Security Certification Resource Guide: IT Influencer Series
IT Influencer Series: Security Certification Resource Guide 2003
Essential information on security certifications for IT professionals and managers.
All content was written and/or developed by Keith Ward, senior editor, Microsoft Certified Professional Magazine;
Becky Nagel, editor, CertCities.com; Michael Domingo, editor, MCPmag.com and Dian Schaffhauser, editorial director,
Microsoft Certified Professional Magazine.
Page 3 • Security Certification 2003 Resource Guide
(c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com
certification profiles

Experience Counts
It takes more than just knowledge to earn (ISC)2’s CISSP and SSCP titles.

The International Information Systems Security Certification Consortium, (ISC)2, formed in 1989 to create an industry standard for information security best practices. Since that time, the organization has released several vendor-neutral certifications that combine testing candidates’ knowledge of these practices along with experience, ethical and ongoing education requirements.

The organization’s flagship title, the Certified Information Systems Security Professional (CISSP), focuses on 10 common bodies of knowledge (CBKs) based on the above-mentioned standards:
• Access Control Systems & Methodology
• Applications & Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation & Ethics
• Operations Security
• Physical Security
• Security Architecture & Models
• Security Management Practices
• Telecommunications, Network & Internet Security

The resulting exam is a six-hour, 250-question affair, for which most candidates study months to prepare. Because of the broad depth of knowledge covered on the exam, most students prefer not to go it alone, joining study groups or attending instructor-led training courses.

However, simply passing the exam won’t earn you the CISSP. (ISC)2 cites its mission to create a “gold standard” certification as the reason it requires all candidates to have at least four years of “direct full-time security professional work experience” in one or more of the test domains listed above. A college degree can substitute for one year. This experience must be documented by an independent third party and submitted to the (ISC)2 for audit, along with a signed document stating that the candidate will subscribe to the organization’s code of ethics. Only then will the title of CISSP be granted. But that’s not the end of it—all CISSPs must complete 120 units of continuing education per year to keep their title active.

If you don’t quite have four years of direct work experience, you may want to attempt the organization’s Systems Security Certified Practitioner (SSCP) title. This three-hour, 125-question exam focuses on seven of the above domains and requires only one year of direct work experience. Like the CISSP, you must subscribe to the organization’s code of ethics and earn continuing education units to maintain the title.

If you don’t have enough experience to earn either title but you still want to take the above exams, you can become an Associate of (ISC)2. This new program from the organization allows candidates without the required experience to take the exams and then earn the certifications once they obtain the needed experience.

If you’re already a CISSP and want to distinguish yourself further, the organization recently announced several “concentrations” that candidates can add on to their CISSP: CISSP Management and CISSP Architecture. There’s also the Information System Security Engineering Professional (ISSEP), a concentration formed in conjunction with the United States National Security Agency that focuses on the information security needs of federal government employees.

Note that because the organization’s exams are paper-based, candidates must sign up through (ISC)2 and travel to an official testing location. Prices for the organization’s exams currently range from $350 to $550, but will rise as much as $100 beginning January 1, 2004.

More information on all of the above titles can be found on (ISC)2’s Web site at http://www.isc2.org.
— Becky Nagel

(ISC)2
Vendor: The International Information Systems Security Certification Consortium (ISC)2
Certifications: CISSP, SSCP, related concentrations
Certification Type/Focus: Vendor-neutral titles focusing on best practices for information security professionals. Candidates must meet experience requirements and sign an ethics pledge.
Exam Prices: $350 to $550 (U.S.)
Training Required?: No
Testing Centers: Available only through vendor
More information: http://www.isc2.org
A Practical Approach
The SANS Institute’s GIAC certifications combine testing with practical assignments.

Like (ISC)2, the SANS Institute’s Global Information Assurance Certification (GIAC) takes a vendor-neutral approach. However, this organization’s titles focus on the practical more than the theoretical, testing candidates’ skills in a wide variety of areas through online or in-person testing as well as practical assignments.
certification profiles
Locking Windows
Microsoft debuts MCSA: Security and MCSE: Security specializations.

If you’re a Microsoft networking professional, you no longer need to seek titles from outside vendors to certify your Windows security expertise. That’s because in June Microsoft announced new security specializations for its Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) titles.
“We put together these certification specializations to allow IT professionals a way to demonstrate a specific technical focus in the area of security within their job roles,” David Lowe, product manager for security with Microsoft’s Training and Certification group, said in an interview with MCP Magazine when the exams debuted. “The new specializations are directly analogous to the existing base credentials, but with a ‘prescribed path’ of specialization exams rather than electives.”

And that’s the key to these specializations: To become an MCSE: Security or MCSA: Security, you don’t have to take any more exams than would be required to earn the standard MCSA or MCSE. It’s determined by which exams you take.

For MCSA: Security 2000, your elective exams must include:
• 70-214: Implementing and Administering Security in a Microsoft Windows 2000 Network
• 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’s Security+

For MCSE: Security 2000, you must also take the elective:
• 70-220: Designing Security for a Microsoft Windows 2000 Network

For MCSA: Security 2003, you must take the following electives:
• 70-299: Implementing and Administering Security in a Microsoft Windows Server 2003 Network
• 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’s Security+

MCSE: Security 2003 requires the above plus:
• 70-298: Designing Security for a Microsoft Windows Server 2003 Network

If you’ve already earned your MCSA or MCSE, you can simply take any additional exams required to add the desired specialization.

