The Story Beneath the Hats
Transcription
The Story Beneath the Hats
The Story Beneath the Hats The term “hacker” was originally created to give recognition to those with exceptional computer skills. The term is now found to describe both ethical industry professionals and their criminal counterparts. To eliminate some of the confusion associated with the term, the industry uses hat colors to distinguish good from bad hackers. “White Hat” hackers are defined as proficient computer experts who use their talents to uphold information security. “Gray Hat” hackers are defined as those computer specialists making the transition from a criminal past to an ethical future in the trade. “Black Hat” hackers are serious criminal hackers who use their skills to take over information systems and commit illegal acts. The use of this hat terminology is not without criticism, but the symbolism continues to have a great impact on the security technology industry. Access Granted: Decrypting Opportunities in Information Security Authors Stacey Frenton Wei Kuan Lum Graphic Design Dana Kelly Project Supervisor Heidi Bonner Project Manager Jeanette Langdell Contact Information: The North Valley (NOVA) Workforce Board includes representatives of local business, industry, education, and service agencies. NOVA was founded in 1983 to implement the federal Job Training Partnership Act (JTPA) for northern Santa Clara County, and today provides services under the Workforce Investment Act (WIA), as well as a variety of other funding sources. NOVA has gained a national reputation as an innovative leader in addressing workforce needs in a variety of industries. NOVA’s services are administered by the City of Sunnyvale. 505 W. Olive Avenue, Suite 550 Sunnyvale, CA 94086 (408) 730–7232 www.novaworks.org publications@novaworks.org Table of Contents Introduction to LMI+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Purpose and Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Introduction to Security Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Section 1 • Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 The Growth of an Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 Market Growth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 Recent Security Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Section 2 • Identifying Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Recent Trends in Security Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21 Section 3 • Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29 Defining Security Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Existing Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Technologies and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 Piecing It Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 Section 4 • People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Growth in the Job Market . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 Demand for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . .41 Evolution of the Information Security Department . . . . . . . . . . . . . . . . . . . . .44 Deciphering Information Security Job Titles, Roles, and Responsibilities . . . . .45 The Executive Level of Information Security . . . . . . . . . . . . . . . . . . . . . . . . .49 Career Progression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Job Skills for Information Security Professionals . . . . . . . . . . . . . . . . . . . . . . .57 Salary Expectations in Information Security . . . . . . . . . . . . . . . . . . . . . . . . . .60 Section 5 • Star Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Senior Director of Information Security (Tim M. Mather) . . . . . . . . . . . . . . . .67 Manager of Intelligent Networks (Perry J. Steines) . . . . . . . . . . . . . . . . . . . . .71 Sales Systems Engineer (Julie Wilcox) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 Network Engineer (LC Boros) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 Section 6 • Practices and Projections . . . . . . . . . . . . . . . . . . . . . . . . . . .87 Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89 Future Trends in Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 B. Works Consulted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100 C. Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 D. Education and Training Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . .113 E. Industry Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115 F Occupational Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117 G. Glossary of Industry Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118 H. Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .125 Access Granted Introduction to LMI+ In 1994, NOVA created the Labor Market Information Plus (LMI+) project to aid dislocated workers and successfully enhance the labor market information available to the Silicon Valley community. The project provides innovative and practical reports on emerging industries and career transformations throughout the greater Bay Area. It assesses the dynamics and challenges that these industries and jobs present to the area’s economy. By using an ethnographic model to structure the research and present the information, LMI+ can reveal trends that go beyond statistical data to tell the current story of a particular industry, highlighting local workforce issues, realities, and trends that affect job seekers, businesses, educators, and training providers. The LMI+ studies are based on the concept of a labor market triad. The three primary stakeholders are comprised of job seekers, businesses, and education and training institutions. All three must communicate freely and work together to remain successful. LMI+ studies support the flow of timely information among primary stakeholders, ensuring that the local labor market can operate effectively. Job Seekers Job seekers can use these studies to explore a new industry or developing career. The reports highlight the relevant skills and necessary abilities for candidates to embark on a self-sustaining profession. They also demonstrate the applicable career ladders that enable job seekers to attain a sustainable wage, progress in their career, and be selfsufficient. Additional data such as information about training institutions and salary expectations reflect the local area and give job seekers holistic insight into these careers. Businesses Businesses can use the information presented to get a perspective on the local workforce climate. The studies provide insight that allows for improved recruitment and retention. Businesses can also use these studies to adjust training and compensation for employees. Educators and Training Providers Educators and training providers can use these reports to gauge the content of their curriculum. By revealing new career demands and skill sets, these studies assist educators and training providers in the creation or elimination of programs and courses. 1 Access Granted Purpose The demand for secure computing is fueling the growth of the security technology market. This greater need for cyber-security has created niche opportunities in the information security field, as well as expanded the careers of traditional information technology professionals. The purpose of this report is to enhance the availability of labor market information to job seekers, businesses, educators, and training providers. It strengthens today’s workforce by transferring skills-based information between the groups. This key information strongly affects the health of the local economy. Silicon Valley is the core of technological innovation. It is home to over 16,600 technology companies and boasts the largest quantity of venture capital firms in the world. Although Silicon Valley is the home of prestigious universities that produce today’s and tomorrow’s business leaders, it is marked by an increase in employee outsourcing, heightened demand for workforce literacy, and growing earning disparity between those with advanced and limited skills. To further the growth of the Silicon Valley economy, talented and skilled labor must be available to meet industry’s needs. Methodology Methods used for this report include informal interviews and industry-related meetings. Interviews with a cross-section of businesses, employees, educators, training providers, and 2 professional associations and organizations were conducted during the winter and spring of 2003. These interviews assisted the direction of the research and determined the content of this report. Local stakeholders recommended the selection of industry segments and career opportunities contained within this report. A thematic analysis was performed on all data collected from in-person, telephone, and email interviews. This analysis aided the search for underlying issues and similarities in responses across all participants in the research process. Textual and Internet-related research was conducted as well, but it served primarily as a foundation upon which to formulate interview questions. Information gained using traditional research methods was only incorporated into this report if local businesses and industry experts confirmed it to be an accurate reflection of the current, local industry. Access Granted Introduction to Security Technology It is important to note that because this industry is still emerging, and driven by emerging technologies, there are varying titles used to refer to both the industry market itself as well as the job market. In general, research has indicated two distinctions. When referring to the products and technologies that have been developed for the purposes of enhancing computer and network security, the industry is formally understood as the “security technology” industry. However, the job market that encompasses the individuals who work as part of the security technology industry is formally recognized as the “information security” market. This report similarly will follow these standards. In short, when discussing this market as an industry for products, the term “security technology.” When discussing security technology as a market for job seekers and employees, the term “information security” will be used. Narrowing the Scope: Differences Among the Security Subsectors The feeling of being “secure” has been an important aspect of both industry and individuals maintaining functional productivity. The increasing reliance of businesses on cyberspace, coupled with the tragedy of September 11, 2001, have forever changed how our nation thinks about security. In fact, these two changes in our social fabric have heightened the relevancy of security and driven the security sector into the forefront of industry attention. Silicon Valley, the heart of the high-tech universe, has once again found itself one of the driving centers of the latest technology boom—the security technology industry. Research revealed that there are various facets to the security technology industry, all of which aim to increase security. However, their methods very significantly. Given all the various components involved in enabling security to be enhanced, the security industry can be broken down into the following subsectors: physical security, personnel security, and security technology. The services and products that emerge from each of these subsectors, when working in tandem, undoubtedly help to increase people’s overall sense of security. It is also the case that the subsectors themselves and the markets that these industries are involved in are notably distinct from one another. The skills required of job seekers interested in the security industry will vary depending upon which facet of security an individual chooses to pursue. For example, the skill sets required by businesses that provide physical security to their clients