Security Certification Resource Guide 2003 - 1105 Mediadownload.101com.com/certcities/security/security_cert.pdf · SANS:A Practical Approach 6 ... Security Certification Resource

Introduction 3

(ISC)2 : Experience Counts 4

SANS: A Practical Approach 6

Microsoft: Locking Windows 7

CompTIA: Security for the Masses 8

Cisco: Hardware Lockdown 9

Check Point: Enterprise Certified 10

CWNP: Wireless Pro 10

ISACA: Audit Secure 12

TruSecure: TISCA Experience 12

Symantec: Sleeper Hit 13

SCP: Security Certified Pro 13

SCSA: Seeking the Sun 14

EC-Council: Know Your Enemy 14

Blueprint for a Career 15in Security

Guide to Security Job Titles 19

Q&A: Can Security 22Certifications Help Your Career?

Salary Data for IT 23Professionals

About Those U.S. Government 24Security Clearances

15 Best Web Sites for Security 25

5 Must-Read Security 26Newsletters

5 Web Picks for Security 26Certification

Security Bookshelf 28

Advertiser Index 30

Co n t e n t s

This guide offers in-depth coverage

of security certifications in the IT

industry as well as resources for

further study.

2003Security CertificationResource Guide

Essential information on security certifications for IT professionals and managers.

IT Influencer Series

http://mcpmag.com/go/sponsor/go.asp?name=sec03_intense




As little as two years ago, IT profes-

sionals wanting to certify their

security-related knowledge and

expertise had only a handful of cre-

dentials to choose from, most of

which were reserved for the most

experienced professionals.

Since then, several vendors have

added security-related titles and

options, and those specializing in

security are offering more credentials

than ever. This boom has created a

mix of titles that, while serving a

wider cross-section of the IT commu-

nity, also make understanding and

evaluating security certifications an

arduous endeavor.

We’ve created this guide to help

IT professionals and managers sort

out the many options available. On

its pages you’ll find profiles of almost

every major security-related certifi-

cation available today. For each, we

explain the audience they’re aimed

for, the requirements for obtaining

the titles, and what separates each

from the other credentials.

But we also know that becoming

an IT security professional takes more

than just certification. That’s why

you’ll also find advice on developing

an IT security career, including frank

words from security maven and

author Roberta Bragg on what it

takes to excel in this field, as well as

an honest perspective from an indus-

try insider on exactly what certifica-

tion can (and can’t) do for your

career. We also share the real way

those all-too-elusive U.S. security

clearances are obtained.

To help in the learning process,

we’ve included our top picks for secu-

rity Web sites and newsletters, as well

as certification preparation resources.

Whether you’re an IT profes-

sional considering a career in securi-

ty or a manager who needs to guide

your security staff’s professional

development, we hope the following

information will offer you the com-

prehensive overview of security cer-

tification you’ve been searching for.

Enjoy.

—The Editors

I n t r o d u c t i o n

All content was written and/or developed by Keith Ward, senior editor, Microsoft Certified Professional Magazine;

Becky Nagel, editor, CertCities.com; Michael Domingo, editor, MCPmag.com and Dian Schaffhauser, editorial director,

Microsoft Certified Professional Magazine.

ecurity is one of the hottest areas in IT certification today.

It can also be the most confusing.S

P a g e 3 • S e c u r i t y Ce r t i f i c a t i o n 2 0 0 3 R e s o u r c e G u i d e

( c ) 2 0 0 3 1 0 1 c o m m u n i c a t i o n s L L C , h t t p : / / c e r t c i t i e s . c o m , h t t p : / / m c p m a g . c o m

http://certcities.com

http://mcpmag.com

Experience Counts

c e r t i f i c a t i o n p r o f i l e s

The organization’s flagship title, theCertified Information Systems SecurityProfessional (CISSP), focuses on 10common bodies of knowledge (CBKs)based on the above-mentioned standards:

• Access Control Systems & Methodology

• Applications & Systems Development

• Business Continuity Planning

• Cryptography

• Law, Investigation & Ethics

• Operations Security

• Physical Security

• Security Architecture & Models

• Security Management Practices

• Telecommunications, Network &

Internet Security

The resulting exam is a six-hour,250-question affair, for which most can-didates study months to prepare.Because of the broad depth of knowl-edge covered on the exam, most stu-dents prefer not to go it alone, joiningstudy groups or attending instructor-ledtraining courses.

However, simply passing the examwon’t earn you the CISSP. (ISC)2 citesits mission to create a “gold standard”certification as the reason it requires allcandidates to have at least four years of“direct full-time security professionalwork experience” in one or more of thetest domains listed above. A college

The International Information Systems Security Certification

Consortium, (ISC)2, formed in 1989 to create an industry

standard for information security best practices. Since that

time, the organization has released several vendor-neutral

certifications that combine testing candidates’ knowledge of

these practices along with experience, ethical and ongoing

education requirements.

degree can substitute for one year. Thisexperience must be documented by anindependent third-party and submittedto the (ISC)2 for audit, along with asigned document stating that the candi-date will subscribe to the organization’scode of ethics. Only then will the title ofCISSP be granted. But that’s not the endof it—all CISSPs must complete 120units of continuing education per year tokeep their title active.

If you don’t quite have four years ofdirect work experience, you may want

to attempt the organization’s SystemsSecurity Certified Practitioner (SSCP)title. This three-hour, 125-questionexam focuses on seven of the abovedomains and requires only one year ofdirect work experience. Like the CISSP,you must subscribe to the organization’scode of ethics and earn continuing edu-cation units to maintain the title.

If you don’t have enough experi-ence to earn either title but you stillwant to take the above exams, you canbecome an Associate of (ISC)2. Thisnew program from the organizationallows candidates without the requiredexperience to take the exams and thenearn the certifications once they obtainthe needed experience.

If you’re already a CISSP and wantto distinguish yourself further, theorganization recently announced sever-al “concentrations” that candidates canadd on to their CISSP: CISSP Man-agement and CISSP Architecture.There’s also the Information SystemSecurity Engineering Professional(ISSEP), a concentration formed inconjunction with the United StatesNational Security Agency that focuseson the information security needs offederal government employees.

Note that because the organization’sexams are paper-based, candidates mustsign up through (ISC)2 and travel to anofficial testing location. Prices for theorganization’s exams currently rangefrom $350 to $550, but will rise as muchas $100 beginning January 1, 2004.

More information on all of theabove titles can be found on (ISC)2’sWeb site at http://www.isc2.org.

— Becky Nagel

(ISC)2

Vendor: The International Information

Systems Security Certification

Consortium (ISC)2

Certifications: CISSP, SSCP, related

concentrations

Certification Type/Focus: Vendor-

neutral titles focusing on best practices

for information security professionals.

Candidates must meet experience

requirements and sign an ethics pledge.

Exam Prices: $350 to $550 (U.S.)

Training Required?: No

Testing Centers: Available only

through vendor

More information:

http://www.isc2.org

It takes more than just knowledge to earn (ISC)2’s CISSP and SSCP titles.




http://mcpmag.com

http://www.isc2.org

STAY ON TOP OF THE LATESTSECURITY TRAINING...

© 2003 Global Knowledge Network, Inc. All rights reserved.

...or your replacement will be happy to do it for you.

With 28 hands-on Security Training courses, Global Knowledge offers the industry’s most comprehensive

collection of Network Security courses delivered by real-world, expert instructors. Visit our web site now

for more information: www.globalknowledge.com Keyword: MCPSECURE or call 1-800-COURSES.

GET A FREE T-SHIRTWhen you take our 1-minute IT survey atwww.globalknowledge.com/securitytee

MCPSecurityAd12-03 11/20/03 8:31 AM Page 1

http://mcpmag.com/go/sponsor/go.asp?name=sec03_global




Like (ISC)2, the SANS Institute’s Global Information Assurance

Certification (GIAC) takes a vendor-neutral approach.

However, this organization’s titles focus on the practical more

than the theoretical, testing candidates’ skills in a wide

variety of areas through online or in-person testing as well as

practical assignments.

Those interested in GIAC testing havea wide variety of titles to choose from:

• GIAC Security EssentialsCertification (GSEC)

• GIAC Certified Firewall Analyst(GCFW)

• GIAC Certified SecurityLeadership (GSLC)

• GIAC Certified Intrusion Analyst(GCIA)

• GIAC Certified Incident Handler(GCIH)

• GIAC Certified Windows SecurityAdministrator (GCWN)

• GIAC Certified Unix SecurityAdministrator (GCUX)

• GIAC Information SecurityOfficer (GISO)

• GIAC Systems and NetworkAuditor (GSNA)

• GIAC Certified Forensic Analyst(GCFA)

• GIAC IT Security Audit Essentials(GSAE)Those who earn five of the above

titles—GIAC Certified Firewall Ana-lyst; GIAC Certified Intrusion Analyst;GIAC Certified Incident Handler;GIAC Certified Windows Security

GIAC exam, candidates must completea “practical assignment”—an originalresearch paper that demonstrates thecandidate’s knowledge of the materialbeing tested. These assignments arereviewed and graded by the organiza-tion, and those who pass are thenallowed to sit the related exam.

GIAC exams are delivered onlineand at SANS conferences. Because ofthe program’s tie-in with SANS’ educa-tional offerings, some GIAC certifica-tions require that candidates take therelated SANS training course either ata conference or online. When takenalong with a training course, the priceof the exam is $250. Exams cost $450when not accompanied by training.

All GIAC professionals mustrecertify every two years by passing a“refresher” exam. The price of renewalis $120, which includes free access toSANS courseware online.

More information on GIAC’s cer-tification program can be found at:http//:www.giac.org.

— Becky Nagel

The SANS Institute’s GIAC certifications combine

testing with practical assignments.

Administrator; and GIAC CertifiedUnix Security Administrator—canearn the organization’s highest certifi-cation, the GIAC Security Engineer.According to the organization, onlytwo GIAC Security Engineers exist inthe world today.

Before being allowed to take any

SANS/GIACVendor: The SANS Institute

Certifications: 12 Global Information

Security Certification (GIAC) titles

Certification Type/Focus: Skills testing

in a variety of security areas, such as

firewalls, intrusion analysis and foren-

sics. Candidates must pass an exam

along with a practical assignment.

Exam Prices: $250 (U.S.) with train-

ing, $450 (U.S.) without

Training Required?: Yes, for select

titles

Testing Centers: Available only

through vendor

More information:

http://www.giac.org/


A PracticalApproach




http://mcpmag.com



“We put together these certification specializations to allow IT professionals a wayto demonstrate a specific technical focus in the area of security within their jobroles,” David Lowe, product manager for security with Microsoft’s Training andCertification group, said in an interview with MCP Magazine when the examsdebuted. “The new specializations are directly analogous to the existing base cre-dentials, but with a ‘prescribed path’ of specialization exams rather than electives.”And that’s the key to these specializations: To become an MCSE: Security orMCSA: Security, you don’t have to take any more exams than would be requiredto earn the standard MCSA or MCSE. It’s determined by which exams you take.