Lowe explained that Microsoft created the specializations because, “We recognize that in IT job roles, like systems administrator and systems engineer, there are a number of individuals who have a very specific concentration on a particular area and, obviously, in an important area as security. So that’s what these specializations will allow individuals to demonstrate; they’ll get to highlight their focus on platform-specific security and design skills.”

Microsoft exams consist of standard, multiple-choice questions as well as more in-depth scenario-based questions. The company doesn’t place training or experience requirements on its certifications, but hands-on experience with the products is highly recommended. Microsoft exams cost $125 (U.S.) and are available worldwide through Pearson Vue and Prometric testing centers.

More information on these certifications can be found at http://www.microsoft.com/mcp.
— Becky Nagel

Microsoft
Vendor: Microsoft Corp.
Certification: MCSE: Security, MCSA: Security
Certification Type/Focus: Windows-specific specializations that show a candidate’s security focus within the company’s MCSA and MCSE titles.
Exam Price: $125 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue and Prometric
More information: http://www.microsoft.com/mcp
certification profiles
Security for the Masses
CompTIA’s Security+ aims to bring baseline security knowledge to all IT professionals.

Security+ is a one-exam certification covering a wide range of top-level security knowledge. Topics covered on this exam include:
• Communication security
• Infrastructure security
• Cryptography
• Access control
• Authentication
• External attacks
• Operational security

The exam itself consists of 100 questions with a 90-minute time limit. The minimum passing score is 764, graded on a scale of 100 to 900. One focus of the exam is terminology, making sure candidates understand the many threats out there. Candidates are also tested on the best ways to tackle those threats. CompTIA recommends that all candidates have at least two years of general networking experience before taking the exam, but the experience level isn’t required.

Many CompTIA corporate members, such as Microsoft, IBM and Sun, helped create the title, participating in development meetings and deciding the certification’s focus. As such, several certification programs either recommend Security+ as a prerequisite for their titles or allow it as an alternative requirement. For example, Security+ counts as an elective toward MCSE 2000 as well as its new MCSA: Security and MCSE: Security specializations.

These tie-ins may be one reason this title has resonated so well with the IT community. Even before its official release, Security+ landed at #2 on CertCities.com’s list of Top 10 IT Certifications for 2003. And according to Gene Salois, CompTIA’s vice president of certification, Security+ is the organization’s fastest-growing title ever.

The Security+ exam costs $225 (U.S.), with a discount given to employees of corporate members. The certification is good for life, so there are no extra costs associated with renewing the title.

More information about Security+ can be found at http://www.comptia.org/certification/security/default.asp.
— Becky Nagel

CompTIA
Vendor: Computing Technology Industry Association
Certification: Security+
Certification Type/Focus: Vendor-neutral security title that focuses on baseline security knowledge and skills.
Exam Price: $225 (U.S.)
Training Required?: No
Testing Centers: Pearson Vue and Prometric
More information: http://www.comptia.org/certification/security/default.asp
certification profiles
Wireless Pro
Certify your wireless security expertise with Planet3’s CWSP.

There are plenty of security issues surrounding wireless networking. The Certified Wireless Networking Program (CWNP) from Planet3 Wireless is a certification option that allows wireless professionals to test their security knowledge and skills.

According to Planet3, CWNP’s Certified Wireless Security Professional (CWSP) title is vendor-neutral, focusing on 802.11 wireless technology rather than specific vendors’ products. As the second tier of the program’s four levels of certification, candidates must first obtain the program’s Certified Wireless Networking Associate (CWSA) before pursuing the CWSP. According to Planet3 Wireless, the CWSP exam focuses on three areas:
• Wireless LAN intrusion
• Wireless LAN security policy
• Wireless LAN security solutions

The exam itself is a standard-format, multiple-choice test with 60 questions. It’s available through Prometric testing centers worldwide for $175, although candidates must purchase the exam voucher directly from Planet3.

For more information on this certification, visit http://www.cwne.com.
—Becky Nagel

CWNP
Vendor: Planet3 Wireless
Certification: CWSP
Certification Type/Focus: Vendor-neutral wireless security title.
Exam Price: $175 (U.S.)
Training Required?: No
Testing Center: Prometric
More information: http://www.cwne.com
Blueprint for a Career in Security
By Roberta Bragg
You’ll meet people who already work in the field, gain some security knowledge, and maybe make a few useful contacts. Check out the sites listed below and the conferences and seminars they offer. They represent many different sides of the security game. Just don’t assume you’ll see all security careers represented at any one event, or that you’ll be accepted with open arms when you say the words “Microsoft” and “security.”
• http://www.rsasecurity.com
• http://www.sans.org
• http://www.gocsi.com/annual/index.html
• http://www.blackhat.com
• http://www.defcon.org
• http://www.issa.org
• http://www.misti.com

Step Two: Get Naked
Second, take a long look at yourself. Carefully review your background, successes and failures, dreams and reality. As they say in the weight-loss biz, stand in front of the mirror naked and take a good, long look. A clear understanding of your abilities, aptitudes and experience is the starting point. Having a clear goal will help you identify the path to take. Does something in your background fit your idea of this long-term goal? If your experience lies in networking or systems administration, you have a good foundation to build upon. Writing solid code and understanding good coding practices is paramount to many security careers. If you don’t have either of these skill sets, why are you reading this article? Seriously, while many security jobs don’t require you to code or to configure systems, they do require you to have knowledge in these areas. Get some. If you’re struggling in IT because of a lack of ability to do a job for which you were trained, what makes you believe that you can enter the security arena without any experience or education at all?