are different from the skills required by businesses that qualify as security technology firms. Similarly, the customer base for companies that offer services or products in each of these subsectors is also distinctly separate. A company that 3 Access Granted specializes in physical security offers services that enhance personal and organizational security (e.g., security guards). These companies would be hiring job seekers that have an education or experience in physical protection. In contrast, a security technology company offers products that secure the myriad of e-transactions that occur in cyberspace. The individuals that these companies would be interested in hiring would have technical backgrounds in computers and knowledge of the networking technologies that secure transactions. It is true that the increased attention and interest in the overall security industry has contributed to the wealth of market and employment opportunities made available in the security sector. Given the skill distinctions in these markets, however, this report will focus only on the security technology subsector and on technologies that have been developed to enhance security as it pertains to computer and network systems. Ultimately, this report will examine the security technology industry as both a market for products and a market for jobs. There are six sections to this report which cover the following topics: recent market trends, vulnerability trends, information on the founding principles of the industry, and current security technology, employment trends, the evolution of this job market, and the current state of this market. More specifically, these topics are broken down into the following sections. Section I (Trends) identifies recent market trends in security technology. Section II (Identifying Threats) identifies the threats that 4 create the demand for security technology products. Section III (Technology) clarifies the technology itself. Section IV (People) discusses the state of the job market in information security. Section V (Star Profiles) provides personal accounts of individuals who have entered this market and have excelled. Lastly, Section VI (Practices and Projections) provides recommendations on best practices and provides projections on future trends, as identified by industry experts. Access Granted Executive Summary Information is a powerful and critical asset. In today’s business environment—where e-transactions constitute a significant amount of capital growth—computer and network systems are more common than a pencil. These electronic methods of communicating and handling information bring new technologies, responsibilities, policies, and practices, and create specialized education and training needs. The Internet Age has unleashed a world of virtual possibilities and opened the door to cyber threats and system vulnerabilities. The concept of securing information once meant locking the file cabinet. Now, securing information involves the concepts of keeping data confidential, true, and available during the transmission, storage, and processing states. Security technology is the use of technology to prevent and protect against both the access to information by unauthorized recipients, and the intentional but unauthorized destruction or alteration of that information. Security technology is emerging to protect the e-business marketplace—and more importantly, the nation’s critical infrastructure. Public and private industry must obtain the necessary security technology and information security talent to stay globally competitive. Silicon Valley, a fertile area of innovation that has its roots in the defense industry, is dedicated to delivering the fruits of prime security technologies and cultivated information security professionals. It is important to note that this publication uses the term “security technology” to describe the industry and the products that have been developed to enhance the security of electronic information, and uses the term “information security” to describe the profession in the industry that utilizes security technology to protect computer and network systems. A number of the industry and workforce trends contained in this report are highlighted below. • The security technology industry is projected to experience a revenue increase from its 1999 levels by approximately 63 percent by 2004, and by the year 2006, the security technology market is projected to hit $45 billion. The industry’s prolific growth is driven by the concept and value of secure e-transactions; the increased need to protect customer information on shared computer and network databases; more software and system vulnerabilities; the expense of security breaches and cyber attacks; and the conditions of federal legislation. • The “National Strategy to Secure Cyberspace” is a federal initiative to improve cyber security. The strategy outlines and identifies three national strategic objectives: prevent cyber attacks; reduce vulnerability to cyber attacks; and minimize the damage and recovery time due to cyber attacks. Recent legislation that affects the security technology industry includes: The Gramm-Leach-Bliley Act 5 Access Granted (GLBA), The Health Insurance Portability and Accountability Act (HIPAA), and California State Assembly Bill 1386. • The threat from computer crimes and other online security breaches continues to grow. In 2001, a Computer Security Institute (CSI) survey of 538 security professionals in U.S. corporations revealed 40 percent of the respondents (versus 25 percent of the respondents in 2000) reported they detected penetration attacks from external sources. In 2002, CSI conducted another survey aimed at identifying which sources were the most popular point of entry for attacks into a computer system or network. Respondents indicated that approximately 72 percent of attacks originated from the Internet. • Cyber attacks can strike computer and network systems from a variety of sources and can be structured as computer-to-computer; computer-tonetwork; network-to-computer; and network-to-network. Cyber threats can attack computer and network systems through four main destructive programs: network worms, trojan horses, computer viruses, and blended threats. • Hackers, crackers, and script kiddies are the individuals responsible for attacking computer and network systems. Industry uses the term “hacker” to refer to an individual with exceptional computer skills who is intensely interested in the workings of a computer system. These days, the term is found to describe both ethical industry professionals and their criminal counter- 6 parts. To eliminate some of the term’s confusion, the industry has attempted to create more definitive titles. White hat hackers are defined as the “good guys” of information security. Gray hat hackers are defined as those computer experts making the transition from a criminal past to an ethical future in the trade. The term “black hat hackers” is used interchangeably with the term “crackers” to describe criminal hackers who use their skills to take over systems and commit illegal acts. Script kiddies are considered amateurs not well versed in the workings of a computer or network system. • Ethical hacking is an assessment test used to check system weaknesses and vulnerabilities. In these tests, a contracted gray hat plays the role of a black hat. They find system vulnerabilities and then report them to the company’s internal administrators. These penetration tests are performed with permission and are currently an accepted practice in the industry. These tests, however, are not without harsh criticism. While several companies have benefited from this method to protect their systems, some professionals feel this tactic is a major conflict of security interest. Critics state that any intrusion on a system with or without permission is illegal. The reason? While businesses may own the systems being penetrated, they may not own the information that is uncovered during the test. Despite conflicts of opinion in the industry, ethical hacking will most likely continue to play a significant role in vulnerability assessment. Access Granted • Security technology would not exist without three key principles: authentication, access control, and audit. Authentication is the act of establishing and confirming the identity of a user to some part of a computer system or network. Access control refers to the logical and physical access to data. It determines user or computer privileges to a computer or network system. Examples of authentication and access control tools are passwords, tokens, smart cards, and biometric signatures such as fingerprints. Auditing is the process of gathering data about system activity. It is an analysis used to detect plausible or evident security violations. An example of an audit tool is an intrusion detection system (IDS). • Security solutions can be delivered by four primary methods: security software, security applications, managed/outsourced security services, and peripheral services. Security software products are application solutions that run on standard operating systems. Security appliances are purposebuilt hardware that performs security functions. Managed/outsourced security services are services that manage installed security solutions, such as firewalls and virtual private networks (VPN). Peripheral security services are practices, such as consulting, implementation, and training services that support the other methods of delivery. • There are three broad groups in which the range of security technologies may achieve the product’s security function: computer infrastructure, cryptography, and biomet- rics. Computer infrastructure refers to the physical hardware used to interconnect computers, networks, and users. Cryptography is mathematical formulas that provide encryption and decryption capabilities based on the use of either codes or ciphers. Biometrics is composed of technical tools that utilize some physical human features to regulate authentication and access control. • Demand for information security professionals in Silicon Valley is driven by the increased use of worldwide computer networks for integral business operations; the awareness for secure data; the continuous rescaling of information protection practices to counteract new threats; an upsurge in the allocation of government contracts for entrepreneurial and innovative security products; requests for local technology businesses to serve on public/private-sector collaboratives that identify and evaluate security efficiencies; the increased desire for IT professionals to have security certification; and new legislation, such as HIPAA. Opportunities for information security professionals will exist primarily in network design and administration, as well as systems engineering. In California, about 98,200 job openings will exist between 2000 and 2010 for network and computer system occupations due to growth and separations. • Local industry experts attribute the projected national shortage of 50,000 to 75,000 security professionals to the dwindling supply of minorities and women pursuing technical careers, and on the low 7 Access Granted number of computer science doctorate degrees awarded in the United States. • Experts in the industry consider it to be a major conflict of interest to have the functions of information technology and information security in one division. Information security and information technology overlap to manage information systems, but IT workers are primarily concerned with making sure systems run smoothly whereas information security workers are focused on setting the rules for how those systems run. The idea is that security can be compromised if the same person overseeing, implementing, or reviewing security is the same