For MCSA: Security 2000, your elective exams must include:

• 70-214: Implementing and Administering Security in a Microsoft Windows2000 Network

• 70-227: Installing, Configuring, and Administering Microsoft Internet Securityand Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’sSecurity+

For MCSE: Security 2000, you must also take the elective:

• 70-220: Designing Security for a Microsoft Windows 2000 Network

For MCSA: Security 2003, you must take the following electives:

• 70-299: Implementing and Administering Security in a Microsoft WindowsServer 2003 Network

• 70-227: Installing, Configuring, and Administering Microsoft InternetSecurity and Acceleration (ISA) Server 2000, Enterprise Edition ORCompTIA’s Security+

MCSE: Security 2003 requires the above plus:

• 70-298: Designing Security for a Microsoft Windows Server 2003 Network

If you’ve already earned your MCSA or MCSE, you can simply take any addi-tional exams required to add the desired specialization.

Lowe explained that Microsoft created the specializations because, “We recognizethat in IT job roles, like systems administrator and systems engineer, there are a num-ber of individuals who have a very specific concentration on a particular area and,obviously, in an important area as security. So that’s what these specializations will

Locking Windows

If you’re a Microsoft networking professional, you no longer

need to seek titles from outside vendors to certify your

Windows security expertise. That’s because in June Microsoft

announced new security specializations for its Microsoft

Certified Systems Engineer (MCSE) and Microsoft Certified

Systems Administrator (MCSA) titles.

allow individuals to demonstrate; they’llget to highlight their focus on platform-specific security and design skills.”

Microsoft exams consist of stan-dard, multiple-choice questions as wellas more in-depth scenario-based ques-tions. The company doesn’t place train-ing or experience requirements on itscertifications, but hands-on experiencewith the products is highly recom-mended. Microsoft exams cost $125(U.S.) and are available worldwidethrough Pearson Vue and Prometrictesting centers.

More information on these certifi-cations can be found athttp://www.microsoft.com/mcp.

— Becky Nagel


Microsoft debuts MCSA: Security and MCSE: Security

specializations.

MicrosoftVendor: Microsoft Corp.

Certification: MCSE: Security, MCSA:

Security

Certification Type/Focus: Windows-

specific specializations that show a

candidate’s security focus within the

company’s MCSA and MCSE titles.

Exam Price: $125 (U.S.)


Testing Centers: Pearson Vue and

Prometric

More information:

http://www.microsoft.com/mcp




http://mcpmag.com



The Computing Technology Industry Association is well

known for its entry-level, vendor-neutral certifications

such as A+, Network+ and Linux+. Therefore, it wasn’t

surprising when late last year the organization added

Security+ to its roster.

Security+ is a one-exam certificationcovering a wide-range of top-levelsecurity knowledge. Topics covered onthis exam include:

• Communication security• Infrastructure security• Cryptography• Access control• Authentication• External attacks• Operational security

The exam itself consists of 100questions with a 90-minute time limit.The minimum passing score is 764,graded on a scale of 100 to 900. Onefocus of the exam is terminology, mak-ing sure candidates understand themany threats out there. Candidates arealso tested on the best ways to tacklethose threats. CompTIA recommendsthat all candidates have at least twoyears of general networking experiencebefore taking the exam, but the experi-ence level isn’t required.

Many CompTIA corporate mem-

for the MassesCompTIA’s Security+ aims to bring baseline

security knowledge to all IT professionals.

bers, such as Microsoft, IBM and Sun,helped create the title, participating indevelopment meetings and deciding thecertification’s focus. As such, several cer-tification programs either recommendSecurity+ as a prerequisite for their titles

or allow it as an alternative requirement.For example, Security+ counts as anelective toward MCSE 2000 as well asits new MCSA: Security and MCSE:Security specializations.

These tie-ins may be one reasonthis title has resonated so well with theIT community. Even before its officialrelease, Security+ landed at #2 onCertCities.com’s list of Top 10 ITCertifications for 2003. And accordingto Gene Salois, CompTIA’s vice presi-dent of certification, Security+ is theorganization’s fastest-growing title ever.

The Security+ exam costs $225(U.S), with a discount given toemployees of corporate members. Thecertification is good for life, so thereare no extra costs associated withrenewing the title.

More information aboutSecurity+ can be found athttp://www.comptia.org/certification/security/default.asp.

— Becky Nagel

CompTIA

Vendor: Computing Technology

Industry Association

Certification: Security+


neutral security title that focuses on

baseline security knowledge and skills.




Prometric

More information:

http://www.comptia.org/certifiction/

security/default.asp


Security




http://mcpmag.com

http://www.comptia.org/certifiction/security/default.asp

http://www.comptia.org/certifiction/security/default.asp

Hardware Lockdown

For the past 10 years Cisco Systems hasbeen offering IT professionals workingwith its products ways to certify theirexpertise, but only recently has a suiteof options emerged for those wishing toprove their security skills.

For the most experienced candi-dates, Cisco offers a security track for itsexpert-level Cisco Certified Internet-work Engineer (CCIE) title. The CCIEis known world-wide as one of the hard-est certifications to obtain because candi-dates must pass an in-person, proctoredtroubleshooting lab exam.

Typical study methods won’t getyou a CCIE. As Cisco states on its Website, “Training is not the CCIE programobjective. Rather, the focus is on identi-fying those experts capable of under-standing and navigating the subtleties,intricacies and potential pitfalls inher-ent to end-to-end networking.” Assuch, the company recommends that allcandidates have at least three to fiveyears of hands-on experience workingdirectly with the technology in a real-world environment.

CCIE exams are not only gruel-ing, they’re expensive: $1,250 (U.S.)plus expenses to travel to one of fivelocations worldwide where lab examsare offered. To make sure that onlythose who have a chance of passingattempt the exam, all CCIE candidatesmust first pass a $300, standard-format“qualification” exam, available throughlocal Pearson Vue and Prometric test-ing centers. There are no other require-ments or prerequisites to earn the title.

If you’re not yet ready to tackle

CCIE Security, you may be interestedin Cisco’s newest security offering, theCisco Certified Security Professional(CCSP).

The CCSP is a professional-leveltitle, on the same level as its CiscoCertified Network Professional (CCNP)and Cisco Certified Design Professional(CCDP) certifications.

To become a CCSP, candidatesmust obtain a Cisco CertifiedNetwork Associate (CCNA) or CiscoCertified Internetwork Professional(CCIP) credential, then pass the fol-lowing five exams:

• 642-501 SECUR: Securing CiscoIOS Networks

• 642-511 CSVPN: Cisco SecureVPN

• 642-521 CSPFA: Cisco SecurePIX Firewall Advanced

• 643-531 CSIDS (beta): CiscoSecure Intrusion Detection System

• 642-541 CSI: Cisco SAFEImplementationAs you can see from the above,

this certification is so new that one ofthe required exams is still in beta for-mat—it is expected to be released in itsfinal version by the end of 2003.

These tests are standard-formatexams featuring multiple-choice ques-tions. Some also include simulationquestions that require hands-on skills.All are available at Prometric andPearson Vue testing centers worldwide.The beta is priced at $50 and the liveexams are $125 (U.S.).

If you’re not looking for a stand-alone title, you might want to augment

your existing CCNA certification withone of Cisco’s security-related concen-trations available through its QualifiedSpecialist program.

The company currently offers threesecurity-related Qualified Specialist titlesfor the IT community at large:

• Cisco Firewall Specialist• Cisco IDS Specialist• Cisco VPN Specialist

As mentioned above, candidatesmust first obtain a CCNA. From there,each title requires passing two exams:642-501 SECUR, plus one focused onthe chosen specialty from the above listof CCSP exams. Because the exams arethe same, candidates can apply theirQualified Specialist title toward futurepursuit of the CCSP.

All Cisco certifications requirerecertification through passing updateexams. Recertification for Cisco titlestakes place every two to three years.

More information on all of Ciscocertification offerings can be found atthe following URL on Cisco’s Web site:http://www.cisco.com/en/US/learning/.

— Becky Nagel

CiscoVendor: Cisco Systems

Certifications: CCIE Security, CCSP,

Qualified Specialist

Certification Type/Focus:

Product-specific titles for a variety

of experience levels.

Exam Prices: $125 to $1,250 (lab

exam) (U.S.)


Testing Centers: All but lab available

through Pearson Vue and Prometric.

More information:

http://www.cisco.com/en/US/learning/


Cisco offers a variety of ways to certify your

expertise in securing its essential internetworking

devices.




http://mcpmag.com



Enterprise Certified

Check Point’s certifications test users’ skills with the

company’s Firewall-1 NG product and more.

Mid-size and enterprise networks acrossthe globe use Check Point SoftwareTechnologies’ Firewall-1 and VPN-1products to keep their environmentssecure. If you are looking for a way tocertify your skills on these products,Check Point offers several options.

Check Point separates its certifica-tions into two tracks: Security andManagement. Within the Securitytrack, there are three titles, each ofwhich requires one exam. The certifica-tions are tiered, meaning that eachhigher level requires the previous certi-fication. They are:

• Check Point Certified SecurityAdministrator (CCSA), whichfocuses on Firewall-1.

• Check Point Certified SecurityExpert (CCSE), which adds VPN-1.

• CCSE Plus Enterprise Integrationand Troubleshooting, which addsintegration and troubleshootingfor both products.Also within this track is a new

title: Check Point Certified SecurityPrinciples Associate (CCSPA), “anentry-level certification that validates astudent’s proficiency in security funda-mentals, concepts and best prac-tices”—much like CompTIA’s Secur-ity+ exam. The CCSPA isn’t required

to earn any other Check Point certifi-cation but is recommended for thosenew to security.

Check Point’s Management trackoffers two titles:

• Check Point Certified ManagedSecurity Expert (CCMSE)

• CCMSE Plus VPXCheck Point describes the CCMSE

as its premier-level title for those usingthe company’s Firewall-1, VPN-1 andProvider-1 products in a “NetworkOperating Center” environment. Itrequires passing three exams. TheCCSME Plus option allows CCSMEsadd to their credential by showing theirexpertise with the company’s VSX secu-rity solution, as managed by Provider-1.

All of Check Point’s exams arestandard-format multiple choice tests,available for $150 (U.S.) throughPearson Vue testing centers worldwide.Check Point recommends that all can-didates have six months to one year ofhands-on experience with the productsthey want to certify on.

More information on Check Point’scertification program can be found at:http://www.checkpoint.com/services/education/certification/index.html.

— Becky Nagel

Check PointVendor: Check Point Software

Technologies

Certifications: CCSPA, CCSA, CCSE,

CCSE Plus, CCMSE, CCMSE Plus VSX

Certification Type/Focus: Product-

specific titles focusing on Check Point

security solutions for mid-size to

enterprise networks.