Now the good news—maybe: If you stop and think about it, much of what you do in IT is security-related. Most systems administrators spend a fair amount of time granting or preventing resource access. Security is, in large part, about exercising controls in order to protect resources. If, however, you get your chuckles from making complex systems work, or writing elegant code, or getting the best performance or throughput, or the most “bang for the buck,” then security may not be a wise choice for you. On the other hand, if you feel that someone’s always looking over your shoulder; if you have multiple online personalities; change out your hard drive when you go online; subscribe to multiple security newsletters (and actually read and follow their advice); have been to Defcon or a CSI conference; downloaded all the NSA guidelines; know who Stephen Northcutt, Bruce Schneier, Mudge and cDc are; purchased the SANS checklists; and have www.microsoft.com/security as your default home page, you probably have the necessary makeup for the security field.

Step Three: Get Trained
Now that you know where you are and what you want to do, determine what you need to do to get there. Each security opportunity may require a different skill set, a different level of education. Where not long ago there were no “security degrees” and only a smattering of certifications, both formal education and a plethora of certification programs now exist. The opportunities for education have multiplied like hack attacks on a new IIS server.

Are formal education programs the way to go? Remember: Security as a career has gone through its first two phases. In the first one, a need evolved as the natural result of the mainframe culture. Many people got trained on the job, some were trained by the military, and others were gifted with deep talent and mathematical education. Few had formal training in computer security, per se. In the second phase, a large demand meant even inexperienced people could earn money peddling security advice, and many self-proclaimed hackers—the guys with the experience—were able to cut their hair and morph into security consultants.

Now we’re in stage three. There’s still a large demand, but buyers are more knowledgeable. To get hired, you need some proof of expertise. If you don’t have experience, do you have certification or education? Employers today are certification-shy, and bad experiences with paper MCSEs have contributed to this. Several very good education alternatives exist, and you should start at http://www.nsa.gov/isso/programs/nietp/newspg1.htm. Among the offerings on the National INFOSEC Education & Training Program Web site are the 50 universities designated “Centers of Excellence in Information Assurance Education” by the National Security Agency. Take a look at these programs. You’ll find that not one of them is a short-term answer to your goals. Most are traditional four-year undergraduate programs, or master’s and doctorate programs. Some of the more well-known of these schools include:
• Carnegie Mellon University (http://www.heinz.cmu.edu/infosecurity/), well-known as the host location for the Computer Emergency Response Team (CERT), as well as many fine programs that offer education in information security.
• George Mason University (http://www.isse.gmu.edu/~csis/index.html)
• James Madison University (http://www.infosec.jmu.edu/program/html/classroom.htm) offers a
Continued on next page
Guide to Security Job Titles
Does adding “security” to already-existing IT job titles mean a new job for you? In some cases, yes.
rity engineer title: Enterprise Security Engineer, Ethical Hacker, for a Fortune 500 company in Chicago. The company requires “ethical hacking skills,” which often means programming expertise with a strength in developing exploits.

Security Architect
Similar to security engineer in expertise, security architects are primarily responsible for establishing a framework for a comprehensive security strategy. The framework might involve drilling down to specific policies and procedures. Rarely is the security architect involved in implementation, unless providing hands-on support to a security team. Architects usually have a thorough understanding of network, application and database security. Security architects can be highly specialized, such as one Dice.com listing for a “single sign-on architect.” It’s a highly specialized security architect whose sole responsibility is to design a single sign-on standard, often done for disparate network systems that need to be wholly secure across architectures.

The security architect might be interchangeable with the security manager at some companies or may report to a security manager.

Security Consultant
Often someone whose breadth of experience encompasses security administrator to architect to director, security analysts or consultants often work in an outsource capacity to test and recommend security solutions or strategies. Security consultants and analysts should have extensive knowledge of network access, authentication, development of security policies and procedures and conducting vulnerability assessments. They may also be involved in security pre-sales engagements. The security analyst title may be interchangeable with the security consultant title.

One company on ITjobs.com posted a job for a “senior consultant, HIPAA security,” who would primarily play advisor and coordinator for pre-sales engagements to companies that required HIPAA compliance before forming partnerships.

Another listing called for a Security Analyst, Intrusion Detection/Forensics, a job whose defining characteristic was the ability to respond quickly to security incidents that can affect mission-critical production systems. Response had to be quick and thorough, particularly in assessing, documenting and offering solutions to thwart attacks. Another duty: That person would be tasked with developing new ways to harden systems.

Another job listing asked for a cyber security analyst. Based on the description, job duties matched up with a typical security consultant.

Security Monitoring/Compliance Officer
This person implements and supports information security to maintain compliance with applicable laws. He or she acts as a resource on matters relating to information security and will investigate and recommend secure solutions for implementing IS security policy and standards. In some companies, the security monitoring/compliance officer might report directly to an enterprise security director or chief security officer, perhaps even to the CIO or CEO.