person responsible for the basic working order of the technology. • The cost and development involved with the implementation of essential security are two reasons why several companies have not made the transition to divide their information and security technology departments. Opting to make do with current staff, companies have expanded the roles and responsibilities of traditional IT personnel. • The structure and definition of information security jobs have yet to be fully clarified by the industry. There exist very few universal job titles below the executive level. It is common to find certified information security professionals with traditional information technology job titles. • All information security team members are responsible for establishing and enforcing 8 security policies. Each member plays a role in one or more of the following: risk assessment, configuration and deployment of architecture, the management of security maintenance, incident response, and forensics. Team-specific responsibilities generally separate one job from the next, but in some organizations, the same employee may perform a variety of security roles. Roles in information security can be divided into four basic groups: advisor/strategist, designer, operator/attendant, and examiner. Advisor/strategists determine how the infrastructure should operate. Designers create solutions to the problems identified by analysts. Operator/attendants administer the solutions created by architects and engineers. Examiners ensure the security functionality of information systems. • The job titles, responsibilities, and reporting structures of information security management are inconsistent. The chief security officer (CSO) and chief information security officer (CISO) titles are used interchangeably. The CSO is considered an executive level position that orchestrates the overall security of business operations. The CISO title is considered a managerial position that oversees the security of information only in lieu of CSOs or CISOs. Companies assign administrative security responsibilities to traditional IT officers, such as chief technology officers (CTO) and chief information officers (CIO). • The expense and up-front costs of implementing specialized security teams, staff training, legal counseling, and new tech- Access Granted nologies cause some companies to outsource their security management. Outsourcing is not without its drawbacks. Once outside consultants enter the organization, security is compromised. External teams are privy to confidential and valuable information assets. To avoid the conflicts of nondisclosure agreements, information leaks, and the possibility of generic security policies and practices, businesses establish in-house executive security positions. • Career entry and progression is determined internally and varies from company to company. Security certifications give network professionals a competitive edge, increase base salaries, and affect career progression. Traditional IT professionals are welcomed into security if they possess plenty of work experience and a willingness to learn. Job seekers who have acute familiarity with operating systems and/or networking can expect an easier transition from information technology to the information security field. • Federal government jobs in information security emulate the private sector. Opportunities for information security professionals exist with the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). • Certifications in the security technology industry exist in two distinctions: vendor-neutral and vendor-specific. Vendor-neutral certifications are certifications that do not focus on a specific product, platform or technology. They primarily focus on the concepts and knowledge of major security technology niches. Vendor-specific certifications teach individuals how to design, install, configure, maintain, and troubleshoot specific solutions, platforms, tools, or technologies. They help manage the costs for technical support and provide organizations with knowledgeable professionals who are capable of implementing and working with vendor solutions. Certification training is offered at various levels: basic, intermediate, and advanced. Companies are developing certification for technology “specializations” that train professionals in a specific technology, such as virtual private network (VPN) technology. • The security technology industry seeks individuals with profuse knowledge of operating systems, firewalls, authentication methods, and networking tools. Information security management desires professionals with soft skills, such as good communication and the ability to work in a team. Professionals who have a degree in computer science, security clearances, and experiences in psychology and law enforcement are highly coveted. The industry is not interested in hiring job seekers with a past in criminal hacking. • Salaries for information security personnel are relevant to the size of the company and the industry. Job experience and the organization’s reporting structure play a major role in determining compensation. Personnel who report to higher levels of management typically receive a higher 9 Access Granted salary. According to DataMasters, a professional services firm specializing in information technology, security specialists are compensated between $87,238 and $130,698 in the western region of the United States. • Industry standards are considered the key to making information security a mature discipline and security standards for business are ever-evolving. Some current control practices are based on the NIST Special Publication 800-14 (NIST 800-14) and the International Organization for Standardization 17799 (ISO 17799). The Information Systems Security Association (ISSA) is in the process of developing the Generally Accepted Information Security Principles (GAISP). Based on the ISO 17799 framework, the GAISP will enhance global information security through three levels of guiding principles. • The security technology industry is undoubtedly a hot marketplace and, as no particular entity or institution is exempt from the need to protect vulnerable assets, this industry will only gain greater exposure as it continues to evolve. Several factors such as standards, convergence, and consolidation, as well as paradigm shifts, will be significant catalysts in shaping what types of security technologies will be developed and what the overall security industry will move toward in the next several decades. 10 Section 1 Trends Access Granted The Growth of an Industry Despite their dominating influence today, history indicates computers only served as standard business tools and been regarded as typical household items in the past 20 years. In this relatively short time span, however, the Internet, extranets, and intranets have infiltrated businesses, organizations, and individuals’ lives as standard equipment. Since the emergence of the Internet, businesses and society have benefited enormously from the wealth of convenience that it enables. Tapping into the possibilities that the Internet, intranets, and extranets provide, businesses and organizations have been able to cut costs and increase the speed at which communication occurs. The Internet Age has made available a wealth of information. As the digital environment adopts more users and more locations, an increasing majority of communication will be electronically based. Given this fundamental change in modes of communication, billions of dollars have been poured into security technology, in order to ensure the integrity of the information sent, as well as the integrity of the sender and the recipient. The emergence of the security technology industry has been driven by an overall increase in the reliance on the Internet for data traffic, transactions, and e-communication as a means to streamline costs, increase the speed of communication, maximize productivity, and facilitate efficiency. The economics of conducting business and communication on the Internet has transformed all facets of the communication model. The actual economics of utilizing the Internet, intranets, and extranets, however, can only be assets to organizations or individuals if communication over these systems is secure. As “hackers,” “crackers,” and “script kiddies” continue to launch a greater number of cyber-attacks on vulnerable systems using more sophisticated methodology, all players in the digital world are in consensus that securing information is imperative, and obtaining the security technology necessary to secure information is of primary importance. Market Growth As a Silicon Valley CEO stated, “Security threatens network availability, which directly affects productivity;” the need for the technology has thus driven the growth of this sector. The security technology market in 2001 1 reached $17 billion. The market is expected to show strong continual gains over the next several years. The security technology industry is projected to experience a revenue increase from its 2001 levels to $45 billion by the year 2006, as stated by Internet Data Corporation 2 (IDC) Research Firm. 13 Access Granted The growth of this industry can be attributed to several factors. First, the understanding that cyberspace is inherently insecure is one aspect that has contributed to the demand for these technologies. Whereas security technology was once perceived as a dispensable component of business operation and ecommunication, it is now recognized as an indispensable defensive measure or insurance strategy that enables standard business operations. It also provides peace of mind to the regular user. Moreover, the investment in security technology is also currently regarded as a strategic enabler that allows businesses to stay competitive. Second, the expectation of the everyday user is also responsible for this sector’s growth. Countless confidential files, personal documents, and other critical assets are transmitted daily through the Internet, and an even greater number have been and are being stored on computer and network databases. The expectation is that the networks and databases that information is stored upon and the medium it is sent through are inaccessible except to those who are authorized. In short, these systems must be trusted. In the business scenario, trust is the foundation of good business practice for all business sizes and services. Firms that have launched their businesses’ products and services via the Internet must be able to assure potential customers that e-transactions containing confidential information are in fact secure from sabotage. When companies have taken the necessary measures to do this, they are better positioned to remain competitive as well as gain a greater share of the future market. If a business has experienced repetitive or even a singular catastrophic security breach, its reputation may precede the value 14 of its products and services in the market and predetermine the firm’s growth. That said, the reverse is also true: if a business can be trusted with the personal assets of its customers, the business will have a competitive advantage. With security breaches becoming increasingly more commonplace and incurring greater expense, security technologies and policies cannot be absent from any network environment. Statistics also indicate that the need to protect confidentiality and privacy in cyberspace is not just a perception but a reality. Symantec Corporation’s 2002 Internet Security Threat Report indicated that there was an estimated 81.5 percent increase over 2001 in the number of vulnerabilities or “weaknesses” in software that would allow a virus to enter a 3 system. Computer Security Institute’s 2002 Computer Crime and Security Survey confirmed that there continues to