Testing Centers: Pearson Vue

More information: http://www.check

point.com/services/education/certifica

tion/index.html

There are plenty of security issues sur-rounding wireless networking. TheCertified Wireless Networking Program(CWNP) from Planet3 Wireless is a cer-tification option that allows wireless pro-fessionals to test their security knowl-edge and skills.

According to Planet3, CWNP’sCertified Wireless Security Professional(CWSP) title is vendor-neutral, focus-ing on 802.11 wireless technologyrather than specific vendors’ products.As the second tier of the program’s fourlevels of certification, candidates must

first obtain the program’s CertifiedWireless Networking Associate(CWSA) before pursuing the CWSP.

According to Planet3 Wireless, theCWSP exam focuses on three areas:

• Wireless LAN intrusion• Wireless LAN security policy• Wireless LAN security solutionsThe exam itself is a standard-for-

mat, multiple-choice test with 60 ques-tions. It’s available through Prometrictesting centers worldwide for $175,although candidates must purchase theexam voucher directly from Planet3.

For more information on this certifica-tion, visit http://www.cwne.com.

—Becky Nagel

CWNPVendor: Planet3 Wireless

Certification: CWSP


neutral wireless security title.



Testing Center: Prometric

More information:

http://www.cwne.com

Wireless ProCertify your wireless security expertise with Planet3’s CWSP.


P a g e 1 0 • S e c u r i t y Ce r t i f i c a t i o n 2 0 0 3 R e s o u r c e G u i d e


http://mcpmag.com

http://www.cwne.com

http://www.cwne.com

http://www.checkpoint.com/services/education/certification/index.html



TechMentorEvents.compresented by:

2 0 0 4E V E N T SNEW ORLEANS, LA APRIL 4 – 8

SAN JOSE, CA SEPTEMBER 28 – OCTOBER 1

Join network managers and administrators for a

new lineup of technical training sessions by

networking, messaging and security experts.

Take control. Get solutions, not theories, to your

everyday networking problems.

Registration opens mid-November.

Network

and certification

training for

Windows®

professionals.

TMNO04 full page 10/1/03 3:23 PM Page 1

http://www.techmentorevents.com




TISCA ExperienceTruSecure moves into certifying individuals with its TICSA

program.

You may know TruSecure as the com-pany that owns the ISCA labs, whichtests and certifies security products.What you might not know is thatTruSecure also offers certifications forIT security professionals.

The company has turned its certifi-cation experience into the vendor-neu-tral TruSecure ICSA Certified SecurityAssociate (TICSA) title. To achieve it,candidates must first prove they haveleast two years of hands-on experienceor attend 48 hours of computer securi-ty training within a two-year period.Only then are candidates allowed to sitthe TISCA exam, which features 70questions covering TruSecure’s 14“essential” bodies of knowledge:

• Essential security practices vs.“best” security practices

• Risk management fundamentals• TCP/IP networking basics• Firewall fundamentals• Incident response and recovery

practices• Administration maintenance

procedures• Design and configuration

fundamentals• Malicious code mechanisms• Law, ethics, and policy issues• Authentication techniques• Cryptography basics• Host- vs. network-based security• PKI and digital certificates basics• Operating system security

fundamentalsSix areas of risk are also covered:

electronic, malicious code, physicalthreat, human, privacy and downtime.

The $295 (U.S.) exam is availablethrough Prometric testing centers inthe U.S. and Canada only. In additionto passing the exam, candidates arerequired to sign an ethics statementbefore the credential will be awarded.For more information on the TISCA,go to: https://ticsa.trusecure.com/.

—Becky Nagel

TruSecureVendor: TruSecure

Certification: TISCA


neutral title that also requires

experience.



Testing Center: Prometric (U.S. and

Canada Only)

More information:

https://ticsa.trusecure.com/

The Information Systems Audit andControl Association (ISACA) has beenoffering its flagship Certified Infor-mation Systems Auditor (CISA) titlesince 1978. The title, which focuses onIS auditing and control as well as sys-tems security, is now held by more than30,000 professionals worldwide.

While this title does cover security,the organization recently decided to cre-ate another credential specifically forsecurity professionals: the CertifiedInformation Security Manager (CISM).

ISACA describes the CISM as its“next generation credential…specificallygeared toward experienced informationsecurity managers and those who haveinformation security management

responsibilities,” the Web site states. “ Itis business-oriented and focuses on infor-mation risk management while address-ing management, design and technicalsecurity issues at a conceptual level.”

Both ISACA exams are offeredonce a year at a variety of locationsworldwide. Candidates don’t have to bemembers to take an exam, but they doneed to agree to adhere to the organiza-tion’s code of ethics. Both titles must bemaintained through continuing educa-tion requirements.

The exams range in cost from$325 to $495 (U.S.) depending onmembership status, registration dateand method of registration. ThroughDec. 31, 2004, candidates with eight

years of information security experiencecan grandfather directly into the CISMtitle without taking the exam. Variousdegrees and certifications count towardthe grandfathering process.

More information on ISACA cer-tifications can be found athttp://www.isaca.org.

— Becky Nagel

ISACAVendor: Information Systems Audit

and Control Association

Certifications: CISA, CISM

Certification Type/Focus: High-level

certifications for information security

and auditing professionals.

Exam Price: $325 to $495 (U.S.)


Testing Centers: Available through

vendor only

More information:

http://www.isaca.org

Audit SecureThe Independent Systems Audit and Control Association

offers two certification options for IS auditing and security

professionals.





http://mcpmag.com





Ascendant Learning bills its SecurityCertified Professional as an advanced,vendor-neutral IT security certificationprogram. “The Security CertifiedProgram is proud to offer intense certi-fication exams,” the program’s Web sitereads. “Whereas most certifications teston rote memorization-level details…SCP exams are designed to test a candi-date’s knowledge of working securityissues, programs and utilities.”

Currently, the program offers twotitles: Security Certified NetworkProfessional (SCNP) and the SecurityCertified Network Architect (SCNA).The SCNP focuses on defensive securi-

ty technologies, such as firewalls andintrusion detection. The SCNA focuseson the next level of technology, such asenterprise security solutions, forensicsand biometrics.

Both titles require passing twoexams each. The exams feature sce-nario-based questions. Although train-ing is highly emphasized on the pro-gram Web site, it doesn’t say that it’srequired before taking the exams.

SCNP exams cost $150. SCNAexams cost $180 (U.S.). All are avail-able at Pearson Vue and Prometric test-ing centers worldwide.

The program requires all title

holders to recertify every two years.For more information about these

certifications, visit http://www.securitycertified.net.

— Becky Nagel

SCPVendor: Ascendant Learning

Certifications: SCNP, SCNA

Certification Type/Focus: Mid- to

high-level vendor-neutral security

certifications.




Prometric

More information: http://www.securi

tycertified.net

Security Certified ProAscendant Learning offers a vendor-neutral alternative.


Sleeper Hit

Symantec jumps to second

on CRN’s 2003 list of most

valuable certifications for

resellers.

If you’re looking for a security certifica-tion that resonates with solutionproviders, then a title from Symantecmay be right for you.

Earlier this year, Computer ResellerNews released the results of its thirdannual certification study, which ratesthe importance of various IT certifica-tions for small and large solutionproviders. Symantec’s Certified SecurityPractitioner (SCSP) jumped up the listto become the second most importantcertification for small solution pro-viders (revenue under $5 million) andthe fastest-growing title in importancefor large service providers (revenuemore than $5 million).

Even if you’re not working for asolution provider or reseller, Symantecmay still offer the certification you’re

VPN, Vulnerability Management,Intrusion Detection and Virus Protec-tion & Content Filtering.

Symantec exams cost between$125 and $150 (U.S.) and are availableat Prometric testing centers worldwide.

More information on Symanteccertification can be found at h t tp : / /www. symantec . com/education/certification/.

— Becky Nagel

Symantec

Vendor: Symantec

Certifications: SPS, STA, SCSE, SCSP

Certification Type/Focus: Tiered

program focusing four Symantec

product areas.



Testing Centers: Prometric

More information:

http://www.symantec.com/

education/certification/

looking for. Symantec’s program featuresfour tiers of certification focusing on itsproducts along with general securityknowledge and strategies. Following isthe listing of these titles and theirdescription as provided by Symantec:

• Symantec Product Specialist

(SPS): One exam on a single securi-ty product and its functionality inan overall security system. • Symantec Technology Archi-

tect (STA): one-exam title focusingon vendor-neutral security knowledgeof how to design, plan, deploy andmanage effective security solutions. • Symantec Certified Security

Engineer (SCSE): covers a high-levelunderstanding of a broad range of secu-rity solutions plus in-depth knowledgeand skills within a specific securityfocus. These titles require passing twoto three SPS and/or STA exams.• Symantec Certified Security

Practitioner (SCSP): senior securitytitle. Achieved by earning all four ofthe SCSE certifications.

Within these tiers, there are fourareas of product focus: Firewall &



http://mcpmag.com

http://www.symantec.com/education/certification/

http://www.symantec.com/education/certification/

http://www.securitycertified.net




While there’s still a dearth of Unix-spe-cific security certifications available, atleast one vendor has stepped up to theplate. In April 2003, Sun Microsystemsdebuted the Sun Certified SecurityAdministrator (SCSA) for Solaris 9 OS.

This one-exam title is, in fact, thefirst security-specific certification to beoffered by Sun. The objectives for theexam break down into six main areas:

• General security concepts• Detection and device management• Security attacks• File and system resources protection• Host and network prevention• Network connection access,

authentication and encryptionAlthough there are no prerequi-

sites for this title, Sun recommendsthat all candidates hold either its Sun

Certified Network Administrator(SCNA) or Sun Certified SystemsAdministrator (SCSA) certificationbefore attempting the exam. Six to 12months of hands-on experience is alsorecommended.

Like other Sun tests, the SunCertified Security Administrator examcontains multiple choice, scenario-based, matching, drag and drop andfree-response questions. There are 60questions, with 60 percent needed topass. Candidates are given 90 minutes.The exam is available for $150 (U.S.) atPrometric testing centers worldwide.

To give candidates an idea of whatto expect, Sun offers 10 free samplequestions for the SCSA on its Web site.

Because the certification is so new,it’s only available for Solaris version 9.

Sun has made no indication of creatingexams for earlier versions, despite thecontinued popularity of its SCSA andSCSA for Solaris 8 exams.

More information about this cer-tification can be found at:http://suned.sun.com/US/catalog/courses/CX-310-301.html.

— Becky Nagel

SunVendor: Sun Microsystems

Certification: SCSA for Solaris 9

Certification Type/Focus: One-exam

title testing security expertise in

Solaris 9.




More information:

http://suned.sun.com/US/catalog/cou

rses/CX-310-301.html

Seeking the SunSolaris administrators worldwide now have a way to certify

their expertise on this Unix-based operating system.


What exactly is an ethical hacker? TheInternational Council of E-CommerceConsultants (EC-Council) states on itsWeb site: “The Ethical Hacker is anindividual who is employed and can betrusted to undertake an attempt topenetrate networks and/or computersystems using the same methods as aHacker… The key difference is thatthe Ethical Hacker has authorization toprobe the target.”

