Tuesday, March 20, 2007

All systems to use "common secure configuration"

I just got the following message from Allan P. (SANS Security Institute)

"FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.
The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.
Alan PS. SANS hasn't issued a FLASH announcement in more than two years. IOW this White House action matters."

Knowing that Shon Harris (Logical Security) also consulting for Air Force and has written many security-related books (not to count the training materials for CISSP certifications), I assume that she deserved also many kudos regarding this announcement.

Going for a Big one

I remember the time when the CISSP certification was criticized by my staff instructor who actually was one of the first who passed this "tough nut" exam. His argument was that the exam is out of real life of the security practitioners and geared toward the management staff only; that the exam tests the crazy collection of knowledge from various (not always related disciplines); that the exam tests not only the background but rather your ability to memorize huge number of abbreviations of IT protocols, technologies, law definitions, terms, etc. At that time, we developed our own security training course, and later, we liked more the SCNP exam as the one that checks the hands-on knowledge, the knowledge that really matter in the real world of the cyber war (I hope you agree that this war is a matter of a fact).

Well, time has changed our perceptions because the CISSP exam became the number one exam in the cyber security world. I assume that several factors attributed to this change. First of all, then, in 2000, we had no idea what can happen just in one year - the major attack in NY. This factor was the most important in the growing popularity of the CISSP certification.

Also, more and more companies realized that protecting of their infrastructure and IT resources becomes the task number one. It is obvious that the expertise in this area is required unless you want to outsource this matter to a third party. It wasn't 100% safe to rely on someone (even with enough expertise) if you really care about your business. So, many companies tried to hire the security experts to solve the problem internally being able to control the process to higher degree.
The first pros who were hired: hands-on gurus in the cyber protection area who knew the firewalls, routers, sniffers, and were good LAN/WAN troubleshooters. As it always happened, the HR departments began to look for the definition of the professional level for this tough job. Unfortunately, the reality is that none of the HR people knows anything about the Information Security, and as it happened in a past, the certification became the definition of the professional level. Not the hands-on knowledge, not the real-world experience, not the achievements, but one exam that made the difference (see my article about IT certifications hypes written in 2002).

I have to admit that the folks at (ISC)2 were smart enough to push their certification up to the point when the Department of Defense requested all security professionals who work for DoD to be CISSP certified. Even Alan Paller and Steve Northcutt from SANS institute were not able to push hard enough their GIAC Certification Program (and those guys are good entrepreneurs and are pretty successful). So, the CISSP certification became a mainstream certification in the security world, and the de-facto standard.

Many folks around the world are jumping on this wagon and trying to pass one of the toughest certification exams. Just imaging: 250 written questions, 6 hours, $450 per test, and 10 security-related domains (including the domain with a criminal/cyber law!). The collection of knowledge required to pass the exam is described as being "2 miles wide and 2 inches in depth".

Well, considering the today's value of the CISSP certification as never before, I have decided to go for a Big one, too. I have to admit that during my study I gathered some useful knowledge that "widened my IT horizon". For instance, I was never interested to find out in-depth what the technology Microsoft uses for an authentication in Windows 2003 server except knowing that it's called Kerberos. I learned even some pieces of criminal law that might help in understanding better one of those lengthy TV serials about crime investigation (as Shon Harris mentioned in her DVD-based training course).

Only 10 days left for study, and I am overwhelmed with a stream of information that I must memorize. It's not hard to understand, but to memorize...

Wish me good luck and strength for 6 hours on March 31st!

I will add more information to this topic later. So far, if you interested, reply to my blog with your certification-related questions.

Best to all of you (but spammers)!

The Cyberteacher