be a growing number of vulnerabilities experienced by computer systems, and of the vulnerabilities that exist, a number of them have been exploited. Approximately ninety percent of the 503 survey respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months. Of those, 80 percent acknowledged financial losses due to computer breaches and forty-four percent (223 respondents) were able to quantify their financial losses. When the number of attacks has been tabulated, and the costs totaled, it can be shown that the impacts of these security breaches in cyberspace has significantly escalated costs, especially to businesses 4 (Table 1). Third, federal legislation is a major driving force behind the demand for systems security. Access Granted While new regulations will increase the revenues of security technology companies, the intention of these regulations is not to generate profit. Even before the tragedy of September 11th, the federal government recognized that the security of cyberspace is necessary to economic growth in the twenty-first century. September 11th arguably thrust security and cyber-security to the forefront of regulatory priorities and the federal government has taken the initiative to establish legal frameworks in the interest of securing cyberspace. Recent Security Legislation The most recent and multi-organizational effort launched by the federal government to improve cyber-security was the “National Strategy to Secure Cyberspace.” The final draft of this strategy was completed in February 2003. It outlines and identifies three national strategic objectives including preventing cyber attacks against critical infrastructures, reducing national vulnerability to cyber attacks, and minimizing damage and recovery time from cyber attacks that do occur. It also dictates five national priorities including: a National Cyberspace Security Response System, a National Cyberspace Security Threat and Vulnerability Reduction Program, a National Cyberspace Security Awareness and Training Program, Security Governments’ Cyberspace, and National Security and International 5,6 Cyberspace Security Cooperation. Gramm-Leach-Bliley Act (GLBA) The Gramm-Leach-Bliley Act (GLBA) of 1999, also known as the Financial Services Modernization Act (FSMA), is intended to protect consumers’ privacy and information security. A company that fails to comply with GLBA provisions may be the target of inforcement actions. Broadly, this legislation requires financial institutions to provide clear and conspicuous notice to customers of their privacy practices and an opportunity to opt out 7 of disclosure to third parties. 15 Access Granted The Health Insurance Portability and Accountability Act (HIPAA) HIPAA is federal legislation that specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic 8 protected health information. HIPAA addresses the extensive range of security issues faced by healthcare institutions. The law focuses on the protection of patient information in the healthcare industry and defines how medical records and patient data transactions will be handled nationally. More importantly, it introduces guidelines that require data format consistencies and present several opportunities for additional technical security developments. Senate Bill 1386 The State of California has also responded to the repercussions of cyber-security attacks. 16 On July 1, 2003, SB 1386 will come into effect as a means to combat identity theft. This law requires any online business to notify its customers when computer security breaches have occurred. To trigger the law, a breach must expose certain types of information, specifically customers’ names in association with their Social Security number, driver license number, or a credit card or bank 9, 10 account number. Ultimately, there are three primary factors that have been the driving force behind the market penetration of security technology products and the growth of the security technology industry. These factors are: the understanding that cyberspace is inherently insecure, the expectation that e-communication should be secure, and the increase legislation regarding privacy and cybersecurity. As illustrated by the 11 following tables (Tables 2, 3, 4, 5), this industry is anticipated to experience strong continued growth. Access Granted 17 Access Granted Although the particular technologies identified by the preceding tables do not reflect the entirety of the products that currently make up the overall security technology market, they are evidence of the projected growth of 18 this industry over the next several years. This is an industry marked by strong growth potential, which will provide a concomitant increase in opportunities in the information security job market. Section 2 Identifying Threats Access Granted Recent Trends in Security Breaches In the world of cyber-space, the increasing challenges to secure computing have drawn significant attention from industry, government, and other organizations. Exactly what constitutes a cyber-threat? Where do they originate? Who is responsible? What is the nature of the attacks? A cyber-threat is an “intended or unintended illegal activity that has the potential to lead to unpredictable, unintended, and adverse consequences on a 12 cyberspace resource.” Cyber-threats include everything from individuals breaking into a system to the existence of computer codes that are transferred into a network system explicitly for malicious purposes. With the alarming increase in cyber-attacks, those in industry have pinned down the standard range of sources of security attacks, types of threats, and culprits responsible for the attacks. The threat from computer crimes and other online security breaches continues to grow. In 2001, the Computer Security Institute (CSI) conducted a survey of 538 security professionals in U.S. corporations. Findings revealed that 40 percent of the respondents (versus 25 percent of the respondents in 2000) detected penetration attacks from external sources. Similarly, 38 percent in 2001 reported that they detected denial of service attacks compared to 27 percent in 2000. Employee abuse of Internet privileges also 13 increased from 79 percent to 91 percent. In 2002, CSI and FBI conducted another survey aimed at identifying which sources were the most popular point of entry for attacks into a computer system or network. Based on the input of 503 respondents from private companies and private agencies, the most popular point of entry was the Internet— respondents indicated that approximately 72 percent of attacks originated from this 14 source. Other points of entry include internal 15 systems and remote dial-in connections. The growth in the number of cyber-attacks is a disconcerting yet unavoidable factor of cyberspace convenience. Points of Entry As high-tech industries develop methods to provide individuals and businesses with an increasing number of options for logging into the Internet, they also develop a growing number of entry ports that have the potential to become the point of origin for cyber-attacks. While all of these types of malicious actions and methods of affecting cyberspace can be understood as threats to computer and network security, cyberdestruction and malicious disturbance originates from a range of diverse sources using different methods. Possible sources of 16 attack include: 1. Outside attack from network 2. Outside attack from telephone 3. Inside attack from local network 4. Inside attack from local system 5. Attack from malicious codes 21 Access Granted The topography of attacks, or the structural relationships between computer systems that 17 can be attacked are: 1. Computer-to-computer 2. Computer-to-network 3. Network-to-computer 4. Network-to-network In addition to the origins of attack, it is important to understand how threats on networks systems are launched software programs. Malicious Software and Their Processes Malicious software is the term used to describe the range of destructive programs that can infect a computer system or network. The four primary types of threats to a security system are: 1. Network worms 2. Trojan horses 3. Computer viruses 4. Blended threats Network Worms Network worms can wreak havoc upon a computer or a networked system. Essentially, a network worm is a program that utilizes the network connections to spread itself from system to system. Therefore, every computer system linked via communication lines is equally vulnerable and exposed to the threat of a network worm. Network worms are one of the most serious and fastest types of cyber-attacks. One of the most recent is “Code Red 1 and 2,” which was responsible for infecting Windows 2000 22 18 machines worldwide. Considered one of the most notorious worms, Code Red at one point threatened to bring down much of the Internet by exploiting a flaw in Microsoft's Internet Information Server (IIS) that comes with Windows NT/2000. Code Red was able to replicate itself from system to system with only a single host file on a single system. Once a network worm such as Code Red has obtained entry and is active within a system, it can behave in various ways. The most common types of behaviors a worm may exhibit are mimicking a computer virus or implanting a Trojan horse. On a theoretical level, network worms are very similar to computer viruses. The difference, however, is that a worm can tunnel a path from the initial point of entry (e.g. initial computer) throughout the network and is capable of randomly selecting which computer systems and programs to infect. Essentially, worms can replicate themselves from system to system without the use of a host file. A computer virus must use a host file from each system in order to infect. In order for network worms to replicate themselves, they must use some sort of network vehicle, which is dependent on the type of network and systems. Examples of network 19 vehicles include: 1. A network mail facility where a worm can mail a copy of itself to other systems. 2. A remote execution capability, where a worm can execute a copy of itself on another system 3. A remote login capability, whereby a worm can log into a remote system as a user and then use commands to copy itself from one system to the other. The new copy of the network worm is then Access Granted run on the remote system, where it may continue to spread to more systems in a like manner. 