A Dice.com job listing asked for a specialized business information security officer (BISO) who would be responsible for IS audits and advising other groups of security requirements for line of business applications and concoct compliance reports in terms of business risk. The BISO would report to the officers of various groups, such as engineering directors and data center managers.

Another job was listed as fraud investigator, a highly specialized skill that encompassed the same as a security monitoring/compliance officer, but also required some experience in legal evidence-gathering techniques.

Security Director
Security directors are often the line between staff and executive management, usually leaning over to the latter. Security directors, though, make rare appearances on job search engines, because the responsibilities can be an amalgamation of higher-level duties taken on by a team of security managers, engineers and administrators. If such a job listing appears, it’s rarely for a small company. Typical responsibilities for security directors include: overseeing and coordinating security policies for IT and company-wide for departments like engineering, operations, legal and so on; developing and standardizing the communication of security, privacy policies and disaster recovery initiatives, often in accordance with industry regulations; and developing or driving security awareness training. Security directors typically report to a chief information officer or chief security officer.

Chief Security Officer
At or near the top of a company hierarchy (CSO would report directly to the CTO or CEO), the chief security officer often dictates the companywide security mission or strategy. One high profile member of this elite corps is Howard Schmidt, previously the CSO for Microsoft, then pegged as cybersecurity advisor to the White House, and more recently vice president and chief information security officer for eBay. While it’s a mystery how CSOs differ from CIOs, many of the Fortune 500 companies like Microsoft and General Electric have them.

Consider these positions to be a rare breed, indeed.
—Michael Domingo
Q&A: Can Security Certifications Help Your Career?
We asked a security insider to share his honest take on exactly what security certifications can—and can’t—do for your job prospects.

Greg Owen is technical director for the Global Information Assurance Certification (GIAC), a vendor-neutral certification program sponsored by the SANS Institute. He holds three GIAC certifications:
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Windows Security Administrator (GCWN)
• GIAC Certified Forensic Analyst (GCFA)
Part of his duties with GIAC includes exam preparation. Owen also does network security consulting for a consulting company in Boston, Massachusetts. He’s been working in IT, including network security, for more than 10 years.

Are security certifications becoming more important or less so in the current market?
Greg Owen: It’s becoming more important. The larger the company, the more reliant they are on the certification. The events of the last couple of years are starting to drive home to everybody the point that security is more important than it used to be. For a large company, it’s hard for them to make a shift like that. Human resources needs to have something they can look for to differentiate that “this is a candidate who can do what we want; this [one isn’t].” At one bank I’ve worked with, their security people almost universally hold the CISSP.

Can you get a security-related job with certification and no experience?
I think the security certification helps a lot, in the situation where someone’s been doing IT and has gotten certification and had to deal with corners of the security problems from time to time. That cert makes it more official that they do know this area. They’ve probably had to deal with it, probably had to help out. I think that for a person with no IT experience, to go out and get a cert is not as useful, but that’s not the case for the vast majority of people who are [pursuing security certification]. It can still be useful for someone without experience, but employers are looking for the combination of experience and testable proof.

Should you wait until you’ve been in security for some years before getting certs?
I think a year or two is useful, but the thing about security is it’s something people have to deal with all the time. Having a job on your resume that has to do with security [is helpful].

Do security certifications help if you want to become a security consultant?
I think so. Whenever a consulting firm or independent consultant comes in to bid for a job, the good ones will have a page on the back which has a quick bio of the people they’re proposing to send in on the job [and certifications show up well].

Consulting [for independent consultants] is as much a sales issue as anything else, and part of the sales issue is saying, “Yes, I know what I’m doing, and here’s what I have to prove it.” Certifications can be very helpful to prove that.

Will there be further areas of security certification specialization?
It depends on the size of the company. In larger companies, I’m definitely seeing a trend toward specialization, simply because they’re so big that one person can’t do all the jobs. Having said that, I don’t think being fully specialized is a helpful thing, especially in security. I think knowing a little bit about everything helps you do one thing better. Broad experience and broad understanding of the entire problem area makes dealing with specific areas easier.

Is there value in platform-specific certification, like Microsoft or Cisco?
There definitely is. With specific respect to security, I don’t know how much the Microsoft [security specialization] will help. It’s only recently that they’ve added the security specialization. I think the attitude is, “Why would you go to the vendor who shipped the broken software in the first place to tell you how to fix it?” There’s a certain amount of hesitancy there, but specific training is definitely valuable if you’re going to be working in that area. If you’re looking for a Windows network administrator, you definitely want them to have their MCSE. If you have a large Cisco infrastructure and you need that supported, you’re going to want Cisco certification.

What would you tell someone who wanted a security certification because it’s the “hot” field right now?
I wouldn’t recommend that somebody go into it if they haven’t had an interest in it, just because of that [i.e., it’s popular at the moment]. Like any profession, if you’re just going into it for the money, if you’re not truly interested in the challenges, it will show to employers. They’ll see that. If you don’t enjoy doing that kind of work, if you don’t enjoy walking that walk, I’m not sure I’d recommend it.
— Keith Ward
Salary Data for IT Security Professionals

“The true source of long-run wealth is for us to specialize in what we are best at,” writes Brad DeLong, economics professor at U.C. Berkeley. He may have been explaining 19th century economist David Ricardo’s principle of “comparative advantage” in simpler terms, but DeLong’s explanation has application with IT careers.