Although passing the title’s oneexam does grant one the title of EthicalHacker, the credential appears to reallybe aimed at systems administrators and

EC-CouncilVendor: International Council of

E-Commerce Consultants

Certification: Ethical Hacker

Certification Type/Focus: Tests

knowledge of hacking terminology

and techniques.




More information:

http://www.cwne.com

other security professionals who areinterested in exactly what the otherside is doing and how to prevent it.

The exam itself consists of 50 ques-tions covering 22 domain areas, such asfootprinting, system hijacking, hackingWeb servers, SQL injection, passwordcracking techniques and ethics. It’savailable for $125 at Prometric testingcenters worldwide. EC-Council offersoptional training for the title.

More information about this certification can be found at:http://www.eccouncil.org/CEH.htm.

— Becky Nagel

Know Your EnemyEC-Council offers white hats a chance to shine with its Ethical Hacker certification.




http://mcpmag.com

http://suned.sun.com/US/catalog/courses/CX-310-301.html



http://www.cwne.com

http://www.eccouncil.org/CEH.htm

If you want to do IT security becauseit’s “hot” right now, or because youthink that’s where the money is, forgetit. If you truly love the field, read on.

What do I mean? Perhaps you’re oneof the many who have written for myhelp in “getting into security” or pursu-ing a security career. Perhaps you wonderif security is an area for you. Maybe youwant the big bucks. Maybe you’re out ofa job, find your engagement calendarempty, or otherwise think it’s time tochange your game plan.

You Missed the Wave, Dude

Security isn’t the answer to yourshrinking paycheck. It won’t bring youfame and fortune; it won’t even get youan interview. If you don’t already havedeep security knowledge, you don’thave time to gain it in order to ride thecurrent wave. The days of success arelong past for those armed with mini-mal knowledge and a pre-programmedsecurity vulnerability scanner. Theword “Security” in your title or yourcompany’s name will get you no instantappreciation now. The market for secu-rity goods and services is more sophis-ticated than it was. To make your way,to survive, you have to be able to domore than know a few buzzwords.

This market isn’t a Mecca for thosewho want to relax, either. Security is 10percent pure panic and 90 percentdrudgery. It’s long hours with noreward. You’ll generally only get recog-nition when you fail. For me, it’s likeI’m always hanging from a cliff by my

fingernails and struggling to keep upwith the dual demands of rapidlychanging information and rarelychanging attitudes. Sure, it’s fun toramble about the foibles of most infra-structure gurus, but I can’t even talkabout my greatest jobs, those where myinput or my design prevented the suc-cess of a very determined attacker.

The Four-Step Program

Are you still reading, even after myattempts at dissuasion? You haven’tgiven up in despair? You say you wantto be a security expert, and you realizeit’s not an easy thing. Here, in myhumble opinion, is how to fulfill thatgoal. Your program should includethese four steps.

Step One: Narrow Your Options

Your first step should be to determineexactly what you mean by “security.”Do you want to specialize in some tech-nical aspect of security, say establishingand configuring perimeter defensessuch as firewalls? Do you absolutelylove decoding packets to figure outwhat’s happening on the wire? Are youobsessive-compulsive about the codeyou write? Does implementing tech-nology excite you, or does the fact thatyour mistakes might provide a venue

for an attacker to steal credit card num-bers off your servers grab your guts?Would you rather manage or do? Doescreating policy float your boat? As youcan see, there’s a wide range of careersin security. I know security officers whohave never touched a server, and sys-tems admins who never should have.

To help you find your niche, con-sider attending a security conference.

Blueprint for aCareer in Security

By Roberta Bragg

Hackers Need Not Apply

If you think that hacking into

Web sites, writing and releasing

malicious code or breaching

security at Fortune 500 compa-

nies, government offices, utilities

or other well-known entities is a

precursor to or a guarantee of a

security career, you’re dead

wrong. Doing these things is just

plain stupid. You can disrupt

business, shut down basic utili-

ties and kill people. There’s a

new hardened attitude out there,

and you may just find yourself

doing time instead of working

for the company of your choice.

—Roberta Bragg

Continued on next page




http://mcpmag.com

You’ll meet people who already work inthe field, gain some security knowledge,and maybe make a few useful contacts.Check out the sites listed below and theconferences and seminars they offer.They represent many different sides ofthe security game. Just don’t assumeyou’ll see all security careers representedat any one event, or that you’ll beaccepted with open arms when you saythe words “Microsoft” and “security.”

• http://www.rsasecurity.com• http://www.sans.org• http://www.gocsi.com/annual/

index.html• http://www.blackhat.com• http://www.defcon.org• http://www.issa.org• http://www.misti.com

Step Two: Get Naked

Second, take a long look at yourself.Carefully review your background, suc-cesses and failures, dreams and reality.As they say in the weight-loss biz, standin front of the mirror naked and take agood, long look. A clear understandingof your abilities, aptitudes and experi-ence is the starting point. Having aclear goal will help you identify thepath to take. Does something in yourbackground fit your idea of this long-term goal? If your experience lies innetworking or systems administration,you have a good foundation to buildupon. Writing solid code and under-standing good coding practices is para-mount to many security careers. If youdon’t have either of these skill sets, whyare you reading this article? Seriously,while many security jobs don’t requireyou to code or to configure systems,they do require you to have knowledgein these areas. Get some. If you’restruggling in IT because of a lack ofability to do a job for which you weretrained, what makes you believe thatyou can enter the security arena with-out any experience or education at all?

Now the good news—maybe: If youstop and think about it, much of whatyou do in IT is security-related. Mostsystems administrators spend a fairamount of time granting or preventingresource access. Security is, in large part,about exercising controls in order to pro-tect resources. If, however, you get yourchuckles from making complex systemswork, or writing elegant code, or gettingthe best performance or throughput, orthe most “bang for the buck,” then secu-rity may not be a wise choice for you.

On the other hand, if you feel thatsomeone’s always looking over yourshoulder; if you have multiple onlinepersonalities; change out your harddrive when you go online; subscribe tomultiple security newsletters (andactually read and follow their advice);have been to Defcon or a CSI confer-ence; downloaded all the NSA guide-lines; know who Stephen Northcutt,Bruce Schneier, Mudge and cDc are;purchased the SANS checklists; andhave www.microsoft.com/security asyour default home page, you probablyhave the necessary makeup for thesecurity field.

Step Three: Get Trained

Now that you know where you are andwhat you want to do, determine whatyou need to do to get there. Each secu-rity opportunity may require a differentskill set, a different level of education.Where not long ago there were no“security degrees” and only a smatteringof certifications, both formal educationand a plethora of certification programsnow exist. The opportunities for educa-tion have multiplied like hack attackson a new IIS server.

Are formal education programs theway to go? Remember: Security as acareer has gone through its first twophases. In the first one, a need evolvedas the natural result of the mainframeculture. Many people got trained on

the job, some were trained by the mili-tary, and others were gifted with deeptalent and mathematical education.Few had formal training in computersecurity, per se. In the second phase, alarge demand meant even inexperi-enced people could earn money ped-dling security advice, and many self-proclaimed hackers—the guys with theexperience—were able to cut their hairand morph into security consultants.

Now we’re in stage three. There’s stilla large demand, but buyers are moreknowledgeable. To get hired, you needsome proof of expertise. If you don’thave experience, do you have certifica-tion or education? Employers today arecertification-shy, and bad experienceswith paper MCSEs have contributed tothis. Several very good education alter-natives exist, and you should start athttp://www.nsa.gov/isso/programs/nietp/newspg1.htm. Among the offerings onthe National INFOSEC Education &Training Program Web site are the 50universities designated “Centers ofExcellence in Information AssuranceEducation” by the National SecurityAgency. Take a look at these programs.You’ll find that not one of them is ashort-term answer to your goals. Mostare traditional four-year undergraduateprograms, or master’ and doctorate pro-grams. Some of the more well-known ofthese schools include:

• Carnegie Mellon University:

(http://www.heinz.cmu.edu/infosecurity/), well-known as the hostlocation for the Computer Emergen-cy Response Team (CERT), as wellas many fine programs that offereducation in information security.

• George Mason University:

(http://www.isse.gmu.edu/~csis/index.html)

• Janes Madiscon University:

(http://www.infosec.jmu.edu/program/html/classroom.htm) offers a





http://mcpmag.com

http://www.rsasecurity.com

http://www.sans.org

http://www.gocsi.com/annual/index.html

http://www.gocsi.com/annual/index.html

http://www.blackhat.com

http://www.defcon.org

http://www.issa.org

http://www.misti.com

http://www.nsa.gov/isso/programs/nietp/newspg1.htm

http://www.nsa.gov/isso/programs/nietp/newspg1.htm

http://www.isse.gmu.edu/~csis/index.html

http://www.isse.gmu.edu/~csis/index.html

http://www.infosec.jmu.edu/program/html/classroom.htm

http://www.infosec.jmu.edu/program/html/classroom.htm

http://www.microsoft.com/security

© 2003 LearnKey, Inc. LK112503 Source Code #5256 Prices listed are for Single-Users. Please call for Multi-User pricing and Corporate solutions.

“This is the way to learn!”

www.learnkey.com/mcpsecurity / 1.800.865.0165 ext. 5256

LearnKey 2003 WinnerBest Computer Application TrainingBest Online Certification Training- Training Magazine 2003 APX awards

Security is not an option! LearnKey Security Training

CISSP Series ( Domains also sold separately) .................................................................................................................................

Cisco® Certified Security Professional Series (Prep for SECUR, CSPFA, CSVPN, CSI, & CSIDS Exams) ........

CompTIA® Security+..............................................................................................................................................................

Hacking Revealed.......................................................................................................................................................................

Windows® 2000 Network Security Design......................................................................................................

ISA Server 2000............................................................................................................................................................................

11 Sessions..............C#150168............$2,995

24 Sessions..............C#562198............$3,265

4 Sessions..............C#101078................$355

5 Sessions..............C#150108................$425

3 Sessions..............C#601098................$265

4 Sessions..............C#601958................$355

SAVE $100!on LearnKey SecurityTraining

SAVE $100!First 20 Callers

FREE Security Training CD!FREE Security Training CD!Choose from these popular titles:

CompTIA® Security+ • CISSP • Cisco® SECUR

Training Features:• Dynamic instructor-led video

• Powerful animations & graphics

• Testing, labs and eSupport

• 99% pass-rate

Security is not an option!

Click HereClick Hereand register to get yours!

CompTIA® Security+ • CISSP • Cisco® SECUR

HURRY!First 50 Only!

HURRY!

http://mcpmag.com/go/sponsor/go.asp?name=sec03_learnkey




master’s degree program with a con-centration in information security,taught entirely online.

• North Carolina State University:

(http://ecommerce.ncsu.edu/infosec/courses.html), offers undergraduate,masters and doctorate programs ininformation assurance.

• University of Idaho:

(http://www.csds.uidaho.edu/), hasthe Center for Secure and Depen-dable Software (CSDS).

