.

Symantec exams cost between $125 and $150 (U.S.) and are available at Prometric testing centers worldwide. More information on Symantec certification can be found at http://www.symantec.com/education/certification/.
— Becky Nagel

Symantec
Vendor: Symantec
Certifications: SPS, STA, SCSE, SCSP
Certification Type/Focus: Tiered program focusing on four Symantec product areas.
Exam Price: $125 to $150 (U.S.)
Training Required?: No
Testing Centers: Prometric
More information: http://www.symantec.com/education/certification/

Security Certified Pro

Ascendant Learning offers a vendor-neutral alternative.

SCP
Vendor: Ascendant Learning
Certifications: SCNP, SCNA
Certification Type/Focus: Mid- to high-level vendor-neutral security certifications.
Exam Price: $150 to $180 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue and Prometric
More information: http://www.securitycertified.net

Ascendant Learning bills its Security Certified Professional as an advanced, vendor-neutral IT security certification program. “The Security Certified Program is proud to offer intense certification exams,” the program’s Web site reads. “Whereas most certifications test on rote memorization-level details… SCP exams are designed to test a candidate’s knowledge of working security issues, programs and utilities.”
Currently, the program offers two titles: Security Certified Network Professional (SCNP) and the Security Certified Network Architect (SCNA). The SCNP focuses on defensive security technologies, such as firewalls and intrusion detection. The SCNA focuses on the next level of technology, such as enterprise security solutions, forensics and biometrics.
Both titles require passing two exams each. The exams feature scenario-based questions. Although training is highly emphasized on the program Web site, it doesn’t say that it’s required before taking the exams.
SCNP exams cost $150. SCNA exams cost $180 (U.S.). All are available at Pearson Vue and Prometric testing centers worldwide.
The program requires all title holders to recertify every two years. For more information about these certifications, visit http://www.securitycertified.net.
— Becky Nagel


Seeking the Sun

Solaris administrators worldwide now have a way to certify their expertise on this Unix-based operating system.

Sun
Vendor: Sun Microsystems
Certification: SCSA for Solaris 9
Certification Type/Focus: One-exam title testing security expertise in Solaris 9.
Exam Price: $150 (U.S.)
Training Required?: No
Testing Center: Prometric
More information: http://suned.sun.com/US/catalog/courses/CX-310-301.html

While there’s still a dearth of Unix-specific security certifications available, at least one vendor has stepped up to the plate. In April 2003, Sun Microsystems debuted the Sun Certified Security Administrator (SCSA) for Solaris 9 OS.
This one-exam title is, in fact, the first security-specific certification to be offered by Sun. The objectives for the exam break down into six main areas:
• General security concepts
• Detection and device management
• Security attacks
• File and system resources protection
• Host and network prevention
• Network connection access, authentication and encryption
Although there are no prerequisites for this title, Sun recommends that all candidates hold either its Sun Certified Network Administrator (SCNA) or Sun Certified Systems Administrator (SCSA) certification before attempting the exam. Six to 12 months of hands-on experience is also recommended.
Like other Sun tests, the Sun Certified Security Administrator exam contains multiple choice, scenario-based, matching, drag and drop and free-response questions. There are 60 questions, with 60 percent needed to pass. Candidates are given 90 minutes. The exam is available for $150 (U.S.) at Prometric testing centers worldwide.
To give candidates an idea of what to expect, Sun offers 10 free sample questions for the SCSA on its Web site.
Because the certification is so new, it’s only available for Solaris version 9. Sun has made no indication of creating exams for earlier versions, despite the continued popularity of its SCSA and SCSA for Solaris 8 exams.
More information about this certification can be found at: http://suned.sun.com/US/catalog/courses/CX-310-301.html.
— Becky Nagel

Know Your Enemy

EC-Council offers white hats a chance to shine with its Ethical Hacker certification.

EC-Council
Vendor: International Council of E-Commerce Consultants
Certification: Ethical Hacker
Certification Type/Focus: Tests knowledge of hacking terminology and techniques.
Exam Price: $125 (U.S.)
Training Required?: No
Testing Center: Prometric
More information: http://www.cwne.com

What exactly is an ethical hacker? The International Council of E-Commerce Consultants (EC-Council) states on its Web site: “The Ethical Hacker is an individual who is employed and can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker… The key difference is that the Ethical Hacker has authorization to probe the target.”
Although passing the title’s one exam does grant one the title of Ethical Hacker, the credential appears to really be aimed at systems administrators and other security professionals who are interested in exactly what the other side is doing and how to prevent it.
The exam itself consists of 50 questions covering 22 domain areas, such as footprinting, system hijacking, hacking Web servers, SQL injection, password cracking techniques and ethics. It’s available for $125 at Prometric testing centers worldwide. EC-Council offers optional training for the title.
More information about this certification can be found at: http://www.eccouncil.org/CEH.htm.
— Becky Nagel

Blueprint for a
Career in Security

By Roberta Bragg

If you want to do IT security because it’s “hot” right now, or because you think that’s where the money is, forget it. If you truly love the field, read on.
What do I mean? Perhaps you’re one of the many who have written for my help in “getting into security” or pursuing a security career. Perhaps you wonder if security is an area for you. Maybe you want the big bucks. Maybe you’re out of a job, find your engagement calendar empty, or otherwise think it’s time to change your game plan.

You Missed the Wave, Dude
Security isn’t the answer to your shrinking paycheck. It won’t bring you fame and fortune; it won’t even get you an interview. If you don’t already have deep security knowledge, you don’t have time to gain it in order to ride the current wave. The days of success are long past for those armed with minimal knowledge and a pre-programmed security vulnerability scanner. The word “Security” in your title or your company’s name will get you no instant appreciation now. The market for security goods and services is more sophisticated than it was. To make your way, to survive, you have to be able to do more than know a few buzzwords.
This market isn’t a Mecca for those who want to relax, either. Security is 10 percent pure panic and 90 percent drudgery. It’s long hours with no reward. You’ll generally only get recognition when you fail. For me, it’s like I’m always hanging from a cliff by my fingernails and struggling to keep up with the dual demands of rapidly changing information and rarely changing attitudes. Sure, it’s fun to ramble about the foibles of most infrastructure gurus, but I can’t even talk about my greatest jobs, those where my input or my design prevented the success of a very determined attacker.