Becoming a specialist can be one way to make some personal improvements in your career and sustain your good fortune in these shaky times. Several current surveys of IT salaries among those who specialize in security skills show modest gains against contemporaries who don’t indicate a specialty.

Take Salary.com, which offers basic ongoing reporting of salaries within the U.S., compiling data from thousands of human resources departments. Based on its report for Nov. 11, the median salary for network administrators across the U.S. was $54,458. Compare that to security administrators, whose median was $62,074, a 12 percent increase.

ComputerWorld’s 2003 compensation survey backs up Salary.com’s data with a more pronounced increase. Network administrators earned $51,265 on average, while IS security specialists said they earned $70,780. Specialization here may account for a 26 percent increase.

Salaries qualified by certification show increases that are just as remarkable. The Microsoft Certified Professional Magazine 2003 Salary Survey (MCP Magazine and CertCities.com are both 101communications LLC companies) reports that the average base salary for MCPs was $61,700. Respondents who held additional security-based certifications like Microsoft’s own ISA Server or CISSP, as well as the MCP, made at least $4,000 more, and in some cases $30,000 more (see Table 1).

Title                                                                    Salary
MCP*                                                                     $61,700
ISA Server                                                               $65,100
(ISC)2 Systems Security Certified Practitioner                           $77,500
Check Point Certified Security Expert                                    $78,500
(ISC)2: Certified Information System Security Professional (CISSP)       $78,800
Cisco Certified Security Professional                                    $93,500

Table 1. Comparing salaries of MCPs and those holding security-specific certifications. * Average base salary of all MCPs; all other figures come from Chart 8, “Salary by Other Certifications,” from the 2003 MCP Magazine Salary Survey. More at http://mcpmag.com.

While specializing may seem to be the next logical step, salary numbers like those shown on these reports aren’t guaranteed. Remember that salary surveys only provide a snapshot of salaries among the employed as those surveys were conducted. Obtaining a security specialty only means your breadth of expertise may give you an advantage over peers. Whether that translates to additional compensation is up to your employer and your powers of persuasion over the one who signs your check.

Looking into 2004, it’s tough to know how valuable the security focus in your portfolio will continue to be. What’s hot today can grow cold tomorrow in IT. We’d advise you to stay in touch with published information on compensation; but remember, those numbers can’t pinpoint what a particular individual should earn. Variables such as geographic location, years of experience, type and size of organization and negotiating skills come into play in any given scenario.

To find detailed salary survey information, check out these links:

• Salary.com: (http://www.salary.com) Get daily salary reports just by clicking on the simple criteria. Data changes because Salary.com gathers it on a continual basis.
• ComputerWorld 2003 Salary Survey: (http://www.computerworld.com/careertopics/careers/story/0,10801,86413,00.html). Published in October 2003, data comes from more than 19,000 responses.
• Microsoft Certified Professional Magazine 2003 Salary Survey: (http://mcpmag.com/salarysurveys/) MCP Magazine is known for its yearly survey of certified professionals working with Microsoft products. Data collected from more than 6,000 respondents.
• Janco Associates: (http://www.psrinc.com/salary.htm) This technical outsourcing firm gathers compensation data from more than 400 mid- and large-sized companies twice a year. The most recent report was published in June.
• Foote Partners LLC: (http://www.footepartners.com/salaryresearch.htm) Collects salary data from 35,000 IT workers on a quarterly basis. Reports are costly, but the sample versions have a significant amount of data.

More links to salary surveys can be found on CertCities.com at http://certcities.com/editorial/salary_surveys/.
—Michael Domingo
About Those U.S. Government Security Clearances

You’ve found a job whose description fits you perfectly except for one small matter: It requires a security clearance and you don’t have one. As with many things in life, getting this particular position would be a long shot for you, but that doesn’t mean you shouldn’t try anyway.

The fact is that a security clearance is something you can’t obtain for yourself. Your current or prospective employer has to set the wheels in motion to get it for you. Since the process is costly and time-consuming, organizations won’t do it unless it’s absolutely essential. Let’s review the basics.

You typically need a security clearance when you hold a sensitive position within the federal government or when you work for a government contractor or some other organization that has access to classified information or deals with other restricted information relating to national security. Clearances come in many different flavors, primarily confidential, secret, top secret, and sensitive compartmented information (SCI).

Once a person has been offered a position that requires a clearance, the employer opens up a request with the Office of Personnel Management through a federal security officer. The OPM gives the candidate undergoing the clearance check access to an online system called e-Qip, or Electronic Questionnaire for Investigations Processing, a digital version of Standard Form 86 (http://www.usaid.gov/procurement_bus_opp/procurement/forms/SF-86/sf-86.pdf).

SF 86 is a 13-page document that asks you to list your vitals—name, social security number, place of birth, etc.—and then drills down on your personal history going back at least seven years. You’re expected to list where you’ve lived for the last seven years, where you went to school, your employment activities—including titles, supervisor names and supervisor addresses—people who know you well aside from spouses and relatives, relatives and associates (along with their dates of birth, country of birth and current address), your military history and foreign activities (including travel for business and pleasure), police records, medical records, financial records and delinquencies, use of illegal drugs and alcohol, and groups you associate with that espouse the violent overthrow of the government.