4. Depending on the size of a network, a network worm can spread to many systems in a relatively short amount of time, thus the damage it can cause to one system is multiplied by the number of systems to which it can spread. Trojan Horses Trojan horses are named after the Trojan horse of myth. True to its namesake, Trojan horses in the world of cyberspace refer to programs that appear to have one function but actually perform another function. A Trojan horse will resemble a program that the user wishes to run—a game, a spreadsheet, or an editor. While the Trojan horse program appears to be doing what the user wants, it is also doing something else unrelated to its advertised purpose, and without the user’s knowledge. In most cases, Trojan horses propagate via email. They are usually found within attachments because their authors exploit vulnerabilities of the email client. Some other well-known functions of this threat include: managing files on the victim computer, managing processes, remote activation of commands, intercepting keystrokes, and restarting and closing down infected hosts. These possibilities vary according to individual Trojan horses. The following have been targeted as the most notorious: NetBus, Back Orifice 2000, SubSeven, and 20 Hack’a’tack. Computer Viruses Computer viruses are the most widely recognized class of programs written to cause some form of intentional damage to computer systems or networks. A computer virus essentially performs two basic functions: it copies itself to other programs, thereby infecting them; and it executes the instructions the author has included within it. Depending upon the computer code used, the virus is used for time-specific attacks. This means that a program infected with a virus may cause damage immediately upon its execution, or it could be written to stall its attack until a certain event (such as a particular date and time). The damage that computer viruses can inflict can be so extensive as to require the complete rebuilding of all system software and data. This is because viruses spread so rapidly to other programs and systems that they multiply the range of damage. An example of an infamous virus is the Melissa virus. It was first observed on March 26, 1999. It actually did not do damage in the sense of deleting, or stealing files. In fact, only sites with desktop systems running Microsoft’s Outlook email client were directly affected. However, even though systems did not spread the virus directly by email, these systems still had their Microsoft Word documents infected and continued to pass on the virus. Because Melissa exploited one of the most valuable benefits of the net— the ability to share documents—to propagate and to multiply itself, it affected more people 21 and spread faster than earlier viruses. Blended Threats Blended threats use multiple methods to attack or propagate. They are intended to cause more than one injury to the system, which makes a blended threat particularly 23 Access Granted difficult to clean up because of the multiple points of damage. One of the most dangerous characteristics of a blended threat is that it 22 exploits vulnerabilities. compromise. These characteristics combined basically allow blended threats to be more prolific and deliver more damage than the 24 typical virus or worm. Nimda is an example of a blended threat that made headlines in the summer and fall of 2001. Part of the reason it wreaked havoc upon computers and network systems is because it had five methods of propagation. First, it could infect users who visited the web pages of compromised web servers by embedding itself into the .html files of an infected web server. Second, it could also propagate via email; it did this by harvesting email addresses from any MAPI-compliant email program’s mailboxes. It could also extract email addresses from .html and .htm files. Third, systems infected with Nimda scanned the network looking for unpatched Microsoft Internet information servers and attempted to use a specific exploit (the Unicode Web Traversal exploit) to gain control of the target server. Fourth, it also attacked web servers comprised by Code Red 2. It did this by exploiting a backdoor installed by Code Red 2 to install and execute the worm. Lastly, Nimda attacked hard disks of systems that had enabled file sharing over the network. During this process, it would create a guest account 23 with Administrator privileges. Identifying the Culprits: Hackers, Crackers, and Script Kiddies As exemplified in the example of Nimda, blended threats have multiple methods of propagation, which renders containment of a threat challenging. A blended threat can automatically use one of various vulnerabilities it understands to compromise a system. Even if one security patch eliminates one vulnerability, another unpatched vulnerability or misconfiguration of the system may allow 24 Behind every attack on a computer system or network is an individual who is responsible for the design or application of malicious code. As the number of security breaches has increased since the introduction of computers and networked systems, journalists and industry members have coined names for these individuals. Based on the intentions of the individual responsible for planning or executing the cyber-attack, the individual can either be defined as a “hacker,” “cracker,” or “script kiddy.” Dispelling the Myth behind a Hacker The term “hacker” is frequently and commonly misused. While it is thought that a hacker is an individual who has broken into a computer system or network with malicious intent, that is not always the case. Industry uses the term “hacker” to refer to an individual with exceptional computer skills who is intensely interested in the workings of a computer operating system. The term is often used to describe both ethical industry professionals and their criminal counterparts. To eliminate some of the term’s confusion, the industry has attempted to create more definitive titles. White hat hackers are defined as the “good guys” of information security. Gray hat hackers are defined as those computer experts Access Granted making the transition from a criminal past to an ethical future in the trade. The term “black hat hacker” is used interchangeably with the term “cracker” to describe criminal hackers who use their skills to take over systems and commit illegal acts. computer systems, and writes codes driven by a malicious intent and a desire for a destructive outcome to a computer system or network. Traits of a Hacker A cracker is someone who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Crackers who obtain unauthorized access use it to do one of the following: destroy vital data, deny legitimate users service, or wreak overall havoc on the targeted system. Unlike a cracker, when a hacker creates a program that can automatically check for the security structure of a remote machine, it is to improve the information on security risks and threats that now exists. A hacker’s intent is not to write a code that will break down a system. Hackers constantly seek further knowledge, and freely share what they have discovered. As such, hackers usually possess advanced knowledge of operating systems and programming languages. Hackers can often be found probing a computer system or network at both a macro and microscopic level, looking for holes in software and snags in logic. They write programs to check the integrity of other programs, creating and improving security 25 measures through the process of analysis. The Real Culprits: Crackers The word “cracker” used in the security technology industry is in fact a merger of two words: “criminal” and “hacker.“ As these two words suggest when combined, they describe the intent of the individual who is accessing a system. A cracker is one who is arguably comparable in skill level and knowledge of a hacker in the workings of a computer system. The critical difference, however, lies in the intent. A cracker creates programs, targets Traits of a Cracker To further distinguish hackers from crackers, crackers rarely write their own programs. Instead, they “beg, borrow, or steal tools from others.” Crackers use these tools to subvert Internet security rather than improve it. A true cracker creates nothing and aims to only destroy. This individual’s chief pleasure and goal is derived from disrupting or otherwise adversely affecting the computer services 26 of others. The Amateurs: Script Kiddies Unlike hackers and crackers, “script kiddies” are usually amateurs not well versed in the workings of a computer system or network and are typically part of the younger population. Similar to hackers and crackers, these individuals gain unauthorized access into a computer system or network. However, this group of unauthorized entrants is considered to be amateurs by members of industry as well as by the hacker and cracker community. Their experimentations in cyberspace, although disruptive, may generally be considered non-malicious. 25 Access Granted Traits of a Script Kiddy Script kiddies are people who are driven by one goal—to gain access to a system. The attacks that script kiddies perform upon a networked system are, for the most part, random. Unlike hackers and crackers who are knowledgeable, script kiddies are considered amateurs. They are generally after easy targets and are not concerned with how much noise they make while they are trying to acquire them. The objective of script kiddies is volume; the number of systems a script kiddie has gained access to, and therefore “owns,” elevates that individual into a higher rank in the script kiddies’ world. They generally have a small arsenal of tools, which are freely available on the Internet. The tools they have allow them to exploit a small number of holes in systems. Script kiddies usually do not have much programming knowledge or experience, and are limited to the tools that they have already 27 learned to use. Ethical Hacking: A Gray Area Ethical hacking is an assessment test used to check system weaknesses and vulnerabilities. Companies typically hire gray hat hackers to perform these penetration tests. In these tests, the hired gray hat plays the role of a black hat or cracker. They find system vulnerabilities and then report them to the company’s internal administrators. Unconventional methods of ethical hacking have taken the form of 26 public contests in which large companies offer prizes to hackers who can crack their latest hardware or software. Since these penetration tests are performed with permission and the purpose is “good intent,” this type of hacking is considered to be relatively acceptable. While several companies have benefited from this method to protect their systems, some professionals feel this tactic is flawed. Some see granting permission to outsiders to penetrate the system as a major conflict of security interest. Other critics state that any intrusion on a system with or without permission is illegal. The reason? While businesses may own the systems being penetrated, they may not own the information that is uncovered during the test. Additionally, there is no way to guarantee that the hired gray hat is purely motivated by good intent and determining “good intent” is nebulous. There are rogue gray hat hackers who claim to perform ethical hacking, but are in fact infiltrating and repairing systems without permission. Political interests and the possibility of fame often drive these gray hats. Also, the penetration process can leave the system more susceptible to harm than it was prior to the test. Contracted hackers will often clean up the system or leave instructions for staff to do so following the test. A minority of critics weigh the possibility of the gray hat leaving a door open in the system for later exploits. Despite conflicts of opinion in the industry, ethical hacking will most likely continue to play a significant role in vulnera28 bility assessment. Access Granted “ Ethical hacking works—and works well, but it is proof of how infantile the state of information ” security is. —Chief Technical Officer 27 Section 3 Technology Access Granted Defining Security Technology In the seemingly chaotic world of cyberattacks, malicious software, hackers, crackers, and script kiddies, both government and industry are attempting to respond to the need for a more secure cyberspace through the implementation of regulations and the development of security technology. So what is security technology? Security is “freedom from risk or danger.” Security technology, therefore, is the use of technology to prevent and protect against both the access to information by unauthorized recipients, and the intentional but unauthorized destruction or alteration of that information. In addition to prevention and protection, security technology includes technologies that help professionals and/or technicians respond to security breaches that 29 have occurred. The technologies that are intended to enhance security are developed in response to an identified problem that has occurred in cyberspace. They are created to function either before, during, or in response to a security violation. In short, the functions of security technology are to provide a solution to an identified