Hackers Need Not Apply
If you think that hacking into Web sites, writing and releasing malicious code or breaching security at Fortune 500 companies, government offices, utilities or other well-known entities is a precursor to or a guarantee of a security career, you’re dead wrong. Doing these things is just plain stupid. You can disrupt business, shut down basic utilities and kill people. There’s a new hardened attitude out there, and you may just find yourself doing time instead of working for the company of your choice.
—Roberta Bragg

The Four-Step Program
Are you still reading, even after my attempts at dissuasion? You haven’t given up in despair? You say you want to be a security expert, and you realize it’s not an easy thing. Here, in my humble opinion, is how to fulfill that goal. Your program should include these four steps.

Step One: Narrow Your Options
Your first step should be to determine exactly what you mean by “security.” Do you want to specialize in some technical aspect of security, say establishing and configuring perimeter defenses such as firewalls? Do you absolutely love decoding packets to figure out what’s happening on the wire? Are you obsessive-compulsive about the code you write? Does implementing technology excite you, or does the fact that your mistakes might provide a venue for an attacker to steal credit card numbers off your servers grab your guts? Would you rather manage or do? Does creating policy float your boat? As you can see, there’s a wide range of careers in security. I know security officers who have never touched a server, and systems admins who never should have.
To help you find your niche, consider attending a security conference.

You’ll meet people who already work in the field, gain some security knowledge, and maybe make a few useful contacts. Check out the sites listed below and the conferences and seminars they offer. They represent many different sides of the security game. Just don’t assume you’ll see all security careers represented at any one event, or that you’ll be accepted with open arms when you say the words “Microsoft” and “security.”
• http://www.rsasecurity.com
• http://www.sans.org
• http://www.gocsi.com/annual/index.html
• http://www.blackhat.com
• http://www.defcon.org
• http://www.issa.org
• http://www.misti.com

Step Two: Get Naked
Second, take a long look at yourself. Carefully review your background, successes and failures, dreams and reality. As they say in the weight-loss biz, stand in front of the mirror naked and take a good, long look. A clear understanding of your abilities, aptitudes and experience is the starting point. Having a clear goal will help you identify the path to take. Does something in your background fit your idea of this long-term goal? If your experience lies in networking or systems administration, you have a good foundation to build upon. Writing solid code and understanding good coding practices is paramount to many security careers. If you don’t have either of these skill sets, why are you reading this article? Seriously, while many security jobs don’t require you to code or to configure systems, they do require you to have knowledge in these areas. Get some. If you’re struggling in IT because of a lack of ability to do a job for which you were trained, what makes you believe that you can enter the security arena without any experience or education at all?
Now the good news—maybe: If you stop and think about it, much of what you do in IT is security-related. Most systems administrators spend a fair amount of time granting or preventing resource access. Security is, in large part, about exercising controls in order to protect resources. If, however, you get your chuckles from making complex systems work, or writing elegant code, or getting the best performance or throughput, or the most “bang for the buck,” then security may not be a wise choice for you. On the other hand, if you feel that someone’s always looking over your shoulder; if you have multiple online personalities; change out your hard drive when you go online; subscribe to multiple security newsletters (and actually read and follow their advice); have been to Defcon or a CSI conference; downloaded all the NSA guidelines; know who Stephen Northcutt, Bruce Schneier, Mudge and cDc are; purchased the SANS checklists; and have www.microsoft.com/security as your default home page, you probably have the necessary makeup for the security field.

Step Three: Get Trained
Now that you know where you are and what you want to do, determine what you need to do to get there. Each security opportunity may require a different skill set, a different level of education. Where not long ago there were no “security degrees” and only a smattering of certifications, both formal education and a plethora of certification programs now exist. The opportunities for education have multiplied like hack attacks on a new IIS server.
Are formal education programs the way to go? Remember: Security as a career has gone through its first two phases. In the first one, a need evolved as the natural result of the mainframe culture. Many people got trained on the job, some were trained by the military, and others were gifted with deep talent and mathematical education. Few had formal training in computer security, per se. In the second phase, a large demand meant even inexperienced people could earn money peddling security advice, and many self-proclaimed hackers—the guys with the experience—were able to cut their hair and morph into security consultants.
Now we’re in stage three. There’s still a large demand, but buyers are more knowledgeable. To get hired, you need some proof of expertise. If you don’t have experience, do you have certification or education? Employers today are certification-shy, and bad experiences with paper MCSEs have contributed to this. Several very good education alternatives exist, and you should start at http://www.nsa.gov/isso/programs/nietp/newspg1.htm. Among the offerings on the National INFOSEC Education & Training Program Web site are the 50 universities designated “Centers of Excellence in Information Assurance Education” by the National Security Agency. Take a look at these programs. You’ll find that not one of them is a short-term answer to your goals. Most are traditional four-year undergraduate programs, or master’s and doctorate programs. Some of the more well-known of these schools include:
• Carnegie Mellon University: (http://www.heinz.cmu.edu/infosecurity/), well-known as the host location for the Computer Emergency Response Team (CERT), as well as many fine programs that offer education in information security.
• George Mason University: (http://www.isse.gmu.edu/~csis/index.html)
• James Madison University: (http://www.infosec.jmu.edu/program/html/classroom.htm) offers a

master’s degree program with a concentration in information security, taught entirely online.
• North Carolina State University: (http://ecommerce.ncsu.edu/infosec/courses.html), offers undergraduate, masters and doctorate programs in information assurance.
• University of Idaho: (http://www.csds.uidaho.edu/), has the Center for Secure and Dependable Software (CSDS).
Be sure to check out the new Federal Cyber Service: Scholarship for Service programs if you’re studying information security in college. U.S. citizens can get two years of their information security education paid for in return for two years of government information security work. Pay attention to the qualifications: Not every program—nor every candidate—qualifies. You must be enrolled in an info sec curriculum in one of several qualifying colleges before you can apply. Several of the programs referenced above participate in the program. Your best source of information is their Web sites.
And don’t forget that good old practice of studying on your own or with your buds. I don’t have to tell you that many of your peers in IT run extensive home test networks. If you’re thinking of hitting the consultant career path, this is essential. It’s my belief that you can earn the equivalent of a master’s degree if you’re willing to invest in a subscription to MSDN and TechNet, cobble together a few boxes in your basement and spend hours and hours with them. Note that it’s my belief: I know of no college that will give you credit for your wee-hour explorations of PKI, IPSec, Kerberos, group policy or other security-related items.
Many vendors have certifications, too. If you work extensively with their products or wish to, these certs—many of which are profiled in the first part of this report—may help. Experience is more important, but studying for certification isn’t a bad way to develop well-rounded product knowledge.

