8. EDITORIAL--MCSE and Its Relationship to Information Security

Many different types of certification are currently available in the
technical arena. Few people would disagree that MCSE certification has
grown considerably in its meaning and impact over the last few years,
especially as Windows NT has increased its market share. To prevent
misunderstanding at this point, I'd like to go on the record as saying
that I have a great deal of respect for anyone who has passed the MCSE

At the same time, consider the growing need for experts in Windows NT
security. This need has increased dramatically as this product has become
more widely deployed within organizations throughout the world. Many new,
and potentially serious, security-related vulnerabilities in Windows NT
have emerged in recent years; the problem has been exacerbated by the fact
that fixes that Microsoft has developed have not been effective in closing
all the vulnerabilities.

Where do organizations need to turn to obtain security-related expertise
in Windows NT? An all-too-frequent solution is to look to technical staff
with MCSE certification. Although someone who has achieved this status has
demonstrated genuine knowledge and competence, a relatively small part of
the MCSE curriculum actually covers security-related issues. This is, of
course, not a particularly bad thing; after all, security is only one of
many considerations in the computing world. Worse, however, is the fact
that the MCSE curriculum functionally omits coverage of the many
security-related vulnerabilities in Windows NT and possible solutions.
Dealing with the many vulnerabilities that have emerged in this product
over the years has become an increasingly important priority in Windows NT
security. Simply put, MCSE certification prepares a person to deal with
many facets of Windows NT, but it does not prepare that person to deal
with many of the most pressing Windows NT security issues, issues that are
"life-and-death" issues in the business and military worlds.

What then is the solution? Microsoft could start including more
security-related material in its MCSE courses and exams. This possibility,
however, would be far from optimal in that Microsoft should not be
expected to "show its dirty laundry" by teaching information about
vulnerabilities in its flagship operating system. What we need is
independent Windows NT security certification in the same spirit as
(ISC)2 certification for information security professionals. A consortium
consisting of recognized Windows NT security experts (perhaps financially
backed by concerned corporations) could develop a certification
examination that could be administered similarly to the way (ISC)2 exams
are given. The result would be a pool of Windows NT security engineers who
have demonstrated a suitable level of competence. Getting this kind of
certification process in place will not be easy, but when one considers
the alternatives, it is the most viable option at the present time.

MCSE certification is valuable and its importance will not be overshadowed
by Windows NT security certification. As things are now, however, MCSE
certification can be and often is construed as involving knowledge about
Windows NT security, something that is not necessarily true. We need to
keep our thinking straight. It is high time for a separate, independently
administered certification in Windows NT security.

                              ---Eugene Schultz, Ph.D., CISSP

Editor's Note: Do you agree or disagree with Dr. Schultz?  Please let us
know.  If there is sufficient interest in an independent Windows NT
Security certification program, the SANS Institute will organize an
industry-wide consortium to implement a certification program.

/end excerpt/