problem, namely the need to prevent against, detect, or respond to an existing security breach or the potential of this type of attack. When security technology is applied to protect a networked system from security breaches and threats, this is known as “system security.” System security is the ongoing implementation of protections for the confidentiality and integrity of information and system resources. More simply stated, system security is when a networked system can claim the following: the system can be trusted to retain sensitive information; data transfers in a network are virtually free of threats; and unauthorized access into a system is prevented. Existing Security Technologies Existing security technologies in today’s market are geared to prevent, identify, and/or respond to security threats and breaches. Accordingly, the security market is both highly segmented and integrally intertwined. In terms of methods of delivery, the security market has clear and defined divisions. In contrast, the existing technology, and the techniques used to create a product to fulfill a security role, are extremely interdependent. These are four goals of this section given the complexity of the security technology industry. First, it will identify and provide a basic overview of the background and originating principles upon which the existence of security technologies is founded upon. Second, it will provide clarification of the divisions in the security market, based on the four primary 31 Access Granted methods of delivery. Third, it will identify the techniques used in the major categories of security technology to enhance computer and network security. Lastly, a matrix will be provided to illustrate how each of these components is connected. Examples of security technologies that put this principle into practice include: passwords, credit-card-sized cryptographic tokens or smart cards, or biometric signatures such as 31 fingerprints or voiceprints. Principle 2: Access Control The 3 “A’s”–Founding Principles of Security Technology Companies, security technology experts, and researchers have contributed to transforming the conceptual definition of security technology into ideas and goals that ultimately take the form of tools and techniques. Security tools and techniques are subsequently transformed by companies into products. The evolution of security technology can be traced back to the original “triple A’s” of security: authentication, access control, and audit. Without these three principles, the concepts, techniques and tools that enable existing 30 cyber-security would not exist. Principle 1: Authentication Authentication is a principle that refers to the act of establishing and confirming the identity of one party to another. When the principle of authentication is applied, it protects computer-to-computer or process-to-process communication in both directions. Most commonly, authentication establishes the identity of a user to some part of a computer system or network. A product that “authenticates,” in effect, prevents a user’s access to information stored in a computer system. Authentication is also intended to prevent the transmission of an unauthorized transaction through a computer system or network. 32 Access control is a principle that deems that logical and physical privileges onto a computer system or to data should be regulated. In application, it is a method that determines what one party will allow another to do with respect to gaining entry into a computer system and gaining logical privileges. Logical privileges include the authorization to administer changes in a computer’s operations, add or delete data, and block out data transfers in computer-to32 computer traffic. When the principle of access control is applied to security technology to create a product, these products often are designed to work in combination with authentication. For example, when access control is implemented in a system, it theoretically allows the owner to ensure that a computer system is secure from unauthorized physical access through a computer system or network. It also theoretically allows the owner of a system or a third party to control the legitimacy of cyber-transactions between computers. However, neither of these capabilities would be possible without the additional application of the authentication principle. Because access control, by and large, is intended to work in tandem with the authentication principle, examples of products that are based on the principle of access control are similar to the tools associated with authentication. Access Granted “ ” Security is an art form. —Security Technologist Principle 3: Audit Auditing as a principle refers to the identified need for log gathering and monitoring in order to secure cyber-transactions. In application, it is a process of gathering data about activity occurring within a computer system and analyzing it in order to detect and discover security violations or diagnose their cause. Analysis can occur either offline after the fact or online in real time. An example of a tool that helps to carry out audit controls is an intrusion detection system (IDS). An IDS can take the form of either a passive or an active system. Passive Intrusion Detection System A passive intrusion detection system is when analysis of audit data is occurring offline and the intent is to bring possible intrusions or violations to the attention of the auditor. Physical vs. Logical Prevention and Protection When companies evaluate which types of security technology should be integrated into existing networks, the realm of security that a product will enhance must be considered. With respect to computers and networks, these are physical and logical prevention and 34 protection (Table 6). Physical access prevention refers to protecting a computer system or network from unauthorized use by an individual. Logical access is the protection provided by techniques, tools, and products in order to secure data and/or communications in etransactions in the following scenarios: between a single computer system and a global network, among networked computers, and between a network and other cyber information systems. Physical access is considered to precede logical access, because in order for an individual to obtain or manipulate data in a computer system, it is first necessary for that individual Active Intrusion Detection System An active intrusion detection system is when analysis of audit data is occurring in real time and may take an immediate protective response, such as aborting the suspected 33 process. 33 Access Granted to gain physical authorization to use that system. Nevertheless, the view that restricting physical access therefore relieves the need for logical access restrictions is misleading. Any system that has communication links to cyberspace is in fact at risk for a logical vulnerability. External vs. Internal Apparatus In distinguishing between the actual tools of the security technology industry, it is important to note that security technology products can be physically located either external to or internal to a computer system or network. When a tool lies internally within a computer or networked system, it is designed to protect, prevent or respond to breaches in e-transactions and other e-traffic. These tools often promote logical access by ensuring that the transfer of information into a computer system or through a networked system is both secure from external sabotage and that the data itself is not a vulnerability to the computer system or network. When security technologies are installed as a tool external to a computer system, these tools generally serve the function of preventing and protecting a computer system from the unauthorized physical access to a computer. Methods of Delivery Based on method of delivery, security solutions may be divided into four primary segments: security software, security appliances, managed/outsourced security services, 35 and peripheral security services (Table 7). 34 Technologies and Techniques When considering the existing technologies in this market, there are three broad groups in which the range of technologies, based on the technique used, may be segmented: computer infrastructure, cryptography, and biometrics. The products in the market may use one or more of the following methods to achieve the product’s security function. Computer Infrastructure In the context of the computer industry, computer infrastructure is a broad term that is used to capture the range of technologies that allow computers and users to be connected. Accordingly, it refers to the physical hardware used to interconnect computers, networks, and users, which can include routers, switches, and other devices that allow for etransactions to occur over the internet. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted. In application to security technology, computer infrastructure is the term used to refer to the hardware and software designed explicitly for the purposes of enhancing systems security. The methods used to enhance security in the computer infrastructure category of this industry take the form of programs or hardware devices that enable security because they are generally run or activated as part of operating system environments. Access Granted Table 7: Methods of Delivery for Security Solutions Method of Delivery Definition Security Software Security software consists of pure software products that are licensed to users. These products typically run on off-theshelf servers, workstations, or desktops running standard operating systems. Security Appliances Security appliances include purpose-built hardware performing one or more security functions. Security appliances typically have a hardened (better secured) version of off-the-shelf operating systems. Managed/Outsourced Security Services Managed/outsourced security services include services that involve either managing a customer’s installed security solution (e.g., firewalls and VPNs) or providing a pure service (e.g., trust services such as outsourced PKI service). Peripheral Security Services Peripheral security services include services that are supportive in nature to the other three segments. These peripheral services include consulting, implementation, and training services. Given the complex nature of security solutions, limited understanding of the involved issues, and lack of trained personnel (often times in small- and mid-sized businesses), a healthy market has developed for peripheral services. Source: Sigmond and Kaura, RBC Capital Markets 35 Access Granted codes or ciphers. Cryptography is most often used for the purposes of enhancing security during e-transactions. “Code” is one of the two major methods of cryptography and involves the replacement of complete words or phrases by code words or numbers. “Cipher” works on the principal of replacing individual letters by other numbers or letters. Companies that focus on producing security enhancements that come in the form of computer infrastructure play a significant part in evolving the Internet and security. In fact, security tools and techniques that fall under the category of computer infrastructure comprise a majority of the security technology market because these are the technologies that determine the physical locations of interconnections as well as determine how much information can be carried, and at what speed. Some examples of technologies that protect and/or prevent security breaches include: software programs, virtual private networks, firewalls, anti-virus solutions, and intrusion detection systems. It is important to note that the security enhancements that the listed tools provide can come in the form of 36 either physical hardware or software. Cryptography Cryptography is based on