Step Four: Market Research
Research the job market. IT security employment is currently suffering a softening of the market. Visit IT recruiter L.J. Kushner (http://www.ljkushner.com/) to get the skinny on where they think it’s headed; if you’re qualified, post a resume. Visit popular headhunter sites and do a search on information security. At Career Builder (http://www.headhunter.net) I found more than 371 jobs from the keywords “information security.” Granted, a lot of jobs didn’t fit my definition of info sec, but many did. Poring over the possibilities might just reveal some ideas you hadn’t considered. How about being a senior fraud examiner, security manager, risk management-security and regulatory manager, security engineer, IT auditor, security engineering specialist, IT risk management specialist, policy maintenance senior specialist, acquisition security specialist, network security integrator, chief information privacy officer, security analyst, security system installer, director of IT security or HIPAA information security officer? Job listing sites are an excellent way to learn about the various security job categories and required experience level. You may be startled to learn that many pay less than a good network administrator job.
Graze through popular security product sites. Many of them have employment sections. Working for a security consulting firm or product company can boost your career. A word to the wise: Research the financial stability of these companies before you join. Many security startups got their funding during the high-tech expansion wars, when the word “Internet” was synonymous with “Cha-ching!” and adding the word “security” was a double guarantee. Many of these companies are just treading water now; make your own inquiries before diving in.
Think outside the box. Did you notice the acronym “HIPAA” in the job list above? It stands for Health Insurance Portability and Accountability Act of 1996. Some of the regulations of this act mean radical changes in the way hospitals, doctor offices, insurance companies and anyone who handles patient information must do their job. While many institutions have a strategy in place, others are still trying to understand what they need to do. In either case, there will be a continued demand for IT security people in the health care industry.

If You’re Still Interested…
By now you should have an idea that being a security professional is not donning a 10-year-old’s T-shirt or doing the rock star strut across a stage. There’s no surgical security implant or Viagra for the brain. You’ve found there’s a crying need for those who know IT security, but no money to pay them; hordes of security babe-wannabes; and an immature industry where even the definition of “security professional” is undecided. If somehow you’ve made it to this point, you probably still want to pursue the dream, so go for it.

A version of this article was first printed in Microsoft Certified Professional Magazine.

Roberta Bragg, MCSE: Security, CISSP, Security+ and contributing editor for MCP Magazine, runs Have Computer Will Travel Inc., an independent firm specializing in security, operating systems and databases. She’s a frequent speaker and trainer for TechMentor. She’s currently completing two books on network security for Microsoft Press. Contact her at Roberta.bragg@mcpmag.com.

Guide to Security
Job Titles
Does adding “security” to already-existing IT job
titles mean a new job for you? In some cases, yes.

A search of popular job search engines like Dice.com or ITjobs.com on the keywords “IT,” “network” and “security” will produce titles such as systems administrator and security administrator, network analyst and security analyst, or IS manager and IS security manager. Are these new jobs or the same jobs you’re familiar with, with security sneaking onto the list of responsibilities? Purely based on a random survey of jobs that are available out there, it’s a mixture of both.
The need for specialists pervades any profession and often produces new job titles—the IT profession is no different. New security titles have cropped up out of necessity and these types of jobs can be found primarily in medium to large organizations where security has to be controlled on a large scale. (That’s not to say that small companies don’t have their fair share of security jobs; you might find the odd need for a security analyst at a consulting or outsourcing firm.) Imagine, for example, having to manage and troubleshoot regularly scheduled password changes for an accounting firm, where data access is critical and can’t be interrupted.
Security encompasses issues beyond the traditional IT scope; for example, as with the Health Insurance Portability and Accountability Act of 1996. HIPAA is a recurring criterion for security-related jobs in healthcare and banking. Likewise, federal positions having to do with security may require you to possess a security clearance—which isn’t something you can simply pick up when you need it, making that a factor beyond the usual IT job descriptions. (For more on this topic, read “About Those U.S. Government Security Clearances” later in this guide.)
In this article, we share various security-related job titles and what kind of work they entail. It isn’t meant to be a comprehensive list, but it covers the major ones you’ll run across in the course of scanning employment opportunities.

Security Administrator
Security administrators typically are tasked with implementing security measures on a network. This may include: administering passwords, monitoring system or data security practices based on established company guidelines and monitoring and thwarting internal and external incidents (worms, viruses, Trojans and external or internal system abuses). They also might be in charge of disaster recovery efforts and typical network administrator duties.
Security administrators may have a hand in maintaining or recommending changes in established security policies and procedures.
Security administrators report to a project lead or manager.

Security Engineer
Security engineers are typically involved in planning, managing and implementing higher-level security issues as they relate to systems and networks and are often tasked with evaluating security software and the impact that third-party software may have as it’s installed on a network. Security engineers usually have significant input on setting up security policies during the planning phase. The security engineer may fill roles as project leads and may even be a manager.
You’ll find security engineers among any type of IT engineer who performs a specialty. One interesting form of the security engineer on an ITjobs.com listing is the information assurance security engineer. This job’s differentiating factor was the concentration on certification and accreditation of systems/sites. For this job title, the company required someone with some form of government security clearance, since the job involved writing up information assurance activities on federal government customer systems and networks.
You might find jobs with specialties in database security and firewalls. Here’s an interesting twist on the secu-

rity engineer title: Enterprise Security Engineer, Ethical Hacker, for a Fortune 500 company in Chicago. The company requires “ethical hacking skills,” which often means programming expertise with a strength in developing exploits.