Sound comprehensive? The idea is to weed out those who aren’t (according to SF 86) “reliable, trustworthy, of good conduct and character, and loyal to the United States.” The same form also warns that your current employer will be contacted and questioned, whether you want them to be or not.

Your form and your fingerprints go to the Federal Investigations Processing Center, which calls on investigators—both federal employees and contract—to start confirming what you’ve said on the form. During this phase of the process, investigators review available records (including your presence on the Internet), check with the police, run a credit check on you and talk to people who know you—those you’ve listed on the form as well as people in a position to observe you, such as neighbors. Plus, you’ll be interviewed yourself.

All the data that’s collected ends up in a single file, called “The Report of Investigation,” which is sent to the federal agency that asked for the investigation in the first place. At that point, it’s up to the federal security officer at the agency of hire to determine your eligibility to have a position with access to secure information. You may get the chance to explain or refute negative or unclear information during this “adjudication phase.” Then your clearance is either granted or denied.

If it’s granted, the fun doesn’t stop there. Depending on what level of clearance you have, you’ll have to undergo reinvestigation every five, 10 or 15 years. If you leave that position, the clearance is still active, but it may not be usable by your next employer—depending on what type of security clearance the new job requires. Let enough time pass and the clearance will have no merit at all.

The whole process of obtaining a clearance can take many months—sometimes longer than a year—and cost several thousands (even tens of thousands) of dollars. The more sensitive the job, the deeper—and the costlier and more time-consuming—the investigation. You can’t speed up the effort, nor can you offer to pay the cost. That’s why so many jobs listing security clearance as a requirement are anxious to find candidates who already possess a clearance of the right type—the project may be over by the time somebody new to the process obtains his or her clearance. If you’ve noticed the propensity of government contractors to intensely recruit ex-military people for open positions, it’s because vets frequently come with the security clearance that’s needed as part of their portfolio.

If you don’t already have a security clearance but there’s a particular organization you’re determined to work for, your best approach is to obtain employment that doesn’t require the clearance with the agency or firm. Then put in your time and make it clear to your manager that should the right opportunity present itself, you’d be willing to undergo the investigation. But temper your enthusiasm: Too much eagerness to undergo this in-depth exploration into your personal and professional life might be viewed as suspicious behavior.
— Dian Schaffhauser
15 Best Web Sites for Security
5 Must-Read Security Newsletters

1. TechNet Flash
http://www.microsoft.com/technet/subscriptions/current/suboserv.asp
TechNet Flash is Microsoft’s bi-weekly newsletter covering all things TechNet. Of course, one of its main purposes is to alert you to the newest security vulnerabilities, patches, hotfixes and procedures for securing your network.

2. Security Watch
http://lists.101com.com/nl/main.asp?NL=mcpmag
Security Watch, published by the same folks who produce Microsoft Certified Professional Magazine, provides lots of original content (something often difficult to find in newsletters). Included in each issue is a commentary by Windows security expert Roberta Bragg and a roundup of top security stories by ENTMag.com editor Scott Bekker. If you have security responsibilities on a Windows network, this newsletter is a must-read.

3. Crypto-Gram
http://www.counterpane.com/crypto-gram.html
Crypto-Gram is a free monthly newsletter from Bruce Schneier, the field’s foremost expert in cryptography. Schneier comments on a host of security topics, covering a broad range of issues. He’s never at a loss for a strong opinion on any security-related topic.

4. SANS Critical Vulnerability Analysis Report
http://www.sans.org/newsletters/cva
The SANS Critical Vulnerability Analysis Report is a weekly bulletin of top vulnerabilities. SANS, a security training company, lists the risk levels with each vulnerability, the potential damage of each and links to learn more about them.

5. Asian School of Cyber Laws
http://www.asianlaws.org/infosec/newsletter/index.htm
The first reaction to the “Asian School of Cyber Laws” is usually, “What the heck is that?” It’s a public organization based in India that, among other activities, publishes a bi-weekly security newsletter that’s mostly news, but also has sprinklings of opinion scattered throughout. Solid coverage of security news throughout the world, not just the United States.
— Keith Ward

Note: Only free newsletters were considered for this list. Most of us have enough things to pay for without shelling out for electronic newsletters.

5 Web Picks for Security Certification

1. CCCure.org
http://www.cccure.org
This top-notch site for CISSP candidates is packed with useful preparation tools, including exam reviews, news, research and an expansive collection of practice questions. A similar site worthy of prospective CISSP candidates can be found at http://www.cissps.com/.

2. Rtek2000 Security Links
http://www.rtek2000.com/Tech/InternetSecureLinks.html
This page from training company Rtek2000 hosts one of the most comprehensive security link collections available, covering just about every baseline topic tested on security certification exams (and then some). The perfect place to begin your online studies.

3. CertCities.com Security Exam Reviews
http://www.certcities.com/certs/security/exams/
Go here to read CertCities.com’s collection of security-related exam reviews, including Microsoft’s 70-214, CompTIA’s Security+ and (ISC)2’s CISSP.

4. Certification-Crazy’s Security+ Resources
http://www.certification-crazy.net/security+.htm
Scroll down to view a nice list of online Security+ resources from a fellow candidate.