mathematical formulas that provide encryption and decryption capabilities based on the use of either 36 The use of encryption and decryption methods comprises what is known as cryptosystems. There are two basic cryptosystems: symmetric and asymmetric. Symmetric cryptosystems use the same key (the secret/private key) to encrypt and decrypt a message. In contrast, an asymmetric cryptosystem uses one key (the public key) to encrypt a message and a different key (the private key) to decrypt it. Asymmetric cryptosystems are also referred to as public key cryptosystems. When adapted to the market, these are known as public key infrastructures, 37 or PKI. The general tools that are based upon cryptography include: digital certificates, certificate authority, and digital signatures. How do these work? A certificate authority, or a trusted third-party organization, issues the digital certificates or the certificate that establishes the validity of a users request to a website. Essentially, the URL on the certificate must match the URL of the website that the browser is connecting to in order for the private/secret key to be sent or received. In short, a certification authority, after verifying the authenticity of a requester for a digital certificate, will generate a digital signature for the certificate, which in turn, enables connec38 tion into a secured site. Access Granted On a snapshot level, cryptographic tools are generally designed to ensure that data is being received and sent by the intended recipient and sender. Technology products that are based on cryptosystems convert data into some unreadable form; this is known as encryption. In order for the encrypted data to be comprehensible, decryption or the transformation of the encrypted data back into its original form must occur. Theoretically, it was intended that only the two individuals who are the intended sender and receiver of data would possess the secret key that encrypts and decrypts messages. The fact that it is not entirely possible to develop a tamperproof method of transporting the secret key from the sender to the recipient creates the potential for security breaches to occur, and thus the need for multiple methods to enhance cyber security. Biometrics Biometrics is the third broad category of security technology tools. Biometric security technologies utilize physical human features as the method by which to enhance security. Current biometeric tools identify physical human features such as fingerprints, eye retinas and irises, voice patterns, and facial patterns and measurements. On a basic level, biometric tools compare the personally identifying physical feature of the individual requesting access with the data stored in the biometric tool regarding the supposed individual. If the data stored in the biometric tool matches the targeted physical feature(s) of the requested user, access to the system will be granted. If there is a mismatch, access is denied. When identifying physical features are used as the means to achieve protection for a system, they are largely used in the context of regulating or preventing a user’s access. Biometric tools are typically external equipment that regulate an individual’s access either into a physical area or provide regu39 lated access to a computer system. Piecing It Together The security technologies that investors, customers, and clients purchase have undergone an evolutionary process. The following matrix specifically pieces together the components of the security technology industry (Table 8). “ Security technology is protecting the integrity and availability of data assets. —Chief Technical Officer ” 37 Access Granted 38 Section 4 People Access Granted Growth in the Job Market Government is heightening awareness of the need for security, and high-tech companies are transferring their attention to security technologies by investing in a long-term and relatively collaborative effort to enable a more secure cyberspace. Market trends validate that the growth in the security technology industry will result in the subsequent demand for a workforce that can not only develop these technologies, but implement these processes when attacks occur. There are no credible signs that attacks in cyberspace will halt in either the short term or long term. As such, demand for a workforce prepared with the skills and the knowledge to work in the security and technology interface has been stimulated. Demand for Information Security Professionals The demand for information security professionals, in effect, starts with the concept of security. Security is an ever-evolving measure, a process, and an ongoing objective. As more information about computer hardware and software vulnerabilities, malicious scripts, virus data, and other critical infrastructure-related security trends becomes publicly available, script kiddies and black hat hackers will make alterations to cyber-attacks to compensate for new safeguards. In turn, the best information protection practices are continuously rescaled to counteract new threats. This cyclical combat of “shield and conquer,” combined with businesses’ continuous need to build trustworthy infrastructures, propels the global voracity for skilled technical professionals in information security. It appears that there will always be a demand for technical professionals who maintain the security of sensitive information. Technology has created a wealth of high impact applications that benefit business and government. Enterprises increasingly utilize worldwide computer networks for integral business operations. E-commerce is a calculated and significant ingredient in business structure. Governments depend on information technology to collect, analyze, and distribute essential intelligence, as well as create and refine military hardware. The protection of critical assets and information has always been a priority for public and private sectors. This need for data protection escalated after the devastating events of September 11th. In the wake of the World Trade Center and Pentagon terrorist attacks, the perceived value of information increased, as well as the comprehension that information translates into money. As public and private industries examine and redefine their concepts around logical and physical security efforts, they will need the expertise of information security specialists. The urgency for skilled security specialists will continue to intensify as federal agencies restructure to fully actualize the Department of Homeland Security, and businesses create and deploy security technologies. Silicon Valley is the location of nearly 400 corporate headquarters—many of which are IT-based and focus on the development of security technologies. Silicon Valley businesses have 41 Access Granted already experienced an upsurge in the award of government contracts for entrepreneurial and innovative security products, and have received requests to serve on public/private-sector collaboratives that identify and evaluate security efficiencies across industries. As information security continues to be a pivotal area of concern, Silicon Valley will be repeatedly looked upon for leadership in security technology development and implementation. As such, this makes Silicon Valley a fundamental market for valuable information security talent. Experts suggest that many opportunities in information security will sprout from the “National Strategy to Secure Cyberspace” and new legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Aviation and Transportation Act. The Aviation and Transportation Security Act is a direct response to the September 11th terrorist attacks. In an effort to limit and secure the vulnerabilities of the transportation industry, the law establishes a Transportation Security Administration within the Department of Transportation. The law requires the administration to adopt stricter security standards for baggage screening and implement various protection devices. Silicon Valley is a major player in the administration’s efforts for airport safety. The Norman Y. Mineta San Jose International Airport is one of five national airports selected to serve as a beta test site for these new security standards and technologies. HIPAA will stimulate the growth of information security jobs as healthcare institutions strive to leverage networks. Skilled security professionals will be needed in healthcare institutions to deploy security architectures that not only meet government regulations, but also 42 guarantee trust. (See page 16 for more information about HIPAA). The demand for information security professionals can also be measured by the increased desire for security certification in traditional IT job descriptions and by the lack of qualified candidates. Silicon Valley IT managers partially blame the challenge of finding information security talent on the low number of computer science doctorate degrees awarded in the United States. Computer science doctorates are used to measure the U.S. education system’s production of qualified people for the technology industry. According to the Survey of Earned Doctorates released by the National Science Foundation, doctoral degrees awarded in science and engineering dropped seven percent from 1998 to 2001. Computer science doctorates awarded in the United States peaked in 1995 with 997 doctorate degrees, but declined to 826 in 2001. California awards the most science and engineering doctorates, but only 125 of the 4,801 doctoral degrees awarded in 2001 were in the computer science field. In their 2002 report, the Information Technology Association of America (ITAA) projects a national need of over one million technology workers within 40 the next year. Despite the current downturn in the IT sector, there remain consistent projections of a 50 percent gap between the supply and demand of technology talent. Information security professionals will be some of the most sought after employees because they have the greatest disparity between the supply and demand of any IT occupation. A national shortage of 50,000 to 75,000 security professionals is expected to occur in the next few years. Compounding this supply problem is the dwindling number of minorities and women pursuing technical careers. To attract the best talent from the Access Granted limited pool of candidates, most employers have increased salaries and benefits for security specialists. A Foote Partners LLC study found that while salaries in traditional IT positions declined by an average of 5.5 percent for the first quarter of 2002 versus the first quarter of 2001, salaries for information security professionals increased on average by 3.1 41 percent. The average yearly compensation for information security professionals, including bonuses, now exceeds $100,000. Table 9 shows the salary and bonuses earned by information security professionals as of the first quarter of 2000 and the first quarter of 2002. Source: Foote Partners, LLC 43 Access Granted Opportunities for information security professionals will exist primarily in security network design and administration, as well as systems engineering. According to the Robert Half Technology 2003 IT Hiring Index, large companies employing 1,000 or more workers 42 will hire the majority of these professionals. Information security roles are statistically clas- sified under computer and mathematical occupations. In California, the total number of job openings due to growth and separations between 2000 and 2010 for network and computer system occupations are projected to be 98,200. Table 10 provides a breakdown by occupational classification. Table 10: California Occupational Projections SOC Code 11-3021 15-1051 15-1071 15-1081 Occupational Title Computer Information Systems Managers Computer Systems Analysts Network and Computer Systems