Be sure to check out the newFederal Cyber Service: Scholarship forService programs if you’re studyinginformation security in college. U.S.citizens can get two years of their infor-mation security education paid for inreturn for two years of governmentinformation security work. Pay atten-tion to the qualifications: Not everyprogram—nor every candidate—quali-fies. You must be enrolled in an info seccurriculum in one of several qualifyingcolleges before you can apply. Several ofthe programs referenced above partici-pate in the program. Your best sourceof information is their Web sites.

And don’t forget that good old prac-tice of studying on your own or withyour buds. I don’t have to tell you thatmany of your peers in IT run extensivehome test networks. If you’re thinkingof hitting the consultant career path,this is essential. It’s my belief that youcan earn the equivalent of a master’sdegree if you’re willing to invest in asubscription to MSDN and TechNet,cobble together a few boxes in yourbasement and spend hours and hourswith them. Note that it’s my belief: Iknow of no college that will give youcredit for your wee-hour explorationsof PKI, Insect, Kerberos, group policyor other security-related items.

Many vendors have certifications,too. If you work extensively with theirproducts or wish to, these certs—many

of which are profiled in the first part ofthis report—may help. Experience ismore important, but studying for certi-fication isn’t a bad way to develop well-rounded product knowledge.

Step Four: Market Research

Research the job market. IT securityemployment is currently suffering a soft-ening of the market. Visit IT recruiter L.J.Kushner (http://www.ljkushner.com/) toget the skinny on where they think it’sheaded; if you’re qualified, post a resume.

Visit popular headhunter sites anddo a search on information security. AtCareer Builder (http://www.headhunter.net) I found more than 371 jobs fromthe keywords “information security.”Granted, a lot of jobs didn’t fit my defi-nition of info sec, but many did. Poringover the possibilities might just revealsome ideas you hadn’t considered. Howabout being a senior fraud examiner,security manager, risk management-secu-rity and regulatory manager, securityengineer, IT auditor, security engineeringspecialist, IT risk management specialist,policy maintenance senior specialist,acquisition security specialist, networksecurity integrator, chief information pri-vacy officer, security analyst, security sys-tem installer, director of IT security orHIPPA information security officer? Joblisting sites are an excellent way to learnabout the various security job categoriesand required experience level. You maybe startled to learn that many pay lessthan a good network administrator job.

Graze through popular securityproduct sites. Many of them haveemployment sections. Working for asecurity consulting firm or productcompany can boost your career. A wordto the wise: Research the financial sta-bility of these companies before youjoin. Many security startups got theirfunding during the high-tech expansionwars, when the word “Internet” wassynonymous with “Cha-ching!” and

adding the word “security” was a doubleguarantee. Many of these companies arejust treading water now; make your owninquiries before diving in.

Think outside the box. Did younotice the acronym “HIPAA” in the joblist above? It stands for Health InsurancePortability and Accountability Act of1996. Some of the regulations of this actmean radical changes in the way hospi-tals, doctor offices, insurance companiesand anyone who handles patient infor-mation must do their job. While manyinstitutions have a strategy in place, oth-ers are still trying to understand whatthey need to do. In either case, there willbe a continued demand for IT securitypeople in the health care industry.

If You’re Still Interested…

By now you should have an idea thatbeing a security professional is not don-ning a 10-year-old’s T-shirt or doingthe rock star strut across a stage. There’sno surgical security implant or Viagrafor the brain. You’ve found there’s a cry-ing need for those who know IT securi-ty, but no money to pay them; hordesof security babe-wannabes; and animmature industry where even the def-inition of “security professional” isundecided. If somehow you’ve made itto this point, you probably still want topursue the dream, so go for it.

A version of this article was first print-ed in Microsoft Certified ProfessionalMagazine.

Roberta Bragg, MCSE: Security, CISSP,Security+ and contributing editor forMCP Magazine, runs Have ComputerWill Travel Inc., an independent firm spe-cializing in security, operating systems anddatabases. She’s a frequent speaker andtrainer for TechMentor. She’s currentlycompleting two books on network securityfor Microsoft Press. Contact her [email protected].




http://mcpmag.com

http://ecommerce.ncsu.edu/infosec/courses.html

http://ecommerce.ncsu.edu/infosec/courses.html

http://www.csds.uidaho.edu/

http://www.ljkushner.com

Guide to Security

Job Titles

Does adding “security” to already-existing IT job

titles mean a new job for you? In some cases, yes.

A search of popular job search engineslike Dice.com or ITjobs.com on thekeywords “IT,” “network” and “securi-ty” will produce titles such as systemsadministrator and security administra-tor, network analyst and security ana-lyst, or IS manager and IS securitymanager. Are these new jobs or thesame jobs you’re familiar with, withsecurity sneaking onto the list ofresponsibilities? Purely based on a ran-dom survey of jobs that are availableout there, it’s a mixture of both.

The need for specialists pervadesany profession and often produces newjob titles—the IT profession is no dif-ferent. New security titles have croppedup out of necessity and these types ofjobs can be found primarily in mediumto large organizations where securityhas to be controlled on a large scale.(That’s not to say that small companiesdon’t have their fair share of securityjobs; you might find the odd need for asecurity analyst at a consulting or out-sourcing firm.) Imagine, for example,having to manage and troubleshoot reg-ularly scheduled password changes foran accounting firm, where data access iscritical and can’t be interrupted.

Security encompasses issues beyondthe tradtional IT scope; for example, aswith the Health Insurance Portabilityand Accountability Act of 1996. HIPAAis a recurring criteria for security-relatedjobs in healthcare and banking. Like-wise, federal positions having to do withsecurity may require you to possess a

security clearance—which isn’t somethingyou can simply pick upwhen you need it, makingthat a factor beyond theusual IT job descriptions.(For more on this topic,read “About Those U.S.Government Security Clearances” laterin this guide.)

In this article, we share varioussecurity-related job titles and whatkind of work they entail. It isn’t meantto be a comprehensive list, but it cov-ers the major ones you’ll run across inthe course of scanning employmentopportunities.

Security Administrator

Security administrators typically aretasked with implementing securitymeasures on a network. This mayinclude: administering passwords,monitoring system or data securitypractices based on established compa-ny guidelines and monitoring andthwarting internal and external inci-dents (worms, viruses, Trojans andexternal or internal system abuses).They also might be in charge of disas-ter recovery efforts and typical net-work administrator duties.

Security administrators may havea hand in maintaining or recommend-ing changes in established security poli-cies and procedures.

Security administrators report to aproject lead or manager.

Security Engineer

Security engineers are typically involvedin planning, managing and implement-ing higher-level security issues as theyrelate to systems and networks and areoften tasked with evaluating securitysoftware and the impact that third-partysoftware may have as it’s installed on anetwork. Security engineers usually havesignificant input on setting up securitypolicies during the planning phase. Thesecurity engineer may fill roles as projectleads and may even be a manager.

You’ll find security engineers amongany type of IT engineer who performs aspecialty. One interesting form of thesecurity engineer on an ITjobs.com list-ing is the information assurance securityengineer. This job’s differentiating factorwas the concentration on certificationand accreditation of systems/sites. Forthis job title, the company requiredsomeone with some form of govern-ment security clearance, since the jobinvolved writing up information assur-ance activities on federal governmentcustomer systems and networks.

You might find jobs with specialtiesin database security and firewalls.Here’s an interesting twist on the secu-




http://mcpmag.com

rity engineer title: Enterprise SecurityEngineer, Ethical Hacker, for a Fortune500 company in Chicago. The companyrequires “ethical hacking skills,” whichoften means programming expertisewith a strength in developing exploits.

Security Architect

Similar to security engineer in expert-ise, security architects are primarilyresponsible for establishing a frame-work for a comprehensive securitystrategy. The framework might involvedrilling down to specific policies andprocedures. Rarely is the security archi-tect involved in implementation, unlessproviding hands-on support to a secu-rity team. Architects usually have athorough understanding of network,application and database security.

Security architects can be highly spe-cialized, such as one Dice.com listing fora “single sign-on architect.” It’s a highlyspecialized security architect whose soleresponsibility is to design a single sign-on standard, often done for disparatenetwork systems that need to be whollysecure across architectures.

The security architect might beinterchangeable with the security man-ager at some companies or may reportto a security manager.

Security Consultant

Often someone whose breadth of expe-rience encompasses security administra-tor to architect to director, security ana-lysts or consultants often work in anoutsource capacity to test and recom-mend security solutions or strategies.Security consultants and analysts shouldhave extensive knowledge of networkaccess, authentication, development ofsecurity policies and procedures andconducting vulnerability assessments.They may also be involved in securitypre-sales engagements. The security ana-lyst title may be interchangeable withthe security consultant title.

One company on ITjobs.com post-ed a job for a “senior consultant,HIPAA security,” who would primarilyplay advisor and coordinator for pre-sales engagements to companies thatrequired HIPAA compliance beforeforming partnerships.

Another listing called for a SecurityAnalyst, Intrusion Detection/Forensics,a job whose defining characteristic wasthe ability to respond quickly to securi-ty incidents that can affect mission-crit-ical production systems. Response hadto be quick and thorough, particularlyin assessing, documenting and offeringsolutions to thwart attacks. Anotherduty: That person would be tasked withdeveloping new ways to harden systems.

Another job listing asked for acyber security analyst. Based on thedescription, job duties matched upwith a typical security consultant.

Security Monitoring/Compliance

Officer

This person implements and supportsinformation security to maintain com-pliance with applicable laws. He or sheacts as a resource on matters relating toinformation security and will investi-gate and recommend secure solutionsfor implementing IS security policyand standards. In some companies, thesecurity monitoring/compliance officermight report directly to an enterprisesecurity director or chief security offi-cer, perhaps even to the CIO or CEO.

A Dice.com job listing asked for aspecialized business information securi-ty officer (BISO) who would be respon-sible for IS audits and advising othergroups of security requirements for lineof business applications and concoctcompliance reports in terms of businessrisk. The BISO would report to the offi-cers of various groups, such as engineer-ing directors and data center managers.

Another job was listed as fraudinvestigator, a highly specialized skill

that encompassed the same as a securi-ty monitoring/compliance officer, butalso required some experience in legalevidence-gathering techniques.

Security Director

Security directors are often the linebetween staff and executive manage-ment, usually leaning over to the latter.Security directors, though, make rareappearances on job search engines,because the responsibilities can be anamalgamation of higher-level dutiestaken on by a team of security managers,engineers and administrators. If such ajob listing appears, it’s rarely for a smallcompany. Typical responsibilities forsecurity directors include: overseeingand coordinating security policies for ITand company-wide for departments likeengineering, operations, legal and so on;developing and standardizing the com-munication of security, privacy policiesand disaster recovery initiatives, often inaccordance with industry regulations;and developing or driving securityawareness training. Security directorstypically report to a chief informationofficer or chief security officer.