5. GetCertified4Less.com
http://www.getcertified4less.com/testvoucher.asp
Offers discounted vouchers for Microsoft, Cisco, Check Point and CompTIA exams.
— Becky Nagel
• The best-of-breed tool overviews
• Case studies straight from your peers
• Legislation and regulation
• What the major ISPs are doing

• A technical track will focus on tools and
trators, network managers, analysts, IT managers and administrators – anyone fighting spam in the trenches.
• A business track will focus on legislation, regulation, costs, and other business issues for IT managers, vice presidents, technical developers, and chief privacy officers, chief security officers, and other C-level executives.

PRESENTERS:
Hear from top names fighting the spam problem today: Experts from AOL, Yahoo, Microsoft, the FTC, California's Office of Privacy Protection, and many more.
• Ryan Hamlin, General Manager, Microsoft’s Anti-Spam Technology and Strategy Group
• Jon Praed, Founding Partner, Internet Law Group

REGISTER TODAY! WWW.101TECHSTRATEGIES.COM
Security Bookshelf
Popular print resources for security technology and certification.

.NET Framework Security
Brian A. LaMacchia, Sebastian Lange, Matthew Lyons, Rudi Martin, Kevin T. Price
Addison-Wesley, 067232184X, April 24, 2002, $57.99

Anti-Hacker Tool Kit
Keith J. Jones, Mike Shema, Bradley C. Johnson
McGraw-Hill Osborne Media, 0072222824, June 25, 2002, $59.99

The Art of Deception: Controlling the Human Element of Security
Kevin D. Mitnick, William L. Simon
Hungry Minds, 076454280X, October 2003, $16.95

Authentication: From Passwords to Public Keys
Richard E. Smith
Addison-Wesley, 0201615991, October 1, 2001, $44.99

Beyond Fear: Thinking Sensibly About Security in an Uncertain World
Bruce Schneier
Copernicus Books, 0387026207, September 2003, $25

Building Secure Software: How to Avoid Security Problems the Right Way
John Viega, Gary McGraw
Addison-Wesley, 020172152X, September 24, 2001, $54.99

Building an Information Security Awareness Program
Mark B. Desman
Auerbach, 0849301165, October 30, 2001, $49.95

Building Internet Firewalls (2nd Edition)
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
O’Reilly & Associates, 1565928717, January 15, 2000, $49.95

The CERT Guide to System and Network Security Practices
Julia H. Allen
Addison-Wesley, 020173723X, June 7, 2001, $39.99

Computer Forensics: Incident Response Essentials
Warren G. Kruse II, Jay G. Heiser
Addison-Wesley, 0201707195, September 26, 2001, $44.99

Computer Security Incident Handling: Step-by-Step (Version 2.3.1)
Stephen Northcutt
SANS Institute, 0972427376, March 2003, $29.99

Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses
Ed Skoudis
Prentice Hall PTR, 0130332739, July 23, 2001, $49.99

Computer Security Handbook
Seymour Bosworth and Michel E. Kabay, Editors
John Wiley & Sons, 0471412589, April 2002, $80

Designing Security Architecture Solutions
Jay Ramachandran
John Wiley & Sons, 0471206024, March 1, 2002, $55

The E-Policy Handbook: Designing and Implementing Effective E-Mail, Internet, and Software Policies
Nancy L. Flynn
AMACOM, 0814470912, November 2000, $19.95

The Effective Incident Response Team
Julie Lucas, Brian Moeller
Addison-Wesley, 0201761750, September 26, 2003, $39.99

Firewall Architecture for the Enterprise
Norbert Pohlmann, Tim Crothers
John Wiley & Sons, 076454926X, July 8, 2002, $49.99

Firewalls: The Complete Reference
Keith Strassberg, Gary Rollie, Richard Gondek
McGraw-Hill Osborne Media, 0072195673, May 28, 2002, $59.99

Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition
William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin
Addison-Wesley, 020163466X, February 24, 2003, $49.99

The Hack Counter-Hack Training Course: A Desktop Seminar
Edward Skoudis
Prentice Hall PTR, 013047729X, June 14, 2002, $69.99

Hacker’s Challenge 2: Test Your Network Security & Forensic Skills
Mike Schiffman, Bill Pennington, David Pollino, Adam J. O’Donnell
McGraw-Hill Osborne Media, 0072226307, December 18, 2002, $39.99
Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition
Stuart McClure, Joel Scambray, George Kurtz
McGraw-Hill Osborne Media, 0072227427, February 25, 2003, $49.99

Hacking Exposed Web Applications
Joel Scambray, Mike Shema
McGraw-Hill Osborne Media, 007222438X, June 19, 2002, $49.99

Hacking Exposed Windows 2000
Joel Scambray, Stuart McClure
0072192623, August 29, 2001, $49.99

Hacking Exposed Windows Server 2003
Joel Scambray, Stuart McClure
McGraw-Hill Osborne Media, 0072230614, October 27, 2003, $49.99

Hacking Linux Exposed
Brian Hatch, James B. Lee, George Kurtz
0072127732, March 27, 2001, $39.99

HackNotes Web Security Pocket Reference
Mike Shema
McGraw-Hill Osborne Media, 0072227842, June 30, 2003, $29.99