Security Architect
Similar to security engineer in expertise, security architects are primarily responsible for establishing a framework for a comprehensive security strategy. The framework might involve drilling down to specific policies and procedures. Rarely is the security architect involved in implementation, unless providing hands-on support to a security team. Architects usually have a thorough understanding of network, application and database security.
Security architects can be highly specialized, such as one Dice.com listing for a “single sign-on architect.” It’s a highly specialized security architect whose sole responsibility is to design a single sign-on standard, often done for disparate network systems that need to be wholly secure across architectures.
The security architect might be interchangeable with the security manager at some companies or may report to a security manager.

Security Consultant
Often someone whose breadth of experience encompasses security administrator to architect to director, security analysts or consultants often work in an outsource capacity to test and recommend security solutions or strategies. Security consultants and analysts should have extensive knowledge of network access, authentication, development of security policies and procedures and conducting vulnerability assessments. They may also be involved in security pre-sales engagements. The security analyst title may be interchangeable with the security consultant title.
One company on ITjobs.com posted a job for a “senior consultant, HIPAA security,” who would primarily play advisor and coordinator for pre-sales engagements to companies that required HIPAA compliance before forming partnerships.
Another listing called for a Security Analyst, Intrusion Detection/Forensics, a job whose defining characteristic was the ability to respond quickly to security incidents that can affect mission-critical production systems. Response had to be quick and thorough, particularly in assessing, documenting and offering solutions to thwart attacks. Another duty: That person would be tasked with developing new ways to harden systems.
Another job listing asked for a cyber security analyst. Based on the description, job duties matched up with a typical security consultant.

Security Monitoring/Compliance Officer
This person implements and supports information security to maintain compliance with applicable laws. He or she acts as a resource on matters relating to information security and will investigate and recommend secure solutions for implementing IS security policy and standards. In some companies, the security monitoring/compliance officer might report directly to an enterprise security director or chief security officer, perhaps even to the CIO or CEO.
A Dice.com job listing asked for a specialized business information security officer (BISO) who would be responsible for IS audits and advising other groups of security requirements for line of business applications and concoct compliance reports in terms of business risk. The BISO would report to the officers of various groups, such as engineering directors and data center managers.
Another job was listed as fraud investigator, a highly specialized skill that encompassed the same as a security monitoring/compliance officer, but also required some experience in legal evidence-gathering techniques.

Security Director
Security directors are often the line between staff and executive management, usually leaning over to the latter. Security directors, though, make rare appearances on job search engines, because the responsibilities can be an amalgamation of higher-level duties taken on by a team of security managers, engineers and administrators. If such a job listing appears, it’s rarely for a small company. Typical responsibilities for security directors include: overseeing and coordinating security policies for IT and company-wide for departments like engineering, operations, legal and so on; developing and standardizing the communication of security, privacy policies and disaster recovery initiatives, often in accordance with industry regulations; and developing or driving security awareness training. Security directors typically report to a chief information officer or chief security officer.

Chief Security Officer
At or near the top of a company hierarchy (CSO would report directly to the CTO or CEO), the chief security officer often dictates the companywide security mission or strategy. One high profile member of this elite corps is Howard Schmidt, previously the CSO for Microsoft, then pegged as cybersecurity advisor to the White House, and more recently vice president and chief information security officer for eBay. While it’s a mystery how CSOs differ from CIOs, many of the Fortune 500 companies like Microsoft and General Electric have them.
Consider these positions to be a rare breed, indeed.
—Michael Domingo

Page 20 • Security Certification 2003 Resource Guide
(c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com
Q&A: Can Security Certifications Help Your Career?
We asked a security insider to share his honest take on exactly what security certifications
can—and can’t—do for your job prospects.
Greg Owen is technical director for the Global Information Assurance Certification (GIAC), a vendor-neutral certification program sponsored by the SANS Institute. He holds three GIAC certifications:
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Windows Security Administrator (GCWN)
• GIAC Certified Forensic Analyst (GCFA)
Part of his duties with GIAC includes exam preparation. Owen also does network security consulting for a consulting company in Boston, Massachusetts. He’s been working in IT, including network security, for more than 10 years.

Are security certifications becoming more important or less so in the current market?
Greg Owen: It’s becoming more important. The larger the company, the more reliant they are on the certification. The events of the last couple of years are starting to drive home to everybody the point that security is more important than it used to be. For a large company, it’s hard for them to make a shift like that. Human resources needs to have something they can look for to differentiate that “this is a candidate who can do what we want; this [one isn’t].” At one bank I’ve worked with, their security people almost universally hold the CISSP.

Can you get a security-related job with certification and no experience?
I think the security certification helps a lot, in the situation where someone’s been doing IT and has gotten certification and had to deal with corners of the security problems from time to time. That cert makes it more official that they do know this area. They’ve probably had to deal with it, probably had to help out. I think that for a person with no IT experience, to go out and get a cert is not as useful, but that’s not the case for the vast majority of people who are [pursuing security certification]. It can still be useful for someone without experience, but employers are looking for the combination of experience and testable proof.

Should you wait until you’ve been in security for some years before getting certs?
I think a year or two is useful, but the thing about security is it’s something people have to deal with all the time. Having a job on your resume that has to do with security [is helpful].

Do security certifications help if you want to become a security consultant?
I think so. Whenever a consulting firm or independent consultant comes in to bid for a job, the good ones will have a page on the back which has a quick bio of the people they’re proposing to send in on the job [and certifications show up well].
Consulting [for independent consultants] is as much a sales issue as anything else, and part of the sales issue is saying, “Yes, I know what I’m doing, and here’s what I have to prove it.” Certifications can be very helpful to prove that.

Will there be further areas of security certification specialization?
It depends on the size of the company. In larger companies, I’m definitely seeing a trend toward specialization, simply because they’re so big that one person can’t do all the jobs. Having said that, I don’t think being fully specialized is a helpful thing, especially in security. I think knowing a little bit about everything helps you do one thing better. Broad experience and broad understanding of the entire problem area makes dealing with specific areas easier.

Is there value in platform-specific certification, like Microsoft or Cisco?
There definitely is. With specific respect to security, I don’t know how much the Microsoft [security specialization] will help. It’s only recently that they’ve added the security specialization. I think the attitude is, “Why would you go to the vendor who shipped the broken software in the first place to tell you how to fix it?” There’s a certain amount of hesitancy there, but specific training is definitely valuable if you’re going to be working in that area. If you’re looking for a Windows network administrator, you definitely want them to have their MCSE. If you have a large Cisco infrastructure and you need that supported, you’re going to want Cisco certification.

