Information Security Certifications

Renowned security expert Bruce Schneier has written an eloquent article on security certifications. It is a compelling and quite provocative read. It makes for a good alternative view on certifications, in that it does not toe the party line. Ultimately, it boils down to the person doing the hiring, the person looking for a job and the skill requirements for the position itself. There is no formula set in stone, so it is up to each person to decide for themselves whether certifications are worthwhile.

I’ve long been hostile to certifications — I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I’ve come to believe that, while certifications aren’t perfect, they’re a decent way for a security professional to learn some of the things he’s going to know, and a potential employer to assess whether a job candidate has the security expertise he’s going to need to know.

Many readers may come away from the article wondering whether obtaining a certification is really all that important. Ultimately, it boils down to your goals and aspirations. While it certainly cannot hurt to have a certification, if the job you are seeking does not require one then it might be pointless. Still, every little edge counts, so I can only see having a certification as a good thing.

At the very least, it shows initiative and interest. How bad is that?

If you are new to information security, and have little to no experience, then you probably should study the Security+ materials. Ultimately, taking the exam will show that you have an understanding of basic information security principles and practices.

Most anyone else should really head towards the CISSP direction. It is the premier security certification to hold right now, no matter what some folks may say. It is especially important to have if you are planning to work for the U.S. Government in an information security capacity.

Once you have knocked out the CISSP, you should look towards the GSEC or the CISA. If you are a techno-geek, then the GSEC is all yours. However, if you are in management, or interested in moving into that arena, then the CISA is the way to go. This, along with the CISSP, is the certification to have, mainly because of the lack of truly qualified information security managers available today.

Like I said, holding a certification surely will not hinder you; all it will do is help. However, it is up to you to evaluate whether it is worth spending the time and money on studying and taking the tests.

Good luck!

NSA Suit May Proceed

The federal judge overseeing the EFF vs. AT&T case, concerning AT&T's alleged complicity in widespread warrantless government surveillance, has ruled that the case may proceed. This is a landmark decision, mainly because the U.S. government's argument that the suit could reveal state secrets, a rarely used claim that nearly always terminates a lawsuit, was rejected.

U.S. District Court Chief Judge Vaughn Walker found that the program was not a secret since “public disclosures by the government and AT&T indicate that AT&T is assisting the government to implement some kind of surveillance program.”

“Dismissing this case at the outset would sacrifice liberty for no apparent enhancement of security,” Walker wrote.

This is extremely important because it allows the case to proceed rather than being dismissed at the outset. That U.S. District Court Chief Judge Vaughn Walker was able to see through the rhetoric of the government lawyers speaks volumes. Though the war is far from won, this small victory matters because it allows the fight to begin.

Every American should be keeping their eyes peeled to this case!

Click Fraud and the Problem of Authenticating People

Once again Bruce Schneier hits the nail on the head with his exceptionally insightful article about click fraud and the problem of authenticating people. With his usual eloquence, and his ability to get right to the point without useless prose, Schneier explains why solving the click fraud problem is imperative.

Google's $6 billion-a-year advertising business is at risk because it can't be sure that anyone is looking at its ads. The problem is called click fraud, and it comes in two basic flavors.

Google is testing a new advertising model to deal with click fraud: cost-per-action ads. Advertisers don’t pay unless the customer performs a certain action: buys a product, fills out a survey, whatever. It’s a hard model to make work — Google would become more of a partner in the final sale instead of an indifferent displayer of advertising — but it’s the right security response to click fraud: Change the rules of the game so that click fraud doesn’t matter.

That’s how to solve a security problem.

Google is definitely taking the right path on this one. The wise words, from an even wiser security expert, should not be ignored.

Secure Computing's Bid for Security

Secure Computing's bid for security is pushing its investors to their limits. Largely using debt, the company is making its second large acquisition of the year, hoping to build the future of security and turn its profits around.

By Tuesday afternoon it had already been a rough week for John McNulty. The chief executive of Secure Computing (SCUR) was feeling anything but secure as he got on a conference call with investors to tell them he was buying Alpharetta (Ga.) CipherTrust for $273 million—largely using debt, since his company had only about $100 million in the bank and a market share not much bigger than the size of the deal. It had been less than a year since Secure Computing took a private equity investment from Warburg Pincus to help buy another security company, CyberGuard, for $295 million.

I really adore Secure Computing, especially their Sidewinder G2 firewall package. While it is priced extremely high, it does offer the best protection available today. I will be closely watching to see what the company is capable of producing after all the mergers.

Citibank Phish Spoofs 2-Factor Authentication

A new phishing site was recently discovered that defeated the two-factor authentication used by Citibank by mounting a man-in-the-middle attack: the bogus site collected the customer's credentials, including the one-time code from the token, and relayed them to the real site while the code was still valid. Two-factor authentication is any authentication protocol that requires two independent ways to establish identity and privileges. By requiring a combination of something you know (e.g. a username and password), something you have (e.g. a token or smart card) or something you are (e.g. biometrics), security is greatly enhanced over traditional password authentication, which requires only one factor (knowledge of a password) to gain access to a system.

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called “two-factor authentication” — the second factor being something the user has in their physical possession like an access card — as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

This attack was fairly complex and done exceptionally well. Most security experts would have spotted it immediately, but the lay person might not know any better. It goes to show that just because a system is two-factor does not automatically mean that its security design as a whole is better than a single-factor one: the token proves that the customer holds it right now, not that the site they are typing the code into is the bank.
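To make the man-in-the-middle relay concrete, here is a small simulation of it. This is an added example, not code from the original post or from Citibank; the token scheme is an assumption (a time-based HMAC code with a 30-second window, in the style of the later RFC 6238), since the page does not describe the real token, and the bank's one-time-use policy, the usernames, passwords and secrets are all constructed for the example.

```python
"""Simulated phishing relay against a password + one-time-code login.

Added example. Assumptions (not from the original post): the bank uses a
time-based HMAC code with a 30-second window and refuses to accept the same
code twice; all users, passwords and token secrets below are constructed.
"""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30
CODE_DIGITS = 6


def totp(secret: bytes, now: float) -> str:
    """Time-based one-time code: HMAC-SHA1 over the 30-second counter,
    dynamically truncated to six decimal digits."""
    counter = int(now // WINDOW_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Bank:
    """The legitimate site: checks password, current token code, and that the
    code has not been used before (assumed policy)."""

    def __init__(self, users: dict):
        self.users = users          # username -> (password, token secret)
        self.used_codes = set()     # (username, code) pairs already accepted

    def login(self, username: str, password: str, code: str, now: float) -> bool:
        if username not in self.users:
            return False
        real_password, secret = self.users[username]
        if not hmac.compare_digest(password, real_password):
            return False
        if code != totp(secret, now):
            return False            # stale or wrong code
        if (username, code) in self.used_codes:
            return False            # code already consumed once
        self.used_codes.add((username, code))
        return True


class PhishingProxy:
    """The bogus site: takes whatever the victim types and immediately
    submits it to the real bank in the attacker's own session."""

    def __init__(self, bank: Bank):
        self.bank = bank
        self.captured = []          # everything the victim has typed

    def victim_submits(self, username: str, password: str, code: str, now: float) -> bool:
        self.captured.append((username, password, code))
        # Real-time relay: the still-valid code logs the *attacker* in.
        return self.bank.login(username, password, code, now)

    def replay_later(self, now: float) -> bool:
        # A later replay of the captured code, without the real-time relay.
        username, password, code = self.captured[-1]
        return self.bank.login(username, password, code, now)


def run_demo() -> dict:
    """Runs the three scenarios and returns their outcomes."""
    secret = b"victim-token-secret"                  # constructed
    bank = Bank({"alice": ("hunter2", secret)})      # constructed
    proxy = PhishingProxy(bank)
    now = 1_150_000_000.0                            # a fixed timestamp
    victims_code = totp(secret, now)                 # what her token displays
    return {
        "realtime_relay": proxy.victim_submits("alice", "hunter2", victims_code, now),
        "replay_same_window": proxy.replay_later(now + 5),
        "replay_after_window": proxy.replay_later(now + 120),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {'attacker logged in' if outcome else 'rejected'}")
```

The point the simulation makes is that both defences the bank has (a fresh code and single use) hold, and the attacker still gets in: the relay happens inside the code's validity window, so the bank sees a correct password, the correct current code, and a first use. Nothing in the exchange tells the bank that the person on the other end of its connection is not the person holding the token, which is exactly the gap the Citibank phish exploited.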

U.S. Navy Patents Firewall

It appears that the U.S. Navy is attempting to patent the firewall. Apparently they figure that since the USPTO is handing patents out like candy, they might be able to get away with it.

Changes to the A+ Certification

Looks as if CompTIA is going to be making some changes to the A+ certification. I can only see this as a good thing, even though it is just a minor certification.

The first notable change is that there are now four exams instead of two. One of the four, called CompTIA A+ Essentials, is required and there is no way to become certified without it. In addition to it, candidates must pass another exam — an elective — but this time there are three to choose from and they are named after their exam numbers: 220-602, 220-603, and 220-604. The first exam, 220-602, is really a mirror of the Essentials exam with the same topic categories (called domains) and just a few deviations here and there. The other two exams (220-603 and 220-604) resemble subsets of the 220-602 exam.

It is good to see that CompTIA finally added multiple electives. This should help to create a more diverse skill set for those with the certification, rather than essentially forcing individuals to learn Microsoft products in order to pass the exams. Overall, this is a smart move.

More on VA Data Theft

27B Stroke 6 has some more on the VA data theft, which involved an immense amount of information on US veterans and active-duty military. This whole story is turning into something very interesting; more specifically, a test case in how not to handle stolen sensitive material.

The FBI has done some forensic work on the laptop and says it can’t find any evidence that the data was accessed. InfoWorld’s Robert Grimes chimes in to say, Rumsfeld style, that the absence of evidence is not the evidence of absence, since any fool could have simply cloned the disk and then accessed the database on the cloned disk.

Now, there’s also some back and forth in the VA about whether the data analyst was authorized to take the data home. The analyst, who has been fired, says he has a letter authorizing him to take the data home, while the VA says the letter is for a different computer.

What really concerns me is this: why was this analyst working with social security numbers on a laptop, rather than in the office while connected to the network? I cannot, for the life of me, come up with a good reason for the analyst doing what he was doing with the data that ultimately ended up stolen.

MacBook Pro Biometrics

This guy retrofitted his MacBook Pro with a biometric scanner. It has to be the world's first. A very neat way to add security to a notebook.

Microsoft Patch Tuesday Will Offer 7 Security Patches

The upcoming Patch Tuesday from Microsoft will offer 7 security patches to address vulnerabilities found in its widely used software.

Although Microsoft does not disclose in advance what flaws are to be patched, two vulnerabilities in Excel are likely to be among the fixes. One issue relates to maliciously crafted spreadsheet files that could lead to a full system compromise, while the other relates to hyperlinks in Excel documents.

Two security flaws affecting Internet Explorer were also reported last week, including a cross-site scripting issue where an attacker could view information in an open browser window from another that is visiting a malicious site.

As usual, Internet Explorer is being fixed yet again. For the second month straight, Excel will receive some patch love, along with a few others that we are not yet aware of. If you are a corporate system administrator, ensure you test these patches on a closed network before deploying them throughout your enterprise.