Honeypots: Tracking Hackers
Lance Spitzner
Addison-Wesley, 0321108957, September 10, 2002, $44.99

Incident Response: Investigating Computer Crime
Chris Prosise, Kevin Mandia
McGraw-Hill Osborne Media, 0072131829, June 21, 2001, $39.99

Information Security Architecture, Second Edition
Jan Killmeyer Tudor
CRC Press, 0849315492, June 28, 2003, $79.95

Information Security Architecture: An Integrated Approach to Security in the Organization
Jan Killmeyer Tudor
CRC Press, 0849399882, September 25, 2000, $69.95

Information Security Management Handbook, Fourth Edition, Volume 4
Micki Krause and Harold F. Tipton, Editors
Auerbach, 0849315182, November 26, 2002, $69.95

Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
Thomas R. Peltier
CRC Press, 0849311373, December 20, 2001, $69.95

Information Security Policy Manual
Edmond D. Jones
Rothstein Associates, 1931332096, February 23, 2001, $89

Information Security Risk Analysis
Thomas R. Peltier
Auerbach, 0849308801, January 23, 2001, $69.95

The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program
Gerald L. Kovacich
Butterworth-Heinemann, 0750698969, May 1998, $41.95

Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Fredrick, Ronald W. Ritchey
Que, 0735712328, June 28, 2002, $49.99

Intrusion Detection with Snort
Jack Koziol
SAMS, 157870281X, May 20, 2003, $45

Intrusion Signatures and Analysis
Mark Cooper, Stephen Northcutt, Matt Fearnow, Karen Frederick
Que, 0735710635, January 29, 2001, $39.99

Kerberos: A Network Authentication System
Brian Tung
Addison-Wesley, 0201379244, May 4, 1999, $19.95

Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community
The Honeynet Project
Addison-Wesley, 0201746131, August 31, 2001, $39.99

Linux Security Cookbook
Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
O’Reilly & Associates, 0596003919, June 2003, $39.95

Linux Server Hacks
Rob Flickenger, Editor
O’Reilly & Associates, 0596004613, January 2003, $24.95

Malware: Fighting Malicious Code
Ed Skoudis, Lenny Zeltser
Prentice Hall PTR, 0131014056, November 9, 2003, $44.99

Managing A Network Vulnerability Assessment
Justin Peltier, John A. Blackley, Thomas R. Peltier
Auerbach, 0849312701, May 30, 2003, $59.95
Network Intrusion Detection, Third Edition
Stephen Northcutt, Judy Novak
Que, 0735712654, August 27, 2002, $49.99

Network Security: Private Communication in a Public World
Charlie Kaufman, Radia Perlman, Mike Speciner
Prentice Hall PTR, 0130460192, April 15, 2002, $54.99

PKI: Implementing & Managing E-Security
Andrew Nash, Bill Duane, Derek Brink, Celia Joseph
McGraw-Hill Osborne Media, 0072131233, March 27, 2001, $49.99

Practical Unix & Internet Security, 3rd Edition
Simson Garfinkel, Gene Spafford, Alan Schwartz
O’Reilly & Associates, 0596003234, February 2003, $54.95

Real World Linux Security: Intrusion Prevention, Detection and Recovery
Bob Toxen
Prentice Hall PTR, 0130281875, November 2000, $44.99

Secrets and Lies: Digital Security in a Networked World
Bruce Schneier
John Wiley & Sons, 0471453803, January 2004, $17.95

Security Architecture: Design, Deployment and Operations
Christopher King, Ertem Osmanoglu (Editor), Curtis Dalton (Editor)
McGraw-Hill Osborne Media, 0072133856, July 30, 2001, $49.99

The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, Riley Hassell
John Wiley & Sons, 0764544683, March 2004, $50

Snort 2.0 Intrusion Detection
Brian Caswell, Jay Beale, James C. Foster (Editor), Jeremy Faircloth (Editor)
McGraw-Hill Osborne Media, 0072226307, December 18, 2002, $39.99

Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle
Erik Pace Birkholz, Stuart McClure
Syngress, 1931836698, February 17, 2003, $69.95

Stealing the Network: How to Own the Box
Ryan Russell, Ido Dubrawsky, FX
Syngress, 1931836876, June 2003, $49.95

SQL Server Security
Chip Andrews, David Litchfield, Bill Grindlay
McGraw-Hill Osborne Media, 0072225157, August 27, 2003, $49.99

SQL Server Security Distilled
Morris Lewis
APress, 1590591925, July 1, 2003, $39.99

Web Hacking: Attacks and Defense
Stuart McClure, Saumil Shah, Shreeraj Shah
Addison-Wesley, 0201761769, August 8, 2002, $49.99

Writing Information Security Policies
Scott Barman
Que, 157870264X, November 9, 2001, $34.99

Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press, 0735615888, December 15, 2001, $39.99

—Michael Domingo
Advertiser Index

Global Knowledge
www.globalknowledge.com
Global Knowledge is a worldwide leader in IT education and offers over 31 hands-on security training courses.

Intense School
www.intenseschool.com
The Security Training Experts. 2003 Award Winners.

LearnKey, Inc.
www.learnkey.com/mcpsecurity
Free Security Training CD. Sec+, CISSP, SECUR. Hurry 50 only!