In September, the SANS (System Administration, Networking, and Security) Institute (www.sans.org) released the results of its latest survey of federal executives and administrators. The organization asked what constituted the greatest security threats and what were the largest concerns regarding security. The answers proved yet again that training and education are the biggest keys to maintaining security at your site.
How many times have we spouted off about security education? Ad nauseam, you'll probably say. But the true value of education is inescapable: Security training is probably the greatest weapon you have to protect your company from attack. What other tool in your arsenal offers such rewards?
We've always said, "Security is not a goal, it is a process," and, "Security is not a product, it's a mentality." Although these statements may be obvious to many of you, most of the world simply does not get them. We get dozens of e-mails each month asking if we think product XYZ is secure. If you're asking the question, then you don't get it. Products may be secure yesterday or today (as far as you know), but tomorrow is a whole other day.
We dare to state that security can be created only through raised awareness and education. We see a powerful transformation that clients go through, from spouting the virtues of firewall XYZ one day, to actually performing a port redirection attack through the very firewall they swore was the best the day before. We believe that in countless ways showing people how to bypass systems is the only way to get them to understand how to fix those problems, not just for now, but forever.
Being conscious of security flaws in products, in network architectural designs, and in configuration and maintenance procedures doesn't come from reading books or installing products; it comes from understanding how you are being attacked so you can plan to defend yourself. If you don't know how your enemies work, how can you possibly prevent them from breaking in? Not by implicitly trusting product vendors.
We're surprised that some industry folks warn of the evils of education. They claim that showing people how to get into systems perpetuates insecurity. The only explanation we have for this mentality is that they, too, just don't get it. Or perhaps the motivation runs deeper. Next time you hear their arguments, check to see if they have their own products ready to peddle. Be conscious of where you derive your moral security compass from; they may be carrying more than good intentions.
A number of security certifications have cropped up over the years, including the now de facto standard from the International Information Systems Security Certifications Consortium (www.isc2.org). The organization is now famous for its CISSP certification, of which more than 2,000 security professionals are card-carrying members (yours truly included). CISSP is certainly better than nothing, but what does the certification really provide?
We admit the CISSP certification is geared toward security policy and procedures designers (auditors who moved into the world of computer security) rather than toward real-world administration. The certification does give a candidate a broad understanding of security concepts and ideas, but does it help prepare you to defend your computer and network devices against attack? Not as much as you may think. Although neither of us is Cisco certified, we hold that certification as the pinnacle of certification standards. Friends have taken the tests and have failed, many times. Unlike traditional certifications such as the Certified Novell Engineer and Microsoft Certified Systems Engineer programs, Cisco's tests require in-depth knowledge of routing and networking -- the likes of which you simply would not be able to grasp without some serious book crunching, hands-on training, and real-world experience. In the same respect, if a security certification doesn't require the same preparation to pass, it will do little to help most folks secure their networks.
Among the other barriers reported by SANS in its recent survey were the lack of consensus on standards for the highest security priorities, and departments resistant to security initiatives. Understanding and recognizing risks helps define security priorities, but how can you understand and recognize the risks without seeing them firsthand? If a picture is worth a thousand words, a hands-on penetration exercise is a novel.
Departmental resistance is another enormous hurdle for many organizations. Again, resistance comes from a lack of understanding of the breadth and depth of the security problem. No lengthy board meeting will properly explain the impact that an attack can have on businesses and livelihoods; only a demonstration will succeed.
What do you think about the power of education, training, and certification for defending your sites? Let us know at security_watch@infoworld.com.