What would you tell someone who wanted a security certification because it’s the “hot” field right now?
I wouldn’t recommend that somebody go into it if they haven’t had an interest in it, just because of that [i.e., it’s popular at the moment]. Like any profession, if you’re just going into it for the money, if you’re not truly interested in the challenges, it will show to employers. They’ll see that. If you don’t enjoy doing that kind of work, if you don’t enjoy walking that walk, I’m not sure I’d recommend it.
— Keith Ward

Salary Data for IT Security Professionals
“The true source of long-run wealth is for us to specialize in what we are best at,” writes Brad DeLong, economics professor at U.C. Berkeley. He may have been explaining 19th century economist David Ricardo’s principle of “comparative advantage” in simpler terms, but DeLong’s explanation has application with IT careers.
Becoming a specialist can be one way to make some personal improvements in your career and sustain your good fortune in these shaky times. Several current surveys of IT salaries among those who specialize in security skills show modest gains against contemporaries who don’t indicate a specialty.
Take Salary.com, which offers basic ongoing reporting of salaries within the U.S., compiling data from thousands of human resources departments. Based on its report for Nov. 11, median average salary for network administrators across the U.S. was $54,458. Compare that to security administrators, whose median was $62,074, a 12 percent increase.
ComputerWorld’s 2003 compensation survey backs up Salary.com’s data with a more pronounced increase. Network administrators earned $51,265 on average, while IS security specialists said they earned $70,780. Specialization here may account for a 26 percent increase.
Salaries qualified by certification show increases that are just as remarkable. The Microsoft Certified Professional Magazine 2003 Salary Survey (MCP Magazine and CertCities.com are both 101communications LLC companies) reports that the average base salary for MCPs was $61,700. Respondents who held additional security-based certifications like Microsoft’s own ISA Server or CISSP, as well as the MCP, made at least $4,000 more, and in some cases $30,000 more (see Table 1).

Table 1. Comparing salaries of MCPs and those holding security-specific certifications.

Title                                                                  Salary
MCP*                                                                   $61,700
ISA Server                                                             $65,100
(ISC)2 Systems Security Certified Practitioner                         $77,500
Check Point Certified Security Expert                                  $78,500
(ISC)2: Certified Information System Security Professional (CISSP)     $78,800
Cisco Certified Security Professional                                  $93,500

* Average base salary of all MCPs; all other figures come from Chart 8, “Salary by Other Certifications,” from the 2003 MCP Magazine Salary Survey. More at http://mcpmag.com.

While specializing may seem to be the next logical step, salary numbers like those shown on these reports aren’t guaranteed. Remember that salary surveys only provide a snapshot of salaries among the employed as those surveys were conducted. Obtaining a security specialty only means your breadth of expertise may give you an advantage over peers. Whether that translates to additional compensation is up to your employer and your powers of persuasion over the one who signs your check.
Looking into 2004, it’s tough to know how valuable the security focus in your portfolio will continue to be. What’s hot today can grow cold tomorrow in IT. We’d advise you to stay in touch with published information on compensation; but remember, those numbers can’t pinpoint what a particular individual should earn. Variables such as geographic location, years of experience, type and size of organization and negotiating skills come into play in any given scenario.
To find detailed salary survey information, check out these links:
• Salary.com: (http://www.salary.com) Get daily salary reports just by clicking on the simple criteria. Data changes because Salary.com gathers it on a continual basis.
• ComputerWorld 2003 Salary Survey: (http://www.computerworld.com/careertopics/careers/story/0,10801,86413,00.html). Published in October 2003, data comes from more than 19,000 responses.
• Microsoft Certified Professional Magazine 2003 Salary Survey: (http://mcpmag.com/salarysurveys/) MCP Magazine is known for its yearly survey of certified professionals working with Microsoft products. Data collected from more than 6,000 respondents.
• Janco Associates: (http://www.psrinc.com/salary.htm) This technical outsourcing firm gathers compensation data from more than 400 mid- and large-sized companies twice a year. The most recent report was published in June.
• Foote Partners LLC: (http://www.footepartners.com/salaryresearch.htm) Collects salary data from 35,000 IT workers on a quarterly basis. Reports are costly, but the sample versions have a significant amount of data.
More links to salary surveys can be found on CertCities.com at http://certcities.com/editorial/salary_surveys/.
—Michael Domingo