Chief Security Officer

At or near the top of a company hierar-chy (CSO would report directly to theCTO or CEO), the chief security offi-cer often dictates the companywidesecurity mission or strategy. One highprofile member of this elite corps isHoward Schmidt, previously the CSOfor Microsoft, then pegged as cyberse-curity advisor to the White House, andmore recently vice president and chiefinformation security officer for eBay.While it’s a mystery how CSOs differfrom CIOs, many of the Fortune 500companies like Microsoft and GeneralElectric have them.

Consider these positions to be arare breed, indeed.

—Michael Domingo




http://mcpmag.com

http://www.intenseschool.com




Greg Owen is technical director for theGlobal Information AssuranceCertification (GIAC), a vendor-neutralcertification program sponsored by theSANS Institute. He holds three GIACcertifications:

• GIAC Certified Incident Handler(GCIH)

• GIAC Certified Windows SecurityAdministrator (GCWN)

• GIAC Certified Forensic Analyst(GCFA)

Part of his duties with GIAC includeexam preparation. Owen also does net-work security consulting for a consultingcompany in Boston, Massachusetts. He’sbeen working in IT, including networksecurity, for more than 10 years.

Are security certifications becoming

more important or less so in the current

market?

Greg Owen: It’s becoming more impor-tant. The larger the company, the morereliant they are on the certification.The events of the last couple of yearsare starting to drive home to everybodythe point that security is more impor-tant than it used to be. For a large com-pany, it’s hard for them to make a shiftlike that. Human resources needs tohave something they can look for todifferentiate that “this is a candidatewho can do what we want; this [oneisn’t].” At one bank I’ve worked with,their security people almost universallyhold the CISSP.

Can you get a security-related job with

certification and no experience?

I think the security certification helps alot, in the situation where someone’sbeen doing IT and has gotten certifica-tion and had to deal with corners of the

Q&A: Can Security Certifications Help Your Career?We asked a security insider to share his honest take on exactly what security certifications

can—and can’t—do for your job prospects.

security problems from time to time.That cert makes it more official thatthey do know this area. They’ve proba-bly had to deal with it, probably had tohelp out. I think that for a person withno IT experience, to go out and get acert is not as useful, but that’s not thecase for the vast majority of people whoare [pursuing security certification]. Itcan still be useful for someone withoutexperience, but employers are lookingfor the combination of experience andtestable proof.

Should you wait until you’ve been in secu-

rity for some years before getting certs?

I think a year or two is useful, but thething about security is it’s somethingpeople have to deal with all the time.Having a job on your resume that hasto do with security [is helpful].

Do security certifications help if you want

to become a security consultant?

I think so. Whenever a consulting firmor independent consultant comes in tobid for a job, the good ones will have apage on the back which has a quick bioof the people they’re proposing to sendin on the job [and certifications showup well].

Consulting [for independent con-sultants] is as much a sales issue as any-thing else, and part of the sales issue issaying, “Yes, I know what I’m doing, andhere’s what I have to prove it.”Certifications can be very helpful toprove that.

Will there be further areas of security cer-

tification specialization?

It depends on the size of the company.In larger companies, I’m definitely see-ing a trend toward specialization, simply

because they’re so big that one personcan’t do all the jobs. Having said that, Idon’t think being fully specialized is ahelpful thing, especially in security. Ithink knowing a little bit about every-thing helps you do one thing better.Broad experience and broad under-standing of the entire problem areamakes dealing with specific areas easier.

Is there value in platform-specific certifi-

cation, like Microsoft or Cisco?

There definitely is. With specific respectto security, I don’t know how much theMicrosoft [security specialization] willhelp. It’s only recently that they’veadded the security specialization. I thinkthe attitude is, “Why would you go tothe vendor who shipped the brokensoftware in the first place to tell you howto fix it?” There’s a certain amount ofhesitancy there, but specific training isdefinitely valuable if you’re going to beworking in that area. If you’re lookingfor a Windows network administrator,you definitely want them to have theirMCSE. If you have a large Cisco infra-structure and you need that supported,you’re going to want Cisco certification.

What would you tell someone who want-

ed a security certification because it’s the

“hot” field right now?

I wouldn’t recommend that somebodygo into it if they haven’t had an interestin it, just because of that [i.e., it’s popu-lar at the moment]. Like any profession,if you’re just going into it for the money,if you’re not truly interested in the chal-lenges, it will show to employers. They’llsee that. If you don’t enjoy doing thatkind of work, if you don’t enjoy walkingthat walk, I’m not sure I’d recommend it.

— Keith Ward




http://mcpmag.com

“The true source of long-run wealth isfor us to specialize in what we are bestat,” writes Brad DeLong, economicsprofessor at U.C. Berkeley. He mayhave been explaining 19th centuryeconomist David Ricardo’s principle of“comparative advantage” in simplerterms, but DeLong’s explanation hasapplication with IT careers.

Becoming a specialist can be one wayto make some personal improvements inyour career and sustain your good for-tune in these shaky times. Several currentsurveys of IT salaries among those whospecialize in security skills show modestgains against contemporaries who don’tindicate a specialty.

Take Salary.com, which offers basicongoing reporting of salaries within theU.S., compiling data from thousandsof human resources departments.Based on its report for Nov. 11, medi-an average salary for network adminis-trators across the U.S. was $54,458.Compare that to security administra-tors, whose median was $62,074, a 12percent increase.

ComputerWorld’s 2003 compensa-tion survey backs up Salary.com’s datawith a more pronounced increase.Network administrators earned$51,265 on average, while IS securityspecialists said they earned $70,780.Specialization here may account for a26 percent increase.

Salaries qualified by certificationshow increases that are just as remark-able. The Microsoft CertifiedProfessional Magazine 2003 SalarySurvey (MCP Magazine andCertCities.com are both 101communi-cations LLC companies) reports thatthe average base salary for MCPs was$61,700. Respondants who held addi-tional security-based certifications likeMicrosoft’s own ISA Server or CISSP,

as well as the MCP, made at least$4,000 more, and in some cases$30,000 more (see Table 1).

While specializing may seem to bethe next logical step, salary numberslike those shown on these reports aren’tguaranteed. Remember that salary sur-veys only provide a snapshot of salariesamong the employed as those surveyswere conducted. Obtaining a securityspecialty only means your breadth ofexpertise may give you an advantageover peers. Whether that translates toadditional compensation is up to youremployer and your powers of persua-sion over the one who signs your check.

Looking into 2004, it’s tough toknow how valuable the security focusin your portfolio will continue to be.What’s hot today can grow cold tomor-row in IT. We’d advise you to stay intouch with published information oncompensation; but remember, thosenumbers can’t pinpoint what a particu-lar individual should earn. Variablessuch as geographic location, years ofexperience, type and size of organiza-tion and negotiating skills come intoplay in any given scenario.

To find detailed salary survey infor-mation, check out these links:

• Salary.com:

(http://www.salary.com) Get dailysalary reports just by clicking on thesimple criteria. Data changes

because Salary.com gathers it on acontinual basis.

• ComputerWorld 2003 Salary

Survey:

(http://www.computerworld.com/careertopics/careers/story/0,10801,86413,00.html). Published inOctober 2003, data comes frommore than 19,000 responses.

• Microsoft Certified Professional

Magazine 2003 Salary Survey:

( h t t p : / / m c p m a g . c o m / s a l a r ysurveys/) MCP Magazine is knownfor its yearly survey of certified pro-fessionals woking with Microsoftproducts. Data collected from morethan 6,000 respondents.

• Janco Associates:

(http://www.psrinc.com/salary.htm)This technical outsourcing firmgathers compensation data frommore than 400 mid- and large-sizedcompanies twice a year. The mostrecent report was published in June.

• Foote Partners LLC:

(http://www.footepartners.com/salaryresearch.htm) Collects salary datafrom 35,000 IT workers on a quar-terly basis. Reports are costly, butthe sample versions have a signifi-cant amount of data.More links to salary surveys can be

found on CertCities.com at http://certcities.com/editorial/salary_surveys/.

—Michael Domingo

Salary Data for IT Security Professionals

Title Salary

MCP* $61,700

ISA Server $65,100

(ISC)2 Systems Security Certified Practitioner $77,500

Check Point Certified Security Expert $78,500

(ISC)2: Certified Information System Security Professional (CISSP) $78,800

Cisco Certified Security Professional $93,500

Table 1. Comparing salaries of MCPs and those holding security-specific certifications.* Average base salary of all MCPs; all other figures come from Chart 8, “Salary by Other

Certifications,” from the 2003 MCP Magazine Salary Survey. More at http://mcpmag.com.




http://mcpmag.com

http://mcpmag.com

http://www.salary.com

http://www.computerworld.com/careertopics/careers/story/0,10801,86413,00.html





http://www.psrinc.com/salary.htm

http://www.footepartners.com/salaryresearch.htm

http://www.footepartners.com/salaryresearch.htm

http://www.certcities.com



http://certcities.com/editorial/salary_surveys/



You’ve found a job whose description fitsyou perfectly except for one small matter:It requires a security clearance and youdon’t have one. As with many things inlife, getting this particular positionwould be a long shot for you, but thatdoesn’t mean you shouldn’t try anyway.

The fact is that security clearance issomething you can’t obtain for yourself.Your current or prospective employer hasto set the wheels in motion to get it foryou. Since the process is costly and time-consuming, organizations won’t do itunless it’s absolutely essential. Let’sreview the basics.

You typically need a security clear-ance when you hold a sensitive positionwithin the federal government or whenyou work for a government contractor orsome other organization that has accessto classified information or deal withother restricted information relating tonational security. Clearances come inmany different flavors, primarily confi-dential, secret, top secret, and sensitivecompartmented information (SCI).

Once a person has been offered aposition that requires a clearance, theemployer opens up a request with theOffice of Personnel Managementthrough a federal security officer. TheOPM gives the candidate undergoingthe clearance check access to an onlinesystem called e-Qip, or ElectronicQuestionnaire for Investigations Pro-cessing, a digital version of StandardForm 86 (http://www.usaid.gov/procurement_bus_opp/procurement/forms/SF-86/sf-86.pdf).

SF 86 is a 13-page document thatasks you to list your vitals—name, socialsecurity number, place of birth, etc.—and then drills down on your personalhistory going back at least seven years.You’re expected to list where you’ve livedfor the last seven years, where you wentto school, your employment activities—

including titles, supervisor names andsupervisor addresses—people who knowyou well aside from spouses and rela-tives, relatives and associates (along withtheir dates of birth, country of birth andcurrent address), your military historyand foreign activities (including travelfor business and pleasure), policerecords, medical records, financialrecords and delinquencies, use of illegaldrugs and alcohol, and groups you asso-ciate with that espouse the violent over-throw of the government.

Sound comprehensive? The idea isto weed out those who aren’t (accordingto SF 86) “reliable, trustworthy, of goodconduct and character, and loyal to theUnited States.” The same form alsowarns that your current employer will becontacted and questioned, whether youwant them to be or not.

