The Story Beneath the Hats
The term “hacker” was originally created to give recognition to those with exceptional computer skills. The term is now used to describe both ethical industry professionals and their criminal counterparts. To eliminate some of the confusion associated with the term, the industry uses hat colors to distinguish good from bad hackers. “White Hat” hackers are defined as proficient computer experts who use their talents to uphold information security. “Gray Hat” hackers are defined as those computer specialists making the transition from a criminal past to an ethical future in the trade. “Black Hat” hackers are serious criminal hackers who use their skills to take over information systems and commit illegal acts. The use of this hat terminology is not without criticism, but the symbolism continues to have a great impact on the security technology industry.
Access Granted:
Decrypting Opportunities in
Information Security
Authors
Stacey Frenton
Wei Kuan Lum
Graphic Design
Dana Kelly
Project Supervisor
Heidi Bonner
Project Manager
Jeanette Langdell
Contact Information:
The North Valley (NOVA) Workforce Board includes representatives of
local business, industry, education, and service agencies. NOVA was
founded in 1983 to implement the federal Job Training Partnership Act
(JTPA) for northern Santa Clara County, and today provides services
under the Workforce Investment Act (WIA), as well as a variety of other
funding sources. NOVA has gained a national reputation as an innovative leader in addressing workforce needs in a variety of industries.
NOVA’s services are administered by the City of Sunnyvale.
505 W. Olive Avenue, Suite 550
Sunnyvale, CA 94086
(408) 730–7232
www.novaworks.org
publications@novaworks.org
Table of Contents
Introduction to LMI+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Purpose and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Introduction to Security Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Section 1 • Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
The Growth of an Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Market Growth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Recent Security Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Section 2 • Identifying Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Recent Trends in Security Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Section 3 • Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Defining Security Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Existing Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Technologies and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Piecing It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Section 4 • People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Growth in the Job Market . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Demand for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . .41
Evolution of the Information Security Department . . . . . . . . . . . . . . . . . . . . .44
Deciphering Information Security Job Titles, Roles, and Responsibilities . . . . .45
The Executive Level of Information Security . . . . . . . . . . . . . . . . . . . . . . . . .49
Career Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Job Skills for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . .57
Salary Expectations in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . .60
Section 5 • Star Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Senior Director of Information Security (Tim M. Mather) . . . . . . . . . . . . . . . .67
Manager of Intelligent Networks (Perry J. Steines) . . . . . . . . . . . . . . . . . . . . .71
Sales Systems Engineer (Julie Wilcox) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Network Engineer (LC Boros) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Section 6 • Practices and Projections . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Future Trends in Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
B. Works Consulted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
C. Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
D. Education and Training Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
E. Industry Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
F. Occupational Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
G. Glossary of Industry Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
H. Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125
Access Granted
Introduction to LMI+
In 1994, NOVA created the Labor Market
Information Plus (LMI+) project to aid dislocated workers and successfully enhance the
labor market information available to the
Silicon Valley community. The project
provides innovative and practical reports
on emerging industries and career transformations throughout the greater Bay Area. It
assesses the dynamics and challenges that
these industries and jobs present to the area’s
economy. By using an ethnographic model to
structure the research and present the information, LMI+ can reveal trends that go
beyond statistical data to tell the current story
of a particular industry, highlighting local
workforce issues, realities, and trends that
affect job seekers, businesses, educators, and
training providers.
The LMI+ studies are based on the concept
of a labor market triad. The three primary stakeholders are job seekers, businesses, and education and training institutions. All three must communicate
freely and work together to remain successful.
LMI+ studies support the flow of timely
information among primary stakeholders,
ensuring that the local labor market can
operate effectively.
Job Seekers
Job seekers can use these studies to explore a
new industry or developing career. The
reports highlight the relevant skills and necessary abilities for candidates to embark on a
self-sustaining profession. They also demonstrate the applicable career ladders that enable job seekers to attain a sustainable wage, progress in their career, and be self-sufficient. Additional data such as information about training institutions and salary expectations reflect the local area and give job seekers holistic insight into these careers.
Businesses
Businesses can use the information presented
to get a perspective on the local workforce
climate. The studies provide insight that
allows for improved recruitment and
retention. Businesses can also use these
studies to adjust training and compensation
for employees.
Educators and Training
Providers
Educators and training providers can use
these reports to gauge the content of their
curriculum. By revealing new career demands
and skill sets, these studies assist educators
and training providers in the creation or elimination of programs and courses.
Purpose
The demand for secure computing is fueling
the growth of the security technology market.
This greater need for cyber-security has
created niche opportunities in the information security field, as well as expanded the
careers of traditional information technology
professionals.
The purpose of this report is to enhance the
availability of labor market information to job
seekers, businesses, educators, and training
providers. It strengthens today’s workforce by
transferring skills-based information between
the groups. This key information strongly
affects the health of the local economy.
Silicon Valley is the core of technological
innovation. It is home to over 16,600 technology companies and boasts the largest
quantity of venture capital firms in the world.
Although Silicon Valley is the home of prestigious universities that produce today’s and
tomorrow’s business leaders, it is marked by
an increase in employee outsourcing, heightened demand for workforce literacy, and
growing earning disparity between those with
advanced and limited skills. To further the
growth of the Silicon Valley economy,
talented and skilled labor must be available to
meet industry’s needs.
Methodology
Methods used for this report include informal
interviews and industry-related meetings.
Interviews with a cross-section of businesses,
employees, educators, training providers, and
professional associations and organizations
were conducted during the winter and spring
of 2003. These interviews assisted the direction of the research and determined the
content of this report. Local stakeholders
recommended the selection of industry
segments and career opportunities contained
within this report.
A thematic analysis was performed on all data
collected from in-person, telephone, and
email interviews. This analysis aided the
search for underlying issues and similarities in
responses across all participants in the
research process.
Textual and Internet-related research was
conducted as well, but it served primarily as a
foundation upon which to formulate interview questions. Information gained using
traditional research methods was only incorporated into this report if local businesses and
industry experts confirmed it to be an accurate reflection of the current, local industry.
Introduction to Security Technology
It is important to note that because this industry is still emerging, and driven by emerging
technologies, there are varying titles used to
refer to both the industry market itself as well
as the job market. In general, research has
indicated two distinctions. When referring to
the products and technologies that have been
developed for the purposes of enhancing
computer and network security, the industry
is formally understood as the “security technology” industry. However, the job market
that encompasses the individuals who work as
part of the security technology industry is
formally recognized as the “information security” market. This report similarly will follow
these standards. In short, when discussing this market as an industry for products, the term “security technology” will be used. When discussing security technology as a market for job seekers and employees, the term “information security” will be used.
Narrowing the Scope: Differences Among the Security Subsectors
The feeling of being “secure” has been an
important aspect of both industry and individuals maintaining functional productivity.
The increasing reliance of businesses on
cyberspace, coupled with the tragedy of
September 11, 2001, have forever changed
how our nation thinks about security. In fact,
these two changes in our social fabric have
heightened the relevancy of security and
driven the security sector into the forefront of
industry attention. Silicon Valley, the heart of
the high-tech universe, has once again found
itself one of the driving centers of the latest
technology boom—the security technology
industry.
Research revealed that there are various
facets to the security technology industry, all
of which aim to increase security. However,
their methods vary significantly. Given all the
various components involved in enabling
security to be enhanced, the security industry
can be broken down into the following
subsectors: physical security, personnel security, and security technology. The services and
products that emerge from each of these
subsectors, when working in tandem,
undoubtedly help to increase people’s overall
sense of security. It is also the case that the
subsectors themselves and the markets that
these industries are involved in are notably
distinct from one another.
The skills required of job seekers interested in
the security industry will vary depending
upon which facet of security an individual
chooses to pursue. For example, the skill sets
required by businesses that provide physical
security to their clients are different from the
skills required by businesses that qualify as
security technology firms. Similarly, the
customer base for companies that offer
services or products in each of these subsectors is also distinctly separate. A company that
specializes in physical security offers services
that enhance personal and organizational
security (e.g., security guards). These
companies would be hiring job seekers that
have an education or experience in physical
protection. In contrast, a security technology
company offers products that secure the
myriad of e-transactions that occur in cyberspace. The individuals that these companies
would be interested in hiring would have
technical backgrounds in computers and
knowledge of the networking technologies
that secure transactions.
It is true that the increased attention and
interest in the overall security industry has
contributed to the wealth of market and
employment opportunities made available in
the security sector. Given the skill distinctions
in these markets, however, this report will
focus only on the security technology subsector and on technologies that have been
developed to enhance security as it pertains
to computer and network systems.
Ultimately, this report will examine the security technology industry as both a market for
products and a market for jobs. There are six
sections to this report which cover the following topics: recent market trends, vulnerability
trends, information on the founding principles of the industry, and current security
technology, employment trends, the evolution of this job market, and the current state
of this market. More specifically, these topics
are broken down into the following sections.
Section I (Trends) identifies recent market
trends in security technology. Section II
(Identifying Threats) identifies the threats that
create the demand for security technology
products. Section III (Technology) clarifies the
technology itself. Section IV (People) discusses
the state of the job market in information
security. Section V (Star Profiles) provides
personal accounts of individuals who have
entered this market and have excelled.
Lastly, Section VI (Practices and Projections)
provides recommendations on best practices
and provides projections on future trends, as
identified by industry experts.
Executive Summary
Information is a powerful and critical asset.
In today’s business environment—where
e-transactions constitute a significant amount
of capital growth—computer and network
systems are more common than a pencil.
These electronic methods of communicating
and handling information bring new
technologies, responsibilities, policies, and
practices, and create specialized education
and training needs.
The Internet Age has unleashed a world of
virtual possibilities and opened the door to
cyber threats and system vulnerabilities. The
concept of securing information once meant
locking the file cabinet. Now, securing information means keeping data confidential, unaltered, and available while it is transmitted, stored, and processed.
Security technology is the use of technology to
prevent and protect against both the access to
information by unauthorized recipients, and
the intentional but unauthorized destruction
or alteration of that information. Security
technology is emerging to protect the e-business marketplace—and more importantly, the
nation’s critical infrastructure. Public and
private industry must obtain the necessary
security technology and information security
talent to stay globally competitive. Silicon
Valley, a fertile area of innovation that has its
roots in the defense industry, is dedicated to
delivering the fruits of prime security technologies and cultivated information security
professionals.
It is important to note that this publication
uses the term “security technology” to
describe the industry and the products that
have been developed to enhance the security
of electronic information, and uses the term
“information security” to describe the profession in the industry that utilizes security
technology to protect computer and network
systems. A number of the industry and workforce trends contained in this report are
highlighted below.
• The security technology industry is
projected to experience a revenue increase
from its 1999 levels by approximately 63
percent by 2004, and by the year 2006,
the security technology market is projected
to hit $45 billion. The industry’s prolific
growth is driven by the concept and value
of secure e-transactions; the increased
need to protect customer information on
shared computer and network databases;
more software and system vulnerabilities;
the expense of security breaches and
cyber attacks; and the conditions of federal
legislation.
• The “National Strategy to Secure
Cyberspace” is a federal initiative to
improve cyber security. The strategy
outlines and identifies three national strategic objectives: prevent cyber attacks;
reduce vulnerability to cyber attacks; and
minimize the damage and recovery time
due to cyber attacks. Recent legislation that
affects the security technology industry
includes: The Gramm-Leach-Bliley Act
(GLBA), The Health Insurance Portability
and Accountability Act (HIPAA), and
California State Assembly Bill 1386.
• The threat from computer crimes and other
online security breaches continues to grow.
In 2001, a Computer Security Institute
(CSI) survey of 538 security professionals in
U.S. corporations revealed 40 percent of
the respondents (versus 25 percent of the
respondents in 2000) reported they
detected penetration attacks from external
sources. In 2002, CSI conducted another
survey aimed at identifying which sources
were the most popular point of entry
for attacks into a computer system or
network. Respondents indicated that
approximately 72 percent of attacks originated from the Internet.
• Cyber attacks can strike computer and
network systems from a variety of
sources and can be structured as computer-to-computer, computer-to-network, network-to-computer, and
network-to-network. Cyber threats can
attack computer and network systems
through four main destructive programs:
network worms, trojan horses, computer
viruses, and blended threats.
• Hackers, crackers, and script kiddies are
the individuals responsible for attacking
computer and network systems. Industry
uses the term “hacker” to refer to an individual with exceptional computer skills
who is intensely interested in the workings
of a computer system. These days, the term
is found to describe both ethical industry
professionals and their criminal counterparts. To eliminate some of the term’s
confusion, the industry has attempted to
create more definitive titles. White hat
hackers are defined as the “good guys” of
information security. Gray hat hackers are
defined as those computer experts making
the transition from a criminal past to an
ethical future in the trade. The term “black
hat hackers” is used interchangeably with
the term “crackers” to describe criminal
hackers who use their skills to take over
systems and commit illegal acts. Script
kiddies are considered amateurs not well
versed in the workings of a computer or
network system.
• Ethical hacking is an assessment test used to
check system weaknesses and vulnerabilities. In these tests, a contracted gray hat
plays the role of a black hat. They find
system vulnerabilities and then report them
to the company’s internal administrators.
These penetration tests are performed with
permission and are currently an accepted
practice in the industry. These tests,
however, are not without harsh criticism.
While several companies have benefited
from this method to protect their systems,
some professionals feel this tactic is a major
conflict of security interest. Critics state that
any intrusion on a system with or without
permission is illegal. The reason? While
businesses may own the systems being
penetrated, they may not own the information that is uncovered during the test.
Despite conflicts of opinion in the industry,
ethical hacking will most likely continue
to play a significant role in vulnerability
assessment.
• Security technology would not exist without three key principles: authentication,
access control, and audit. Authentication is
the act of establishing and confirming the
identity of a user to some part of a
computer system or network. Access
control refers to the logical and physical
access to data. It determines user or
computer privileges to a computer or
network system. Examples of authentication and access control tools are passwords,
tokens, smart cards, and biometric signatures such as fingerprints. Auditing is the
process of gathering data about system
activity. It is an analysis used to detect plausible or evident security violations. An
example of an audit tool is an intrusion
detection system (IDS).
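The three principles in the bullet above, worked through as an added Python example (this is not code from the report or from NOVA): authentication as salted, iterated password hashing with a constant-time comparison; access control as a default-deny list of who may do what to which object; and audit as a log that records every decision, denials included, which is then scanned for repeated failures, the simplest form of the analysis an intrusion detection system automates. The user names, passwords, access list, source addresses and the (deliberately low) iteration count are all constructed for the example.

```python
"""Authentication, access control and audit, modelled in one small program."""
import hashlib
import hmac
import os
from collections import defaultdict

# --- Authentication: establish and confirm identity -----------------------
# Assumption: iteration count lowered so the example runs quickly; production
# deployments use a far higher count (hundreds of thousands for PBKDF2-SHA256).
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). A random per-user salt defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def authenticate(users, username, password):
    """Confirm the claimed identity against the stored (salt, digest) pair.

    Unknown users are hashed against a dummy record so response time does not
    reveal which account names exist; compare_digest is constant-time, whereas
    '==' would stop at the first differing byte.
    """
    salt, stored = users.get(username, (b"\x00" * 16, b"\x00" * 32))
    _, candidate = hash_password(password, salt)
    return username in users and hmac.compare_digest(candidate, stored)


# --- Access control: which principal may do what to which object -----------
# Constructed ACL: object -> {user: set of permitted actions}. Anything not
# listed is denied (default deny).
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "web.log": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def authorize(username, obj, action):
    """Return True only if the ACL explicitly grants `action` on `obj`."""
    return action in ACL.get(obj, {}).get(username, set())


# --- Audit: record every decision, denials included ------------------------
AUDIT_LOG = []  # in a real system: append-only storage operators cannot rewrite


def audit(event, user, src, **fields):
    entry = {"event": event, "user": user, "src": src}
    entry.update(fields)
    AUDIT_LOG.append(entry)
    return entry


def handle_request(users, username, password, src, obj, action):
    """Authenticate, then authorize, auditing the outcome of each step."""
    if not authenticate(users, username, password):
        audit("AUTH_FAIL", username, src)
        return "denied: authentication"
    audit("AUTH_OK", username, src)
    if not authorize(username, obj, action):
        audit("ACCESS_DENIED", username, src, obj=obj, action=action)
        return "denied: authorization"
    audit("ACCESS_OK", username, src, obj=obj, action=action)
    return "ok"


def detect_bruteforce(log, threshold=3):
    """Flag sources with `threshold` or more failed logins.

    The log alone proves nothing until something reads it for a pattern; this
    is the audit-analysis step an IDS performs.
    """
    failures = defaultdict(int)
    for entry in log:
        if entry["event"] == "AUTH_FAIL":
            failures[entry["src"]] += 1
    return sorted(src for src, count in failures.items() if count >= threshold)


def demo():
    """Constructed traffic: two legitimate users and one source guessing at three accounts."""
    users = {"alice": hash_password("correct horse"), "bob": hash_password("battery staple")}
    results = [
        handle_request(users, "alice", "correct horse", "10.0.0.5", "payroll.db", "write"),
        handle_request(users, "bob", "battery staple", "10.0.0.6", "payroll.db", "write"),
        handle_request(users, "mallory", "letmein", "198.51.100.9", "payroll.db", "read"),
        handle_request(users, "alice", "guess1", "198.51.100.9", "payroll.db", "read"),
        handle_request(users, "bob", "guess2", "198.51.100.9", "payroll.db", "read"),
    ]
    return results, detect_bruteforce(AUDIT_LOG)


if __name__ == "__main__":
    outcomes, flagged = demo()
    for line in outcomes:
        print(line)
    print("brute-force sources:", flagged)
```

Note the order of the two checks: the user is identified before any permission is consulted, and bob's valid login still fails on the write because access control is a separate decision from authentication. The denied attempts are the entries the audit analysis actually needs; a log that recorded only successes would never show the guessing source.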
• Security solutions can be delivered by four
primary methods: security software, security appliances, managed/outsourced
security services, and peripheral services.
Security software products are application
solutions that run on standard operating
systems. Security appliances are purposebuilt hardware that performs security
functions. Managed/outsourced security
services are services that manage installed
security solutions, such as firewalls and
virtual private networks (VPN). Peripheral
security services are practices, such as
consulting, implementation, and training
services that support the other methods of
delivery.
• There are three broad groups in which the
range of security technologies may achieve
the product’s security function: computer
infrastructure, cryptography, and biometrics. Computer infrastructure refers to the
physical hardware used to interconnect computers, networks, and users.
Cryptography is mathematical formulas
that provide encryption and decryption
capabilities based on the use of either
codes or ciphers. Biometrics is composed
of technical tools that utilize some physical
human features to regulate authentication
and access control.
• Demand for information security professionals in Silicon Valley is driven by the
increased use of worldwide computer
networks for integral business operations;
the awareness for secure data; the continuous rescaling of information protection
practices to counteract new threats; an
upsurge in the allocation of government
contracts for entrepreneurial and innovative security products; requests for local
technology businesses to serve on
public/private-sector collaboratives that
identify and evaluate security efficiencies;
the increased desire for IT professionals to
have security certification; and new legislation, such as HIPAA. Opportunities for
information security professionals will exist
primarily in network design and administration, as well as systems engineering. In
California, about 98,200 job openings will
exist between 2000 and 2010 for network
and computer system occupations due to
growth and separations.
• Local industry experts attribute the
projected national shortage of 50,000 to
75,000 security professionals to the dwindling supply of minorities and women
pursuing technical careers, and on the low
number of computer science doctorate
degrees awarded in the United States.
• Experts in the industry consider it to be a
major conflict of interest to have the functions of information technology and
information security in one division.
Information security and information technology overlap to manage information
systems, but IT workers are primarily
concerned with making sure systems run
smoothly whereas information security
workers are focused on setting the rules for
how those systems run. The idea is that
security can be compromised if the same
person overseeing, implementing, or
reviewing security is the same person
responsible for the basic working order of
the technology.
• The cost and development involved with
the implementation of essential security are
two reasons why several companies have
not made the transition to divide their
information and security technology
departments. Opting to make do with
current staff, companies have expanded
the roles and responsibilities of traditional
IT personnel.
• The structure and definition of information
security jobs have yet to be fully clarified by
the industry. There exist very few universal
job titles below the executive level. It is
common to find certified information
security professionals with traditional information technology job titles.
• All information security team members are
responsible for establishing and enforcing
security policies. Each member plays a role
in one or more of the following: risk assessment, configuration and deployment of
architecture, the management of security
maintenance, incident response, and
forensics. Team-specific responsibilities
generally separate one job from the next,
but in some organizations, the same
employee may perform a variety of security
roles. Roles in information security can be divided into four basic groups: advisor/strategist, designer, operator/attendant, and examiner. Advisor/strategists determine how the infrastructure should operate. Designers create solutions to the problems identified by analysts. Operator/attendants administer the solutions created by architects and engineers. Examiners ensure the security functionality of information systems.
• The job titles, responsibilities, and reporting structures of information security
management are inconsistent. The chief
security officer (CSO) and chief information
security officer (CISO) titles are used interchangeably. The CSO is considered an
executive level position that orchestrates
the overall security of business operations.
The CISO title is considered a managerial position that oversees the security of information only. In lieu of CSOs or CISOs, companies assign administrative security responsibilities to traditional IT officers, such as chief technology officers (CTO) and chief information officers (CIO).
• The expense and up-front costs of implementing specialized security teams, staff
training, legal counseling, and new technologies cause some companies to
outsource their security management.
Outsourcing is not without its drawbacks.
Once outside consultants enter the organization, its exposure widens: external teams are privy to confidential and valuable information assets. To avoid the
conflicts of nondisclosure agreements,
information leaks, and the possibility of
generic security policies and practices,
businesses establish in-house executive
security positions.
• Career entry and progression is determined
internally and varies from company to
company. Security certifications give
network professionals a competitive edge,
increase base salaries, and affect career
progression. Traditional IT professionals are
welcomed into security if they possess
plenty of work experience and a willingness to learn. Job seekers who have acute
familiarity with operating systems and/or
networking can expect an easier transition
from information technology to the information security field.
• Federal government jobs in information
security emulate the private sector.
Opportunities for information security
professionals exist with the Central
Intelligence Agency (CIA), the Federal
Bureau of Investigation (FBI), and the
National Security Agency (NSA).
• Certifications in the security technology
industry exist in two distinctions:
vendor-neutral and vendor-specific.
Vendor-neutral certifications are certifications that do not focus on a specific
product, platform or technology. They
primarily focus on the concepts and knowledge of major security technology niches.
Vendor-specific certifications teach individuals how to design, install, configure,
maintain, and troubleshoot specific solutions, platforms, tools, or technologies.
They help manage the costs for technical
support and provide organizations with
knowledgeable professionals who are capable of implementing and working with
vendor solutions. Certification training is
offered at various levels: basic, intermediate, and advanced. Companies are
developing certification for technology
“specializations” that train professionals in
a specific technology, such as virtual private
network (VPN) technology.
• The security technology industry seeks
individuals with deep knowledge of operating systems, firewalls, authentication methods, and networking tools.
Information security management desires
professionals with soft skills, such as good
communication and the ability to work in a
team. Professionals who have a degree in
computer science, security clearances, and
experiences in psychology and law
enforcement are highly coveted. The
industry is not interested in hiring job seekers with a past in criminal hacking.
• Salaries for information security personnel depend on the size of the company and its industry. Job experience and the organization’s reporting structure play a major
role in determining compensation.
Personnel who report to higher levels of
management typically receive a higher
salary. According to DataMasters, a professional services firm specializing in
information technology, security specialists
are compensated between $87,238 and
$130,698 in the western region of the
United States.
• Industry standards are considered the key
to making information security a mature
discipline, and security standards for business are ever-evolving. Some current
control practices are based on the NIST
Special Publication 800-14 (NIST 800-14)
and the International Organization for
Standardization 17799 (ISO 17799). The
Information Systems Security Association
(ISSA) is in the process of developing the
Generally Accepted Information Security
Principles (GAISP). Based on the ISO
17799 framework, the GAISP will enhance
global information security through three
levels of guiding principles.
• The security technology industry is
undoubtedly a hot marketplace and, as no
particular entity or institution is exempt
from the need to protect vulnerable assets,
this industry will only gain greater exposure
as it continues to evolve. Several factors
such as standards, convergence, and
consolidation, as well as paradigm shifts,
will be significant catalysts in shaping what
types of security technologies will be developed and what the overall security industry
will move toward in the next several
decades.
Section 1 • Trends
The Growth of an Industry
Despite their dominating influence today, computers have served as standard business tools and typical household items for only the past 20 years.
In this relatively short time span, however, the
Internet, extranets, and intranets have infiltrated businesses, organizations, and
individuals’ lives as standard equipment.
Since the emergence of the Internet, businesses and society have benefited enormously
from the wealth of convenience that it
enables. Tapping into the possibilities that the
Internet, intranets, and extranets provide,
businesses and organizations have been able
to cut costs and increase the speed at which
communication occurs.
The Internet Age has made available a wealth
of information. As the digital environment
adopts more users and more locations, an
increasing majority of communication will be
electronically based. Given this fundamental
change in modes of communication, billions
of dollars have been poured into security
technology, in order to ensure the integrity of
the information sent, as well as the integrity of
the sender and the recipient. The emergence
of the security technology industry has been
driven by an overall increase in the reliance
on the Internet for data traffic, transactions,
and e-communication as a means to
streamline costs, increase the speed of
communication, maximize productivity, and
facilitate efficiency.
The economics of conducting business and
communication on the Internet has transformed all facets of the communication
model. The actual economics of utilizing the
Internet, intranets, and extranets, however,
can only be assets to organizations or individuals if communication over these systems is
secure. As “hackers,” “crackers,” and “script
kiddies” continue to launch a greater number
of cyber-attacks on vulnerable systems using
more sophisticated methodology, all players in
the digital world are in consensus that securing
information is imperative, and obtaining the
security technology necessary to secure information is of primary importance.
Market Growth
As a Silicon Valley CEO stated, “Security
threatens network availability, which directly
affects productivity;” the need for the technology has thus driven the growth of this sector.
The security technology market in 2001
reached $17 billion. The market is expected
to show strong continual gains over the next
several years. The security technology industry
is projected to experience a revenue increase
from its 2001 levels to $45 billion by the year
2006, as stated by Internet Data Corporation
(IDC) Research Firm.
The growth of this industry can be attributed
to several factors. First, the understanding that
cyberspace is inherently insecure is one aspect
that has contributed to the demand for these
technologies. Whereas security technology
was once perceived as a dispensable
component of business operation and e-communication, it is now recognized as an
indispensable defensive measure or insurance
strategy that enables standard business operations. It also provides peace of mind to the
regular user. Moreover, the investment in
security technology is also currently regarded
as a strategic enabler that allows businesses to
stay competitive.
Second, the expectation of the everyday user
is also responsible for this sector’s growth.
Countless confidential files, personal
documents, and other critical assets are transmitted daily through the Internet, and an
even greater number have been and are
being stored on computer and network databases. The expectation is that the networks
and databases that information is stored upon
and the medium it is sent through are inaccessible except to those who are authorized.
In short, these systems must be trusted. In the
business scenario, trust is the foundation of
good business practice for all business sizes
and services. Firms that have launched their
businesses’ products and services via the
Internet must be able to assure potential
customers that e-transactions containing
confidential information are in fact secure
from sabotage. When companies have taken
the necessary measures to do this, they are
better positioned to remain competitive as
well as gain a greater share of the future
market. If a business has experienced repeated or even a single catastrophic security
breach, its reputation may precede the value
of its products and services in the market and
predetermine the firm’s growth. That said, the
reverse is also true: if a business can be
trusted with the personal assets of its
customers, the business will have a competitive advantage. With security breaches
becoming increasingly commonplace
and incurring greater expense, security technologies and policies cannot be absent from
any network environment.
Statistics also indicate that the need to protect
confidentiality and privacy in cyberspace is
not just a perception but a reality. Symantec
Corporation’s 2002 Internet Security Threat
Report indicated that there was an estimated
81.5 percent increase over 2001 in the
number of vulnerabilities or “weaknesses” in
software that would allow a virus to enter a
system. Computer Security Institute’s 2002
Computer Crime and Security Survey
confirmed that there continues to be a growing number of vulnerabilities experienced by
computer systems, and of the vulnerabilities
that exist, a number of them have been
exploited. Approximately ninety percent of
the 503 survey respondents (primarily large
corporations and government agencies)
detected computer security breaches within
the last twelve months. Of those, 80 percent
acknowledged financial losses due to
computer breaches and forty-four percent
(223 respondents) were able to quantify their
financial losses. When the number of attacks
has been tabulated, and the costs totaled,
it can be shown that the impacts of these
security breaches in cyberspace have significantly escalated costs, especially to businesses
(Table 1).
Third, federal legislation is a major driving
force behind the demand for systems security.
While new regulations will increase the
revenues of security technology companies,
the intention of these regulations is not to
generate profit. Even before the tragedy of
September 11th, the federal government
recognized that the security of cyberspace is
necessary to economic growth in the
twenty-first century. September 11th arguably
thrust security and cyber-security to the forefront of regulatory priorities and the federal
government has taken the initiative to establish legal frameworks in the interest of securing
cyberspace.
Recent Security Legislation
The most recent and multi-organizational
effort launched by the federal government to
improve cyber-security was the “National
Strategy to Secure Cyberspace.” The final draft
of this strategy was completed in February
2003. It outlines and identifies three national
strategic objectives including preventing cyber
attacks against critical infrastructures, reducing
national vulnerability to cyber attacks, and
minimizing damage and recovery time from
cyber attacks that do occur. It also dictates five
national priorities including: a National
Cyberspace Security Response System, a
National Cyberspace Security Threat and
Vulnerability Reduction Program, a National
Cyberspace Security Awareness and Training
Program, Securing Governments’ Cyberspace,
and National Security and International
Cyberspace Security Cooperation.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) of 1999,
also known as the Financial Services
Modernization Act (FSMA), is intended to
protect consumers’ privacy and information
security. A company that fails to comply with
GLBA provisions may be the target of enforcement actions. Broadly, this legislation requires
financial institutions to provide clear and
conspicuous notice to customers of their
privacy practices and an opportunity to opt out
of disclosure to third parties.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is federal legislation that specifies a
series of administrative, technical, and physical security procedures for covered entities to
use to assure the confidentiality of electronic
protected health information. HIPAA
addresses the extensive range of security issues
faced by healthcare institutions. The law
focuses on the protection of patient information in the healthcare industry and defines
how medical records and patient data
transactions will be handled nationally. More
importantly, it introduces guidelines that
require data format consistencies and present
several opportunities for additional technical
security developments.
Senate Bill 1386
The State of California has also responded to
the repercussions of cyber-security attacks.
On July 1, 2003, SB 1386 will come into effect
as a means to combat identity theft. This law
requires any online business to notify its
customers when computer security breaches
have occurred. To trigger the law, a breach
must expose certain types of information,
specifically customers’ names in association
with their Social Security number, driver
license number, or a credit card or bank
account number.
Ultimately, there are three primary factors that
have been the driving force behind the market
penetration of security technology products
and the growth of the security technology
industry. These factors are: the understanding
that cyberspace is inherently insecure, the
expectation that e-communication should be
secure, and the increase in legislation regarding
privacy and cybersecurity. As illustrated by the
following tables (Tables 2, 3, 4, 5), this industry is anticipated to experience strong
continued growth.
Although the particular technologies identified by the preceding tables do not reflect the
entirety of the products that currently make
up the overall security technology market,
they are evidence of the projected growth of
this industry over the next several years. This
is an industry marked by strong growth potential, which will provide a concomitant
increase in opportunities in the information
security job market.
Section 2: Identifying Threats
Recent Trends in Security Breaches
In the world of cyber-space, the increasing
challenges to secure computing have
drawn significant attention from industry,
government, and other organizations. Exactly
what constitutes a cyber-threat? Where do
they originate? Who is responsible? What is
the nature of the attacks? A cyber-threat is an
“intended or unintended illegal activity that
has the potential to lead to unpredictable,
unintended, and adverse consequences on a
cyberspace resource.” Cyber-threats include
everything from individuals breaking into a
system to the existence of computer codes
that are transferred into a network system
explicitly for malicious purposes. With the
alarming increase in cyber-attacks, those in
industry have pinned down the standard
range of sources of security attacks, types of
threats, and culprits responsible for the
attacks.
The threat from computer crimes and other
online security breaches continues to grow. In
2001, the Computer Security Institute
(CSI) conducted a survey of 538 security
professionals in U.S. corporations. Findings
revealed that 40 percent of the respondents
(versus 25 percent of the respondents in 2000)
detected penetration attacks from external
sources. Similarly, 38 percent in 2001
reported that they detected denial of service
attacks compared to 27 percent in 2000.
Employee abuse of Internet privileges also
increased from 79 percent to 91 percent.
In 2002, CSI and FBI conducted another
survey aimed at identifying which sources
were the most popular point of entry for
attacks into a computer system or network.
Based on the input of 503 respondents from
private companies and private agencies, the
most popular point of entry was the Internet—
respondents indicated that approximately
72 percent of attacks originated from this
source. Other points of entry include internal
systems and remote dial-in connections. The
growth in the number of cyber-attacks is a
disconcerting yet unavoidable factor of cyberspace convenience.
Points of Entry
As high-tech industries develop methods to
provide individuals and businesses with an
increasing number of options for logging into
the Internet, they also develop a growing
number of entry ports that have the potential
to become the point of origin for
cyber-attacks. While all of these types of malicious actions and methods of affecting
cyberspace can be understood as threats to
computer and network security, cyber-destruction and malicious disturbance
originate from a range of diverse sources
using different methods. Possible sources of
attack include:
1. Outside attack from network
2. Outside attack from telephone
3. Inside attack from local network
4. Inside attack from local system
5. Attack from malicious codes
The topography of attacks, or the structural
relationships between computer systems that
can be attacked, is:
1. Computer-to-computer
2. Computer-to-network
3. Network-to-computer
4. Network-to-network
In addition to the origins of attack, it is important to understand how threats on network
systems are launched by software programs.
Malicious Software and Their Processes
Malicious software is the term used to
describe the range of destructive programs
that can infect a computer system or network.
The four primary types of threats to a security
system are:
1. Network worms
2. Trojan horses
3. Computer viruses
4. Blended threats
Network Worms
Network worms can wreak havoc upon a
computer or a networked system. Essentially, a
network worm is a program that utilizes the
network connections to spread itself from
system to system. Therefore, every computer
system linked via communication lines is
equally vulnerable and exposed to the threat
of a network worm.
Network worms are one of the most serious
and fastest types of cyber-attacks. One of the
most recent is “Code Red 1 and 2,” which was
responsible for infecting Windows 2000
machines worldwide. Considered one of the
most notorious worms, Code Red at one point
threatened to bring down much of the
Internet by exploiting a flaw in Microsoft's
Internet Information Server (IIS) that comes
with Windows NT/2000. Code Red was able
to replicate itself from system to system with
only a single host file on a single system.
Once a network worm such as Code Red has
obtained entry and is active within a system, it
can behave in various ways. The most
common types of behaviors a worm may
exhibit are mimicking a computer virus or
implanting a Trojan horse. On a theoretical
level, network worms are very similar to
computer viruses. The difference, however, is
that a worm can tunnel a path from the initial
point of entry (e.g. initial computer) throughout the network and is capable of randomly
selecting which computer systems and
programs to infect. Essentially, worms can
replicate themselves from system to system
without the use of a host file. A computer virus
must use a host file from each system in order
to infect.
In order for network worms to replicate themselves, they must use some sort of network
vehicle, which is dependent on the type of
network and systems. Examples of network
vehicles include:
1. A network mail facility where a worm can
mail a copy of itself to other systems.
2. A remote execution capability, where a
worm can execute a copy of itself on
another system.
3. A remote login capability, whereby a
worm can log into a remote system as a
user and then use commands to copy
itself from one system to the other. The
new copy of the network worm is then
run on the remote system, where it may
continue to spread to more systems in a
like manner.
4. Depending on the size of a network, a
network worm can spread to many
systems in a relatively short amount of
time, thus the damage it can cause to one
system is multiplied by the number of
systems to which it can spread.
Trojan Horses
Trojan horses are named after the Trojan horse
of myth. True to their namesake, Trojan horses in
the world of cyberspace refer to programs that
appear to have one function but actually
perform another function. A Trojan horse will
resemble a program that the user wishes to
run—a game, a spreadsheet, or an editor.
While the Trojan horse program appears to be
doing what the user wants, it is also doing
something else unrelated to its advertised
purpose, and without the user’s knowledge. In
most cases, Trojan horses propagate via email.
They are usually found within attachments
because their authors exploit vulnerabilities of
the email client. Some other well-known functions of this threat include: managing files on
the victim computer, managing processes,
remote activation of commands, intercepting
keystrokes, and restarting and closing down
infected hosts. These possibilities vary according to individual Trojan horses. The following
have been targeted as the most notorious:
NetBus, Back Orifice 2000, SubSeven, and
Hack’a’tack.
Computer Viruses
Computer viruses are the most widely recognized class of programs written to cause some
form of intentional damage to computer
systems or networks. A computer virus essentially performs two basic functions: it copies
itself to other programs, thereby infecting
them; and it executes the instructions the
author has included within it.
Depending upon the computer code used,
a virus can be used for time-specific attacks. This
means that a program infected with a virus
may cause damage immediately upon its
execution, or it could be written to stall its
attack until a certain event (such as a particular date and time). The damage that computer
viruses can inflict can be so extensive as to
require the complete rebuilding of all system
software and data. This is because viruses
spread so rapidly to other programs and
systems that they multiply the range of
damage. An example of an infamous virus is
the Melissa virus. It was first observed on
March 26, 1999. It actually did not do
damage in the sense of deleting, or stealing
files. In fact, only sites with desktop systems
running Microsoft’s Outlook email client were
directly affected. However, even on systems
that did not spread the virus directly by
email, Microsoft Word documents were still
infected and continued to
pass on the virus.
one of the most valuable benefits of the net—
the ability to share documents—to propagate
and to multiply itself, it affected more people
and spread faster than earlier viruses.
Blended Threats
Blended threats use multiple methods to
attack or propagate. They are intended to
cause more than one injury to the system,
which makes a blended threat particularly
difficult to clean up because of the multiple
points of damage. One of the most dangerous
characteristics of a blended threat is that it
exploits vulnerabilities.
Nimda is an example of a blended threat that
made headlines in the summer and fall of
2001. Part of the reason it wreaked havoc
upon computers and network systems is
because it had five methods of propagation.
First, it could infect users who visited the web
pages of compromised web servers by embedding itself into the .html files of an infected
web server. Second, it could also propagate
via email; it did this by harvesting email
addresses from any MAPI-compliant email
program’s mailboxes. It could also extract
email addresses from .html and .htm files.
Third, systems infected with Nimda scanned
the network looking for unpatched Microsoft
Internet Information Servers and attempted to
use a specific exploit (the Unicode Web
Traversal exploit) to gain control of the target
server. Fourth, it also attacked web servers
compromised by Code Red 2. It did this by
exploiting a backdoor installed by Code Red 2
to install and execute the worm. Lastly, Nimda
attacked hard disks of systems that had
enabled file sharing over the network. During
this process, it would create a guest account
with Administrator privileges.
As exemplified by Nimda, blended threats
have multiple methods of propagation, which
renders containment of a threat challenging.
A blended threat can automatically use one of
various vulnerabilities it understands to
compromise a system. Even if one security
patch eliminates one vulnerability, another
unpatched vulnerability or misconfiguration
of the system may allow compromise. These
characteristics combined basically allow
blended threats to be more prolific and
deliver more damage than the typical virus
or worm.
Identifying the Culprits:
Hackers, Crackers, and
Script Kiddies
Behind every attack on a computer system or
network is an individual who is responsible for
the design or application of malicious code. As
the number of security breaches has increased
since the introduction of computers and
networked systems, journalists and industry
members have coined names for these individuals. Based on the intentions of the
individual responsible for planning or executing the cyber-attack, the individual can either
be defined as a “hacker,” “cracker,” or “script
kiddy.”
Dispelling the Myth behind a Hacker
The term “hacker” is frequently and
commonly misused. While it is thought that a
hacker is an individual who has broken into a
computer system or network with malicious
intent, that is not always the case.
Industry uses the term “hacker” to refer to an
individual with exceptional computer skills
who is intensely interested in the workings of
a computer operating system. The term is
often used to describe both ethical industry
professionals and their criminal counterparts.
To eliminate some of the term’s confusion, the
industry has attempted to create more definitive titles. White hat hackers are defined as the
“good guys” of information security. Gray hat
hackers are defined as those computer experts
making the transition from a criminal past to
an ethical future in the trade. The term “black
hat hacker” is used interchangeably with the
term “cracker” to describe criminal hackers
who use their skills to take over systems and
commit illegal acts.
Traits of a Hacker
A cracker is someone who breaks into or
otherwise violates the system integrity of
remote machines with malicious intent.
Crackers who obtain unauthorized access use
it to do one of the following: destroy vital data,
deny legitimate users service, or wreak overall
havoc on the targeted system.
Unlike a cracker, when a hacker creates a
program that can automatically check for the
security structure of a remote machine, it is to
improve the information on security risks and
threats that now exists. A hacker’s intent is not
to write code that will break down a system.
Hackers constantly seek further knowledge,
and freely share what they have discovered.
As such, hackers usually possess advanced
knowledge of operating systems and programming languages.
Hackers can often be found probing a
computer system or network at both a macro
and microscopic level, looking for holes in
software and snags in logic. They write
programs to check the integrity of other
programs, creating and improving security
measures through the process of analysis.
The Real Culprits: Crackers
The word “cracker” used in the security technology industry is in fact a merger of two
words: “criminal” and “hacker.” As these two
words suggest when combined, they describe
the intent of the individual who is accessing a
system. A cracker is one who is arguably
comparable in skill level and knowledge to a
hacker in the workings of a computer system.
The critical difference, however, lies in the
intent. A cracker creates programs, targets
computer systems, and writes code driven by
a malicious intent and a desire for a destructive outcome to a computer system or
network.
Traits of a Cracker
To further distinguish hackers from crackers,
crackers rarely write their own programs.
Instead, they “beg, borrow, or steal tools from
others.” Crackers use these tools to subvert
Internet security rather than improve it.
A true cracker creates nothing and aims to
only destroy. This individual’s chief pleasure
and goal is derived from disrupting or otherwise adversely affecting the computer services
of others.
The Amateurs: Script Kiddies
Unlike hackers and crackers, “script kiddies”
are usually amateurs not well versed in the
workings of a computer system or network
and are typically part of the younger population. Similar to hackers and crackers, these
individuals gain unauthorized access into a
computer system or network. However, this
group of unauthorized entrants is considered
to be amateurs by members of industry as well
as by the hacker and cracker community.
Their experimentations in cyberspace,
although disruptive, may generally be considered non-malicious.
Traits of a Script Kiddy
Script kiddies are people who are driven by
one goal—to gain access to a system. The
attacks that script kiddies perform upon a
networked system are, for the most part,
random. Unlike hackers and crackers who
are knowledgeable, script kiddies are considered amateurs. They are generally after easy
targets and are not concerned with how
much noise they make while they are trying
to acquire them.
The objective of script kiddies is volume; the
number of systems a script kiddie has gained
access to, and therefore “owns,” elevates that
individual into a higher rank in the script
kiddies’ world.
They generally have a small arsenal of tools,
which are freely available on the Internet. The
tools they have allow them to exploit a
small number of holes in systems. Script
kiddies usually do not have much programming knowledge or experience, and are
limited to the tools that they have already
learned to use.
Ethical Hacking: A Gray Area
Ethical hacking is an assessment test used to
check system weaknesses and vulnerabilities.
Companies typically hire gray hat hackers to
perform these penetration tests. In these tests,
the hired gray hat plays the role of a black hat
or cracker. They find system vulnerabilities
and then report them to the company’s internal administrators. Unconventional methods
of ethical hacking have taken the form of
public contests in which large companies offer
prizes to hackers who can crack their latest
hardware or software. Since these penetration
tests are performed with permission and the
purpose is “good intent,” this type of hacking
is considered to be relatively acceptable.
While several companies have benefited from
this method to protect their systems, some
professionals feel this tactic is flawed. Some
see granting permission to outsiders to penetrate the system as a major conflict of security
interest. Other critics state that any intrusion
on a system with or without permission is illegal. The reason? While businesses may own
the systems being penetrated, they may not
own the information that is uncovered during
the test. Additionally, there is no way to guarantee that the hired gray hat is purely
motivated by good intent and determining
“good intent” is nebulous. There are rogue
gray hat hackers who claim to perform ethical
hacking, but are in fact infiltrating and repairing systems without permission. Political
interests and the possibility of fame often drive
these gray hats. Also, the penetration process
can leave the system more susceptible to harm
than it was prior to the test. Contracted
hackers will often clean up the system or leave
instructions for staff to do so following the test.
A minority of critics weigh the possibility of the
gray hat leaving a door open in the system for
later exploits. Despite conflicts of opinion in
the industry, ethical hacking will most likely
continue to play a significant role in vulnerability
assessment.
“Ethical hacking works—and works well, but it is proof of how infantile the state of information security is.”
—Chief Technical Officer
Section 3: Technology
Defining Security Technology
In the seemingly chaotic world of cyberattacks, malicious software, hackers, crackers,
and script kiddies, both government and
industry are attempting to respond to the
need for a more secure cyberspace through
the implementation of regulations and the
development of security technology. So what
is security technology?
Security is “freedom from risk or danger.”
Security technology, therefore, is the use of
technology to prevent and protect against
both the access to information by unauthorized recipients, and the intentional but
unauthorized destruction or alteration of that
information. In addition to prevention and
protection, security technology includes technologies that help professionals and/or
technicians respond to security breaches that
have occurred.
The technologies that are intended to
enhance security are developed in response
to an identified problem that has occurred in
cyberspace. They are created to function
either before, during, or in response to a
security violation. In short, the functions of
security technology are to provide a solution
to an identified problem, namely the need to
prevent, detect, or respond to an
existing security breach or the potential of this
type of attack.
When security technology is applied to
protect a networked system from security
breaches and threats, this is known as
“system security.” System security is the
ongoing implementation of protections for
the confidentiality and integrity of information and system resources. More simply
stated, system security is when a networked
system can claim the following: the system
can be trusted to retain sensitive information;
data transfers in a network are virtually free
of threats; and unauthorized access into a
system is prevented.
Existing Security Technologies
Existing security technologies in today’s
market are geared to prevent, identify, and/or
respond to security threats and breaches.
Accordingly, the security market is both highly
segmented and integrally intertwined. In
terms of methods of delivery, the security
market has clear and defined divisions. In
contrast, the existing technology, and the
techniques used to create a product to fulfill a
security role, are extremely interdependent.
There are four goals of this section, given the
complexity of the security technology industry. First, it will identify and provide a basic
overview of the background and originating
principles upon which the existence of security technologies is founded. Second, it
will provide clarification of the divisions in the
security market, based on the four primary
methods of delivery. Third, it will identify the
techniques used in the major categories of
security technology to enhance computer and
network security. Lastly, a matrix will be
provided to illustrate how each of these
components is connected.
The 3 “A’s”–Founding Principles of Security Technology
Companies, security technology experts, and
researchers have contributed to transforming
the conceptual definition of security technology into ideas and goals that ultimately take
the form of tools and techniques. Security
tools and techniques are subsequently transformed by companies into products. The
evolution of security technology can be
traced back to the original “triple A’s” of security: authentication, access control, and audit.
Without these three principles, the concepts,
techniques and tools that enable existing
cyber-security would not exist.
Principle 1: Authentication
Authentication is a principle that refers to the
act of establishing and confirming the identity
of one party to another. When the principle
of authentication is applied, it protects
computer-to-computer or process-to-process
communication in both directions. Most
commonly, authentication establishes the
identity of a user to some part of a computer
system or network. A product that “authenticates,” in effect, prevents an unverified user’s access to
information stored in a computer system.
Authentication is also intended to prevent the
transmission of an unauthorized transaction
through a computer system or network.
Examples of security technologies that put this
principle into practice include: passwords,
credit-card-sized cryptographic tokens or
smart cards, or biometric signatures such as
fingerprints or voiceprints.
Principle 2: Access Control
Access control is a principle that deems that
logical and physical privileges on a
computer system or to data should be regulated. In application, it is a method that
determines what one party will allow
another to do with respect to gaining entry
into a computer system and gaining logical
privileges. Logical privileges include the
authorization to administer changes in a
computer’s operations, add or delete data,
and block out data transfers in computer-to-computer traffic.
When the principle of access control is
applied to security technology to create a
product, these products often are designed to
work in combination with authentication.
For example, when access control is implemented in a system, it theoretically allows the
owner to ensure that a computer system is
secure from unauthorized physical access
through a computer system or network. It also
theoretically allows the owner of a system or
a third party to control the legitimacy of
cyber-transactions between computers.
However, neither of these capabilities would
be possible without the additional application
of the authentication principle. Because
access control, by and large, is intended to
work in tandem with the authentication principle, examples of products that are based on
the principle of access control are similar to
the tools associated with authentication.
“Security is an art form.”
—Security Technologist
Principle 3: Audit
Auditing as a principle refers to the identified
need for log gathering and monitoring in
order to secure cyber-transactions. In application, it is a process of gathering data about
activity occurring within a computer system
and analyzing it in order to detect and
discover security violations or diagnose their
cause. Analysis can occur either offline after
the fact or online in real time. An example of
a tool that helps to carry out audit controls is
an intrusion detection system (IDS). An IDS
can take the form of either a passive or an
active system.
Passive Intrusion Detection System

In a passive intrusion detection system, analysis of audit data occurs offline, and the intent is to bring possible intrusions or violations to the attention of the auditor.

Active Intrusion Detection System

In an active intrusion detection system, analysis of audit data occurs in real time, and the system may take an immediate protective response, such as aborting the suspected process.

Physical vs. Logical Prevention and Protection

When companies evaluate which types of security technology should be integrated into existing networks, the realm of security that a product will enhance must be considered. With respect to computers and networks, these realms are physical and logical prevention and protection (Table 6).

Physical access prevention refers to protecting a computer system or network from unauthorized use by an individual.

Logical access protection is the protection provided by techniques, tools, and products in order to secure data and/or communications in e-transactions in the following scenarios: between a single computer system and a global network, among networked computers, and between a network and other cyber information systems.

Physical access is considered to precede logical access, because in order for an individual to obtain or manipulate data in a computer system, it is first necessary for that individual to gain physical authorization to use that system. Nevertheless, the view that restricting physical access therefore relieves the need for logical access restrictions is misleading. Any system that has communication links to cyberspace is in fact at risk for a logical vulnerability.
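To make the passive/active distinction from the Audit principle concrete, the following is an added example (not code from the report) that runs one failed-login detection rule over a constructed audit trail in both modes: the passive auditor only reports findings for a human to review, while the active monitor issues a protective response as each event arrives. The log format, the threshold of five failures and the 60-second window are assumptions made for the example.

```python
"""Passive versus active analysis of audit data, modelled on the IDS
distinction in the text. Example code with constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail: authentication events as a server might log them.
AUDIT_LOG = """\
2003-05-12T09:00:01 host=srv1 event=login_failed user=alice src=10.0.0.8
2003-05-12T09:00:03 host=srv1 event=login_failed user=alice src=10.0.0.8
2003-05-12T09:00:04 host=srv1 event=login_failed user=alice src=10.0.0.8
2003-05-12T09:00:06 host=srv1 event=login_failed user=alice src=10.0.0.8
2003-05-12T09:00:07 host=srv1 event=login_failed user=alice src=10.0.0.8
2003-05-12T09:00:09 host=srv1 event=login_ok user=alice src=10.0.0.8 session=4411
2003-05-12T09:15:00 host=srv1 event=login_failed user=bob src=10.0.0.9
2003-05-12T10:30:00 host=srv1 event=login_failed user=bob src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fields>.*)$")
FAILURE_THRESHOLD = 5           # assumed: this many failures ...
WINDOW = timedelta(seconds=60)  # ... from one source within this window


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


class FailedLoginDetector:
    """Sliding-window count of failed logins per source address."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def observe(self, ev):
        """Return a finding dict when this event reaches the threshold, else None."""
        if ev.get("event") != "login_failed" or "src" not in ev:
            return None
        recent = self.failures[ev["src"]]
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > self.window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.threshold:
            return {"src": ev["src"], "user": ev.get("user"),
                    "count": len(recent), "at": ev["ts"].isoformat()}
        return None


def passive_audit(log_text):
    """Offline analysis after the fact: read the whole trail and return the
    findings for the auditor's attention. The system itself is left untouched."""
    detector = FailedLoginDetector()
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        finding = detector.observe(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


def active_monitor(event_stream):
    """Real-time analysis: each event is examined as it arrives and, once the
    threshold is reached, the offending source is blocked immediately.
    Returns the (line, response) decisions taken, in order."""
    detector = FailedLoginDetector()
    blocked = set()
    decisions = []
    for line in event_stream:
        ev = parse_event(line)
        if not ev:
            continue
        if ev.get("src") in blocked:
            decisions.append((line, f"drop: source {ev['src']} already blocked"))
            continue
        finding = detector.observe(ev)
        if finding:
            blocked.add(finding["src"])
            decisions.append((line, f"block source {finding['src']} "
                                    f"after {finding['count']} failures"))
    return decisions


if __name__ == "__main__":
    print("passive findings:", passive_audit(AUDIT_LOG))
    for line, response in active_monitor(AUDIT_LOG.splitlines()):
        print(response, "<-", line)
```

Note that the later successful login from 10.0.0.8 is only reported as context by the passive auditor, whereas the active monitor has already blocked that source and drops it.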
External vs. Internal
Apparatus
In distinguishing between the actual tools of
the security technology industry, it is important to note that security technology products
can be physically located either external to or
internal to a computer system or network.
When a tool lies internally within a computer
or networked system, it is designed to protect,
prevent or respond to breaches in e-transactions and other e-traffic. These tools often
promote logical access by ensuring that the
transfer of information into a computer
system or through a networked system is both
secure from external sabotage and that the
data itself is not a vulnerability to the
computer system or network.
When security technologies are installed as a tool external to a computer system, these tools generally serve the function of preventing and protecting a computer system from unauthorized physical access.
Methods of Delivery

Based on method of delivery, security solutions may be divided into four primary segments: security software, security appliances, managed/outsourced security services, and peripheral security services (Table 7).

Table 7: Methods of Delivery for Security Solutions

Security Software: Security software consists of pure software products that are licensed to users. These products typically run on off-the-shelf servers, workstations, or desktops running standard operating systems.

Security Appliances: Security appliances include purpose-built hardware performing one or more security functions. Security appliances typically have a hardened (better secured) version of off-the-shelf operating systems.

Managed/Outsourced Security Services: Managed/outsourced security services include services that involve either managing a customer’s installed security solution (e.g., firewalls and VPNs) or providing a pure service (e.g., trust services such as outsourced PKI service).

Peripheral Security Services: Peripheral security services include services that are supportive in nature to the other three segments. These peripheral services include consulting, implementation, and training services. Given the complex nature of security solutions, limited understanding of the involved issues, and lack of trained personnel (often in small- and mid-sized businesses), a healthy market has developed for peripheral services.

Source: Sigmond and Kaura, RBC Capital Markets

Technologies and Techniques

When considering the existing technologies in this market, there are three broad groups into which the range of technologies may be segmented, based on the technique used: computer infrastructure, cryptography, and biometrics. A product in the market may use one or more of these methods to achieve its security function.

Computer Infrastructure

In the context of the computer industry, computer infrastructure is a broad term used to capture the range of technologies that allow computers and users to be connected. Accordingly, it refers to the physical hardware used to interconnect computers, networks, and users, which can include routers, switches, and other devices that allow e-transactions to occur over the internet. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted.

In application to security technology, computer infrastructure refers to the hardware and software designed explicitly for the purpose of enhancing systems security. The methods used to enhance security in the computer infrastructure category of this industry take the form of programs or hardware devices that enable security because they are generally run or activated as part of operating system environments.

Companies that focus on producing security enhancements in the form of computer infrastructure play a significant part in evolving the Internet and security. In fact, security tools and techniques that fall under the category of computer infrastructure comprise a majority of the security technology market, because these are the technologies that determine the physical locations of interconnections as well as how much information can be carried, and at what speed. Some examples of technologies that protect against and/or prevent security breaches include software programs, virtual private networks, firewalls, anti-virus solutions, and intrusion detection systems. It is important to note that the security enhancements that the listed tools provide can come in the form of either physical hardware or software.

Cryptography

Cryptography is based on mathematical formulas that provide encryption and decryption capabilities based on the use of either codes or ciphers. Cryptography is most often used for the purpose of enhancing security during e-transactions. “Code” is one of the two major methods of cryptography and involves the replacement of complete words or phrases by code words or numbers. “Cipher” works on the principle of replacing individual letters by other numbers or letters.

The use of encryption and decryption methods comprises what is known as a cryptosystem. There are two basic cryptosystems: symmetric and asymmetric. Symmetric cryptosystems use the same key (the secret/private key) to encrypt and decrypt a message. In contrast, an asymmetric cryptosystem uses one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. Asymmetric cryptosystems are also referred to as public key cryptosystems. When adapted to the market, these are known as public key infrastructures, or PKI.
The general tools that are based upon cryptography include digital certificates, certificate authorities, and digital signatures. How do these work? A certificate authority, a trusted third-party organization, issues digital certificates, which establish the validity of a user’s request to a website. Essentially, the URL on the certificate must match the URL of the website that the browser is connecting to in order for the private/secret key to be sent or received. In short, a certification authority, after verifying the authenticity of a requester for a digital certificate, will generate a digital signature for the certificate, which in turn enables connection into a secured site.
On a snapshot level, cryptographic tools are
generally designed to ensure that data is being
received and sent by the intended recipient
and sender. Technology products that are
based on cryptosystems convert data into
some unreadable form; this is known as
encryption. In order for the encrypted data to
be comprehensible, decryption or the transformation of the encrypted data back into its
original form must occur. Theoretically, it was
intended that only the two individuals who
are the intended sender and receiver of data
would possess the secret key that encrypts
and decrypts messages. The fact that it is not
entirely possible to develop a tamperproof
method of transporting the secret key from
the sender to the recipient creates the potential for security breaches to occur, and thus
the need for multiple methods to enhance
cyber security.
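The certificate-authority mechanism and the key-transport problem described above, as an added example that is not part of the report: a toy PKI in which a CA signs a certificate binding a hostname to a public key, a client checks the CA signature and the hostname match before trusting the key, and a symmetric session key is carried to the site under that public key rather than sent in the clear. The hostnames, the "Example Toy CA" name and the small Mersenne-prime RSA keys are constructed for illustration; textbook RSA over a hash with no padding is used only to model the concepts and is not a secure implementation.

```python
"""Toy public key infrastructure: CA-signed certificates, hostname checking,
and asymmetric transport of a symmetric session key.
Educational model only: tiny keys, textbook RSA, no padding. Not secure."""
import hashlib
import json
import secrets

# Constructed key material: Mersenne primes, far too small for real use.
CA_PRIMES = (2**31 - 1, 2**61 - 1)
SERVER_PRIMES = (2**89 - 1, 2**107 - 1)
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Return ((n, e), (n, d)): the public key and its matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # e * d == 1 (mod phi), so (m**e)**d == m (mod n)
    return (n, e), (n, d)


def digest_mod_n(data: bytes, n: int) -> int:
    """Reduce a SHA-256 digest so it is a valid RSA message for modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """Asymmetric signing: only the holder of d can produce this value."""
    n, d = private_key
    return pow(digest_mod_n(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the public key (n, e) can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)


def cert_body(cert: dict) -> bytes:
    """Canonical bytes covered by the CA signature (everything but the signature)."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private_key, hostname: str, subject_public_key) -> dict:
    """The CA, having verified the requester, binds the hostname to its key."""
    cert = {"subject": hostname,
            "subject_public_key": list(subject_public_key),
            "issuer": "Example Toy CA"}  # constructed issuer name
    cert["ca_signature"] = sign(ca_private_key, cert_body(cert))
    return cert


def verify_certificate(cert: dict, ca_public_key, connecting_to: str):
    """What a client does before trusting the key in a certificate: check the
    CA's signature, then check that the name matches the site being visited."""
    if not verify(ca_public_key, cert_body(cert), cert.get("ca_signature", 0)):
        return False, "CA signature does not verify (forged or tampered certificate)"
    if cert["subject"] != connecting_to:
        return False, f"certificate is for {cert['subject']!r}, not {connecting_to!r}"
    return True, "ok"


def wrap_session_key(subject_public_key, session_key: int) -> int:
    """Encrypt a symmetric session key with the site's public key so only the
    private-key holder can recover it: the secret key never travels in the clear."""
    n, e = subject_public_key
    assert 0 < session_key < n, "session key must be smaller than the modulus"
    return pow(session_key, e, n)


def unwrap_session_key(subject_private_key, wrapped: int) -> int:
    """The site recovers the symmetric key with its private key."""
    n, d = subject_private_key
    return pow(wrapped, d, n)


def demo():
    """Issue one certificate and exercise the good, wrong-host and tampered paths."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    site_pub, site_priv = make_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "www.example.test", site_pub)
    results = {
        "right_host": verify_certificate(cert, ca_pub, "www.example.test"),
        "wrong_host": verify_certificate(cert, ca_pub, "login.example.test"),
    }
    forged = dict(cert, subject="login.example.test")  # tampered copy, old signature
    results["tampered"] = verify_certificate(forged, ca_pub, "login.example.test")
    session_key = 1 + secrets.randbits(127)  # the symmetric key both ends will share
    wrapped = wrap_session_key(tuple(cert["subject_public_key"]), session_key)
    results["key_round_trip"] = unwrap_session_key(site_priv, wrapped) == session_key
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```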
Biometrics
Biometrics is the third broad category of security technology tools. Biometric security
technologies utilize physical human features
as the method by which to enhance security.
Current biometric tools identify physical human features such as fingerprints, eye retinas and irises, voice patterns, and facial
patterns and measurements. On a basic level,
biometric tools compare the personally identifying physical feature of the individual
requesting access with the data stored in the
biometric tool regarding the supposed individual. If the data stored in the biometric tool
matches the targeted physical feature(s) of the
requested user, access to the system will be
granted. If there is a mismatch, access is
denied.
When identifying physical features are used
as the means to achieve protection for a
system, they are largely used in the context of
regulating or preventing a user’s access.
Biometric tools are typically external equipment that regulate an individual’s access either into a physical area or provide regulated access to a computer system.
Piecing It Together
The security technologies that investors,
customers, and clients purchase have undergone an evolutionary process. The following
matrix specifically pieces together the components of the security technology industry
(Table 8).
“Security technology is protecting the integrity and availability of data assets.”
—Chief Technical Officer

Section 4
People
Growth in the Job Market
Government is heightening awareness of the
need for security, and high-tech companies
are transferring their attention to security technologies by investing in a long-term and
relatively collaborative effort to enable a more
secure cyberspace. Market trends validate that
the growth in the security technology industry
will result in the subsequent demand for a
workforce that can not only develop these
technologies, but implement these processes
when attacks occur. There are no credible
signs that attacks in cyberspace will halt in
either the short term or long term. As such,
demand for a workforce prepared with the
skills and the knowledge to work in the security and technology interface has been
stimulated.
Demand for Information
Security Professionals
The demand for information security professionals, in effect, starts with the concept of
security. Security is an ever-evolving measure,
a process, and an ongoing objective. As more
information about computer hardware and
software vulnerabilities, malicious scripts, virus
data, and other critical infrastructure-related
security trends becomes publicly available,
script kiddies and black hat hackers will make
alterations to cyber-attacks to compensate for
new safeguards. In turn, the best information
protection practices are continuously rescaled
to counteract new threats. This cyclical
combat of “shield and conquer,” combined
with businesses’ continuous need to build
trustworthy infrastructures, propels the global
voracity for skilled technical professionals in
information security. It appears that there will
always be a demand for technical professionals who maintain the security of sensitive
information.
Technology has created a wealth of high
impact applications that benefit business and
government. Enterprises increasingly utilize
worldwide computer networks for integral
business operations. E-commerce is a calculated and significant ingredient in business
structure. Governments depend on information technology to collect, analyze, and
distribute essential intelligence, as well as
create and refine military hardware. The
protection of critical assets and information
has always been a priority for public and
private sectors. This need for data protection
escalated after the devastating events of
September 11th. In the wake of the World
Trade Center and Pentagon terrorist attacks,
the perceived value of information increased,
as well as the comprehension that information translates into money. As public and
private industries examine and redefine their
concepts around logical and physical security
efforts, they will need the expertise of information security specialists.
The urgency for skilled security specialists will
continue to intensify as federal agencies
restructure to fully actualize the Department
of Homeland Security, and businesses create
and deploy security technologies. Silicon
Valley is the location of nearly 400 corporate
headquarters—many of which are IT-based
and focus on the development of security
technologies. Silicon Valley businesses have
already experienced an upsurge in the
award of government contracts for entrepreneurial and innovative security products, and
have received requests to serve on
public/private-sector collaboratives that identify and evaluate security efficiencies across
industries. As information security continues
to be a pivotal area of concern, Silicon Valley
will be repeatedly looked upon for leadership
in security technology development and
implementation. As such, this makes Silicon
Valley a fundamental market for valuable
information security talent.
Experts suggest that many opportunities in
information security will sprout from the
“National Strategy to Secure Cyberspace” and
new legislation, such as the Health Insurance
Portability and Accountability Act (HIPAA) and
the Aviation and Transportation Act. The
Aviation and Transportation Security Act is a
direct response to the September 11th terrorist
attacks. In an effort to limit and secure the
vulnerabilities of the transportation industry, the
law establishes a Transportation Security
Administration within the Department of
Transportation. The law requires the administration to adopt stricter security standards for
baggage screening and implement various
protection devices. Silicon Valley is a major
player in the administration’s efforts for airport
safety. The Norman Y. Mineta San Jose
International Airport is one of five national
airports selected to serve as a beta test site for
these new security standards and technologies.
HIPAA will stimulate the growth of information
security jobs as healthcare institutions strive to
leverage networks. Skilled security professionals will be needed in healthcare institutions to
deploy security architectures that not only
meet government regulations, but also
guarantee trust. (See page 16 for more information about HIPAA).
The demand for information security professionals can also be measured by the increased
desire for security certification in traditional IT
job descriptions and by the lack of qualified
candidates. Silicon Valley IT managers partially
blame the challenge of finding information
security talent on the low number of computer
science doctorate degrees awarded in the
United States. Computer science doctorates
are used to measure the U.S. education
system’s production of qualified people for the
technology industry. According to the Survey
of Earned Doctorates released by the National
Science Foundation, doctoral degrees
awarded in science and engineering dropped
seven percent from 1998 to 2001. Computer
science doctorates awarded in the United
States peaked in 1995 with 997 doctorate
degrees, but declined to 826 in 2001.
California awards the most science and engineering doctorates, but only 125 of the 4,801
doctoral degrees awarded in 2001 were in the
computer science field. In their 2002 report,
the Information Technology Association of
America (ITAA) projects a national need of
over one million technology workers within
the next year. Despite the current downturn
in the IT sector, there remain consistent
projections of a 50 percent gap between the
supply and demand of technology talent.
Information security professionals will be
some of the most sought after employees
because they have the greatest disparity
between the supply and demand of any IT
occupation. A national shortage of 50,000 to
75,000 security professionals is expected to
occur in the next few years. Compounding this
supply problem is the dwindling number of
minorities and women pursuing technical
careers. To attract the best talent from the
limited pool of candidates, most employers
have increased salaries and benefits for security specialists. A Foote Partners LLC study
found that while salaries in traditional IT positions declined by an average of 5.5 percent for
the first quarter of 2002 versus the first quarter
of 2001, salaries for information security
professionals increased on average by 3.1
percent. The average yearly compensation
for information security professionals, including bonuses, now exceeds $100,000. Table 9
shows the salary and bonuses earned by information security professionals as of the first
quarter of 2000 and the first quarter of 2002.
Source: Foote Partners, LLC
Opportunities for information security professionals will exist primarily in security network
design and administration, as well as systems
engineering. According to the Robert Half
Technology 2003 IT Hiring Index, large
companies employing 1,000 or more workers
will hire the majority of these professionals.
Information security roles are statistically classified under computer and mathematical
occupations. In California, the total number
of job openings due to growth and separations between 2000 and 2010 for network
and computer system occupations are
projected to be 98,200. Table 10 provides a
breakdown by occupational classification.
Table 10: California Occupational Projections

SOC Code   Occupational Title                                   Number of Openings
11-3021    Computer Information Systems Managers                21,500
15-1051    Computer Systems Analysts                            28,400
15-1071    Network and Computer Systems Administrators          34,100
15-1081    Network Systems and Data Communications Analysts     14,200
           TOTAL                                                98,200

Source: California Employment Development Department
Evolution of the
Information Security
Department
The growing divergence between information
technology and information security can be
defined as a slow yet steady process. Experts
in the industry advocate that businesses
should separate their information technology
and information security into two distinct
departments. The reason? It is considered a
major conflict of interest to have the functions
of information technology and information
security in one division. Information security
focuses on protecting information assets and
information systems. Information technology
primarily focuses on technology as a functional tool for systems. Both roles overlap to
manage information systems, but IT workers
are primarily concerned with making sure
systems run smoothly and information security workers are focused on setting the rules
for how those systems run. The idea is that
security can be compromised if the same
person overseeing, implementing, or reviewing security is the same person responsible for
the basic working order of the technology.
The cost and development involved with the
implementation of essential security are two
reasons why many companies have not made
the transition to divide their technology
departments. The perception is that by having
a separate security department there is a
substantial trade off with par performance
and a slowing down of business operations.
The expense for information security measures is like an insurance policy premium, and
the industry continues to debate security’s
return-on-investment (ROI) value. Opting to
make do with current staff, companies have
expanded the roles and responsibilities of
traditional IT personnel. Local experts are
uncertain how long this trend of blending
roles inside of information technology departments will last. The prediction is that smaller
companies, operating on lesser budgets, will
continue to utilize IT workers for both
information functions, but larger companies
will have the means to invest in the actualization of two distinct departments to protect
their assets.
Deciphering
Information Security
Job Titles, Roles, and
Responsibilities
The structure and definition of information
security jobs have yet to be fully clarified by
the industry. There exist very few universal
job titles below the executive level. This is
partly due to the fact that most companies are
utilizing traditional IT roles to handle the
responsibilities of information security. This is
also why it is common to find certified information security professionals with traditional
information technology job titles. Because the
information security industry is still in the
process of development, this section will
examine those roles and responsibilities that
are currently common to the trade. The job
titles listed reveal the most recent labels given
to information security personnel and may
not correspond to those designations in all
companies; however, the tasks described
reflect the roles of information security
specialists. These job descriptions are a
sample of opportunities available in security
and are not intended to be an all-inclusive
representation.
All information security team members are
responsible for establishing and enforcing
security policies. Each member plays a role
in one or more of the following: risk assessment, configuration and deployment of
architecture, the management of security
maintenance, incident response, and forensics. Team-specific responsibilities generally
separate one job from the next, but in some
organizations, the same employee may
perform a variety of security roles.
Since networking is where security measures
have increased the most, this section will
focus on those jobs that deal directly with
protecting those systems. These positions are
involved with the engineering and support of
e-business infrastructures, as well as the
inspection of these information systems.
These jobs exist in the North American
Industry Classification System (NAICS) under
industry sector 54: “Professional, Scientific,
and Technical Services.”
Roles in information security can be divided
into four basic groups:
• Advisor/Strategist
• Designer
• Operator/Attendant
• Examiner
Most information security jobs overlap several
of these general divisions and can be further
classified by either organizational or functional responsibilities. In short, those who
advise and strategize are the people determining how the infrastructure should operate;
those who design are the people creating
solutions to the problems identified by
analysts; those who tend and operate security
equipment are the people administering
those solutions created by architects
and engineers; and those who examine
operations are those people ensuring the
functionality of information systems.
Advisor/Strategist Roles
Advisor/strategist roles and responsibilities are
generally found under the following job titles:
• Computer security consultant
• Data security analyst
• Data security specialist
• IT security analyst
• Information security advisor
• Information security analyst
• Information security consultant
• Information systems security analyst
• Security analyst
• Security policy administrator
• Security system analyst
Security specialists who have an advisor/
strategist role are primarily focused on identifying and assessing information security risks.
This role figures into all aspects of the information security department. It greatly crosses
over into the designer and examiner duties. In
some companies, one employee may perform
the analyst, architect, and engineer roles.
Much of what advisor/strategist professionals
do is evaluate security projects, implement
best practices, and provide guidance for security architectures. They observe and arrange
the security posture of the enterprise by
studying the needs of the company. They
implement security policies and govern the
implementation of countermeasure technologies that direct the security function. These
specialists assess new systems or redirect the
application of existing systems. By continuously assessing the adequacy of security
controls and procedures, these professionals
propose, develop, and respond to the policies
and methods necessary to serve the organization’s system needs.
Outside of performing tasks such as structured analysis, penetration testing, data
modeling, information engineering, mathematical model building, and sampling, this
role requires the preparation of cost-benefit
and return-on-investment (ROI) analyses.
These ROI analyses are presented to business
management and typically determine the fate
of proposed security solutions. Once management sanctions security solutions and
technologies, these specialists coordinate with
workers in the IT and/or security technology
departments to implement these solutions.
Professionals in advisor/strategist roles are
often called upon to recommend training and
certifications for IT staff. These specialists
regularly receive requests for reports on
specific security technologies and usually
serve as upper security management’s initial
point of contact for security concerns.
Advisor/strategist roles typically require basic
to advanced knowledge of business management and organizational objectives. It is
crucial for these workers to have expert
knowledge of authentication, access control,
and audit technologies. A disciplined knowledge of security testing procedures and
techniques combined with an understanding
of engineering is important. Individuals
should also possess strong familiarity with
implementing security architectures, such as
firewalls, intrusion detection systems, and
virus software that work in tandem.
Designer Roles

Designer roles and responsibilities are generally found under the following job titles:
• Data architect
• Enterprise security engineer
• Information security architect
• IT security specialist
• Network security specialist
• Security engineer
• Security architect
• Security systems architect
• Security systems engineer

Security specialists who have a designer role configure, develop, and deploy infrastructure technology and mechanisms that accomplish security goals. Designer tasks cross over into advisor/strategist and operator/attendant roles. These professionals plan and execute all aspects of new security service development projects. Designer professionals have the responsibility of coordinating and handling issues with vendors. Their focus is on the development and integrity of architecture, product selection, and the procurement of services.

Professionals who have a designer role structure and assist in the installation of security components, such as firewalls, intrusion detection systems, and Public Key Infrastructures (PKIs). They perform quality assurance testing and code inspections for security flaws. This role requires the professional to measure, detect, review, and improve the security infrastructure through additional products or security services. A great deal of the job is concentrated in research and development.

Architects and engineers document operational procedures and indicate the availability of patches to update systems. They assist in the training of operations staff and give input on product development. Designers often advise users on the application of security services through user documentation or training.

Designers should possess advanced analytical thinking skills. Developing security architectures is a detailed process. Workers should have extensive knowledge of various programming languages, code standards, and all aspects of security engineering tasks. Successful designer professionals have the ability to identify fundamental issues in complex circumstances.
Operator/Attendant Roles
Operator/attendant roles and responsibilities
are generally found under the following
job titles:
• Firewall administrator
• Firewall security expert
• Help desk security assistant
• Information security administrator
• Information security coordinator
• Network security administrator
• Security administrator
• Security support specialist
• Security systems administrator
• Security technician
Security specialists who have an operator/
attendant role install security software, oversee network traffic, and develop response
plans to security dilemmas. Operator/attendant responsibilities link directly into
advisor/strategist and designer roles. Security
professionals who perform operator/attendant
roles support the security infrastructure. They
are often referred to as the day-to-day system
detectives who ensure the regular cyberoperations of the organization.
Operator/attendant professionals perform
routine tasks, such as checking firewall and
server logs, monitoring network traffic, and
remaining alert to system vulnerabilities. They
activate and control the technologies that
contribute to the security of communication
networks, and computer hardware and software. Administrators support analysts and
engineers with the development and implementation of security policies. They are
responsible for monitoring and reviewing
operation practices and mechanisms to
ensure security policy compliance.
Administrative professionals promote security
awareness and implement strategies to effectively deal with internal and external threats.
To keep systems dependable, administrators
regularly assess and analyze the effectiveness
and appropriateness of information security
policies and procedures.
Companies rely heavily on operator/attendant professionals for their ability to detect discrepancies, so a keen eye for detail is essential. These professionals must have in-depth knowledge of database and network technologies. Those who can educate technical staff and end users are considered to be very valuable.
Examiner Roles
Examiner roles and responsibilities are generally found under the following job titles:
• Computer forensic analyst
• Computer forensics examiner
• Electronic Data Processing (EDP) auditor
• Forensic analyst
• Information security auditor
• Intrusion analyst
• Network security auditor
Security specialists who have examiner roles
review systems for security functionality. Their
duties closely align with advisor/strategist
responsibilities. Examiner professionals evaluate the adequacy of internal security controls
prior to implementation. They manage and
evaluate risks to guard against theft and disasters, such as fires and floods. They initiate
corrective and preventative measures within
the infrastructure to reduce security flaws.
They also make recommendations for
changes that ensure system integrity and
accuracy. Their primary goal is to ensure that
all aspects of a company’s information
systems are appropriate and function as
designed. These specialists create security
audit reports that address the aptness of the
organization’s security policy.
To verify the accuracy of a computer program,
auditors test the processing accuracy and
control procedures that are built into the
program. They examine the precision of
computer input and output and compare the
results of the audit program with the output of
the company’s programs. These comparisons
reveal unauthorized modifications in the
organization’s programs. Once an examiner
discovers input and output discrepancies,
they communicate findings to upper management and discuss corrective action.
Examiner professionals need an in-depth
understanding of penetration testing and
computer forensic techniques, as well as
familiarity with multiple computer platforms.
The most successful auditors are fluent
programmers who know a variety of script
languages. Those who have extensive experience in computer forensic analysis, network
protocols, network devices, and data recovery are highly coveted.
The Executive Level of Information Security
Similar to subordinate-level positions, the job
titles, responsibilities, and reporting structures
of information security management are
inconsistent. Companies frequently assign
administrative security responsibilities to
traditional IT officers when they do not have
chief security officer or chief information
security officer positions. This approach to
computer security is relatively effective, but
experts cite that this method should be
temporary if a company wants to successfully
block security vulnerabilities. The theory is
that using chief technology officers (CTO) and
chief information officers (CIO) to manage the
responsibility will become ineffective as the
leadership role of security evolves. In particular, CIOs present a conflict of interest when
they oversee security efforts. Security is
constrained when the CIO must balance the
need to save money with the need for secure
and current network systems. The steady
change of security architectures and the
increasing pressure from legislative efforts,
federal agencies, and financial auditors are
slowly influencing companies to rethink their
blended security and IT hierarchies.
The challenge to meet security requirements
on limited budgets forces some companies to
outsource their security management. There
are benefits to keeping the responsibilities of
information security in-house, but currently
only larger companies can afford such
business indulgence. The expense and upfront costs of implementing specialized
security teams, staff training, legal counseling,
and new technologies can significantly
impact the bottom line of a company. For
small- to mid-size organizations, outsourcing security is a feasible and cost-effective solution. Outsourced consultants offer
service-level agreements (SLAs) that allow
companies to control the budget and tailor
security architecture to meet their needs.
Outsourcing is not without its drawbacks.
Once outside consultants enter the organization, security is compromised. It is opening
the door to strangers and trusting these
strangers to lock other strangers out. External
teams are privy to confidential and valuable
information assets. Businesses that contract
talent need to draw up nondisclosure agreements to protect the company from any
information leaks.
There is often a lack of communication
between outsourced teams and business
management. Organizations can become
completely dependent on outsourced specialists because of this. To avoid these conflicts
and the possibility of generic security policies
and practices, businesses are establishing in-house executive security positions.
Chief Security Officers (CSO)/Chief Information Security Officers (CISO)
The chief security officer (CSO) and chief
information security officer (CISO) titles are
often used interchangeably. The CSO is typically regarded as a more executive level
position that orchestrates the overall security
of business operations. The CISO title is
considered a managerial position that oversees the security of information only.
The main duty of a CSO or CISO is to protect
the assets of the enterprise. In the case of the
CSO, this responsibility would extend to
physical security as well as information security.
CSO/CISOs frequently interact with top
management and explain the security risks to
non-technical administration. They oversee
the policies and procedures that secure day-to-day operations. CSO/CISOs supervise
several technical management teams and are
responsible for hiring security staff.
CSO/CISOs direct the business relationships
between lower-level technical security
personnel and vendors, as well as outside
consultants. In addition, CSOs manage the
creation and installation of global security
policies that coincide with the organization’s
strategic plan. CSO/CISO executives set the
guidelines and procedures for the ongoing
maintenance of security and supervise security breach investigations.
CSO/CISO executives need to have
combined strengths in technology, business
management, and law. Effective officers
possess a strong understanding of the
company’s assets and business culture.
Experience in business continuity planning,
auditing, and risk management, as well as
contract and vendor negotiations, will support
individual success. Many accomplished
CSO/CISOs with a background in law
enforcement or military intelligence have a
better understanding of logical and physical
security measures.
Career Progression
The business world is not in agreement about
how information security should be structured.
Currently, organizations are literally creating
their security departments by trial and error.
Cookie-cutter pathways in information security
do not exist. Career progression is greatly determined internally and varies from company to
company. The procurement of security certifications greatly affects the progression of security
professionals. (See page 52 for more information about certifications.) The following career
ladders are examples of possible job advancement within the field but are not exhaustive
illustrations of information security career paths.
Career Ladders in Information Security
Transitioning from a
Traditional IT Position
Experience in IT is beneficial for any candidate seeking an opportunity in information
security. Some traditional IT professionals may
find their job duties expanded into security
because a vast majority of companies blend security into the IT department. IT
professionals are generally welcomed in security when they have plenty of work
experience and the willingness to learn new
tools. Professionals who have acute familiarity
with operating systems and/or networking can
expect easier moves into the security field.
Many information security professionals have
come from networking or systems administration backgrounds. Experts suggest that those
professionals who have expertise in the applications side of technology should further their
technical education and obtain role-specific
security certification.
Opportunities in the
Federal Government
Federal government jobs in information
security emulate the private sector. The qualifications for employment are more stringent
and the salary is typically lower. Job seekers
interested in protecting the nation’s security
should consider a career with the Central
Intelligence Agency (CIA), the Federal Bureau
of Investigation (FBI), or the National Security
Agency (NSA).
The CIA has positions in network design and
management and systems engineering. The
CIA recruits individuals who are U.S. citizens
and have a degree in computer science or
computer engineering. Job seekers with
specialty knowledge in information security
and systems engineering and architecture are
highly desired. There are two types of opportunities available for information security professionals in the FBI: special agent positions and professional support personnel positions. The FBI is recruiting individuals for special agent positions who: are U.S. citizens; have critical skills in the areas of computer science and information technology; possess an information technology related degree; and have Cisco Certified Network Professional (CCNP) or Cisco Certified Internetworking Expert certification. The FBI recruits candidates for professional support personnel opportunities who have critical skills in computer networking and forensics.
Basic Qualification Requirements for FBI Opportunities
Special Agent
• U.S. citizen
• Four-year degree from accredited college/university
• Age 23-36
• Valid driver’s license
• Drug free
• Uncorrected vision not worse than 20/200
• Corrected vision 20/20 in one eye and not worse than 20/40 in the other eye.
Professional Support Personnel
• U.S. citizen
• High school diploma or equivalent
• Drug free
• Specific qualifications are defined for each support position
Protecting the United States’ information
systems through the Information Systems
Security (INFOSEC) mission, the NSA recruits
systems analysts and engineers, cryptologists,
and computer scientists who are U.S. citizens.
Professionals who have advanced skills in
designing cipher systems, developing security
architectures, and implementing data
communications will have the greatest opportunities in the NSA.
Certifications
Current trends in the security technology
industry indicate that security still pays. For
those with security certifications, this industry
pays even more. As the security technology
sector is expected to burgeon over the course
of the next several years, significant growth in
jobs can also be expected. Whether the job
market is experiencing growth or is in a
down-cycle, job seekers will be required to
hone their skills and increase their marketability in order to ensure that their technical
expertise is noticed in the hiring process.
“Security certifications are the fastest growing certifications at Cisco. Security is critical to the safe and proper functioning of any network activity. The skills and knowledge necessary to configure, operate, maintain, and troubleshoot security devices and functions continue to be in high demand.”
–Rick Stiffler, Senior Manager of Security and Emerging Technologies Training, Internet Learning Solutions Group, Cisco Systems Inc.[43]
“In today’s tough job market, certifications are critical. Your certifications will get you into the interview; your experience will earn you the job,” stated Karl Childs, Certification Program Manager, Novell.[44]
Table 11 indicates the growth in base salary
increases attributable to certifications. The
table reflects increases based on a particular
area of information security certifications
training.
Certifications in the security technology
market allow network professionals to gain a
competitive edge over others in the hiring
process and provide an opportunity for career
mobility and flexibility.
Vendor-Neutral vs. Vendor-Specific Distinctions
Job seekers in the information security job
market have the option of pursuing either a
vendor-neutral or vendor-specific certification.
Understanding these two distinctions in certification opportunities is important when
considering the option of pursuing a security-related certification (Table 12).
Vendor-neutral certifications are certifications that primarily focus on “concepts, policies, practices, and principles.”[45] They do not focus on a specific product, platform, or technology implementation unless there is no other realistic alternative available. Instead they test
concepts and knowledge of major security
technology niches such as cryptography,
network security, architecture, and ethics. A
number of the vendor-neutral certifications
require the trainee to take a code of ethics
oath prior to receipt of certification.
According to Certification Magazine,
“Vendor-neutral security certifications are
good because they force candidates to
develop a sense of the whole field and its
history and conceptual underpinnings. You
will find a mixture of user and industry associations behind such programs, as well as
training companies, consortia and other
groups of like-minded IT professionals from
all walks of life.”[46]
While there are benefits to receiving a
vendor-neutral certification, there are also
advantages to pursuing vendor-specific
certifications. Vendor-specific certifications
originate from a particular vendor. Typically,
the concentration of the certification training
is to teach individuals how to design, install,
configure, maintain and troubleshoot specific
solutions, platforms, tools, or technologies
that relate to information security. When a
company is looking to hire an individual who
will allow the company to expand the
management of security technology or reduce
the vulnerability of their company’s security
infrastructure, there are essentially two things
that are considered in the hiring decision:
whether the job seeker is versed in information security, and whether he or she
has obtained certification in a particular
vendor-specific technology. Vendor-specific certifications were developed, and continue to be developed, by companies with two goals in mind: first, to help manage the costs of technical support in an organization; second, to provide organizations and companies that have integrated a vendor’s tools and technologies into their computer architecture with knowledgeable professionals who are capable of implementing and working with the vendor’s solutions.[47]
Important Decision Making Elements in Seeking Certification
Individuals who pursue certification training
are not necessarily sponsored by companies,
so there are definitely elements to consider
when making a decision to pursue a certification. An individual who is currently employed
by a company that uses a specific vendor for
its platform or technologies would benefit
from obtaining the pertinent vendor-specific
certifications.
When the decision at hand is based upon
selecting among vendor-neutral certifications,
Certification Magazine offers the following
criteria to consider.
• Name recognition: How well is the
program known? Does it appear in any job
postings online or classified ads that you
can find? Do your peers or co-workers
know about this program?
• Size of the certified population: Many large players in the certification industry regard a program worthy of consideration only if it can claim 10,000 or more certified professionals among its group. It is important to know the numbers prior to making the decision to pursue that certification offering.
• Costs: How much do exams cost? How long will it take to prepare? What is the ROI on your paycheck?
[Table 12. Source: Certification Magazine, February 2003]
Certification Levels
Once the decision has been made to pursue
certifications, the next factors to consider are
the level of certification and the training
method. Certification training, in general, is
offered at various levels—basic, intermediate,
and advanced. An advanced level of training
allows an individual to learn about a greater
number of the technologies that require
protection, in addition to gaining more in-depth training on the various methods that can
be used to prevent, identify, and respond to a
security breach. When a person opts for an
advanced level of training, that individual is
gaining a more comprehensive and in-depth
knowledge of the various technologies that
require protection as well as the various methods that can be used in response to attacks that
have occurred. In addition to these levels of
certification, companies are also beginning to
develop certifications based on technology
“specializations.” For example, an employee or
job seeker who is only interested in working
with virtual private network (VPN) technology
may prefer to pursue a certification that only
trains in this technology. Most companies
create certification programs that allow their
trainees to gain certification in a specific technology and also offer these trainees
opportunities to upgrade their certification
without having to repeat courses.
Certifications training and courses are available from various sources. Table 13 provides a short list of popular certifications.[48] For a more complete listing of company-specific certifications as well as vendor-neutral options, please see Appendix H.
[Table 13. Source: CSO Online]
Most companies offering security technology
certifications offer two methods of training:
instructor-led and online courses. Courses are
designed to teach individuals about the technical details involved with security
technologies; as such, coursework is largely
book-based. Some companies offer courses
that are a hands-on approach to learning the
technology. These types of courses frequently
incorporate a simulation exercise as part of
the certifying exam. Because technologies
continually change, companies offering certifications have also developed programs that
offer re-certification exams and courses,
which are taken every two years on average.
Certification and Salaries in
Security
So why should an individual pursue a certification in security technology? Even in the
midst of the dot-com bust and the struggling
economy, statistics show job security and a
competitive salary can be found among those
who have obtained security technology certifications. Most major companies in the Bay
Area that offer certification training agree on
the career potential afforded through this
training—it not only opens up opportunities,
but lends credibility to the job seeker who is
equipped with this specialized knowledge. In
Foote Partners’ annual review for Information
Security Magazine, in which nearly 30,000
public- and private-sector IT professionals in
the U.S. and Canada were interviewed, the
finding was that there is a “…marked divergence between security jobs and the rest of IT
in nearly every compensation statistic.”
During the first part of the downturn in the
information and high-tech sectors, the market
for security professionals actually grew as a
subsector. Employees in this sector not only
survived, but those who upgraded their skills,
on average, received salary increases or some
form of increased compensation.[49]
Tables 14–16 depict the typical salary
increase attributable to vendor certification.
In a lean economy, whether or not security
certifications provide a sufficient ROI for the
consumer to warrant training is a question
that a large majority of IT professionals are
already asking themselves. According to
research, the bottom line on certifications in
security technology is that they are an asset to
the prospective and current information security professional. The rapidly changing nature
of security technologies necessitates that job
seekers and employees continually upgrade
and up-train their technical skills.
Certifications offer job seekers and current
employees of this market opportunities for
career growth, not to mention the additional
perk of increased compensation during an
otherwise high-tech slump.
Job Skills for
Information Security
Professionals
Opportunities in information security are
extensive. There is currently a lack of qualified
professionals who can fill the growing number
of positions. Those individuals who have the
necessary skills to succeed in the field are reaping the rewards of progressive careers and
elevated salaries. Although the industry has not
reached a consensus about how to organize
these professionals, the industry is in agreement about what skills these specialists should
possess.
“Security technology is protecting the integrity and availability of data assets.”
—Chief Technical Officer
In terms of technical skill, the industry
would like to hire individuals with profuse
knowledge of operating systems, firewalls,
authentication methods, and networking
tools. Certifications in information security
are an accepted means for hiring managers
to measure individual skill level. Table 17
details some of the suggested disciplines and
tools for information security specialists.
Technical skills alone will not predict success
for job seekers. Experts in management
suggest that candidates have a love for the
technical side of the industry, but balance
that devotion with a variety of real world
experiences. Even the most adroit technologist will not succeed in the industry if he or
she possesses poor interpersonal skills.
Overall, local experts suggest that candidates
seeking information security jobs have the
following soft skills:
• Good communication
• Ability to work in a team
• Diplomacy
• Patience
• Flexibility
• Integrity
• Attention to detail
• Self-motivation
• Strong problem-solving skills
• Understanding of business culture and
corporate politics
• Ability to negotiate
• Good management skills
• Good writing skills
• Desire for continuous learning
The industry increasingly desires security
specialists who are business savvy. These jobs
require a balance of technology and business
protocol. Security specialists who communicate well with the technical team, as well as all
levels of management, will be effective and
indispensable. Based on return-on-investment
(ROI) debates, business executives often see
security measures as a necessary evil.
Specialists increasingly need developed negotiating skills to influence administrative approval
of effective security policies. The constant
change of security architectures, technology,
laws, and vulnerabilities requires job seekers to
continue their education on a regular basis.
Senior security specialists reveal that in addition to re-certification, they spend up to two
hours per day reading trade journals and
industry news to remain current in their field.
The industry recognizes the importance of physical and logical security working in unison. Individuals who have experience in law enforcement, as well as proficient knowledge of existing security laws, will have access to more career opportunities in the field.
[Table 17. Source: NOVA 2003]
Experts also suggest individuals pursuing
information security jobs should study
psychology. The people aspect of information
security is the most crucial area of concern.
Information security professionals with a
background in psychology have greater
insight into how people use computers,
process information, and make decisions. By
understanding how humans organize and
analyze information, professionals can understand how a cyber attack is orchestrated and
reveal the motivations and skill level of the
perpetrator.
Career Enhancers for Information Security Specialists
• Business Management Experience
• Computer Science Degree
• Information Security Certification
• Knowledge of Security Practices
• Law Enforcement Experience
• Psychology Background
• Security Clearances
• Security System Design & Implementation Experience
No-Tolerance Policy
While it is true the security industry is looking for the best talent, they are not particularly desperate for any job seekers with a criminal past. Black hat hackers or crackers are considered to be without the necessary morals and ethics required for a security-oriented job. Although the media may vest in the idea that somehow criminal hackers lead glamorous lives, the truth is what these people do is neither heroic nor alluring.
Criminal hackers are credited with the ability to offer a new perspective on protecting the infrastructure. In spite of the fact that a few businesses have held focus group discussions with would-be intruders and even allowed some criminal hackers to perform penetration testing on their systems, most businesses have no intention of hiring these people to watch over their networks.
There is not much of a future for criminal hackers in information security. Experts simply say the skills of felonious hackers are limited. Criminal hackers may possess the talent to break into networks but are without the technical skill to keep these systems safe. It is essentially easier to break into a system than it is to sustain it. The story of a prosecuted hacker who spends years in federal prison and then makes good as a popular security consultant is a rare one. The best wager for a thriving career in information security would be for job seekers to keep their moral high ground.
Salary Expectations in Information Security
Salaries for security professionals are not
determined by an exact science. For the most
part, salaries for information security personnel are related to the size of the company
and the industry. Job experience plays a major
role in determining compensation and local
experts indicate that job seekers can increase
their earning potential by acquiring niche
certifications. Compensation can also be
determined by the organization’s reporting
structure. Personnel who report to higher
levels of management typically receive a
higher salary. According to DataMasters, a professional services firm specializing in information technology, security specialists are compensated between $87,238 and $130,698 in the western region of the United States.[50] Tables 18-22 summarize salaries for the metropolitan area of San Jose, California, in April 2003 for five common information security jobs.
“Don’t overestimate the talent or value of a so-called ‘black hat’ hacker. It’s far easier to break a system than it is to protect one.”
–Educator
[Tables 18-22. Source: www.salary.com. * Total exceeds 100% due to rounding.]
Section 5
Star Profiles
Tim M. Mather
Senior Director of Information Security
Symantec Corporation
Certifications:
CISSP, CISM, CISSA
Career Ladder:
Senior Director of Information Security
Manager of Security
Manager of Information Security
Introduction to Computer Technology: Apple II
Please tell us about your current position
and how you arrived there. How did your
career progress?
I am responsible for Symantec’s information
security. That includes all of the internal facing
and external facing systems, as well as ensuring the security of our vendors. We levy
requirements on our vendors, and I make
certain that they meet these provisions. I do
the upfront policy and architecture and the
back-end auditing. It’s my job to make security recommendations to the business, as well
as make sure the business understands the
possible ramifications if they choose not to
take my advice. My role is somewhat enforcer
and, to a large extent, advisor. The role is not
100 percent enforcer. If you think the role is
100 percent enforcer then you are going to
fail. It’s not about being just a cop. It’s also
about being a teacher. Most of the day-to-day
functions, like the firewalls and the servers,
belong to other groups within IT. I started
working in the defense industry. I was an
Army reservist in military intelligence and had
a security clearance. I worked on a seven-year
project doing defense intelligence type work. I
then moved back to the Bay Area and did
some independent consulting work with some
small businesses. At that time, the government
world had more advanced security standards
than the commercial environment. The
commercial sector hadn’t even heard of a firewall at that point. Quite honestly, there was
one firewall on the market. You had to educate
people about what a firewall was, and frankly,
in that respect, it was a bit ahead of the curve.
I have held the same position essentially, but
with greater responsibility at the last three
companies that I have been with. I was
Manager of Information Security at Apple
Computer, and then the Manager of Security at
Verisign. The only difference at Verisign was
that I was responsible for all security, such as
physical security and personnel security. Here
at Symantec, I don’t have physical or personnel
security. Quite frankly, that stuff just isn’t
appealing to me, but essentially the jobs I’ve
held have been the same—all have been
billion-dollar companies, etc. It’s just a question of more responsibilities.
Describe your typical workday.
Very hectic. There are always fires to fight.
Usually way too many meetings. I tell my
admin not to schedule me for more than four
hours of meetings a day. Lots of phone calls. It’s
a lot of juggling. It really is. There are up to
eighteen or two dozen issues a day to deal
with. Some of them are relatively small—“Hey,
what about this?” Some of them are major
decisions—“Hey, where are we going?” I
receive 150 to 200 emails and twenty-five to
forty phone calls a day. It’s a long day. I am
generally here by 8:30 A.M. at the latest. I don’t
leave before 6:30 P.M. It’s a fairly stressful job. I
mean, I’m the security person at a security
company.
Which aspects of your education and/or
training made you more marketable and
capable in this field? Did you have any
non-traditional training that helped you in
your career?
I would say my knowledge of the field and my
certifications. You have to have the basic technical knowledge. Does that mean that I need
to know how to program in my job? No, it
doesn’t. Does that mean that I have to know
how to configure version X.Y of a specific firewall? No, there are people who do that for me.
But do I need to know what type of firewall
is which and what the capabilities are?
Absolutely. I don’t need to configure that
sort of thing per se, but if you don’t know the
basics as far as functionality and design are
concerned, you’re not going anywhere. Having
this basic knowledge gets you to a certain point
in your career. To go further, you need to
understand the business that you are working
in. Security doesn’t drive the train. The business drives the train and you have to make sure
the business is secure. You also have to have
some skills as far as when to say no and how
to say that gracefully. Basically, I am paid to
say no. My colleagues sometimes jokingly
refer to me as Director No, but I’m not here
to be a speed bump in the hallway that
people can run over. That’s not what I am
paid for.
What are the most exciting aspects of your
job? What do you like most about your job?
I like the challenge. Being Symantec, we get a
lot of trash thrown [we get a lot of hack
attempts] at us and so there is always something to do. Oftentimes it's new and I have to
work hard to figure out what it is. In that
regard, it’s interesting. In this role, I am often
working with our own product groups. Being
able to help shape our products is very nice.
I really like to see new technology. I work
fairly closely with our mergers and acquisitions. After they have done their initial sniff
test—checking the company’s viability, etc.—
they’ll often bring the technology to me and
ask, “So, what do you think of this technology?” I get to see a lot of technology. Some of
it is mature and a lot of it is from immature
companies but is really cutting-edge. It is very
interesting. I continue to be educated on the
job and that is important to me.
What do you dislike or find challenging
about your job?
This is easy. It is extremely hectic. The hours
tend to be hellacious. There is effectively no
down time. Other than if I am out of the
country on vacation in some place that is so
remote that it has no cell phones and
pagers—which I’ve actually done just to get
away—other than that I am on call twenty-four hours a day. There are certain things that
happen in which I absolutely better be called.
Many of those calls come at 3:00 A.M. or
whatever the case may be. You walk in the
door on a Friday night—drained from the
week, begin enjoying a glass of wine, and just
as you take off your shoes, the phone rings
and you have to head back because there are
perceived problems. I go back to make sure
that these “perceived problems” aren’t real
problems.
What advice would you give to a person
seeking a job in your field?
If you are a less experienced, more junior-type person, you absolutely have to have
technical certifications. The best ones out
there are SANS. It says a lot. When you get
more experienced, you have to have some
sort of management certifications, such as
Certified Information System Security
Professional (CISSP) and Certified Information
Security Manager (CISM). The certifications
are important because they are a third-party
seal of approval that you have some degree of
competency in the job. They are not a hardcore statement of your technical or security
management capabilities, but they do say that
you have a certain level of knowledge and a
certain level of experience to get the credential. So, it’s not to say that you would be the
perfect employee, but it does say to a
prospective employer that you are someone
worth checking out for available positions. If
somebody came to me and said, “I’m a security person. I’ve been doing this for ten years,”
and they had no credentials to show for it, I
probably wouldn’t even give them an interview because, number one, I have no idea of
what their skills are. I have no independent
evaluation of that from a third party whom I
trust to make that evaluation. And number
two, it says to me that they haven’t taken their
career seriously enough to invest the time and
the effort into getting those certifications.
Would you go to somebody who was not a
certified financial planner and allow them to
manage your portfolio? Probably not. Would
you go to a doctor who wasn’t licensed to
perform an appendectomy on you? I really
doubt it. Why would you turn your security
over to somebody who doesn’t at least have
some field credential?
The other thing that I look for when I screen
candidates—and perhaps it is a bit old-fashioned—but I really want someone with a BA
or BS degree. Not having a college education
is a red flag for me. People who have a
college education tend to be more
well-rounded. Well-roundedness is important
when moving up the chain and dealing with
teams and management. People who haven’t
been to college probably have a fairly straight
technical track. They probably have very
good technical skills, but try and put them
into a management position or try to get them
to talk to management and they often fail. It
doesn’t work.
I think it is very important in a technology
field like this to stay current. You really have
to stay up with the developments in your
field. Taking a six-month break may very well
make you a dinosaur. There is a lot of reading
that people should be doing to stay current
with developments in the field. I spend a fair
amount of time every day just reading various
sources. I read websites, mailing lists, and
various digests that stay up with security information. I probably spend an hour a day doing
just that to stay relevant. If you don’t do that,
it’s to your own detriment.
What qualities make someone a star
performer in this occupation?
Balancing technical knowledge with management skills is a star quality. The management
skills are not only project related, but frankly,
they are people related. Those who can
manage subordinates, their boss, and other
superiors will succeed.
Perry J. Steines
Manager of Intelligent Networks
Sprint Corporation, Enterprise Services Division
Certifications:
Cisco Certified Network Professional (CCNP)
Cisco Certified Design Professional (CCDP)
Cisco Certified Security Professional (CCSP)
Cisco Wireless LAN Support Specialist
Cisco Wireless LAN Design Specialist
Cisco Security Specialist I
Cisco Certified Network Associate (CCNA)
Cisco Certified Design Associate (CCDA)
Certified Novell Engineer (CNE)
Career Ladder:
Manager of Intelligent Networks
Manager Engineering of LAN/WAN Group
Systems Programmer V
Senior Systems Integrator I/Supervisor
Engineering of LAN/WAN Group
Systems Integrator V
Systems Integrator IV
Information Analyst III
Introduction to Computer Technology:
Radio & TV
Please tell us about your current position
and how you arrived there. How did your
career progress?
I have been involved in computers and
networking for almost eighteen years. My
degree is in electronic engineering and I
explored everything from mainframes up to
current technology. I have been at Sprint for
nine years and have traveled through various
positions from working as a design engineer,
systems level engineer, and systems programmer to figuring out what we should do with
routers. Programming the command-set for
any network equipment is extensive, because
you need to put in the commands in a certain
order to gain certain results.
In my current role, I am the manager of intelligent networks at Sprint. This position
requires me to understand the wireless LAN
technology on the Sprint campus—we have
the need to understand it better, have a better
design, and to deploy it on the campus, so
that we can have an infrastructure we can
build on.
I progressed to this position through a combination of obtaining additional certifications
and proactively investigating the high-tech
market. Prior to Sprint, I was at various
companies installing and supporting Novell
networks, where I had obtained the Certified
Novell Engineer (CNE) certification. I had
pursued that line of technology for a while
but then decided it was time to transition into
a different market. I was actually a vendor
contractor when I was at a previous company
and Sprint was one of my customers. The
Sprint customer I was working with held a
conversation with me one day and said,
“Sprint needs some new technology, also has
some new technology, and could use someone to solve these problems.” I was able to
convince HR of the necessity of this role at a
company such as Sprint, and when the job
opened up, I took it. My first job here was
supporting the SprintFAX platform from
Novell servers, routers, programming, and
automated systems.
The first step for me when I made this transition to Sprint was that I decided to pursue
additional certifications to confirm for others
regarding what I know about technology. It
also seemed like I should have these Cisco
certifications in order to invest into my own
career potential. Having a certification on the
résumé indicates to the employer that the
candidate at least has knowledge that is past
a certain level. I gained a lot from going
through the training courses. Certification
training in networking gave me a better
understanding of how to tie things together; it
provided an overview of how the network
works, which is critical to a large host of technologies and companies today.
Some comments on how I chose a training
company. When I looked into taking a training course, I not only looked at price, I looked
at value. This is defined to me as: what am I
getting for what I paid. I looked at the quality
of instructors, the support the training
company provides to the instructors, as well
as a training partner that is professional and
understands the customer’s needs.
Describe your typical workday.
There are two different pieces of my job. One
is the enhanced services side. This is a
revenue-generating platform for Sprint
Corporation. As the manager, I take care of
design engineering roles, as well as the security. I help design systems to be more resilient
than they are today. I deal with designing
more resilient internal and external connectivity, and place an emphasis on reliability and
scalability when I think about designing these
products.
Sprint has 15,000 people and 4 million
square feet of office space that encompasses
two regional data centers. In my second role,
I am in charge of making sure everyone in
these locations has connectivity. I manage a
group of engineers who do the engineering
for this network. I take the requests when
people are moving in and out of buildings.
Sprint is a large corporation that has many
different business units. In my role and in my
group, we have to make sure that we have
engineered solutions that enable our employees to perform their jobs by providing them
with reliable and resilient connectivity. This
now includes wireless LAN.
In terms of what goes on in a typical workday,
I check email and see what is going on—if
there are any issues people are having that have
an escalation possibility. I also interface with
executives and VPs. From there, it is communicating with my team, finding out the status
of a product, if there are any challenges or any
outages we may have had from the evening
before. Essentially when these outages occur, I
need to understand and identify the root
cause and perhaps what could happen in the
future and see if this is preventable. On average, if I can work eight hours a day, that would
be a good thing. I look at my schedule more
as a work-week, which is more or less around
fifty to sixty hours.
Which aspects of your education and/or
training made you more marketable and
capable in this field? Did you have any nontraditional training that helped you in your
career?
I think that pursuing certifications definitely
gave me a broader scope of technical knowledge. There is more to networking than
routers and switches. For example, there is
also web-caching and wireless LAN. Going
through training courses allowed me to
understand networking technology more
extensively, and that ultimately has helped me
to understand and better solve the business
problems that we have at Sprint, as well as to
meet the service-level demands of organizations that we have as customers. Without
continued training, as with certifications, we
tend to learn only what we need to know
today, but that doesn’t position us for the
future. Certifications give individuals an
opportunity to learn what the evolving
technologies are out there, which is critical to
a field such as technology. If I see a technology that I need to learn more about, I go to
training in order to learn that technology,
which helps with developing my career. It
happens with this training that I end up with
certifications.
My intent with training is not and has not
been to see the receipt of the certification as
the end point. Instead, I see the technology
and focus on the knowledge I gain as a result
of going through the training courses. I put an
emphasis on the technology so that I can
apply this knowledge to understanding business problems and come up with business
solutions—the side result of certifications is
that it confirms what I do know, which of
course helps to market my qualifications.
Recertification is also something that I
consider extremely important and I definitely
will pursue. Technology always evolves, so the
only way to keep current is to read, learn, and
stay constant with it. Because this is true, a
person would need to get recertified to
remain constant. So really, to me, the key is
always to understand the technology; the
tests just confirm to someone else that you
know this certain level of knowledge. It’s
absolutely critical to be current, so becoming
recertified with my Cisco certifications is
something that I will be pursuing. The
process at Cisco for recertifying security
specialists is not a generic one: they make
each individual take four different tests. This
requires you to put in much more work,
requires you to stay active with the technology and understand it thoroughly.
What are the most exciting aspects of your
job? What do you like most about your job?
I enjoy being presented with a business challenge. When we do something as a
corporation it is very visible to our customers.
There is the desire to take all these technologies and put them together in a way that
meets business objectives that will meet
needs. We aim for a technology that is
resilient and reliable when customers use the
new service that Sprint is offering.
In my job, I can’t control the applications,
because I work from a network perspective.
Networking is a foundation that enables
everything to happen, but it is not like the
products that Sprint creates. Success in the
networking arena, along with security, is evaluated differently. We have to make sure that
networking is not causing problems, and we
have to make sure that we are in fact securing
the environment. When a customer uses a
credit card, that person wants to be sure that
they are using something that does not put
privacy at risk.
So in my job, I know when I’m successful
when no one knows I exist. If a problem
arises, then it means that I have not been
successful at my task. The example I often
use, especially with my team, is that doing a
“successful” job in this team is akin to nerves
in a body. Nerves that are functioning in the
body carry about their operation with nobody
ever really thinking about what those nerves
are doing. Essentially, no one pays attention
to the nerves until someone can’t walk, can’t
talk, or has difficulty doing things like breathing. Nerve systems are similar to building a
secure network. If I do the job right, no one
knows I exist. If there are no problems in the
system and no one knows that we exist, that’s
when I know I’ve done something right and
our team is successful.
What do you dislike or find challenging
about your job?
I’m going to be honest: with today’s economy
and with businesses faced with the economy
going down, businesses are faced repetitively
with budgeting issues. Right now, we must be
able to find great solutions with less money.
As such, we are forced to reallocate
resources—tight budgets are the biggest challenges today in the business world and in my
job. A couple of years ago, that wasn’t quite
the challenge. Before, the challenge would be
to meet the market demand. The projects
would require network connectivity that had
never been done by companies, and in some
cases, we still may not yet have done. We had
to think of and develop products that we
never thought could quite exist. It was also
about trying to develop and create these
products in a compressed timeline in order to
get to the market first and gain the majority of
the market share. Making it to the market in a
timely manner demanded logistics to work
like clockwork—we had to design, test,
deploy, implement, and get our products to
the vendor and get them into production
within three months and often less.
Currently, the timeline is more extended
because of the state of the economy. Now,
there is also a significantly more rigorous
selection process. The selection of whether or
not your product is going to be offered into
the market is looked at more for ROI. If it is
more risky, they may not select it. Now, it is
more than just theory; you also need to test
the product, come up with the results, send it
on to finance where the finance people will
take a while to make the calculations on
whether or not sending a product to market
has a significant ROI. After those calculations,
the product will then be reconsidered for
entrance into the market, but not guaranteed.
What advice would you give to a person
seeking a job in your field?
I believe the security industry right now has a
lack of qualified experts, so this is a great
industry to get involved in, and certifications
are a great way to learn about this industry
and become better qualified. While existence
of security products is not a problem in the
security environment, this industry is greatly
lacking people that have the knowledge of
the total scope of security and how to implement a broad-based plan. While there had
been a market some time ago for security
knowledge and security networking knowledge, there has actually never been a greater
market than there is today. Given the incidents in the last year and a half, businesses
are becoming more interested in investing in
security technology and seeing it as being vital
to business operations.
The problem is that businesses can go out and
buy a bunch of intrusion detection systems
and firewalls, but to get it all to work is the
trick. The problem that this industry is
currently facing is that there are people out
there who do not understand it, because
traditionally, the departments of networking
and security have been separate. Security
tends to focus on securing hosts and implementing security. Networking is about
connectivity.
The next thing is that there are different
mindsets for people in networking than there
are for people in security. Currently, there is a
really big vacuum for people who understand
both sides. It is quite often the case that it is
difficult to move from networking into security. Technologies are out there, but there is
the need to implement networking and security into a single, cohesive environment. I
talked to a manager of a fairly large corporation recently, and they took the position and
said if anyone knew how bad security
management was in this company, they may
have had second thoughts about doing business with them. Yet they still have firewalls,
IDS, and other security solutions. The problem is that individuals don’t have knowledge
of both; this is where individuals need to act
on this opportunity. One way I recommend to
do so, is to pursue certifications.
When an employer is familiar with a type of
certification program, they know that the
individual was not only required to have an
understanding of theory but was also required
to perform real-time applications of learned
solutions and can be effective on the job. This
is key to entrance into this job market.
Overall, my advice to people is to seek the
technology first when in training, especially in
the developing security-technology/networking market.
What qualities make someone a star
performer in this occupation?
As a manager, the soft skills are really very
important to me when looking at an
employee—that was also true for myself. Soft
skills are not usually mentioned as being
a requirement because they are neither
communicated nor can be communicated in
a résumé. From a manager’s perspective, we
call it the “behavior interview.” In this interview, we are not only evaluating technical
skills but behavior. I look for people who are
not that opinionated—in the sense that the
individual thinks they know everything. I’m
more interested in people who say, “I know a
lot, I have a lot of good experience, but I realize I have a lot more to learn and want to
learn from other people.” I want them to be
proactive in sharing what they have learned
with other engineers. Similarly, I find an
employee valuable when that person also
wants to learn from other engineers.
Teamwork is another quality that is crucial for
the job—this is something I really try to scan
for during the interviewing process.
Also, it is extremely important in this industry
that employees know how to relate to people
not only in their group, but also external to
their group and outside the organization or
company itself. The IT department of an
organization is largely a service group, in the
sense that its employees provide services
external to their group as well as external to
the organization. Because of that, these
individuals need to have the skills to communicate technical terms in such a way that their
customers and clients can understand the
technology or product. Not only do these
individuals have to gather what their clients’
and customers’ requests are, but they must
understand what the customer actually wants,
and communicate the solutions to the problems in a way that also does not insult the
customer. There is definitely a communication piece to being successful in technology.
Julie Wilcox
Sales Systems Engineer
Sun Microsystems, Inc.
Degree/Certifications:
MA in Science in Information Systems
Career Ladder:
Sales Systems Engineer
Graduate Student at Northeastern University
Environmental Consultant
Introduction to Computer Technology:
Circuit Tester
IBM
Apple
HP PC
Sun Workstations
Please tell us about your current position
and how you arrived there. How did your
career progress?
My current position is a sales systems engineer. This is basically someone who
understands what the software products are,
can explain how the product could be implemented in a real-life environment, can
identify any components that are missing
from the solution, and help the customer
understand the full range of technology that
Sun offers. This involves explaining how the
technology can fit into their architecture.
Sometimes this involvement with the
customer takes a proactive engagement with
the IT department. At other times, it is a reaction to a request where someone has
identified a hole and the customer will seek
me out to help them with figuring out the
possible solutions to the identified problem.
In terms of how I transitioned to this job and
this position, I am originally from the Bay
Area and after I graduated with an
Environmental Studies degree, I moved to
Massachusetts and went into an environmental consulting job. I learned at that job that
working outdoors on the East Coast was not
for me, and I did not feel like I could change
much of what was going on in the environment. Looking back, I think I came in with a
naïve view of what environmental consulting
would be like.
Finding my first job out of college took a long
time, so in making decisions along my career
path, one of my main objectives was to have
skills that would allow me to be employable.
After a couple of years working in environmental consulting, I looked into getting a
higher degree. I went to a college fair and was
looking into doing an Environmental
Engineering Master’s degree. I talked with
someone at Northeastern University and told
them I was kind of on the fence and
wondering if I should go into something
computer-related. And his suggestion was,
“Well, why don’t you open the ‘Help
Wanted’ section of the newspaper and see
where all the jobs are right now?” In looking
at the paper, it was clear to me that the
computer field was where the jobs were and
would be in the future. The person I talked
with at Northeastern told me of a program
offered there for people who don’t necessarily come from a high-tech background, but
still offered the opportunity for these people
to get a Master’s degree in two years from
their College of Engineering. The program is
focused for women in engineering and it
sounded like it would be the perfect place for
me to go. The Northeastern program was
really great; it was focused on programming,
data structures, computer architecture,
networking, and project management. I
looked into the program, took the GRE,
applied, and enrolled in 1996. Two years
later, I found my first job at Sun Microsystems.
Even after my two years in graduate school, I
wasn’t exactly sure what I wanted to get into.
I spoke with a friend who graduated the year
before me and had a job as a systems engineer at Sun. I found out what her job
description was like, and it seemed like
something I could do well. This job basically
allows me to interact with people as
customers and utilize my technical background.
Because of my technical background, I am in a
position to explain new technologies to customers.
Describe your typical workday.
The great part of this job is that there is always
something new to learn, investigate, and
discover. On a typical workday, I come into
the office and I look at the hot emails that I
have received. Of course then I have my giant
list of things to do, which are added onto the
day’s work. In answering my emails, it is a lot
about responding to requests that people
have for product information.
Right now, Sun IT has a number of projects
where they have requested additional feature
enhancements to our products. As a team, we
take the feature requests for enhancements
and get a detailed sense of what the IT
department is looking for. We then send those
to the product team and they give us an idea
of the timeline when these requested features
can be built into the product. Currently, we
are focusing a lot on product quality: providing account management and product
support, making sure that the products don’t
have bugs, and relaying the problems that
have arisen to the appropriate individuals.
On the customer side, our team meets with
the developers and the operations and strategy and planning departments. We strive to
achieve complete customer satisfaction from
all IT departments.
Which aspects of your education and/or
training made you more marketable and
capable in this field? Did you have any
nontraditional training that helped you in
your career?
At Northeastern, I attended a number of
career seminars, and took advantage of
learning about what is required to make it in
the high-tech industry. These seminars were
not necessarily focused on the technical
end of learning. Some of the courses or additional training opportunities that I took
advantage of focused on interviewing skills,
team-building, giving presentations, and
other soft skills. Taking these courses definitely
made me aware of a fuller picture of what
makes a successful candidate for a position in
high tech.
For the future, I have always thought about
getting an MBA in technology or taking some
additional courses. It’s not so much that I
need the MBA—but a need to fulfill the
desire to obtain the knowledge that such a
degree program offers. I think that being in a
formal program makes you committed to
learning the material. It is important that you
make the effort to learn on your own, but you
may not end up spending as much time learning what you need to know if there is not a
broad-based course structure to teach you the
realm of knowledge you will need.
What are the most exciting aspects of your
job? What do you like most about your job?
I have always been interested in learning,
especially learning something new. When I
came into this job, I didn’t know how an IT
group as large as Sun Microsystems worked. It
has been extremely interesting for me to
learn how all of the different systems and
applications are networked across the world.
I have also found it a great experience to
learn more about how each department has
its own application—whether it is for HR or
the sales department—and how applications
all tie into a single authentication system
where users are given access to specific
areas. I had no idea prior to being at Sun how
this all works.
Specifically in terms of security, it has been
very interesting learning and understanding
how an outside customer deals with security.
In my current role, I am learning how Sun
ensures security. Security is definitely something Sun is very focused on. Sun has very
high standards on how data sits in a system
and who has control of it. There are clearances that everyone has to get in order to
access an application or to be granted access
to a server. That clearance must go through
several different levels of approval. In sum, I
have definitely learned a significant amount
of the organizational aspects of how a large
company functions.
What do you dislike or find challenging
about your job?
I think one of the greatest challenges about
this job is staying current. While it is true that
there has always been and will continue to be
programming languages and software, there
will also always be the evolution of these
technologies. The theory behind these may
stay the same, but the structure and how they
are programmed into an application may
change. The specifications and the actual
language is always evolving and changing.
Therefore, one of the biggest challenges is
staying current on all of the latest technologies. The fact that you learned XML, which is
based on previous markup languages, may
have been sufficient for one job, and then
another job requires that you must also
understand how it is extended to be used in
business transactions. There are also new
methods to web design, as well as changes to
the architecture of web services. The theories
behind them are similar, but it is critical in this
industry to understand the nuances of each
new development in order to work most
effectively.
What advice would you give to a person
seeking a job in your field?
For people who are already in IT, I would
recommend that they seek out a job rotation.
At Sun, this is something they promote. My
suggestion would be to do a job rotation as
part of a sales team. Try out what it’s like to
be part of professional services, pull yourself
out of your typical world and try something
you’ve never done before. You’ll get out of
your routine, and this will help keep you from
getting stale.
For someone who is completely outside of
technology and interested in entering into this
field, my recommendation would be to take a
couple of classes and take the time to talk to
as many people as you know who work in
different job functions at different high-tech
companies. Take the time as well to talk with
people who work in the IT departments of
[non-technology] companies such as banks
and insurance firms. There are a number of IT
people who are needed in industries such
as banking and insurance. Because these
industries have very forward-thinking IT
departments, this will keep the job interesting, especially in terms of security technology,
because that is becoming extremely important to businesses.
When I think of people I work with who are
also involved in security and security applications, I think there is a lot of information that
is specific to security protocols that needs to
be learned. Also, I think you definitely need a
lot of heavy-duty training in network security
wrapped around a good overview of
computer technology in general. For example, a person could be talking about SSL
(Secure Sockets Layer), but they may also
need to know how Java or Java security
works.
What qualities make someone a star
performer in this occupation?
This is definitely the type of job where you
must be independent, be able to work in a
team, and be resourceful. People here at Sun
are always willing to help; there are definitely
a lot of resources to tap into. The company
has over 30,000 people, so you definitely can
and should take the initiative to seek people
out. My style of learning, in particular, is
through interaction: if I can learn something
in ten minutes, because I have someone who
[has] the knowledge and can teach it to me,
it’s much more efficient and beneficial than
spending several hours trying to learn it over
the Internet.
In this job specifically, it is important to be
confident about what you know, as well as to
be able to explain complex products to
people who want to turn around and decide
to purchase them after only a couple of
conversations. It is important to be able to
communicate effectively and be organized.
You have to deal with hundreds of projects
and over thirty products. You need to organize in your mind whom you’re dealing with in
certain projects, the products that exist in the
company as a whole, the types of products
that are being requested, and the main goals
of the projects you’re dealing with.
Right now, I work with the Sun One suite that
has thirty products. You definitely can’t be an
expert on all thirty products, but you need to
have a good idea about what they all do and
know who the expert is on that product. The
point is, a person needs to be resourceful and
seek out the appropriate expert. Currently, I
work in a team of systems engineers, support
engineers, an account manager and a
program manager and we all have to be
somewhat familiar with all the products. In
that, you lose a lot of detail, but that is where
you need to take the initiative and be
resourceful.
LC Boros
Network Engineer, CCNA
PGP Corporation
Career Ladder:
Network Engineer
Systems Engineer
ResNet Manager
Systems Specialist
Network Administrator
Introduction to Computer Technology:
Macintosh 512K
Please tell us about your current position
and how you arrived there. How did your
career progress?
Right now, I handle everything from our email
and web servers to anything that has to do
with a computer or a computer system. About
30 percent of my time is dealing with systems
and security, but I also take care of the safety
and security of the building by making sure
that the alarm system is functional and the
drains and the gutters out on the roof are
clear. I manage all the additions, removals,
and changes on our PBX phone switching
system and then I take care of all the computers, network servers, web servers, and the
network gear. The work I’m doing now is
mid-to-senior system/network administration,
and the problems are fairly complex—mostly
planning and putting new security measures
in place. I have to figure out what’s going on
or going wrong. Sometimes it’s a bug in the
system. Sometimes it's, “Oh dear, I did that?
That was stupid.” Ultimately, I sort it out and
usually don’t make the same mistake twice, so
who knows.
As for how I ended up working with computers, it all started in 1994, when I was hired for
two months to build a Macintosh-based small
network for a manufacturing set-up in
Cleveland, Ohio. Then I went to England and
was faced with having to use Microsoft
Windows, so I learned SunOS instead. When
I came back from living in England, I decided
that it would be nice to have a job to pay
back the loan I had taken out for overseas
expenses. I started as a student tech at the
Ohio State University (OSU) and that turned
into a full time job after I graduated. Over the
years there, I held several different positions
until I ended up managing the residential
network in the dorms. It was a huge
network—about 11,000 ports—and I had
about 40 college kids working for me. It was
a great job, but there never seemed to be
enough time in the day, so I eventually left
Ohio and the snow there. I moved out west
to work for a telecom as a sales engineer.
Sales jobs are fun and all, but they are frustrating because you can’t be the one to
actually fix the problem. You have this poor
customer on the phone who just wants their
issue resolved and you are completely powerless. You can only go and find people and
harangue them until the problem gets fixed.
Anyway, to make this long, convoluted story
short, a friend of mine knows my boss at PGP,
and he was looking for someone to replace
contractors. It took about a month of phone
calls back and forth, but eventually they
brought me in for an interview and then
made me an offer.
Describe your typical workday.
Sometimes I wake up in my office. I'm not
kidding. I have a beanbag chair under one of
my desks for such events. Usually though, I
stumble out of bed and check from home if
anything is “on fire” at work. I usually make
it into the office between 9:00 A.M. and noon,
unless I’ve been at work until 2:00 A.M. or
3:00 A.M. doing network changes. In that
case, I won’t be in until the afternoon. Once
I get in, there’s an average of three “fires” that
need my attention. My assistant, Jason, may
have questions on something, and then I have
to deal with all of the purchase requests. By
the time things quiet down, it is usually 2:00
or 3:00 in the afternoon. I then start working
on regular tasks, although sometimes around
3:00 P.M., I give up and go home to work, as
it is quieter there and I can get more done.
Which aspects of your education and/or
training made you more marketable and
capable in this field? Did you have any nontraditional training that helped you in your
career?
I’m an English major with minors in theater
and Spanish literature. None of those have a
lot to do with my career, but when I first
started, I could tell people very nicely to “go
away,” or solve their problems and tell them
that they were wrong while making them feel
good about it all at the same time. Seriously,
my education enhanced my critical thinking
and made me more capable of strategically
picking things apart. I love those little logic
puzzles where they say, “Jan has apples,
oranges and pears in bins. One bin can hold
five items….” I love those things, and
computers are one puzzle after the next.
What are the most exciting aspects of your
job? What do you like most about your job?
This work is fun and very challenging, and I
like the people I work with. I came into this
company knowing what PGP is, and the idea
of working for PGP was a major draw. In
terms of “geek points,” when you tell people
that you work for this company and they
know anything about computers, they say
“The PGP?” I also like my office because it has
a door. That comes in very handy when I'm
here all night and need a nap before I can
safely get myself home.
What do you dislike or find challenging
about your job?
It is very demanding and very tiring. When I
was hired, my boss was worried that this job
would take over my life, but I make sure I get
some down time—otherwise my health
would slip and I just wouldn’t be a happy
person. I try very hard to make sure that
I have some kind of normality in my life. I
know that I have to have some time when I
can just stop working for a bit or otherwise I’d
go insane. I don’t leave it often. I mean, I
haven't had a weekend off in… I don’t know.
When I do get away, it may just be for a
couple of hours and I may just do things like
sit in front of the TiVo for an hour with my
crocheting, my dog, or my birds—but not
with a computer.
What advice would you give to a person
seeking a job in your field?
It’s a bit tricky giving advice to people about
how to get a job. Usually for me, it’s all about
networking and building bridges. I mean
those in the non-computer sense. In many
cases, your friends, coworkers, and contacts
are your best assets. Another thing to remember is never be too hasty. Value all of the
contacts you make because if you burn one
relationship, you most likely won’t get it back.
Being a woman, I’ve been on both ends of
the spectrum and my experiences have varied
greatly. I’ve worked in jobs where being a
woman was an asset or didn’t make any
difference. I’ve also worked in places where it
was a problem. When I worked for OSU, I
had to recruit women. It was very difficult.
Women in the networking and programming
field are rather scarce. My advice—especially
for women—is just be yourself and don't
worry about what others think. In terms of
actually acquiring the knowledge you need
to do a job—just do it. Computers are so
cheap now that there is no reason why you
shouldn’t know at least three operating
systems. I know Windows and I’m also fluent
or just pretty good with Linux, Solaris, Cisco
IOS, FreeBSD, NetBSD, and of course Mac
OS. I recommend acquiring a broad range of
skills. Take a class. Read a book. There’s no
excuse for not having some skills if you want
to work in this industry. Once you have a few
skills—assuming you have some personality
and don’t live under a rock—you’ll find something to do with them.
What qualities make someone a star
performer in this occupation?
A lot of perseverance and some logical intelligence. Success is mainly achieved by those
who know what they know; know what they
don’t know; and know who to ask so that
they will know.
Section 6
Practices
and
Projections
Best Practices
Best practices are those routines and/or
procedures that have proven to be effective in
achieving a set goal. In the security technology industry, there are some basic methods
that have been established as a “best practice.” Most of these practices (e.g., using a
firewall, controlling physical access to terminals, and backing up critical data) are
considered to be elementary methods of data
security. Although the controls that fall under
best practices are essential for the security of
data, they are ineffective if users are ignorant
about the role they play in protecting the
integrity, confidentiality, and availability of
information.
Security Standards for
Business
It is increasingly important for companies to
manage security as a vital component of their
business strategy. In an effort to protect assets,
the business world is beginning to put extensive control practices in place. Industry
standards are the key to making information
security a mature discipline and security standards for business are ever-evolving. Every
few years, a new standard or set of guidelines
is presented to further clarify the same basic
principles and practices of its model predecessors. None, thus far, have been mandated
as strict industry rules. The industry recognizes that information security cannot rely on
technical abilities alone. The increase of legal liabilities, physical and cyber terrorist threats, as
well as elevated concerns from business
stakeholders is pressuring the industry to
establish a cohesive and global security
framework.
In 1996, the National Institute of Standards
and Technology (NIST) introduced a set of
guidelines in a whitepaper known as the NIST
Special Publication 800-14 (NIST 800-14).
NIST 800-14 is intended to guide the installation and management of security systems. It
describes eight principles based on the guidelines set forth in 1992 by the Organization for
Economic Cooperation and Development
and contains 14 practices (Tables 23 and
24).[51] For some businesses, NIST 800-14 still
serves as a resource to develop a sound security structure, but the latest standard of best
practice, ISO Standard 17799, is receiving
stronger recognition.
Table 23: NIST 800-14 Principles
1. Computer security supports the
mission of the organization.
2. Computer security is an integral
element of sound management.
3. Computer security should be cost
effective.
4. Systems owners have security
responsibilities outside their own
organizations.
5. Computer security responsibilities
and accountability should be made
explicit.
6. Computer security requires a
comprehensive and integrated
approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by
societal factors.
Table 24: NIST 800-14 Practices
• Policy
• Program management
• Risk management
• Life cycle planning
• Personnel/user issues
• Preparing for contingencies and disasters
• Computer security incident handling
• Awareness and training
• Security considerations in computer support and operations
• Physical and environmental security
• Identification and authentication
• Logical access control
• Audit trails
• Cryptography
ISO Standard 17799
ISO 17799 is an international security standard
set by the International Organization for
Standardization (ISO). Businesses are increasingly using ISO 17799 as a framework to
define, implement, and measure their organizational security posture. According to an
online poll conducted by CSO Magazine, 69
percent of those surveyed indicated that they
were using ISO 17799 to manage the information security of their business. Based on the
British Standard 7799, ISO 17799 is currently
the most globally recognized security standard
for managing information security systems.
Although called a “standard,” ISO 17799 is a
set of guidelines that spotlights 10 control
areas:
• Overall security policy
• Organizational security
• Asset classification and control
• Communications and operations
management
• Personnel security
• Physical and environmental security
• System access control
• System development and maintenance
• Business continuity planning
• Legal or contractual compliance
Generally Accepted Information
Security Principles (GAISP)
The Information Systems Security Association
(ISSA) is in the process of developing the
Generally Accepted Information Security
Principles (GAISP). Much like the Generally
Accepted Accounting Principles in the
finance industry, GAISP is intended to standardize the information security industry. It
will also serve as a measuring tool to evaluate
a business’s level of security. This effort will
take the ISO 17799 framework and create a
common method of guidance that will give
organizations a specific three-tiered body of
security governance. The first version of the
GAISP will debut at the end of 2003 and is
expected to enhance global information
security in the following ways:
• Promotion of good information security
practices at all levels of organization
• Increase of management confidence that
information security is being assured in a
consistent, measurable, and cost-efficient
manner
• Increase of productivity and operational
cost efficiency in well-secured and
controlled environments
• Decrease in costs of meeting global principles rather than piecemeal and varied,
local guidelines
GAISP Three Levels of
Guiding Principles
• Pervasive Principles—Targeting governance and executive-level management, the Pervasive Principles outline
high-level guidance to help organizations solidify an effective information
security strategy.
• Broad Functional Principles—Broad
Functional Principles are the building
blocks of the Pervasive Principles and
more precisely define recommended
tactics from a management perspective.
• Detailed Principles—Written for information security professionals, the
Detailed Principles provide specific,
comprehensive guidance for consideration in day-to-day information risk
management activity.
NSTISSI 4011 and 4014
Having good security practices and principles
is a futile effort if employees are not properly
trained to implement and evaluate security
procedures. The Committee on National
Security Systems (CNSS), formerly known as
the National Security Telecommunications
and Information Systems Security Committee,
created the National Training Standard for
Information Systems Security Professionals
(NSTISSI 4011) and the National Training
Standard for Information Security Officers
(NSTISSI 4014).
NSTISSI 4011 establishes a minimum set of
education standards and training requirements for information systems security
professionals. NSTISSI 4011 and 4014 are
specifically intended for government training,
but the guidelines are applicable to industry
and the academic world. The 4011 model
provides two levels of knowledge: Awareness
and Performance. The Awareness Level presents information security professionals with
information about security threats and vulnerabilities and establishes the need to protect data
through accepted principles and practices.
The Performance Level gives professionals the
necessary skills to advise, design, implement,
and evaluate procedures and practices.[52]
NSTISSI 4014 sets minimum training guidelines for information systems security officers
(ISSO), such as chief security officers or chief
information security officers. It is divided into
three training objectives: Entry, Intermediate,
and Advanced.
• Entry Level: Given a series of hypothetical
system security breaches, the ISSO will
identify system vulnerabilities and recommend security solutions required to return
the systems to an operational level of trust.
• Intermediate Level: Given a proposed new
system architecture requirement, the ISSO
will investigate and document system security technology, policy, and training
requirements to assure system operation at
a specified level of trust.
• Advanced Level: Given a proposed information system accreditation action, the
ISSO will analyze and evaluate the system
security technology, policy, and training
requirements in support of designated
approving authority approval to operate the
system at a specified level of trust. This
analysis will include a description of the
management/technology team required to
successfully complete the accreditation
process.[53]
Future Trends in
Security Technologies
The security technology industry is undoubtedly a hot marketplace and, as no particular
entity or institution is exempt from the need
to protect vulnerable assets, this industry will
only gain greater exposure as it continues to
evolve. Several factors such as standards,
convergence, and consolidation, as well as
paradigm shifts, will be significant catalysts in
shaping what types of security technologies
will be developed and what the overall security industry will move toward in the next
several decades.
Where Have We Been?
It was originally believed that firewalls were
the essence and key to maintaining a secure
system. The standard method of protecting
a computer system was through perimeter
defense or, in other words, a hard exterior but
a soft interior. Technologies used to achieve
such a model include firewalls, intrusion
detection systems (IDS), application proxies,
54
and virtual private network (VPN) servers.
However, while there is a growing amount of
software, new patches, and new configurations, each of these emerging technologies
poses a potential new risk, not to mention the
fact that with each new added device, there
is a resulting exponential increase in both the
complexity and the vulnerability of the
system. Given that a system is only as secure
as its weakest link, a growing number of links
means a growing number of weaknesses. The
perimeter defense system still exists and functions but, as the industry matures, different
ways of thinking about security evolve.
Standard technology, like firewalls, intrusion
detection systems, and virus software can
help defend against cyber-risk, but by all
accounts, is not presently positioned to
remove such risk. The inescapable reality is
that no one connected to a network is safe
from crackers.
What Has Changed?
Another factor shaping the direction of this
industry is that attackers of information security systems are creating and utilizing
increasingly complex methods of attack. For
example, blended threats—threats that use
multiple means of propagation and require an
integrated response from more than one technology—have infected multiple systems. With
Nimda, 2.2 million systems were affected in
three days, and infection occurred by email,
web server, files on affected machines, web
browsing, and shared drives. “Klez,” another
blended threat, traveled around the world in
2.5 hours. Real-time awareness of infections
is critical, and as the complexity and speed
with which systems are infected grows,
today’s information security solutions have
only fragmented functionality and lack an
integrated approach. Because management
of these solutions has traditionally been non-cohesive, the advantages of an integrated
approach are increasingly viewed as a greater
necessity.[55]
Where Are We Going?
There are several new methods of thinking
through the direction in which security
technology is headed. Major industry leaders
agree that it is not cost efficient to have a
range of non-integrated approaches to solving
a weakness in a system. There is a growing
agreement among industry leaders that physical, operational, and technological control in
combination will be the only method of
achieving a cost-efficient security solution in
the future. Addressing only one portion of a
complex problem through a piecemeal
approach is not only inefficient but costly.
The buzz phrase “integrated security
systems” is gaining greater attention among
companies, and the demand for such solutions
is one of the latest trends in the security technology
industry.
Secure Identity Management (SIM)
One of the latest cutting-edge technologies
that is gaining an increasing share of the
current market—and the anticipation is that it
will continue to do so—is Security Identity
Management (SIM).[56] SIM serves as the platform on which the entire identity
management infrastructure of a networked
system is connected to one automated
system. The thought behind this technology is
that a single comprehensive approach
allows companies to manage all products
with respect to access control of information
based on the identity of the user. SIM is
software that, when installed, is responsible
for automating the accessibility of information
requested by a user from any particular database in a network. Bill Maxey, Product Line
Manager of Novell Security Solutions, Access
Management and Security, stated:
“It is not sufficient to have just a firewall
anymore; instead, we need a comprehensive approach to the entire realm of
components that are included in a security
architecture. SIM is the cutting edge of technology and is a completely new way of
thinking of the future of this industry.”[57]
One example of how this technology has
been aiding security in transactions within
the business world is the Star Alliance—the
global airline alliance consisting of United
Airlines, Scandinavian Airlines, Thai Airways
International, and Air Canada. As recently
implemented by the Star Alliance, SIM
provides employees, customers, partners, and
suppliers real-time information about changes
and updates.[58] This is achieved by governing
access for all employees of member airlines,
synchronizing critical information about
changes in individual member airlines, and
thereby supporting cross-airline application
access, while meeting security requirements
for complex identity management.
In addition to SIM, which is focused on
managing the identities of users of a system,
there has been collaborative movement
around the integration of physical and cyber-security technologies as the next hot trend on
the market. Although the design, production,
and implementation of such a device have not
yet evolved into a product, there is a considerable amount of effort among companies to
head in that direction. The effort is aimed at
exploring how to integrate security management software, such as SIM, with physical
security devices, such as smart cards, into one
security system. Groups that are working
to this end include the Open Security
Exchange, which is committed to determining
how to link building security systems with
cyber-security systems by delivering “an interoperability specification to support the
effective integration of these diverse areas of
security management.”[59]
Understanding that there is greater cost-efficiency when physical, personnel, and
technological security are viewed as a single
entity requiring protection, industry leaders
are introducing products and beginning
discussions around vendor-neutral solutions
to address this new paradigm shift in security
technology. According to Bruce Lowry,
Director of Public Relations at Novell, “Unless
companies, organizations, and individuals
have an awareness that there is a fundamental shift in the industry toward the integration
of the various parts of security, the industry
will not be successful in keeping the growing
wealth of critical information secure.”[60]
Appendix
A. Acknowledgements
B. Works Consulted
C. Endnotes
D. Education and Training Resources
E. Industry Resource Websites
F. Occupational Definitions
G. Glossary of Industry Terms
H. Certifications
Acknowledgements
Anagram Laboratories
Palo Alto, CA
Thomas A. Berson, Ph.D., Founder and Owner
Ascolta Training Company
Irvine, CA
Irene Kinoshita, President and CEO
Cisco Systems, Inc.
Austin, TX
Rick Stiffler, Senior Manager of Security and Emerging Technologies Training,
Internet Learning Solutions Group
San Jose, CA
John Knopp, Product Line Manager for the Internet Learning Solutions Group
Chi Wong, Director of Product Marketing
City of Sunnyvale Information Technology Department
Sunnyvale, CA
Shawn Hernandez, Director of Information Technology
Bob Trepa, Technical Support Manager
Cryptography Research, Inc.
San Francisco, CA
Benjamin Jun, Vice President
FBI San Francisco Division
Martin Mijalski, Special Agent Recruiter
ISSA Silicon Valley Chapter
Cupertino, CA
Nancy Bianco, President
InfoSecurity Infrastructure, Inc.
Sausalito, CA
Charles Cresson Wood, Independent Information Security Consultant & Author
Latham & Watkins
Menlo Park, CA
Anthony R. Klein, Partner, Corporate Department
Marsh Risk & Insurance Services
San Francisco, CA
Arturo Perez-Reyes, Vice President
MediaSnap
San Jose, CA
Peter Murray, CFO and Executive Vice President
Mission College
Corporate Education & Training
Santa Clara, CA
Gloria DeMarco, Program Manager
Lin Marelick, Dean of Workforce and Economic Development
David Patrick, Faculty
Ingrid Thompson, Program Manager
Nadel Phelan: Strategic Technology Communications
Scotts Valley, CA
Karin Walsh, Senior Account Manager
Novell, Inc.
San Francisco, CA
Bruce Lowry, Director of Public Relations
Provo, UT
Karl Childs, Certification Program Manager
Tampa, FL
Bill Maxey, Product Line Manager, Access Management & Security
NOVA Information Technology Department
City of Sunnyvale, Department of Employment Development
Elton Hughes, Information Technology Specialist
Charles Serfoss, Information Technology Specialist
Ortega Infosystems, Inc.
Santa Clara, CA
Steve Chu, CTO
PGP Corporation
Palo Alto, CA
LC Boros, Network Engineer
Jon Callas, CTO and CSO
Qualys, Inc.
Redwood Shores, CA
Gerhard Eschelbeck, CTO
RSA Security
Bedford, MA
Art Coviello, President and CEO
Seagate Technology, Inc.
San Jose, CA
Edward Scalco, Researcher
Software Productivity Consortium
Herndon, VA
Bill Brykczynski, Chief Technologist
Sprint Corporation
Overland Park, KS
Perry J. Steines, Manager of Intelligent Networks
Sun Educational Services
Broomfield, CO
Douglas Engle, Sun Education Customer Support Representative
Bee Ng, Certification Manager
Sun Microsystems, Inc.
Santa Clara, CA
Sheila Couch, Senior Program Manager, Global Emerging Talent Trends
Julie Wilcox, Systems Engineer
Symantec Corporation
Cupertino, CA
Robert A. Clyde, CTO
Larry Dietz, Director of Marketing Intelligence
Neils Johnson, Principal Technologist, Enterprise Security
Melissa Martin, PR Manager
Tim M. Mather, Senior Director of Information Security
Works Consulted
Actel Definitions. Available: http://www.actel.com/products/rescenter/security/resources/glossary/glossary-body.html?print=true (3 January 2003).
Baumann, Reto. “Ethical Hacking: GSEC Practical Version 1.4 (Option 1),” 24 November
2002, Available: http://www.giac.org/practical/GSEC/Reto_Baumann_GSEC.pdf
(30 April 2003).
Blakeley, Tanisha. “Staying Ahead of the Curve,” Certification Magazine, March 2003,
Available:
http://www.certmag.com/articles/templates/cmag_department.asp?articleid=91&zoneid=63
(31 March 2003).
“Blended Threats: Case Study and Countermeasures,” Symantec Enterprise Security White
Paper, December 2001, Available:
http://www.istart.co.nz/index/HM20/PC0/PV21902/EX239/CS2206 (1 April 2003).
Blum, Daniel. “Federating Identity: Trends, Technologies and Best Practices.” RSA Security
Conference 2003. Moscone Center. (14 April 2003).
Bobkiewicz, Bartosz. “Layman’s Guide to Using Digital Signatures and Certificates,”
WindowsSecurity.com, 23 January 2003. Available:
http://www/cs.rit.edu/~jstl1734/crypt_paper.html (8 May 2003).
Boulton, Clint. “Studies: Security Services, Software on the Rise.” Internetnews.com, 5
February 2002, Available: http://www.internetnews.com/ent-news/article.php/968991 (17
March 2003).
“Bouncing Back: Jobs, Skills and the Continuing Demand for IT Workers,” Information
Technology Association of America, May 2002, Available: http://www.itaa.org/workforce/studies/02execsumm.pdf (9 April 2003).
Brocaglia, J., D. Foote, T. Lenzner, L. Kushner, L. Regener, and A. Briney “Infosec Job Market
Flies.” Information Security, January 2001, Available: http://www.infosecuritymag.com/articles/january01/features.shtml (23 January 2003).
Brown, Ken Spencer. “Valley Answering Nation’s Call for New, Better Security Technologies,”
San Jose Business Journal, 1 March 2002, Available:
http://sanjose.bizjournals.com/sanjose/stories/2002/03/04/story7.html (25 March 2003).
Brykczynski, Bill. “Using ISO 17799, Code of Practice for Information Security Management,
to Best Advantage.” RSA Security Conference 2003. Moscone Center. (14 April 2003).
California Employment Development Department, Labor Market Information Division,
“Employment Projections by Occupation,” 2003, Available:
http://www.calmis.ca.gov/htmlfile/subject/occproj.htm (2 May 2003).
“Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb for
Third Year in a Row,” Computer Security Institute, 7 April 2002, Available:
http://www.gocsi.com/press/20020407.html (23 March 2003).
DataMasters. “2003 DataMasters Salary Survey.” Available: http://www.datamasters.com
(2 May 2003).
“Definitions,” SearchCIO.com, 30 July 2001, Available:
http://searchcio.techtarget.com/sDefinition/0,,si19_gci212346,00.html (8 April 2003).
Delio, Michelle. “Why FBI Computer Force Ain’t Fat,” Wired News, 3 September 2002,
Available: http://www.wired.com/news/politics/0,1283,54850,00.html (16 January 2003).
Ducklin, Paul. “The ABC of Computer Security.” Sophos Anti-Virus for Business, April 1999,
Available: http://www.sophos.com/virusinfo/whitepapers/abc.html (23 January 2003).
Duffy, Daintry. “Pro and Con,” CIO Magazine on the Web, 1 June 2000, Available:
http://www.cio.com/archive/060100_con.html, (21 February 2003).
“E-Transaction Privacy: The New Requirement for Information Security Across the Extended
Enterprise,” Ingrian Networks, 7 March 2003, (12 March 2003).
Erbschloe, Michael. “Action Steps for Improving Information Security,” Cisco Systems, 19
November 2002, Available: http://www.cisco.com/warp/public/cc/so/neso/sqso/roi5_wp.htm
(17 March 2003).
Feldman, William and Patti Feldman. “Access Control Products—Specific Examples,”
Electricsmarts.com, 25 March 2003, Available: http://www.electricsmarts.com/content/security_accessspecific.asp (27 March 2003).
Foote, David. “Companies Need Security Pros with More Varied Skills,” Computerworld on the
Web, 9 July 2001, Available:
http://www.computerworld.com/securitytopics/security/story/0,10801,61965,00.html
(10 March 2003).
Foote, David. “Info Security Job Boom Inevitable,” ComputerWorld, 2 September 2002,
Available:
http://www.computerworld.com/securitytopics/security/story/0,10801,73893,00.html.
(1 April 2003).
Foote, David. “Security Still Pays,” Information Security Magazine, August 2002, Available:
http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January 2003).
Gabelhouse, Gary. “Certification, Salaries, & the IT Market,” Certification Magazine.
December 2002. Available: http://www.certmag.com/issues/dec02/feature_gabelhouse.cfm
(14 April 2003).
Gabelhouse, Gary. “Certification: Something of Value.” Certification Magazine, 2 April
2003, Available: http://ww.certmag.com/issues/dec01/feature_gabelhouse.cfm
(14 April 2003).
“Hackers, Crackers and Trojan Horses: A Primer,” Insurgency on the Internet, 29 March
1999, Available: http://www.cnn.com/TECH/specials/hackers/primer/
(1 April 2003).
Hasson, Judi. “Techies Turn to Security Training: Credentials Can be a Differentiator.” Federal
Computer Week, 7 January 2002, Available:
http://www.fcw.com/fcw/articles/2002/01017/mgt-train-01-07-02.asp. (27 March 2003).
“HIPAA Administrative Simplification News,” Center for Medicare & Medicaid Services, 31
January 2003, Available:
http://www.cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem12
(17 April 2003).
Hunt, Steve. “The Changing Nature of the Chief Security Officer,” 23 May 2002, Available:
www.gigaweb.com (30 April 2003).
Hurley, Edward. “Corporate Security Career Path Often Cultivated Internally,” Search
Security.com, 3 March 2003, Available:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci883476,00.html
(1 April 2003).
Johnson, Amy Helen. “Guardians of the Gate,” Computerworld on the Web, 15 July 2002,
Available: http://www.computerworld.com/printthis/2002/0,4814,72636,00.html
(25 November 2002).
Johnson, Neils. “Symantec Enterprise Security.” Data Security: Under Siege. Latham & Watkins.
Garden Court Hotel. (2 April 2003).
Jun, Benjamin. “It Takes A Village: Managing A Mission-Critical Security Project.” RSA Security
Conference 2003. Moscone Center. (14 April 2003).
Kabay, M.E. and Philip S. Holt, “Career Advice: Breaking into Infosec,” Information Security,
May 2001, Available:
http://www.infosecuritymag.com/articles/may01/features_career_advice.shtml. (24 March 2003).
Kizza, Joseph. “Types of Cyber-Attacks,” Chapter 3, Available:
http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt
(23 March 2003).
Klein, Anthony. “Legal and Contract Issues Regarding Data Security.” Data Security: Under
Siege. Latham & Watkins. Garden Court Hotel. (2 April 2003).
“Latest Computer Security News,” Security Stats.com, Available: http://www.securitystats.com
(23 March 2003).
Lowery, Jessica. “Penetration Testing: The Third Party Hacker,” Sans.org, 11 February 2002,
Available: http://www.sans.org/rr/penetration/third_party.php (31 January 2003).
McFadden, Joanne. “New Demand for Engineers: Security Services.” SiliconValley/San Jose
Business Journal, 7 February 2003, Available:
http://www.bizjournals.com/sanjose/stories/2003/02/10/focus3.html (17 March 2003).
McWilliams, Brian. “White-Hat Hate Crimes on the Rise,” Wired News, 13 August 2002,
http://www.wired.com/news/culture/0,1284,54400,00.html (19 February 2003).
Mitchell, Bradley. “Firewalls and Firewall Technology,” Computer Networking, 21 March 2003,
Available: http://compnetworking.about.com/cs/firewalls/index.htm (24 March 2003).
Munster, Eugene, Eric Fischman, David Meyer, and Tom Jennings. “Wall Street’s Perspective
on the Security Industry.” RSA Security Conference 2003. Moscone Center. (14 April 2003).
National Science Foundation, Division of Science Resources Statistics. “Science and Engineering
Doctorate Awards: 2001, NSF 03-300,” Susan T. Hill, Project Officer (Arlington, VA 2002).
National Security Telecommunications and Information Systems Security Committee. National
Training Standard for Information Systems Security Officers (ISSO) NSTISSI No. 4014,
August 1997.
National Security Telecommunications and Information Systems Security Committee. National
Training Standard for Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011,
20 June 1994.
“National Strategy to Secure Cyberspace,” Educause. Available:
http://www.educause.edu/security/nation-strategy/ (1 April 2003).
“Novell UDDI Server Supports Secure Identity Management,” The Cover Pages, 11
December 2002, Available: http://xml.coverpages.org/Novell-UDDI200212.html (3 February
2003).
Paterson, Kenneth G., Piper F., and Robshaw M. “Smart Cards and the Associated
Infrastructure Problem,” 2002, Information Security Group. Available: http://www.compseconline.com/gej-ng/10/23/44/76/52/26/article.html. (27 March 2003).
Thibodeau, Patrick. “California Leads Way on ID Theft Legislation.” ComputerWorld, 13
December 2002, Available:
http://www.computerworld.com/securitytopics.privacy/story/0,10801,76721,00.html?SKC=hacking-76721 (18 April 2003).
Perez-Reyes, Arturo. “Cyber-Insurance Solutions: First and Third Party Covers.” Data Security:
Under Siege. Latham & Watkins. Garden Court Hotel. (2 April 2003).
Pescatore, John. “The Future of the Information Security Market.” RSA Security Conference
2003. Moscone Center. (14 April 2003).
Phillips, Heather Fleming. “Domestic Security a Tech Bonanza,” The Mercury News on the
Web, 11 November 2002, Available:
http://www.bayarea.com/mld/mercurynews/4579521.htm (11 March 2003).
Poulsen, Kevin. “California Disclosure Law has National Reach,” SecurityFocus Online, 3
January 2003, Available: http://online.securityfocus.com/news/1984 (3 February 2003).
Price, Kori and Jason Dean. “E-commerce Security Countermeasures.” Florida State
University’s School of Information Studies, 16 June 2000, Available:
http://slis-two.lis.fsu.edu/~security/ecom2.html (17 March 2003).
Price, Kori and Jason Dean. “Hackers & Crackers: What’s the Difference?” Florida State
University’s School of Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/HackersCrackers.html (27 March 2003).
Price, Kori and Jason Dean. “How Viruses Work: Understanding the Computer Virus
Infection Process,” Florida State University’s School of Information Systems Studies, 16 June
2000, Available: http://slis-two.lis.fsu.edu/~security/HowVirusesWork.html (26 March 2003).
Price, Kori and Jason Dean. “Network Worms.” Florida State University’s School of
Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/NetworkWormsPG.html (26 March 2003).
Rasmussen, Michael. “IT Trends 2003: Information Security Standards, Regulations and
Legislation.” CSO Online. Available: http://www.csoonline.com/analyst/report721.html
(30 April 2003).
“Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal, 4 February 2003,
Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily28.html.
(28 February 2003).
“Robert Half Technology IT Hiring Index,” Robert Half Technology, February 2003, Available:
http://www.rhic.com (9 April 2003).
Rosenberg, Tim, Ron Plesco and Scott Zimmerman. “Legal Limitations of Ethical Hacking:
How Far is Too Far?” RSA Security Conference 2003. Moscone Center. (14 April 2003).
Ross, Seth T. “Computer Security: A Practical Definition.” Excerpt from Unix System Security
Tools Albion.com, Available: http://www.albion.com/security/intro-4.html. (3 March 2003).
Salois, Gene. “Driving Your Career: The Intrinsic Value of Certification,” Certification
Magazine, March 2003, Available:
http://www.certmag.com/articles/templates/cmag_feature.asp?articleid=89&zoneid=8
(31 March 2003).
Sandhu, Ravi and Pierangela Samarati. “Authentication, Access Control, and Audit.” George
Mason University. ACM Computing Surveys, Vol. 28, No.1, March 1996.
Scalet, Sarah. “Risk: A Whole New Game. Economics is Changing Information Security. You
Can Help Write the New Rule Book,” CSO Online.com, 9 December 2002, Available:
http://www.csoonline.com/read/120902/intro.html (17 March 2003).
Schneier, Bruce. “Following the Money, Negotiating for Security.” RSA Security Conference
2003. Moscone Center. (16 April 2003).
Shachtman, Noah. “Hackers Being Jobbed Out of Work,” Wired News, 30 August 2002,
Available: http://www.wired.com/news/culture/0,1284,54838,00.html (21 February 2003).
Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security,” RBC
Capital Markets (1 November 2001) Available:
http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003).
Stephens, Andrew. “Script Kiddies—What Are They and What Are They Doing?” SANS Info
Sec Reading Room, November 13, 2000, Available:
http://www.sans.org/rr/hackers/kiddies.php (23 March 2003).
Stiffler, Rick. “Security Training and Certifications Update” (PowerPoint slides presented at
Cisco Systems, Inc. for Analyst Briefing, San Jose, CA, April 2003).
“Survey of 538 IT Security Professionals,” Computer Security Institute/FBI Computer Intrusion
Squad, as quoted in “Security Statistics: Risk of Doing E-business,” Computerworld, 9 July
2001, Available:
http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html
(23 March 2003).
“Symantec Corporation 2002 Internet Security Threat Report,” quoted in Mullins, Robert.
“Cyber Attacks Decrease as Potential for Trouble Increases,” Silicon Valley San Jose Business
Journal, 3 February 2003, Available:
http://www.bizjournals.com/sanjose/stories/2003/02/03/daily8.html (21 February 2003).
“The Difference of Cipher & Code Encryption,” Cipher Encryption: Cryptography Software
and Resources. Available: http://www.cipher-encryption.com/cipher-code.html
(8 May 2003).
Tobias, Zachary. “Getting Started in Computer Forensics,” Computerworld on the Web, 9 July
2001, Available: http://www.computerworld.com/printthis/2001/0,4814,61876,00.html (25
November 2002).
“US Federal Security Legislation and Regulations.” Baker & McKenzie: Global E-Commerce
Law, 14 February 2003. Available: http://www.bmck.com/ecommerce/fedlegis-s.htm
(23 March 2003).
Vaas, Lisa. “Breaking the Code on Security Certs,” eWeek Security Supersite: News and
Resources for Security Professionals, 17 March 2003, Available:
http://security.ziffdavis.com/print_article?0,4281,a=38811,00.asp (27 March 2003).
“Viral Infection, Worms & Klez.” Network Abuse Report Site, 2
April 2003, Available: http://abuse.dragnet.com.au/content.php?mid=3&cid=5
(14 April 2003).
Wagner, Dave. “Why Firewalls are a Poor Investment.” RSA Security Conference 2003.
Moscone Center. (16 April 2003).
“What’s New: Presidential Strategies Released by The White House—February 14, 2003.”
Partnership for Critical Infrastructure Security. Available: http://www.pcis.org/
(6 March 2003).
Winkler, Ira. “Zen and the Art of Information Security.” RSA Security Conference 2003.
Moscone Center. (16 April 2003).
Worrall, John. “Beyond Technology: Impact of Security on Tomorrow’s Business.” RSA Security
Conference 2003. Moscone Center. (14 April 2003).
Endnotes
1. “Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal, 4 February
2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily28.html. (28
February 2003).
2. “Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal.
3. “Symantec Corporation 2002 Internet Security Threat Report,” quoted in Mullins, Robert.
“Cyber Attacks Decrease as Potential for Trouble Increases.” Silicon Valley San Jose
Business Journal, 3 February 2003, Available:
http://www.bizjournals.com/sanjose/stories/2003/02/03/daily8.html (21 February 2003).
4. “Cyber Crime bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb
for Third Year in a Row.” Computer Security Institute, 7 April 2002, Available:
http://www.gocsi.com/press/20020407.html (21 February 2003).
5. “What’s New: Presidential Strategies Released by The White House—February 14, 2003.”
Partnership for Critical Infrastructure Security. Available: http://www.pcis.org/ (6 March
2003).
6. “National Strategy to Secure Cyberspace.” Educause. Available:
http://www.educause.edu/security/nation-strategy/ (1 April 2003).
7. “US Federal Security Legislation and Regulations.” Baker & McKenzie:
Global E-Commerce Law, 14 February 2003.
Available: http://www.bmck.com/ecommerce/fedlegis-s.htm (23 March 2003).
8. “HIPAA Administrative Simplification News.” Center for Medicare & Medicaid Services,
31 January 2003, Available:
http://www.cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem12 (17 April
2003).
9. Poulsen, Kevin. “California Disclosure Law has National Reach.” SecurityFocus Online, 3
January 2003, Available: http://online.securityfocus.com/news/1984. (23 March 2003).
10. Thibodeau, Patrick. “California Leads Way on ID Theft Legislation.” ComputerWorld, 13
December 2002, Available:
http://www.computerworld.com/securitytopics.privacy/story/0,10801,76721,00.html?SKC=hacking-76721 (18 April 2003).
11. Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security.”
RBC Capital Markets, 1 November 2001, Available:
http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003).
12. Kizza, Joseph. “Types of Cyber-Attacks.” Chapter 3, Available:
http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt (23
March 2003).
13. “Survey of 538 IT Security Professionals.” Computer Security Institute/FBI Computer
Intrusion Squad, as quoted in “Security Statistics: Risk of Doing E-business.”
Computerworld, 9 July 2001, Available: http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html (23 March 2003).
14. “Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks
Climb for Third Year in a Row.” Computer Security Institute, 7 April 2002, Available:
http://www.gocsi.com/press/20020407.html (23 March 2003).
15. “Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks
Climb for Third Year in a Row.” Computer Security Institute.
16. Kizza, Joseph. “Types of Cyber-Attacks.” Chapter 3, Available:
http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt (23
March 2003).
17. Kizza, Joseph. “Types of Cyber-Attacks.” Chapter 3.
18. “Viral Infection, Worms & Klez.” Network Abuse Report Site, 2 April 2003, Available:
http://abuse.dragnet.com.au/content.php?mid=3&cid=5 (23 March 2003).
19. Price, Kori and Jason Dean. “Network Worms.” Florida State University’s School of
Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/NetworkWormsPG.html (26 March 2003).
20. Bobkiewicz, Bartosz. “Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows
Environment.” WindowSecurity.com, 23 January 2003. Available: http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html (5 May 2003).
21. Northcutt, Stephen. “What Was the Melissa Virus and What Can We Learn from It?”
SANS Reading Room, 22 April 1999, Available:
http://www.sans.org/resources/idfaq/what_melissa_teaches_us.php#4 (5 May 2003).
22. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security
White Paper, December 2001, Available:
http://enterprisesecurity.symantec.com/content/displaypdf.cfm?PDFID=152&EID=0 (13
March 2003).
23. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security
White Paper.
24. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security
White Paper.
25. Price, Kori and Jason Dean. “Hackers & Crackers: What’s the Difference?” Florida State
University’s School of Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/HackersCrackers.html (27 March 2003).
26. Price and Dean. “Hackers & Crackers: What’s the Difference?”
27. Stephens, Andrew. “Script Kiddies—What Are They and What Are They Doing?” SANS
Info Sec Reading Room, November 13, 2000, Available:
http://www.sans.org/rr/hackers/kiddies.php (23 March 2003).
28. Baumann, Reto. “Ethical Hacking: GSEC Practical Version 1.4.” SANS Institute, 24
November 2002, Available: www.giac.org/practical/GSEC/Reto_Baumann_GSEC.pdf (23
April 2003).
29. Ross, Seth T. “Computer Security: A Practical Definition.” Excerpt from Unix System
Security Tools Albion.com, Available: http://www.albion.com/security/intro-4.html. (3
March 2003).
30. Sandhu, Ravi and Pierangela Samarati. “Authentication, Access Control, and Audit.”
George Mason University, ACM Computing Surveys, Vol. 28, No.1, March 1996,
Available: www.list.gmu.edu/journals/acm/survey96(org).pdf (5 April 2003).
31. Sandhu and Samarati. “Authentication, Access Control, and Audit.”
32. Sandhu and Samarati. “Authentication, Access Control, and Audit.”
33. Sandhu and Samarati. “Authentication, Access Control, and Audit.”
34. Actel Definitions. Actel, Available:
http://www.actel.com/products/rescenter/security/resources/glossary/glossarybody.html?print=true (3 January 2003).
35. Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security.”
RBC Capital Markets, 1 November 2001, Available:
http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003).
36. “Definitions.” SearchCIO.com, 30 July 2001, Available:
http://searchcio.techtarget.com/sDefinition/0,,si19_gci212346,00.html (8 April 2003).
37. “The Difference of Cipher & Code Encryption.” Cipher Encryption: Cryptography
Software and Resources, Available: http://www.cipher-encryption.com/cipher-code.html
(8 May 2003).
38. Bobkiewicz, Bartosz. “Layman’s Guide to Using Digital Signatures and Certificates.”
WindowsSecurity.com, 23 January 2003. Available:
http://www/cs.rit.edu/~jstl1734/crypt_paper.html (8 May 2003).
39. “Definitions: Biometrics.” SearchSecurity.com, 18 December 2002, Available:
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211666,00.html. (28 March
2003).
40. “Bouncing Back: Jobs, Skills and the Continuing Demand for IT Workers.” Information
Technology Association of America, May 2002, Available: http://www.itaa.org/workforce/studies/02execsumm.pdf (9 April 2003).
41. Foote, David. “Security Still Pays.” Information Security Magazine, August 2002,
Available: http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January
2003).
42. “Robert Half Technology IT Hiring Index.” Robert Half Technology, February 2003,
Available: http://www.rhic.com. (9 April 2003).
43. Stiffler, Rick. E-mail Response from Interviewee, Senior Manager of Security and
Emerging Technologies Training, 13 May 2003.
44. Childs, Karl. Conference Call Interview with Novell’s Certification Program Manager by
Wei Kuan Lum, 24 April 2003.
45. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine,
(February 2003), Available: http://www.certmag.com/articles/templates/cmag_sg.asp?articleid=71&zoneid=74. (8 May 2003).
46. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine.
47. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine.
48. Robinson, Chad. “Security Certifications and Backgrounds: Identifying Real Employees.”
CSOonline.com, (25 April 2003), Available:
http://www.csoonline.com/analyst/report1279.html (7 May 2003).
49. Foote, David. “Security Still Pays.” Information Security Magazine, August 2002,
Available: http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January
2003).
50. “2003 DataMasters Salary Survey.” DataMasters, Available: http://www.datamasters.com
(2 May 2003).
51. Swanson, Marianne and Barbara Guttman. “Generally Accepted Principles and Practices
for Securing Information Technology.” September 1996, Available:
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf (17 April 2003).
52. National Security Telecommunications and Information Systems Security Committee.
National Training Standard for Information Systems Security (INFOSEC) Professionals
NSTISSI No. 4011, 20 June 1994.
53. National Security Telecommunications and Information Systems Security Committee.
National Training Standard for Information Systems Security Officers (ISSO) NSTISSI No.
4014, August 1997.
54. "Layers of Defense for the Small Office and Home Network." SANS Reading Room,
Available: www.sans.org/rr/homeoffice/layers.php (23 April 2003).
55. “Symantec Blended Threats: Case Study and Countermeasures.” iStart: New Zealand’s
e-Business Portal, December 2001, Available:
http://www.istart.co.nz/index/HM20/PC0/PV21902/EX239/CS2206 (8 May 2003).
56. “NetVision Product in Novell’s Nsure/SIM Solution.” Netvision, 27 February 2003,
Available: http://netvision.com/partners/novellnsure.html (23 April 2003).
57. Maxey, Bill. Conference Call Interview with Novell’s Global Solution Manager of Security
Solutions by Wei Kuan Lum, 24 April 2003.
58. Ranger, Steve. “Novell Lands Airline Security Deal.” Vnunet.com, 22 April 2003,
Available: http://www.vnunet.com/News/1140320 (23 April 2003).
59. “Comprehensive Security Management: Enabling the Convergence of IT and Physical
Security,” Open Security Exchange, 2003 RSA Conference (14 April 2003).
60. Lowry, Bruce. Conference Call Interview with Novell by Wei Kuan Lum, 24 April 2003.
Education and
Training Resources
American Business College International
650 North King Road
San Jose, CA 95133
Ph: (408) 258-0800
Fax: (408) 258-8553
www.americanbci.com
Institute of Computer Technology
589 West Fremont Avenue
Sunnyvale, CA 94087
Ph: (408) 736-4291
Fax: (408) 735-6059
www.ict.org
Computer Training Consultants
144 North San Tomas Aquino Road
Campbell, CA 95008
Ph: (408) 871-6636
Fax: (408) 871-6633
www.comptraining.com
International Technological University
1650 Warburton Avenue
Santa Clara, CA 95050
Ph: (408) 556-9010
Fax: (408) 556-9212
www.itu.edu
Evergreen Valley College
3095 Yerba Buena Road
San Jose, CA 95135
Ph: (408) 274-7900
www.evc.edu
Micro-Polytech Institute
1108-1110 Walsh Avenue
Santa Clara, CA 95050
Ph: (408) 492-9048
Fax: (408) 492-1464
www.micropolytech.com
Foothill College
12345 El Monte Road
Los Altos, CA 94022
Ph: (650) 949-7777
Fax: (650) 949-7375
www.foothill.fhda.edu
Mission College
3000 Mission College Boulevard
Santa Clara, CA 95054
Ph: (408) 988-2200
www.missioncollege.org
Institute for Business and Technology
2550 Scott Boulevard
Santa Clara, CA 95050
Ph: (408) 727-1060
Fax: (408) 980-9548
www.ibttech.com
National Hispanic University
14271 Story Road
San Jose, CA 95127
Ph: (408) 254-6900
Fax: (408) 254-1369
www.nhu.edu
National Institute of Technology
235 Charcot Avenue
San Jose, CA 95131
Ph: (408) 441-6990
Fax: (408) 441-6994
www.nitschools.com
OTI/Foothill-De Anza Colleges
21250 Steven Creek Boulevard
Cupertino, CA 95014
Ph: (408) 864-8869
Fax: (408) 864-8462
www.oti.fhda.edu
Portnov Computer School
1580 West El Camino Real #12
Mountain View, CA 94040
Ph: (650) 961-2044
Fax: (650) 917-9977
www.portnov.com
San Jose City College
2100 Moorpark Avenue
San Jose, CA 95128
Ph: (408) 288-3708
Fax: (408) 223-3000
www.sjcc.edu
San Jose State University
One Washington Square
San Jose, CA 95192
Ph: (408) 924-1000
Fax: (408) 924-2050
www.sjsu.edu
Santa Clara Adult Education
1840 Benton Street
Santa Clara, CA 95050
Ph: (408) 423-3500
Fax: (408) 423-3580
www.scae.org
Santa Clara County Regional Occupational
Program-North
575 West Fremont Avenue
Sunnyvale, CA 94087
Ph: (408) 733-0881
Fax: (408) 733-0894
www.ncrop.sccoe.net
UCSC – Extension
Cupertino Campus
10420 Bubb Road
Cupertino, CA 95014
Ph: (408) 752-1300
UCSC – Extension
Sunnyvale Campus
Moffett Business Park
1180 Bordeaux Drive
Sunnyvale, CA 94089
Ph: (408) 752-1300
www.ucsc-extension.edu
University of Phoenix
3590 North First Street
San Jose, CA 95134
Ph: (877) 478-8336
www.phoenix.edu
West Valley College
1400 Fruitvale Avenue
Saratoga, CA 95070
Ph: (408) 741-2000
www.wvmccd.cc.ca.us/wvc
Industry Websites

Government
Central Intelligence Agency (CIA)
www.cia.gov
Committee on National Security Systems
www.nstissc.gov
Federal Bureau of Investigation (FBI)
www.fbi.gov
National Infrastructure Protection Center (NIPC)
www.nipc.gov
National Security Agency (NSA)
www.nsa.gov
National Strategy to Secure Cyberspace
www.whitehouse.gov/pcipb
U.S. Department of Homeland Security
www.dhs.gov

Industry News & Magazines
All-Internet-Security.com
www.all-internet-security.com
Certification Magazine
www.certmag.com
CertCities.com
www.certcities.com
CIO Magazine
www.cio.com
CSO Magazine
www.csoonline.com
Information Security Magazine
www.infosecuritymag.com
SC Infosecurity News
www.infosecnews.com
SC Magazine
www.scmagazine.com
Search Security.com
http://searchsecurity.techtarget.com
SecurityFocus
www.securityfocus.com
Security Magazine
www.securitymagazine.com
Sys Admin Magazine
www.samag.com
TCP Magazine
www.tcpmag.com

Organizations and Associations
Cert Coordination Center
www.cert.org
Computer Security Institute (CSI)
www.gocsi.com
Human Firewall
www.humanfirewall.org
Information Systems Audit and Control Association
www.isaca.org
Information Systems Security Association (ISSA)
www.issa.org
Information Technology Association of America (ITAA)
www.itaa.org
International Information Systems Security Certification Consortium, Inc.
www.isc2.org
National Security Institute
www.nsi.org
SANS Institute
www.sans.org

Annual Conferences
CardTech SecurTech Conference
www.ctst.com
CSI Annual NetSec
www.gocsi.com
RSA Conference
www.rsasecurity.com/conference

2003 Bay Area Events
Datacenter Ventures 2003
http://datacenterventures.com
Occupational
Definitions
The following occupational classifications and
definitions come directly from the Standard
Occupational Classification (SOC) codes. The
SOC system is used by all federal statistical
agencies to classify workers into occupational
categories. It is structured into 23 major
groups, 96 minor groups, and 449 broad
occupations. The following are from major
groups 11-0000 Management Occupations
and 15-0000 Computer and Mathematical
Occupations.
11-3021
Computer and Information Systems Managers
Plan, direct, or coordinate activities in such fields as electronic data processing, information systems, systems analysis, and computer programming.
15-1051
Computer Systems Analysts
Analyze data processing problems for application to electronic data processing systems. Analyze user requirements, procedures, and problems to automate or improve existing systems and review computer system capabilities, workflow, and scheduling limitations.
15-1071
Network and Computer Systems Administrators
Install, configure, and support an organization's local area network (LAN), wide area network (WAN), and Internet system or a segment of a network system. Maintain and monitor network hardware and software to ensure network availability to all system users.
15-1081
Network Systems and Data Communications Analysts
Analyze, design, and evaluate network systems, such as local area networks (LAN), wide area networks (WAN), and Internet. Perform network modeling, analysis, and planning. Research and recommend network and data communications hardware and software. Includes telecommunications specialists who deal with the interfacing of computer and communications equipment.
Glossary of Industry
Terms
Source: Actel http://www.actel.com/products/rescenter/security/resources/glossary
intro.html
Access Control
Access control refers to the rules and deployment of mechanisms that control access to information systems, and physical access to premises and systems. The entire subject of information security is based upon access control, without which information security cannot, by definition, exist.
Authentication
Authentication refers to the verification of the authenticity of either a person or of data, e.g. a message may be authenticated to have been originated by its claimed source. Authentication techniques usually form the basis for all forms of access control to systems and data.
Authorization
The process whereby a person approves a specific event or action. In companies with access rights hierarchies it is important that audit trails identify both the creator and the authorizer of new or amended data. It is an unacceptably high risk situation for one to have the power to create new entries and then to authorize those same entries oneself.
Biometric Access Controls
Security access control systems, which authenticate (verify the identity of) users by means of physical characteristics, e.g. face, fingerprints, voice, or retina pattern.
BS 7799
The British Standard for Information Security, which was re-issued in 1999 in two parts. Part 1 is the Code of Practice for Information Security Management and Part 2 specifies the requirements for implementing Information Security in compliance with the Code of Practice. In October 2000, BS 7799 was elevated to become an International Organization for Standardization (ISO) standard - ISO 17799.
Business Assets
The term ‘business assets,’ as it relates to information security, refers to any information upon which the organization places a measurable value. By implication, the information is not in the public domain and would result in loss, damage, or even business collapse, were the information to be lost, stolen, corrupted, or in any way compromised. By identifying and valuing the business assets in an organization, and the systems that store and process them, an appropriate emphasis may be placed upon safeguarding those assets which are of higher value than those that are considered easily replaceable—such as information in the public domain.
Change Control
An internal control procedure by which only
authorized amendments are made to the
organization’s software, hardware, network
access privileges, or business process. This
method usually involves the need to perform
an analysis of the problem and for the results
to be appended to a formal request prepared
and signed by the senior representative of the
area concerned. This proposal should be
reviewed by management (or committee)
prior to being authorized. Implementation
should be monitored to ensure security
requirements are not breached or diluted.
Clear Desk Policy
A policy of the organization, which directs all
personnel to clear their desks at the end of
each working day, and file everything appropriately. Desks should be cleared of all
documents and papers, including the
contents of the ‘in’ and ‘out’ trays! The
purpose of the Clear Desk Policy is not simply
to give the cleaners a chance to do their job,
but to ensure that sensitive papers and documents are not exposed to unauthorized
persons out of working hours.
Clear Screen Policy
A policy of the organization, which directs all
users of screens or terminals to ensure that
the contents of the screen are protected from
prying eyes and other opportunistic breaches
of confidentiality. Typically, the easiest means
of compliance is to use a screen saver that will
engage, either on request, or after a specified
time.
Communications Line
Within a communications network, the route
by which data is conveyed from one point to
another. Recently the term has started to be
replaced by ‘communications link’ to reflect
the fact that a growing number of small
networks, even within the same building, are
using radio ('wireless') communications rather
than fixed cables.
Communications Network
A system of communications equipment and
communication links (by line, radio, satellite,
etc.) that enables computers to be separated
geographically while remaining connected to
each other.
Confidentiality
Assurance that information is shared only
among authorized persons or organizations.
Breaches of confidentiality can occur when
data is not handled in a manner adequate to
safeguard the confidentiality of the information concerned. Such disclosure can take
place by word of mouth, by printing, copying,
emailing or creating documents and other
data. The classification of the information
should determine its confidentiality and
hence the appropriate safeguards.
Configuration
The act of programming an SRAM-based
FPGA at system power up to make it functional. Configuration requires the use of a
configuration device, which is typically a
PROM (see PROM) or other type of memory.
Contingency Planning
Contingency planning plans for the unexpected or for the possibility of circumstances
changing. Contingency plans are individual
plans associated with individual projects or
programs.
A contingency plan is never expected to be
executed; as a result, situations in which
attention to detail and the budget allocation
are clearly inadequate guarantee failures if it
is executed.
As with any plan, it is essential to agree on the
‘trigger(s)’ that will result in the plan coming
into force and the subsequent 'chain of
command' that will take over during that
period.
Corrupt Data
Data that has been received, stored, or
changed, so that it cannot be read or used by
the program that originally created the data.
Cracker
A cracker is either a piece of software
(program) whose purpose is to 'crack' the
code to a password, encryption key, or configuration bitstream; or 'cracker' refers to a
person who attempts to gain unauthorized
access to a computer system, hardware, or
board level components. Such persons are
usually ill intentioned and perform malicious
acts of crime and vandalism.
Cryptography
The subject of cryptography is primarily
concerned with maintaining the privacy of
communications, and modern methods use a
number of techniques to achieve this.
Encryption is the transformation of data into
another usually unrecognizable form. The
only means to read the data is to decrypt the
data using a (secret) key, in the form of a
secret character string, itself encapsulated
within a pre-formatted (computer) file.
Cybercrime
Cybercrime may be internal or external, with
the former easier to perpetrate. Cybercrime is
any criminal activity that uses network access
to commit a criminal act. With the exponential growth of Internet connection, the
opportunities for the exploitation of any
weaknesses in information security are multiplying.
Data Encryption
Data encryption is a means of scrambling the
data so that it can only be read by the
person(s) holding the ‘key’—a password of
some sort. Without the 'key,' the cipher
cannot be broken and the data remains
secure. Using the key, the cipher is decrypted
and the data is returned to its original value or
state.
Decryption
The process by which encrypted data is
restored to its original form in order to be
understood/usable by another computer or
person.
Denial of Service (DoS)
DoS attacks deny service to valid users trying
to access a site. DoS attacks do not usually
have theft or corruption of data as their
primary motive and will often be executed by
persons who have a grudge against the organization concerned.
Consistently ranked as the single greatest
security problem for IT professionals, DoS
attacks are an Internet attack against a
website whereby a client is denied the level of
service expected. In a mild case, the impact
can be unexpectedly poor performance. In
the worst case, the server can become so
overloaded as to cause a crash of the system.
Encryption
The process by which data is temporarily rearranged into an unreadable or unintelligible
form for confidentiality, transmission, or other
security purposes.
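The Cryptography, Data Encryption, Decryption and Encryption entries all describe one round trip: data is scrambled under a key, and only the holder of that key can restore it. The Python below is an added example and not part of the original publication; it shows that round trip with a small authenticated scheme built only from the standard library (HMAC-SHA256 used as a keystream generator, plus an HMAC tag over the ciphertext). The construction is ad hoc for illustration rather than a standardised cipher, and the function names, passphrase and message are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: keystream = HMAC-SHA256(enc_key, nonce || counter),
# ciphertext = plaintext XOR keystream, tag = HMAC-SHA256(mac_key, nonce || ciphertext).
# A wrong key or a modified message fails the tag check before any plaintext is released.

NONCE_LEN = 16  # bytes of per-message nonce
TAG_LEN = 32    # bytes of HMAC-SHA256 output used as the authentication tag


def _split_key(key: bytes):
    # Derive separate sub-keys for encryption and for the tag so the same
    # master key is never used for two purposes.
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes, one 32-byte block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A fresh random nonce is drawn unless one is supplied."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _split_key(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _split_key(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Round trip with the right key, then two failure cases: wrong key and tampered ciphertext."""
    key = hashlib.sha256(b"constructed demo passphrase").digest()
    message = b"Q3 product launch plan: confidential"
    blob = encrypt(key, message)
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 4] ^= 0x01          # flip one bit inside the ciphertext
    return {
        "round_trip": decrypt(key, blob),
        "wrong_key": decrypt(b"x" * 32, blob),
        "tampered": decrypt(key, bytes(tampered)),
        "looks_random": blob[NONCE_LEN:-TAG_LEN] != message,
    }


if __name__ == "__main__":
    print(demo())
```

Without the right key the tag check fails and no plaintext is released, which is the practical meaning of "the cipher cannot be broken" in the entry above. The tag also catches a modified ciphertext, a property the glossary entries do not mention but which any deployed scheme needs.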
Hacker
An individual whose primary aim in life is to
penetrate the security defenses of large,
sophisticated, computer systems. A truly
skilled hacker can penetrate a system right to
the core and withdraw again without leaving
a trace of the activity. Hackers are a threat to
all computer systems that allow access from
outside the organization’s premises, and the
fact that most ‘hacking’ is just an intellectual
challenge should not allow it to be dismissed
as a prank. Clumsy hacking can do extensive
damage to systems even when such damage
was not intentional.
Identity Hacking
Posting on the Internet or bulletin board(s)
anonymously, pseudonymously, or giving a
completely false name/address/telephone
with intent to deceive.
Impact Analysis
As part of an information security risk assessment, you should identify the threats to your
business assets and the impact such threats
could have, if the threat resulted in a genuine
incident. Such analysis should quantify the
value of the business assets being protected to
decide on the appropriate level of safeguards.
Incursion
A penetration of the system by an unauthorized source. Similar to an intrusion, the
primary difference is that incursions are
classed as ‘hostile.’
Information Asset
An information asset is a definable piece of
information, stored in any manner that is
recognized as ‘valuable’ to the organization.
The information that comprises an information asset may be little more than a prospect
name and address file; or it may be the plans
for the release of the latest in a range of products to compete with competitors.
Information Warfare/Infowar
Also cyberwar and netwar. Infowar is the use
of information and information systems as
weapons in a conflict in which the information and information systems are the targets.
Infowar has been divided into three classes:
1. Individual privacy
2. Industrial and economic espionage
3. Global information warfare, i.e.,
nation state versus nation state
Most organizations will not need to be
concerned over classes I and III, but clearly
Class II is relevant to any organization wishing
to protect its confidential information.
Intrusion
The technology equivalent of trespassing. An
uninvited and unwelcome entry into a system
by an unauthorized source. While incursions
are always seen as hostile, intrusions may well
be innocent, having occurred in error. Strong
verification and security systems can minimize intrusions.
Logical Access
The process of being able to enter, modify,
delete, or inspect records, designs, schematics, source code, and other data held on a
computer system or device by means of
providing an ID and password (if required).
The view that restricting physical access
relieves the need for logical access restrictions
is misleading. Any organization, systems, or
devices within a system with communications
links to the outside world has a security risk of
logical access.
Malicious Code
Malicious code includes all and any programs
(including macros and scripts) that are deliberately coded in order to cause an
unexpected (and usually, unwanted) event on
a PC or other system. However, whereas
antivirus definitions (‘vaccines’) are released
weekly or monthly, they operate retrospectively. In other words, someone’s PC has to
become infected with the virus before the
antivirus definition can be developed. In May
2000, when the ‘Love Bug’ was discovered,
although the antivirus vendors worked
around the clock, the virus had already
infected tens of thousands of organizations
around the world before the vaccine became
available.
Non-Repudiation
For e-commerce and other electronic transactions, including ATMs (cash machines), all
parties to a transaction must be confident that
the transaction is secure, that the parties are
who they say they are (authentication), and
that the transaction is verified as final. Systems
must ensure that a party cannot subsequently
repudiate (reject) a transaction. To protect
and ensure digital trust, the parties to such
systems may employ digital signatures, which
will not only validate the sender, but will also
‘time stamp’ the transaction, so it cannot be
claimed subsequently that the transaction was
not authorized or not valid.
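The Non-Repudiation entry says that digital signatures both validate the sender and time stamp the transaction. As an added example (not the report's own material), the Python below signs a time-stamped transaction record with textbook RSA and shows that any later change to the amount or to the time stamp fails verification, while the original still verifies against the public key alone. The key pair is a toy built from the two smallest primes above one million so the arithmetic is readable; real systems use library-generated keys of 2048 bits or more with proper padding. The record fields, party names and values are constructed for the example.

```python
import hashlib
import json
import time
from typing import Optional

# Constructed example: textbook RSA signature (s = h^d mod N, check s^e mod N == h)
# over a canonical JSON record that includes a time stamp. Only the private
# exponent d can produce a signature the public exponent e verifies, so the
# signer cannot later deny having authorised exactly this record at this time.


def _next_prime(n: int) -> int:
    """Smallest prime strictly greater than n (trial division; fine for toy sizes)."""
    while True:
        n += 1
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n


_P = _next_prime(10 ** 6)      # toy key: two small primes, NOT a real key size
_Q = _next_prime(_P)
N = _P * _Q                    # public modulus
E = 65537                      # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+ modular inverse)


def _digest(record: dict) -> int:
    # Canonical JSON so signer and verifier hash exactly the same bytes,
    # reduced mod N because the toy modulus is far smaller than a SHA-256 output.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(record: dict, private_exponent: int = _D) -> int:
    """Return the signature (an integer) over the record, including its time stamp."""
    return pow(_digest(record), private_exponent, N)


def verify(record: dict, signature: int, public_exponent: int = E) -> bool:
    """True only if the signature was produced with the private key matching (N, E)."""
    return pow(signature, public_exponent, N) == _digest(record)


def make_transaction(payer: str, payee: str, amount_cents: int,
                     when: Optional[float] = None) -> dict:
    """Build the record to be signed; the time stamp is part of what gets signed."""
    return {
        "payer": payer,
        "payee": payee,
        "amount_cents": amount_cents,
        "timestamp": int(when if when is not None else time.time()),
    }


def demo() -> dict:
    """Sign one record, then try to verify two altered copies against the same signature."""
    tx = make_transaction("alice", "bob", 12500, when=1700000000)
    sig = sign(tx)
    altered = dict(tx, amount_cents=1250000)                 # amount changed after signing
    backdated = dict(tx, timestamp=tx["timestamp"] - 86400)  # time stamp moved back a day
    return {
        "valid": verify(tx, sig),
        "altered": verify(altered, sig),
        "backdated": verify(backdated, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because the time stamp is inside the signed record, a party cannot later claim the transaction was authorised at some other moment, which is the point the entry makes about time stamping; and since verification needs only the public key, any third party can confirm who signed.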
Penetration
Intrusion, trespassing, unauthorized entry into
a system. Merely contacting the system or
using a keyboard to enter a password is not
penetration, but gaining access to the
contents of the data files by these or other
means does constitute penetration.
Penetration Testing
The execution of a testing plan, the sole
purpose of which is to attempt to hack into a
system using known tools and techniques.
Physical Access
The process of obtaining use of a computer
system, development tools, or direct access to
a system and its components. For example by
sitting down at a keyboard, or being able to
enter specific area(s) of the organization
where the main computer systems are
located, or accessing system level hardware or
in some cases even board level components.
Physical Security
Physical protection measures to safeguard the
organization’s systems. Including, but not
limited to, restrictions on entry to premises,
restrictions on entry to computer department
and tank, locking/disabling equipment,
disconnection, fire-resistant and tamper-resistant storage facilities, anti-theft measures,
and anti-vandal measures.
Public Key Infrastructure (PKI)
Where encryption of data is required,
perhaps between the organization's internal
networks and between clients and representatives, a means of generating and managing
the encryption keys is required. PKI is the use
and management of cryptographic keys—a
public key and a private key—for the secure
transmission and authentication.
Security Breach
A breach of security occurs when a stated
organizational policy or legal requirement
regarding information security has been
contravened. However, every incident
suggesting that the confidentiality, integrity
and availability of the information have been
inappropriately changed can be considered a
security incident. Every security breach will
always be initiated via a security incident.
Only if confirmed does it become a security
breach.
Security Incident
A security incident is an alert to the possibility
that a breach of security may be taking, or
may have taken, place.
Smart Card
Smart cards look and feel like credit cards,
but have one important difference: they have
a ‘programmable’ microchip embedded.
Their uses are extremely varied but, for information security, they are often used not only
to authenticate the holder, but also to present
the range of functions associated with that
user's profile. Smart Cards will often have an
associated PIN number or password to
provide a further safeguard. The main benefits of using Smart Cards are that their allocation
can be strictly controlled, they are hard to
forge and are required to be physically
inserted into a ‘reader’ to initiate the authentication process.
Virus
A virus is a form of malicious code and, as
such it is potentially disruptive. It may also be
transferred unknowingly from one computer
to another. The term virus includes all sorts of
variations on a theme, including the nastier
variants of macro-viruses, Trojans, and
worms, but, for convenience, all such
programs are classed simply as ‘viruses.’
Certifications from Symantec

Basic-Level
Symantec Product Specialist (SPS)
Specializations include: Symantec Enterprise Firewall; Symantec Firewall Advanced Topics; Enterprise Security Manager (ESM); Symantec NetRecon.
Description: For individuals who wish to demonstrate expertise with a particular Symantec product and its functionality in an overall security system.

Intermediate-Level
Symantec Technology Architect (STA)
Specializations include: Firewall and VPN Technologies; Vulnerability Management; Intrusion Detection; Virus Protection and Content Filtering.
Description: Focuses on vendor-neutral security knowledge of how to design, plan, deploy and manage effective security solutions. STA certification is awarded for each Symantec Security Solutions Exam passed.

Advanced-Level
Symantec Certified Security Engineer (SCSE)
Specializations include: Firewall and VPN Technologies; Vulnerability Management; Virus Protection and Content Management.
Description: This certification provides a high-level understanding of a broad range of security solutions plus in-depth knowledge and skills within a specific security focus (i.e., Vulnerability Management, Intrusion Detection, etc.). An SCSE is involved in the design, integration and deployment of comprehensive enterprise security solutions.

Symantec Certified Security Practitioner (SCSP)
Description: For senior security consultants who wish to demonstrate in-depth expertise. This certification is achieved after all SCSE have been obtained.
Requirements for Certification
Symantec Certification Designation | Pre-Requisite Knowledge and Experience | Passed Technology Exams | Passed Security Solutions Exam
Symantec Product Specialist | TCP/IP Networking, OS Proficiency | 1 | N/A
Symantec Technology Architect | TCP/IP Networking, OS Proficiency, Security Essentials Course | None | 1
Symantec Certified Security Engineer | TCP/IP Networking, OS Proficiency, Security Essentials Course | All within security focus | 1 of targeted security focus
Symantec Certified Security Practitioner | SCSE Certifications | All | All
Recertification Timeline:
• Product certification is granted for
specific versions of a product only.
• All certifications are valid for 18
months and must be renewed
prior to expiration to maintain
credentials.
Certifications from Cisco Systems, Inc.
Associate-Level (Basic)
Cisco Certified Design Associate (CCDA®)
This certification indicates a foundation or
apprentice knowledge of network design for
the Cisco Internetwork Infrastructure. CCDA
certified professionals can design routed and
switched network infrastructures involving
LAN, WAN, and dial access services for businesses and organizations.
Cisco Certified Network Associate (CCNA®)
This is an entry-level certification that validates an individual’s ability to install,
configure, and operate LAN, WAN, and dial
access services for small networks of 100
nodes or fewer.
Professional-Level (Intermediate)
Cisco Certified Design Professional
(CCDP®)
With this certification, a network professional
can design routed and switched networks
involving LAN, WAN, and dial access services, applying modular design practices and
making sure the whole solution responds
optimally to the business and technical
needs.
Cisco Certified Internetworking Professional
(CCIP®)
This certification provides individuals working in service provider organizations with
competencies in infrastructure IP networking
solutions. CCIP professionals have detailed
understanding of networking technologies in
the service provider arena including IP routing, IP QoS, BGP, and MPLS.
Cisco Certified Network Professional
(CCNP®)
This certification indicates advanced or journeyman knowledge of networks. With a
CCNP, a network professional can install,
configure, and troubleshoot local and wide
area networks for enterprise organizations
with networks from 100 to more than 500
nodes.
Cisco Certified Security Professional (CCSP)
This certification provides network professionals with professional level recognition in
designing and implementing Cisco secure
networks. CCSP holders are actively
involved in developing business solutions
and designing and delivering multiple levels
of security departments.
Expert-Level (Advanced)
Cisco Certified Internetworking Expert (CCIE™) Routing & Switching
This expert-level certification covers IP, IP
routing, non-IP desktop protocols such as
IPX, as well as bridge and switch-related
technologies. This is currently one of the
premier IT certifications.
CCIE™ Security
This certification covers IP and IP routing as
well as specific security components.
CCIE™ Communication & Services
This certification covers IP and IP routing,
Optical, DSL, Dial, Cable, Wireless, WAN
Switching, Content Networking, and IP
Telephony.
CCIE™ Voice
This certification covers those technologies
and applications that comprise a Cisco
Enterprise Voice over IP solution.
Cisco Qualified Specialist Program
Cisco Cable Communications Specialist 1
This certification focuses on the knowledge
and skills required to support and deploy
Cisco cable two-way data services. This
certification includes proficiency in
DOCSIS, DVB, RF, and Cisco IOS®.
Cisco Content Networking Specialist
This certification validates an individual's
knowledge of content edge delivery,
content distribution and management,
content switching, and content routing.
Cisco Firewall Specialist
This certification focuses on securing
network access using Cisco IOS Software
and Cisco PIX Firewall Technologies.
Cisco IDS Specialist
Cisco IDS Specialists can operate and monitor Cisco IOS Software and IDS
technologies to detect and respond to intrusion activities.
Cisco IP Telephony Design Specialist, Cisco
IP Telephony Operations Specialist and
Cisco IP Telephony Support Specialist
The Cisco IP Telephony Support, Design
and Operations Specialist focused certifications validate proficiency in designing,
installing, and supporting a multi-service
network solution. These certifications are for
individuals who plan, implement, and
support Cisco advanced IP telephony
network solutions. The focus is on implementing and supporting Cisco data and
voice integration solutions over Frame Relay,
ATM, and IP.
Cisco Multiservice Switching Specialist
For individuals who install, configure,
support, troubleshoot, and design complex
ATM-based networks in the service provider
market segment.
Cisco MxU Specialist
This certification addresses network professionals who need to successfully implement
ATM Multiservice switching and service
provisioning based on Cisco BPX® and
MGX™ networks.
Cisco Optical Specialist 1
This certification is for network professionals
who design, install, operate, and maintain
optical networking systems.
Cisco VPN Specialist
A Cisco VPN Specialist can configure VPNs
across shared public networks using Cisco
IOS Software and Cisco VPN 3000 Series
Concentrator technologies.
Cisco Wireless LAN Design Specialist and
the Cisco Wireless LAN Support Specialist
These certifications indicate significant
knowledge of relevant factors involved in
deploying Cisco Wireless LAN solutions.
Cisco Wireless LAN Specialists understand
radio technologies associated with WLAN
802.11 standards, understand WLAN and
bridge topologies and applications, can
configure WLAN products, can explain
Aironet software and management features,
can configure various security methods for
Wireless LAN environments, understand
basic antenna theory, understand how to
perform a site survey covering WLAN topology and design, and understand vertical
market deployment and challenges.
Instructor-Level
Certified Cisco Systems Instructor (CCSI)
This certification is for individuals who want
to teach authorized Cisco courses. You
must be employed or sponsored by a Cisco
Learning Partner.
Certifications Notes:
• There are three levels of certification and
four different options for areas of focus.
These four areas of focus are: (1)
Network Installation and Support, (2)
Network Engineering and Design, (3)
Communications and Services, (4)
Network Security. Each of these four
areas of focus is available in the three
levels (Associate, Professional, Expert).
Recertification Timeframes:
• CCNA, CCDA, CCNP, CCDP, and CCIP
certifications are valid for three years.
• All CCIE and Cisco Qualified Specialist
certifications are valid for two years.
Certifications from Novell
Basic-Level
Certified Novell Administrator (CNA)
For individuals who are interested in providing on-site administration for software users
in a variety of work environments, including
professional offices and small businesses,
workgroups or departments, and corporate
information services. CNAs handle day-to-day administration of an installed Novell
networking product: NetWare, Novell
eDirectory and GroupWise.
Intermediate-Level
Certified Linux Engineer (CLE)
For individuals who wish to expand their IT
expertise in the area of Novell’s services for
Linux including eGuide, iFolder, NMAS,
DirXML, NetMail, ZENworks, and Novell’s
eDirectory.
Certified Novell Engineer (CNE)
For individuals who already work in the
Information Systems/Information Technology
(IS/IT) industry as well as individuals who are
interested in entering this industry.
Expert-Level
Master Certified Novell Engineer (CNE)
For individuals who are interested in becoming
some of the information technology industry’s leading integration specialists. This
program is designed to give individuals
advanced skills that are required to provide
solutions to complex networking problems
that may span across several different platforms and product solutions.
Certified Directory Engineer (CDE)
For individuals who are interested in maximizing their knowledge and skills in Novell’s
eDirectory, as well as on the platform-independent directory information needed to
implement and troubleshoot directories
effectively in real, working environments.
Instructor-Level
Certified Novell Instructor (CNI)
For individuals who are interested in
becoming instructors of Novell’s certification programs. They are able to gain
access to Novell’s latest information and
technology in order to equip individuals to
become instructors.
Certifications Notes:
• The CLE is the latest certification introduced by Novell.
Recertification Timeframe:
• Recertification is an ongoing embedded
process.
Certifications from Sun Microsystems, Inc.
Basic-Level
Sun Certified System Administrator for the Solaris Operating Environment
Solaris™ Operating Environment Certification Learning Path
This certification is for system administrators
tasked with performing essential system
administration procedures on the Solaris™
Operating Environment (Solaris OE) and
technical application support staff responsible for administering a networked server
running on the Solaris OE.
Sun Certified Programmer for the Java 2
Platform
This certification is for programmers interested in demonstrating proficiency in the
fundamentals of the Java™ programming
language using the Java 2 Platform,
Standard Edition (J2SE™ technology).
Sun Certified Data Management Engineer
This certification is for storage managers and
system administrators responsible for administering disk array storage systems. This
certification covers the skills required to
implement, configure, operate and administer a disk array storage system. Students
select from two paths for certification: Solstice DiskSuite™ or VERITAS Volume
Manager Software.
Sun Certified Backup and Recovery
Engineer
This certification is being developed for
backup and recovery engineers responsible
for the design and implementation of
backup systems in the data center. The
examination is designed to measure a
student's knowledge of reliable backup
methodology, restoring data and meeting
design requirements.
Sun Certified Storage Architect
This certification is for storage architects
responsible for designing and administering
a storage area network. This examination
focuses on the student’s knowledge of SAN
design and implementation, installation,
administration and troubleshooting of SAN
hardware and software.
Sun Certified Developer for Sun ONE
Application Server 6.0
The Sun™ ONE Application Server provides
the foundation for delivering enterprise-class application services and Web services.
Sun Certified Developer for Sun ONE
Application Server 6.0 is for architects and
developers who are using Java™ 2 Platform,
Enterprise Edition (J2EE™ technology) to
develop, deploy and run applications on
Sun ONE Application Server 6.0.
Sun Certified Engineer for Sun ONE
Directory Server 5.x
The Sun™ ONE Directory Server is a software product that provides a central
repository for storing and managing identity
profiles, access privileges and application
and network resource information. The Sun
Certified Engineer for Sun ONE Directory
Server 5.x is recommended for professionals
who design, deploy, configure, administer
and troubleshoot the Sun ONE Directory
Server 5.x for enterprise-level solutions with
up to 5-10 million users.
Intermediate
Sun Certified Network Administrator for
Solaris Operating Environment
This certification is for experienced system
administrators who are or will be responsible for administering Sun™ systems in a
networked environment that includes LANs
and the Solaris™ Operating Environment
(Solaris OE).
Sun Certified Security Administrator for the
Solaris Operating Environment
The Sun Certified Security Administrator for
Solaris 9 OE is geared toward candidates
with six to twelve months of experience
administering security in a Solaris™
Operating Environment. It is recommended
that candidates attend SC-300
Administering Security on the Solaris OE,
have six to twelve months Security administration job role experience and have
previous Solaris system and network administration certification.
Sun Certified Developer for the Java 2
Platform
This performance-based certification is for
programmers and developers who are
already familiar with the basic structure and
syntax of the Java™ programming language,
and who have a need to demonstrate
advanced proficiency in developing
complex, production-level applications
using Java 2 Platform, Standard Edition
(J2SE™ technology).
Advanced
Sun Certified Web Component Developer for the Java 2 Platform, Enterprise Edition (J2EE)
This certification is for programmers specializing in the application of JavaServer
Pages™ and servlet technologies used to
present Web services and dynamic Web
content using Java™ 2 Platform, Enterprise
Edition (J2EE™ technology).
Sun Certified Enterprise Architect for J2EE Technology
This certification is for enterprise architects
responsible for architecting and designing
Java™ 2 Platform, Enterprise Edition (J2EE™
technology) compliant applications, which
are scalable, flexible and highly secure.
Other Popular Industry Certifications, as targeted by CSOonline.com
Basic
Check Point Certified Security Administrator (CCSA)
Vendor-specific: For individuals interested in
developing greater expertise on their product-base.
CompTIA Security+
Vendor-neutral: For individuals interested in
obtaining vendor-neutral competency in
worldwide standards for foundation-level
security practitioners.
ProSoft Certified Internet Webmaster (CIW)
Associate
Vendor-neutral: For individuals who want to
demonstrate knowledge of Networking,
HTML and Internet fundamentals. Must be
earned before you can continue on to any
other CIW designation. Offered by Prosoft
Training Center.
SANS GIAC Certified Security Leadership
Certification (GSLC)
Vendor-neutral: For individuals with managerial or supervisory responsibility for
information security staff.
SANS GIAC Security Essentials Certification
(GSEC)
Vendor-neutral: Entry level designation for
individuals who are or will be responsible for
managing and protecting important information systems and networks. GIAC is the
Global Incident Analysis Center established
in 1999 by the SANS Institute to monitor
new attacks and provide immediate analysis
and response.
TruSecure ICSA Certified Security Associate
Vendor-neutral: For individuals who are
involved in security administration of corporate systems or networks. Typical candidates
have experience in networking, system
administration, may hold a security-related
position, or are well-versed in the area of
network security.
Intermediate
CIW Professional
Vendor-neutral: For individuals who work
with Internet/web technologies and are
working toward a master CIW designation.
SANS GIAC Certified Firewall Analyst
(GCFW)
Vendor-neutral: For security engineers who
wish to show proficiency in firewalls and
perimeter defense.
GIAC Certified Intrusion Analyst (GCIA)
Vendor-neutral: For security engineers who
wish to show proficiency in intrusion analysis.
GIAC Certified UNIX Security Administrator
(GCUX)
Vendor-neutral: For security engineers who
wish to show proficiency in securing Unix
systems.
Master CIW Designer
Intermediate/General: For individuals interested in a career in Web Design. This
certification covers both site and e-commerce design.
GIAC Certified Windows Security
Administrator (GCWN)
Vendor-neutral: For security engineers who
wish to show proficiency in securing
Windows NT and Windows 2000 systems.
GIAC Certified Incident Handler (GCIH)
Vendor-neutral: For security engineers who
wish to show proficiency in advanced incident handling and hacker exploits.
GIAC Certified Forensic Analyst (GCFA)
Vendor-neutral: For individuals who are
responsible for forensic investigation/analysis,
advanced incident handling, or formal incident investigation.
GIAC Systems and Network Auditor (GSNA)
Vendor-neutral: Technical staff responsible
for securing and auditing information
systems; auditors who wish to demonstrate
technical knowledge of the systems they are
responsible for auditing.
Advanced
(ISC)² Certified Information Systems Security Professional (CISSP)
Vendor-neutral: For experienced professionals in the computer security field who are
responsible for developing the information
security policies, standards, and procedures
and managing their implementation across
an organization.
(ISC)² Systems Security Certified Practitioner (SSCP)
Vendor-neutral: For individuals involved in
network and systems security administration
who are responsible for developing the information security policies, standards, and
procedures and managing their implementation across various hardware and software
programs in their organization.
CIW Security Analyst
Vendor-neutral: For individuals who are
interested in an Administration certification
and want to add evidence of security skills.
Master CIW Administrator
Vendor-neutral: For individuals interested in
a career in Network Administration. This
certification covers Server Administration,
Internetworking, and Security for the
Internet.
Master CIW Enterprise Developer
Vendor-neutral: For individuals who are
interested in a career in programming.
Certification covers Perl and Java languages,
object-oriented analyst and design, application and database development.
Master CIW Web Site Manager
Vendor-neutral: For individuals who want to
be familiarized with the majority of Internet-related tasks and concepts. Certification
covers Server Administration, Perl and
JavaScript, and Site Design for the Internet.
Check Point Certified Management Security Expert (CCMSE)
Vendor-specific: For individuals interested in
developing greater expertise on Check
Point’s Internet security solutions including
VPN-1/FireWall-1 and Provider-1 in a
network operating Center Environment.