About Those U.S. Government Security Clearances
You’ve found a job whose description fits you perfectly except for one small matter: It requires a security clearance and you don’t have one. As with many things in life, getting this particular position would be a long shot for you, but that doesn’t mean you shouldn’t try anyway.
The fact is that security clearance is something you can’t obtain for yourself. Your current or prospective employer has to set the wheels in motion to get it for you. Since the process is costly and time-consuming, organizations won’t do it unless it’s absolutely essential. Let’s review the basics.
You typically need a security clearance when you hold a sensitive position within the federal government or when you work for a government contractor or some other organization that has access to classified information or deals with other restricted information relating to national security. Clearances come in many different flavors, primarily confidential, secret, top secret, and sensitive compartmented information (SCI).
Once a person has been offered a position that requires a clearance, the employer opens up a request with the Office of Personnel Management through a federal security officer. The OPM gives the candidate undergoing the clearance check access to an online system called e-Qip, or Electronic Questionnaire for Investigations Processing, a digital version of Standard Form 86 (http://www.usaid.gov/procurement_bus_opp/procurement/forms/SF-86/sf-86.pdf).
SF 86 is a 13-page document that asks you to list your vitals—name, social security number, place of birth, etc.—and then drills down on your personal history going back at least seven years. You’re expected to list where you’ve lived for the last seven years, where you went to school, your employment activities—including titles, supervisor names and supervisor addresses—people who know you well aside from spouses and relatives, relatives and associates (along with their dates of birth, country of birth and current address), your military history and foreign activities (including travel for business and pleasure), police records, medical records, financial records and delinquencies, use of illegal drugs and alcohol, and groups you associate with that espouse the violent overthrow of the government.
Sound comprehensive? The idea is to weed out those who aren’t (according to SF 86) “reliable, trustworthy, of good conduct and character, and loyal to the United States.” The same form also warns that your current employer will be contacted and questioned, whether you want them to be or not.
Your form and your fingerprints go to the Federal Investigations Processing Center, which calls on investigators—both federal employees and contract—to start confirming what you’ve said on the form. During this phase of the process, investigators review available records (including your presence on the Internet), check with the police, run a credit check on you and talk to people who know you—those you’ve listed on the form as well as people in a position to observe you, such as neighbors. Plus, you’ll be interviewed yourself.
All the data that’s collected ends up in a single file, called “The Report of Investigation,” which is sent to the federal agency that asked for the investigation in the first place. At that point, it’s up to the federal security officer at the agency of hire to determine your eligibility to have a position with access to secure information. You may get the chance to explain or refute negative or unclear information during this “adjudication phase.” Then your clearance is either granted or denied.
If it’s granted, the fun doesn’t stop there. Depending on what level of clearance you have, you’ll have to undergo reinvestigation every five, 10 or 15 years. If you leave that position, the clearance is still active, but it may not be usable by your next employer—depending on what type of security clearance the new job requires. Let enough time pass and the clearance will have no merit at all.
The whole process of obtaining a clearance can take many months—sometimes longer than a year—and cost several thousands (even tens of thousands) of dollars. The more sensitive the job, the deeper—and the costlier and more time-consuming—the investigation. You can’t speed up the effort, nor can you offer to pay the cost. That’s why so many jobs listing security clearance as a requirement are anxious to find candidates who already possess a clearance of the right type—the project may be over by the time somebody new to the process obtains his or her clearance. If you’ve noticed the propensity of government contractors to intensely recruit ex-military people for open positions, it’s because vets frequently come with the security clearance that’s needed as part of their portfolio.
If you don’t already have a security clearance but there’s a particular organization you’re determined to work for, your best approach is to obtain employment that doesn’t require the clearance with the agency or firm. Then put in your time and make it clear to your manager that should the right opportunity present itself, you’d be willing to undergo the investigation. But temper your enthusiasm: Too much eagerness to undergo this in-depth exploration into your personal and professional life might be viewed as suspicious behavior.
— Dian Schaffhauser

15 Best Web Sites for Security

1. Microsoft TechNet IT Pro Security Zone
http://www.microsoft.com/technet/security/community/default.mspx
The IT Pro Security Zone is Microsoft’s newest security portal. It’s your one-stop shop for Microsoft-related security newsgroups, latest patches, chats and special events, security articles, FAQs and lots more.

2. CERT Coordination Center
http://www.cert.org/
The Computer Emergency Response Team helps protect the Internet through various means. It constantly monitors public networks for attacks, and normally knows one is coming before it hits. A treasure trove of great information.

3. NTBugtraq
http://www.ntbugtraq.com
Everyone in the security community knows Russ Cooper, TruSecure’s Surgeon General. This is his Web site, which offers one of the most active security newsgroups on the Net.

4. InfoSec Reading Room
http://www.sans.org/rr/
SANS is well-known for its security training. Its InfoSec Reading Room has more than 1,200 security white papers in 70 different categories. All the major platforms are covered, including mainframes, Unix, Linux, Mac/Apple and Windows.

5. WildList Organization International
http://www.wildlist.org/
The best source of information on what viruses are currently out there “in the wild.” Serious security people check this list constantly.

6. LinuxSecurity.com
http://linuxsecurity.com
This is an excellent site for Linux security administrators. Contains Linux security-specific news, advisories, tools and research.

7. Windows 2000 Security Operations Guide
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8
This guide is a must-have document for anyone with Windows 2000 servers on their network. Following the step-by-step instructions can drastically reduce successful attacks on your network.

8. Common Criteria
http://www.commoncriteria.org/
Common Criteria provides a set of standards for information security. Products are submitted to CC for testing and then given a rating based on their overall level of security. The higher the number, the better.

9. InfoSec News
http://www.infosecnews.com/
One of the few sites that specializes in computer security news. It’s updated daily and contains a broad range of content.

10. SecurityStats.com
http://www.securitystats.com/
Want to follow the legal trials and tribulations of your favorite hackers? Find out how much the MS Blaster Worm cost companies? Keep up on Web defacements? Security Stats is the place to do that and get lots of other good security information.

11. Hacker Wacker
http://www.hackerwhacker.com/
One of the best features of this security-packed Web site is the ability to do free remote security scans of your network and firewall. See what the hackers are seeing.

12. InfoSysSec
http://www.infosyssec.org/
Like many of the sites listed here, this one offers a wealth of security-related information. However, this site also lists the Top 10 IP addresses from which Internet attacks are being launched and the Top 10 ports that are being attacked.

13. HIPAA.org
http://www.hipaa.org/
Are you unsure of how the Health Insurance Portability and Accountability Act (HIPAA) works? If you’re a security consultant, you should know, since there’s a lot of money to be made by ensuring HIPAA compliance. This site is a good starting point.

14. CSRC NIST PKI Program
http://csrc.nist.gov/pki/
Thinking about instituting a Public Key Infrastructure? If so, this site from the National Institute of Standards and Technology is the best place to begin your research.

15. 2600
http://www.2600.com/
Why is the most famous hacker Web site of all on this list? Because to fight hackers, it’s important to understand their mindset.
— Keith Ward

5 Must-Read Security Newsletters

1. TechNet Flash
http://www.microsoft.com/technet/subscriptions/current/suboserv.asp
TechNet Flash is Microsoft’s bi-weekly newsletter covering all things TechNet. Of course, one of its main purposes is to alert you of the newest security vulnerabilities, patches, hotfixes and procedures for securing your network.

2. Security Watch
http://lists.101com.com/nl/main.asp?NL=mcpmag
Security Watch, published by the same folks who produce Microsoft Certified Professional Magazine, provides lots of original content (something often difficult to find in newsletters). Included in each issue is a commentary by Windows security expert Roberta Bragg and a roundup of top security stories by ENTMag.com editor Scott Bekker. If you have security responsibilities on a Windows network, this newsletter is a must-read.

3. Crypto-Gram
http://www.counterpane.com/crypto-gram.html
Crypto-Gram is a free monthly newsletter from Bruce Schneier, the field’s foremost expert in cryptography. Schneier comments on a host of security topics, covering a broad range of issues. He’s never at a loss for a strong opinion on any security-related topic.