Your form and your fingerprints goto the Federal Investigations ProcessingCenter, which calls on investigators—both federal employees and contract—tostart confirming what you’ve said on theform. During this phase of the process,investigators review available records(including your presence on theInternet), check with the police, run acredit check on you and talk to peoplewho know you—those you’ve listed onthe form as well as people in a position toobserve you, such as neighbors. Plus,you’ll be interviewed yourself.

All the data that’s collected ends upin a single file, called “The Report ofInvestigation,” which is sent to the feder-al agency that asked for the investigationin the first place. At that point, it’s up tothe federal security officer at the agencyof hire to determine your eligibility tohave a position with access to secureinformation. You may get the chance toexplain or refute negative or unclearinformation during this “adjudicationphase.” Then your clearance is either

granted or denied.If it’s granted, the fun doesn’t stop

there. Depending on what level of clear-ance you have, you’ll have to undergoreinvestigation every five, 10 or 15 years.If you leave that position, the clearance isstill active, but it may not be usable byyour next employer—depending onwhat type of security clearance the newjob requires. Let enough time pass andthe clearance will have no merit at all.

The whole process of obtaining aclearance can take many months—sometimes longer than a year—and costseveral thousands (even tens of thou-sands) of dollars. The more sensitive thejob, the deeper—and the costlier andmore time-consuming—the investiga-tion. You can’t speed up the effort, norcan you offer to pay the cost. That’s whyso many jobs listing security clearance asa requirement are anxious to find candi-dates who already possess a clearance ofthe right type—the project may be overby the time somebody new to theprocess obtains his or her clearance. Ifyou’ve noticed the propensity of govern-ment contractors to intensely recruit ex-military people for open positions, it’sbecause vets frequently come with thesecurity clearance that’s needed as partof their portfolio.

If you don’t already have a securityclearance but there’s a particular organi-zation you’re determined to work for,your best approach is to obtain employ-ment that doesn’t require the clearancewith the agency or firm. Then put inyour time and make it clear to your man-ager that should the right opportunitypresent itself, you’d be willing to undergothe investigation. But temper yourenthusiasm: Too much eagerness toundergo this in-depth exploration intoyour personal and professional life mightbe viewed as suspicious behavior.

— Dian Schaffhauser

About Those U.S. Government Security Clearances




http://mcpmag.com

http://www.usaid.gov/procurement_bus_opp/procurement/forms/SF-86/sf-86.pdf



1. Microsoft TechNet IT Pro Security

Zone

http://www.microsoft.com/technet/security/community/default.mspxThe IT Pro Security Zone is Microsoft’snewest security portal. It’s your one-stop shop for Microsoft-related securitynewsgroups, latest patches, chats andspecial events, security articles, FAQsand lots more.

2. CERT Coordination Center

http://www.cert.org/The Computer Emergency ResponseTeam helps protect the Internet throughvarious means. It constantly monitorspublic networks for attacks, and normal-ly knows one is coming before it hits. Atreasure trove of great information.

3. NTBugtraq

http://www.ntbugtraq.comEveryone in the security communityknows Russ Cooper, TruSecure’s Sur-geon General. This is his Web site,which offers one of the most activesecurity newsgroups on the Net.

4. InfoSec Reading Room

http://www.sans.org/rr/SANS is well-known for its securitytraining. Its InfoSec Reading Room hasmore than 1,200 security white papersin 70 different categories. All the majorplatforms are covered, including main-frames, Unix, Linux, Mac/Apple andWindows.

5. WildList Organization International

http://www.wildlist.org/The best source of information on whatviruses are currently out there “in thewild.” Serious security people checkthis list constantly.

6. LinuxSecurity.com

http://linuxsecurity.comThis is an excellent site for Linux secu-rity administrators. Contains Linuxsecurity-specific news, advisories, toolsand research.

7. Windows 2000 Security Operations

Guide

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8This guide is a must-have document foranyone with Windows 2000 servers ontheir network. Following the step-by-step instructions can drastically reducesuccessful attacks on your network.

8. Common Criteria

http://www.commoncriteria.org/Common Criteria provides a set ofstandards for information security.Products are submitted to CC for test-ing and then given a rating based ontheir overall level of security. The high-er the number, the better.

9. InfoSec News

http://www.infosecnews.com/One of the few sites that specializes incomputer security news. It’s updateddaily and contains a broad range ofcontent.

10. SecurityStats.com

http://www.securitystats.com/Want to follow the legal trials andtribulations of your favorite hackers?Find out how much the MS BlasterWorm cost companies? Keep up onWeb defacements? Security Stats is theplace to do that and get lots of othergood security information.

11. Hacker Wacker

http://www.hackerwhacker.com/One of the best features of this securi-ty-packed Web site is the ability to dofree remote security scans of your net-work and firewall. See what the hackersare seeing.

12. InfoSysSec

http://www.infosyssec.org/Like many of the sites listed here, thisone offers a wealth of security-relatedinformation. However, this site alsolists the Top 10 IP addresses fromwhich Internet attacks are beinglaunched and the Top 10 ports that arebeing attacked.

13. HIPAA.org

http://www.hipaa.org/Are you unsure of how the HealthInsurance Portability and Accountabi-lity Act (HIPAA) works? If you’re asecurity consultant, you should know,since there’s a lot of money to bemade by ensuring HIPAA compli-ance. This site is a good startingpoint.

14. CSRC NIST PKI Program

http://csrc.nist.gov/pki/Thinking about instituting a PublicKey Infrastructure? If so, this site fromthe National Institute of Standards andTechnology is the best place to beginyour research.

15. 2600

http://www.2600.com/Why is the most famous hacker Website of all on this list? Because to fighthackers, it’s important to understandtheir mindset.

— Keith Ward

15 Best Web Sites for Security




http://mcpmag.com

http://www.microsoft.com/technet/security/community/default.mspx

http://www.microsoft.com/technet/security/community/default.mspx

http://www.cert.org/

http://www.ntbugtraq.com

http://www.sans.org/rr/

http://www.wildlist.org/

http://www.securitystats.com/

http://www.commoncriteria.org/

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8

http://linuxsecurity.com

http://www.hackerwhacker.com/

http://www.infosyssec.org/

http://www.hipaa.org/

http://csrc.nist.gov/pki/

http://www.2600.com/

http://www.infosecnews.com/

http://www.hipaa.org/

1. CCCure.org

http://www.cccure.org

This top-notch site for CISSP candidates is packed with useful preparation tools,

including exam reviews, news, research and an expansive collection of practice

questions. A similar site worthy of prospective CISSP candidates can be found at

http://www.cissps.com/.

2. Rtek2000 Security Links

http://www.rtek2000.com/Tech/InternetSecureLinks.html

This page from training company Rtek2000 hosts one of the most comprehen-

sive security link collections available, covering just about every baseline topic

tested on security certification exams (and then some). The perfect place to

begin your online studies.

3. CertCities.com Security Exam Reviews

http://www.certcities.com/certs/security/exams/

Go here to read CertCities.com’s collection of security-related exam reviews,

including Microsoft’s 70-214, CompTIA’s Security+ and (ISC)2’s CISSP.

4.Certification-Crazy’s Security+ Resources

http://www.certification-crazy.net/security+.htm

Scroll down to view a nice list of online Security+ resources from a fellow candidate.

5. GetCertified4Less.com

http://www.getcertified4less.com/testvoucher.asp

Offers discounted vouchers for Microsoft, Cisco, Check Point and CompTIA exams.

— Becky Nagel

5 Web Picks for Security Certification

1. TechNet Flash

http://www.microsoft.com/technet/subscriptions/current/suboserv.aspTechNet Flash is Microsoft’s bi-weeklynewsletter covering all things TechNet.Of course, one of its main purposes isto alert you of the newest security vul-nerabilities, patches, hotfixes and pro-cedures for securing your network.

2. Security Watch

http://lists.101com.com/nl/main.asp?NL=mcpmagSecurity Watch, published by the samefolks who produce Microsoft CertifiedProfessional Magazine, provides lots oforiginal content (something often diffi-cult to find in newsletters). Included ineach issue is a commentary byWindows security expert RobertaBragg and a roundup of top securitystories by ENTMag.com editor ScottBekker. If you have security responsi-bilities on a Windows network, thisnewsletter is a must-read.

3. Crypto-Gram

http://www.counterpane.com/crypto-gram.htmlCrypto-Gram is a free monthly news-letter from Bruce Schneier, the field’sforemost expert in cryptography.Schneier comments on a host of securi-ty topics, covering a broad range ofissues. He’s never at a loss for a strongopinion on any security-related topic.

4. SANS Critical Vulnerability

Analysis Report

http://www.sans.org/newsletters/cva

5 Must-Read Security Newsletters

The SANS Critical VulnerabilityAnalysis Report is a weekly bulletin oftop vulnerabilities. SANS, a securitytraining company, lists the risk levelswith each vulnerability, potential dam-age of each and links to learn moreabout them.

5. Asian School of Cyber Laws

http://www.asianlaws.org/infosec/newsletter/index.htmThe first reaction to the “Asian Schoolof Cyber Laws” is usually, “What theheck is that?” It’s a public organization

based in India that, among other activ-ities, publishes a bi-weekly securitynewsletter that’s mostly news, but alsohas sprinklings of opinion scatteredthroughout. Solid coverage of securitynews throughout the world, not justthe United States.

— Keith Ward

Note: Only free newsletters were consid-ered for this list. Most of us have enoughthings to pay for without shelling out forelectronic newsletters.




http://mcpmag.com

http://www.microsoft.com/technet/subscriptions/current/suboserv.asp

http://lists.101com.com/nl/main.asp?NL=mcpmag

http://lists.101com.com/nl/main.asp?NL=mcpmag

http://www.counterpane.com/cryptogram.html

http://www.sans.org/newsletters/cva

http://www.getcertified4less.com/testvoucher.asp

http://www.certification-crazy.net/security+.htm

http://www.certcities.com/certs/security/exams/

http://www.rtek2000.com/Tech/InternetSecureLinks.html


http://www.asianlaws.org/infosec/newsletter/index.htm

http://www.asianlaws.org/infosec/newsletter/index.htm

http://www.ENTmag.com

http://www.cissps.com/


• A technical track will focus on tools and

technical solutions for systems adminis-

trators, network managers, analysts,

IT managers and administrators –

anyone fighting spam in the trenches.

• A business track will focus on legislation,

regulation, costs, and other business issues

for IT managers, vice presidents,

technical developers, and chief privacy

officers, chief security officers, and

other C-level executives.

RE G I S T E R TO D AY! W W W.101T E C H S T R AT E G I E S .C O M

Hear from top names fighting the spam problemtoday: Experts from AOL, Yahoo, Microsoft, theFTC, California's Office of Privacy Protection, andmany more.

W H A T T H E S U M M I T O F F E R S :

P R E S E N T E R S :

MARCH 17-19, 2004THE PALACE SAN FRANCISCO, CA

C O M E L E A R N A B O U T:

• The best-of-breed tool overviews

• The latest technologies

• Case studies straight from your peers

• Legislation and regulation

• What the major ISPs are doing

THE ANTI-SPAM SUMMIT

You know what e-mail abuse costs your business.