4. SANS Critical Vulnerability Analysis Report
http://www.sans.org/newsletters/cva
The SANS Critical Vulnerability Analysis Report is a weekly bulletin of top vulnerabilities. SANS, a security training company, lists the risk levels with each vulnerability, potential damage of each and links to learn more about them.

5. Asian School of Cyber Laws
http://www.asianlaws.org/infosec/newsletter/index.htm
The first reaction to the “Asian School of Cyber Laws” is usually, “What the heck is that?” It’s a public organization based in India that, among other activities, publishes a bi-weekly security newsletter that’s mostly news, but also has sprinklings of opinion scattered throughout. Solid coverage of security news throughout the world, not just the United States.
— Keith Ward

Note: Only free newsletters were considered for this list. Most of us have enough things to pay for without shelling out for electronic newsletters.

5 Web Picks for Security Certification

1. CCCure.org
http://www.cccure.org
This top-notch site for CISSP candidates is packed with useful preparation tools, including exam reviews, news, research and an expansive collection of practice questions. A similar site worthy of prospective CISSP candidates can be found at http://www.cissps.com/.

2. Rtek2000 Security Links
http://www.rtek2000.com/Tech/InternetSecureLinks.html
This page from training company Rtek2000 hosts one of the most comprehensive security link collections available, covering just about every baseline topic tested on security certification exams (and then some). The perfect place to begin your online studies.

3. CertCities.com Security Exam Reviews
http://www.certcities.com/certs/security/exams/
Go here to read CertCities.com’s collection of security-related exam reviews, including Microsoft’s 70-214, CompTIA’s Security+ and (ISC)2’s CISSP.

4. Certification-Crazy’s Security+ Resources
http://www.certification-crazy.net/security+.htm
Scroll down to view a nice list of online Security+ resources from a fellow candidate.

5. GetCertified4Less.com
http://www.getcertified4less.com/testvoucher.asp
Offers discounted vouchers for Microsoft, Cisco, Check Point and CompTIA exams.
— Becky Nagel

THE ANTI-SPAM SUMMIT
MARCH 17-19, 2004
THE PALACE SAN FRANCISCO, CA

You know what e-mail abuse costs your business. You’ve tried to stop it. Now attend the only industry summit focused solely on the technical and business issues surrounding spam.

COME LEARN ABOUT:
• The best-of-breed tool overviews
• The latest technologies
• Case studies straight from your peers
• Legislation and regulation
• What the major ISPs are doing

WHAT THE SUMMIT OFFERS:
• A technical track will focus on tools and technical solutions for systems administrators, network managers, analysts, IT managers and administrators – anyone fighting spam in the trenches.
• A business track will focus on legislation, regulation, costs, and other business issues for IT managers, vice presidents, technical developers, and chief privacy officers, chief security officers, and other C-level executives.

PRESENTERS:
Hear from top names fighting the spam problem today: Experts from AOL, Yahoo, Microsoft, the FTC, California's Office of Privacy Protection, and many more.
• Ryan Hamlin, General Manager, Microsoft’s Anti-Spam Technology and Strategy Group
• Jon Praed, Founding Partner, Internet Law Group

Sponsored by 101communications and Microsoft Certified Professional Magazine

REGISTER TODAY! WWW.101TECHSTRATEGIES.COM
Security Bookshelf
Popular print resources for security technology and certification.

.NET Framework Security
Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price
Addison-Wesley, 067232184X, April 24, 2002, $57.99

Anti-Hacker Tool Kit
Keith J. Jones, Mike Shema, Bradley C. Johnson
McGraw-Hill Osborne Media, 0072222824, June 25, 2002, $59.99

The Art of Deception: Controlling the Human Element of Security
Kevin D. Mitnick, William L. Simon
Hungry Minds, 076454280X, October 2003, $16.95

Authentication: From Passwords to Public Keys
Richard E. Smith
Addison-Wesley, 0201615991, October 1, 2001, $44.99

Beyond Fear: Thinking Sensibly About Security in an Uncertain World
Bruce Schneier
Copernicus Books, 0387026207, September 2003, $25

Building Secure Software: How to Avoid Security Problems the Right Way
John Viega, Gary McGraw
Addison-Wesley, 020172152X, September 24, 2001, $54.99

Building an Information Security Awareness Program
Mark B. Desman
Auerbach, 0849301165, October 30, 2001, $49.95

Building Internet Firewalls (2nd Edition)
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
O’Reilly & Associates, 1565928717, January 15, 2000, $49.95

The CERT Guide to System and Network Security Practices
Julia H. Allen
Addison-Wesley, 020173723X, June 7, 2001, $39.99

Computer Forensics: Incident Response Essentials
Warren G. Kruse II, Jay G. Heiser
Addison-Wesley, 0201707195, September 26, 2001, $44.99

Computer Security Incident Handling: Step-by-Step (Version 2.3.1)
Stephen Northcutt
SANS Institute, 0972427376, March 2003, $29.99

Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses
Ed Skoudis
Prentice Hall PTR, 0130332739, July 23, 2001, $49.99

Computer Security Handbook
Seymour Bosworth and Michel E. Kabay, Editors
John Wiley & Sons, 0471412589, April 2002, $80

Designing Security Architecture Solutions
Jay Ramachandran
John Wiley & Sons, 0471206024, March 1, 2002, $55

The E-Policy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies
Nancy L. Flynn
AMACOM, 0814470912, November 2000, $19.95

The Effective Incident Response Team
Julie Lucas, Brian Moeller
Addison-Wesley, 0201761750, September 26, 2003, $39.99

Firewall Architecture for the Enterprise
Norbert Pohlmann, Tim Crothers
John Wiley & Sons, 076454926X, July 8, 2002, $49.99

Firewalls: The Complete Reference
Keith Strassberg, Gary Rollie, Richard Gondek
McGraw-Hill Osborne Media, 0072195673, May 28, 2002, $59.99

Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition
William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
Addison-Wesley, 020163466X, February 24, 2003, $49.99

The Hack Counter-Hack Training Course: A Desktop Seminar
Edward Skoudis
Prentice Hall PTR, 013047729X, June 14, 2002, $69.99

Hacker’s Challenge 2: Test Your Network Security & Forensic Skills
Mike Schiffman, Bill Pennington, David Pollino, Adam J. O’Donnell
McGraw-Hill Osborne Media, 0072226307, December 18, 2002, $39.99

Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition
Stuart McClure, Joel Scambray, George Kurtz
McGraw-Hill Osborne Media, 0072227427, February 25, 2003, $49.99

Hacking Exposed Web Applications
Joel Scambray, Mike Shema
McGraw-Hill Osborne Media, 007222438X, June 19, 2002, $49.99

Hacking Exposed Windows 2000
Joel Scambray, Stuart McClure
0072192623, August 29, 2001, $49.99

Hacking Exposed Windows Server 2003
Joel Scambray, Stuart McClure
McGraw-Hill Osborne Media, 0072230614, October 27, 2003, $49.99

Hacking Linux Exposed
Brian Hatch, James B. Lee, George Kurtz
0072127732, March 27, 2001, $39.99

HackNotes Web Security Pocket Reference
Mike Shema
McGraw-Hill Osborne Media, 0072227842, June 30, 2003, $29.99

Honeypots: Tracking Hackers
Lance Spitzner
Addison-Wesley, 0321108957, September 10, 2002, $44.99

Incident Response: Investigating Computer Crime
Chris Prosise, Kevin Mandia
McGraw-Hill Osborne Media, 0072131829, June 21, 2001, $39.99

Information Security Architecture, Second Edition
Jan Killmeyer Tudor
CRC Press, 0849315492, June 28, 2003, $79.95

Information Security Architecture: An Integrated Approach to Security in the Organization
Jan Killmeyer Tudor
CRC Press, 0849399882, September 25, 2000, $69.95

Information Security Management Handbook, Fourth Edition, Volume 4
Micki Krause and Harold F. Tipton, Editors
Auerbach, 0849315182, November 26, 2002, $69.95

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
Thomas R. Peltier
CRC Press, 0849311373, December 20, 2001, $69.95

Information Security Policy Manual
Edmond D. Jones
Rothstein Associates, 1931332096, February 23, 2001, $89

Information Security Risk Analysis
Thomas R. Peltier
Auerbach, 0849308801, January 23, 2001, $69.95

The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program
Gerald L. Kovacich
Butterworth-Heinemann, 0750698969, May 1998, $41.95

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
Que, 0735712328, June 28, 2002, $49.99

Intrusion Detection with Snort
Jack Koziol
SAMS, 157870281X, May 20, 2003, $45

Intrusion Signatures and Analysis
Mark Cooper, Stephen Northcutt, Matt Fearnow, Karen Frederick
Que, 0735710635, January 29, 2001, $39.99

Kerberos: A Network Authentication System
Brian Tung
Addison-Wesley, 0201379244, May 4, 1999, $19.95

Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community
The Honeynet Project
Addison-Wesley, 0201746131, August 31, 2001, $39.99

Linux Security Cookbook
Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
O’Reilly & Associates, 0596003919, June 2003, $39.95

Linux Server Hacks
Rob Flickenger, Editor
O’Reilly & Associates, 0596004613, January 2003, $24.95

Malware: Fighting Malicious Code
Ed Skoudis, Lenny Zeltser
Prentice Hall PTR, 0131014056, November 9, 2003, $44.99

Managing A Network Vulnerability Assessment
Justin Peltier, John A. Blackley, Thomas R. Peltier
Auerbach, 0849312701, May 30, 2003, $59.95

Network Intrusion Detection, Third Edition
Stephen Northcutt, Judy Novak
Que, 0735712654, August 27, 2002, $49.99

Network Security: Private Communication in a Public World
Charlie Kaufman, Radia Perlman, Mike Speciner
Prentice Hall PTR, 0130460192, April 15, 2002, $54.99

PKI: Implementing & Managing E-Security
Andrew Nash, Bill Duane, Derek Brink, Celia Joseph
McGraw-Hill Osborne Media, 0072131233, March 27, 2001, $49.99

Practical Unix & Internet Security, 3rd Edition
Simson Garfinkel, Gene Spafford, Alan Schwartz
O’Reilly & Associates, 0596003234, February 2003, $54.95

Real World Linux Security: Intrusion Prevention, Detection and Recovery
Bob Toxen
Prentice Hall PTR, 0130281875, November 2000, $44.99

Secrets and Lies: Digital Security in a Networked World
Bruce Schneier
John Wiley & Sons, 0471453803, January 2004, $17.95

Security Architecture: Design, Deployment and Operations
Christopher King, Ertem Osmanoglu (Editor), Curtis Dalton (Editor)
McGraw-Hill Osborne Media, 0072133856, July 30, 2001, $49.99

The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, Riley Hassell
John Wiley & Sons, 0764544683, March 2004, $50

Snort 2.0 Intrusion Detection
Brian Caswell, Jay Beale, James C. Foster (Editor), Jeremy Faircloth (Editor)
McGraw-Hill Osborne Media, 0072226307, December 18, 2002, $39.99

Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle
Erik Pace Birkholz, Stuart McClure
Syngress, 1931836698, February 17, 2003, $69.95

Stealing the Network: How to Own the Box
Ryan Russell, Ido Dubrawsky, FX
Syngress, 1931836876, June 2003, $49.95

SQL Server Security
Chip Andrews, David Litchfield, Bill Grindlay
McGraw-Hill Osborne Media, 0072225157, August 27, 2003, $49.99

SQL Server Security Distilled
Morris Lewis
APress, 1590591925, July 1, 2003, $39.99

Web Hacking: Attacks and Defense
Stuart McClure, Saumil Shah, Shreeraj Shah
Addison-Wesley, 0201761769, August 8, 2002, $49.99

Writing Information Security Policies
Scott Barman
Que, 157870264X, November 9, 2001, $34.99

Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press, 0735615888, December 15, 2001, $39.99

—Michael Domingo

Advertiser Index
Global Knowledge, www.globalknowledge.com. Global Knowledge is a worldwide leader in IT education and offers over 31 hands-on security training courses.

Intense School, www.intenseschool.com. The Security Training Experts. 2003 Award Winners.

LearnKey, Inc., www.learnkey.com/mcpsecurity. Free Security Training CD. Sec+, CISSP, SECUR. Hurry 50 only!

Page 30 • Security Certification 2003 Resource Guide