You’ve tried to stop it.

Now attend the only industry summit focused solely on the technical and business issues surrounding spam.

Sponsored by 101communications and Microsoft Certified Professional Magazine

• Ryan HamlinGeneral Manager, Microsoft’s Anti-SpamTechnology and Strategy Group

• Jon PraedFounding Partner,Internet Law Group

TechStrategies 1pg MCP2.pdf 12/1/03 11:43 AM Page 1

http://www.101techstrategies.com




Security Bookshelf

.NET Framework Security

Brian A.LaMacchia,SebastianLange,MatthewLyons, RudiMartin, KevinT. PriceAddison-Wesley 067232184X April 24, 2002$57.99

Anti-Hacker Tool Kit

Keith J. Jones, Mike Shema,Bradley C. Johnson McGraw-Hill Osborne Media0072222824 June 25, 2002$59.99

The Art of Deception :

Controlling the Human

Element of Security

Kevin D.Mitnick,William L.SimonHungryMinds076454280X October 2003$16.95

Authentication: From

Passwords to Public Keys

Richard E. SmithAddison-Wesley 0201615991October 1, 2001$44.99

Beyond Fear: Thinking

Sensibly About Security in

an Uncertain World

Bruce Schneier Copernicus Books0387026207 September 2003$25

Building Secure Software:

How to Avoid Security

Problems the Right Way

John Viega, Gary McGraw Addison-Wesley 020172152XSeptember 24, 2001$54.99

Building an Information

Security Awareness Program

Mark B. Desman Auerbach 0849301165 October 30, 2001$49.95

Building Internet Firewalls

(2nd Edition)

Elizabeth D. Zwicky, SimonCooper, D. Brent ChapmanO’Reilly & Associates1565928717 January 15, 2000$49.95

The CERT Guide to System

and Network Security

Practices

Julia H. AllenAddison-Wesley 020173723X June 7, 2001$39.99

Computer Forensics:

Incident Response Essentials

Warren G. Kruse II, Jay G.HeiserAddison-Wesley 0201707195 September 26, 2001$44.99

Computer Security Incident

Handling: Step-by-Step

(Version 2.3.1)

Stephen NorthcuttSANS Institute0972427376 March 2003$29.99

Counter Hack: A Step-by-

Step Guide to Computer

Attacks and Effective

Defenses

Ed SkoudisPrentice HallPTR0130332739 July 23, 2001$49.99

Computer Security

Handbook

Seymour Bosworth and MichelE. Kabay, EditorsJohn Wiley & Sons0471412589 April 2002$80

Designing Security

Architecture Solutions

Jay RamachandranJohn Wiley & Sons0471206024March 1, 2002$55

The E-Policy Handbook:

Designing and Implementing

Effective E-Mail, Internet,

and Software Policies

Nancy L. Flynn AMACOM0814470912 November 2000$19.95

The Effective Incident

Response Team

Julie Lucas,Brian MoellerAddison-Wesley 0201761750 September 26,2003$39.99

Firewall Architecture for the

Enterprise

Norbert Pohlmann, TimCrothersJohn Wiley & SonsJuly 8, 2002076454926X $49.99

Firewalls: The Complete

Reference

by Keith Strassberg, GaryRollie, Richard GondekMcGraw-Hill Osborne Media0072195673 May 28, 2002$59.99

Firewalls and Internet

Security: Repelling the Wily

Hacker, Second Edition

William R. Cheswick, StevenM. Bellovin, Aviel D. RubinAddison-Wesley 020163466X February 24, 2003$49.99

The Hack Counter-Hack

Training Course: A Desktop

Seminar

Edward SkoudisPrentice Hall PTR013047729X June 14, 2002$69.99

Hacker’s Challenge 2: Test

Your Network Security &

Forensic Skills

MikeSchiffman,BillPennington,David Pollino,Adam J.O’Donnell McGraw-HillOsborne Media0072226307 December 18, 2002$39.99

Popular print resources for security technology and certification.





http://mcpmag.com

Hacking Exposed: Network

Security Secrets &

Solutions, Fourth Edition

StuartMcClure, JoelScambray,George Kurtz McGraw-HillOsborneMedia0072227427 February 25, 2003$49.99

Hacking Exposed Web

Applications

Joel Scambray, Mike Shema McGraw-Hill Osborne Media007222438X June 19, 2002$49.99

Hacking Exposed

Windows 2000

JoelScambray,StuartMcClure0072192623 August 29,2001$49.99

Hacking Exposed Windows

Server 2003

Joel Scambray, Stuart McClure McGraw-Hill Osborne Media0072230614 October 27, 2003$49.99

Hacking Linux Exposed

Brian Hatch, James B. Lee,George Kurtz0072127732 March 27, 2001$39.99

HackNotes Web Security

Pocket Reference

Mike Shema McGraw-Hill Osborne Media0072227842 June 30, 2003$29.99

Honeypots: Tracking Hackers

LanceSpitznerAddison-Wesley 0321108957 September 10,2002$44.99

Incident Response:

Investigating Computer Crime

Chris Prosise, Kevin Mandia McGraw-Hill Osborne Media0072131829 June 21, 2001 $39.99

Information Security

Architecture, Second Edition

Jan Killmeyer TudorCRC Press0849315492 June 28, 2003$79.95


Architecture: An Integrated

Approach to Security in the

Organization

Jan Killmeyer Tudor CRC Press0849399882 September 25, 2000$69.95


Management Handbook,

Fourth Edition, Volume 4

Micki Krauseand Harold F.Tipton,Editors Auerbach 0849315182 November 26,2002$69.95


Policies, Procedures, and

Standards: Guidelines for

Effective Information

Security Management

Thomas R. Peltier CRC Press0849311373 December 20, 2001$69.95

Information Security Policy

Manual

Edmond D. JonesRothstein Associates1931332096 February 23, 2001$89


Risk Analysis

Thomas R.Peltier Auerbach 0849308801 January 23,2001$69.95

The Information Systems

Security Officer’s Guide:

Establishing and Managing

an Information Protection

Program

Gerald L. Kovacich Butterworth-Heinemann0750698969 May 1998$41.95

Inside Network Perimeter

Security: The Definitive

Guide to Firewalls, Virtual

Private Networks (VPNs),

Routers, and Intrusion

Detection Systems

Stephen Northcutt, LennyZeltser, Scott Winters, KarenFredrick, Ronald W. Ritchey Que0735712328 June 28, 2002$49.99

Intrusion Detection with Snort

Jack Koziol SAMS157870281X May 20, 2003$45

Intrusion Signatures and

Analysis

Mark Cooper, StephenNorthcutt, Matt Fearnow,Karen Frederick Que0735710635 January 29, 2001$39.99

Kerberos: A Network

Authentication System

Brian TungAddison-Wesley 0201379244May 4, 1999$19.95

Know Your Enemy: Revealing

the Security Tools, Tactics,

and Motives of the Blackhat

Community

TheHoneynetProjectAddison-Wesley 0201746131 August 31, 2001$39.99

Linux Security Cookbook

Daniel J. Barrett, Richard E.Silverman, Robert G. Byrnes O’Reilly & Associates0596003919 June 2003$39.95

Linux Server Hacks

Rob Flickenger, EditorO’Reilly & Associates0596004613 January 2003$24.95

Malware: Fighting

Malicious Code

Ed Skoudis,Lenny ZeltserPrentice HallPTR0131014056 November 9,2003$44.99

Managing A Network

Vulnerability Assessment

Justin Peltier, John A. Blackley,Thomas R. Peltier Auerbach 0849312701 May 30, 2003$59.95





http://mcpmag.com

Network Intrusion

Detection, Third Edition

Stephen Northcutt, JudyNovakQue0735712654 August 27, 2002$49.99

Network Security: Private

Communication in a Public

World

Charlie Kaufman, RadiaPerlman, Mike SpecinerPrentice Hall PTR0130460192April 15, 2002$54.99

PKI: Implementing &

Managing E-Security

Andrew Nash,Bill Duane,Derek Brink,Celia JosephMcGraw-HillOsborneMedia0072131233 March 27, 2001$49.99

Practical Unix & Internet

Security, 3rd Edition

Simson Garfinkel, GeneSpafford, Alan SchwartzO’Reilly & Associates0596003234 February 2003$54.95

Real World Linux Security:

Intrusion Prevention,

Detection and Recovery

Bob ToxenPrentice Hall PTRNovember 20000130281875 $44.99

Secrets and Lies: Digital

Security in a Networked

World

Bruce SchneierJohn Wiley & Sons0471453803 January 2004$17.95

Security Architecture:

Design, Deployment and

Operations

Christopher King, ErtemOsmanoglu (Editor), CurtisDaltonMcGraw-Hill Osborne Media0072133856 July 30, 2001$49.99

The Shellcoder’s Handbook :

Discovering and Exploiting

Security Holes

Jack Koziol, David Litchfield,Dave Aitel, Chris Anley, SinanEren, Neel Mehta, RileyHassellJohn Wiley & Sons0764544683 March 2004$50

Snort 2.0 Intrusion

Detection

Brian Caswell, Jay Beale, JamesC. Foster (Editor), JeremyFaircloth (Editor) McGraw-Hill Osborne Media0072226307 December 18, 2002$39.99

Special Ops: Host and

Network Security for

Microsoft, UNIX, and Oracle

Erik Pace Birkholz, StuartMcClureSyngress1931836698 February 17, 2003$69.95

Stealing the Network: How

to Own the Box

Ryan Russell(Editor), IdoDubrawsky,FX Syngress1931836876 June 2003$49.95

SQL Server Security

Chip Andrews, DavidLitchfield, Bill Grindlay McGraw-Hill Osborne Media0072225157 August 27, 2003$49.99

SQL Server Security Distilled

Morris LewisAPress1590591925 July 1, 2003$39.99

Web Hacking: Attacks

and Defense

StuartMcClure,Saumil Shah,Shreeraj Shah Addison-Wesley 0201761769 August 8, 2002$49.99

Writing Information

Security Policies

by Scott BarmanQue157870264X November 9, 2001$34.99

Writing Secure Code

Michael Howard and DavidLebl, David LeBlancMicrosoft Press0735615888 December 15, 2001$39.99

—Michael Domingo



Global Knowledge

www.global knowledge.com

Global Knowledge is a worldwide leader

in IT education and offers over 31

hands-on security training courses.

Intense School

www.intenseschool.com

The Security Training Experts. 2003

Award Winners.

LearnKey, Inc.

www.learnkey.com/mcpsecurity

Free Security Training CD. Sec+, CISSP,

SECUR. Hurry 50 only!

Advertiser Index


http://mcpmag.com




Documents

Security Certification Resource Guide 2003 - 1105 Mediadownload.101com.com/certcities/security/security_cert.pdf · SANS:A Practical Approach 6 ... Security Certification Resource