Administrators Network Systems and Data Communications Analysts TOTAL Number of Openings 21,500 28,400 34,100 14,200 98,200 Source: California Employment Development Department Evolution of the Information Security Department The growing divergence between information technology and information security can be defined as a slow yet steady process. Experts in the industry advocate that businesses should separate their information technology and information security into two distinct departments. The reason? It is considered a major conflict of interest to have the functions of information technology and information security in one division. Information security 44 focuses on protecting information assets and information systems. Information technology primarily focuses on technology as a functional tool for systems. Both roles overlap to manage information systems, but IT workers are primarily concerned with making sure systems run smoothly and information security workers are focused on setting the rules for how those systems run. The idea is that security can be compromised if the same person overseeing, implementing, or reviewing security is the same person responsible for the basic working order of the technology. The cost and development involved with the implementation of essential security are two reasons why many companies have not made Access Granted the transition to divide their technology departments. The perception is that by having a separate security department there is a substantial trade off with par performance and a slowing down of business operations. The expense for information security measures is like an insurance policy premium, and the industry continues to debate security’s return-on-investment (ROI) value. Opting to make do with current staff, companies have expanded the roles and responsibilities of traditional IT personnel. Local experts are uncertain how long this trend of blending roles inside of information technology departments will last. The prediction is that smaller companies, operating on lesser budgets, will continue to utilize IT workers for both information functions, but larger companies will have the means to invest in the actualization of two distinct departments to protect their assets. Deciphering Information Security Job Titles, Roles, and Responsibilities The structure and definition of information security jobs have yet to be fully clarified by the industry. There exist very few universal job titles below the executive level. This is partly due to the fact that most companies are utilizing traditional IT roles to handle the responsibilities of information security. This is also why it is common to find certified information security professionals with traditional information technology job titles. Because the information security industry is still in the process of development, this section will examine those roles and responsibilities that are currently common to the trade. The job titles listed reveal the most recent labels given to information security personnel and may not correspond to those designations in all companies; however, the tasks described reflect the roles of information security specialists. These job descriptions are a sample of opportunities available in security and are not intended to be an all-inclusive representation. All information security team members are responsible for establishing and enforcing security policies. Each member plays a role in one or more of the following: risk assessment, configuration and deployment of architecture, the management of security maintenance, incident response, and forensics. Team-specific responsibilities generally separate one job from the next, but in some organizations, the same employee may perform a variety of security roles. Since networking is where security measures have increased the most, this section will focus on those jobs that deal directly with protecting those systems. These positions are involved with the engineering and support of e-business infrastructures, as well as the inspection of these information systems. These jobs exist in the North American Industry Classification System (NAICS) under industry sector 54: “Professional, Scientific, and Technical Services.” Roles in information security can be divided into four basic groups: • Advisor/Strategist • Designer • Operator/Attendant • Examiner 45 Access Granted Most information security jobs overlap several of these general divisions and can be further classified by either organizational or functional responsibilities. In short, those who advise and strategize are the people determining how the infrastructure should operate; those who design are the people creating solutions to the problems identified by analysts; those who tend and operate security equipment are the people administering those solutions created by architects and engineers; and those who examine operations are those people ensuring the functionality of information systems. Advisor/Strategist Roles Advisor/strategist roles and responsibilities are generally found under the following job titles: • Computer security consultant • Data security analyst • Data security specialist • IT security analyst • Information security advisor • Information security analyst • Information security consultant • Information systems security analyst • Security analyst • Security policy administrator • Security system analyst Security specialists who have an advisor/ strategist role are primarily focused on identifying and assessing information security risks. This role figures into all aspects of the information security department. It greatly crosses over into the designer and examiner duties. In some companies, one employee may perform the analyst, architect, and engineer roles. Much of what advisor/strategist professionals 46 do is evaluate security projects, implement best practices, and provide guidance for security architectures. They observe and arrange the security posture of the enterprise by studying the needs of the company. They implement security policies and govern the implementation of countermeasure technologies that direct the security function. These specialists assess new systems or redirect the application of existing systems. By continuously assessing the adequacy of security controls and procedures, these professionals propose, develop, and respond to the policies and methods necessary to serve the organization’s system needs. Outside of performing tasks such as structured analysis, penetration testing, data modeling, information engineering, mathematical model building, and sampling, this role requires the preparation of cost-benefit and return-on-investment (ROI) analyses. These ROI analyses are presented to business management and typically determine the fate of proposed security solutions. Once management sanctions security solutions and technologies, these specialists coordinate with workers in the IT and/or security technology departments to implement these solutions. Professionals in advisor/strategist roles are often called upon to recommend training and certifications for IT staff. These specialists regularly receive requests for reports on specific security technologies and usually serve as upper security management’s initial point of contact for security concerns. Advisor/strategist roles typically require basic to advanced knowledge of business management and organizational objectives. It is Access Granted crucial for these workers to have expert knowledge of authentication, access control, and audit technologies. A disciplined knowledge of security testing procedures and techniques combined with an understanding of engineering is important. Individuals should also possess strong familiarity with implementing security architectures, such as firewalls, intrusion detection systems, and virus software that work in tandem. components, such as firewalls, intrusion detection systems, and Public Key Infrastructures (PKIs). They perform quality assurance testing and code inspections for security flaws. This role requires the professional to measure, detect, review, and improve the security infrastructure through additional products or security services. A great deal of the job is concentrated in research and development. Designer Roles Architects and engineers document operational procedures and indicate the availability of patches to update systems. They assist in the training of operations staff and give input on product development. Designers often advise users on the application of security services through user documentation or training . Designer roles and responsibilities are generally found under the following job titles: • Data architect • Enterprise security engineer • Information security architect • IT security specialist • Network security specialist • Security engineer • Security architect • Security systems architect • Security systems engineer Security specialists who have a designer role configure, develop, and deploy infrastructure technology and mechanisms that accomplish security goals. Designer tasks cross over into advisor/strategist and operator/attendant roles. These professionals plan and execute all aspects of new security service development projects. Designer professionals have the responsibility of coordinating and handling issues with vendors. Their focus is on the development and integrity of architecture, product selection, and the procurement of services. Professionals who have a designer role structure and assist in the installation of security Designers should possess advanced analytical thinking skills. Developing security architectures is a detailed process. Workers should have extensive knowledge of various programming languages, code standards, and all aspects of security engineering tasks. Successful designer professionals have the ability to identify fundamental issues in complex circumstances. Operator/Attendant Roles Operator/attendant roles and responsibilities are generally found under the following job titles: • Firewall administrator • Firewall security expert • Help desk security assistant • Information security administrator • Information security coordinator • Network security administrator 47 Access Granted • Security administrator • Security support specialist • Security systems administrator • Security technician Security specialists who have an operator/ attendant role install security software, oversee network traffic, and develop response plans to security dilemmas. Operator/attendant responsibilities link directly into advisor/strategist and designer roles. Security professionals who perform operator/attendant roles support the security infrastructure. They are often referred to as the day-to-day system detectives who ensure the regular cyberoperations of the organization. Operator/attendant professionals perform routine tasks, such as checking firewall and server logs, monitoring network traffic, and remaining alert to system vulnerabilities. They activate and control the technologies that contribute to the security of communication networks, and computer hardware and software. Administrators support analysts and engineers with the development and implementation of security policies. They are responsible for monitoring and reviewing operation practices and mechanisms to ensure security policy compliance. Administrative professionals promote security awareness and implement strategies to effectively deal with internal and external threats. To keep systems dependable, administrators regularly assess and analyze the effectiveness and appropriateness of information security policies and procedures. Companies rely heavily on operator/attendant professionals for their ability to detect discrepancies, so having a keenness for detail 48 is absolute. These professionals must have acute knowledge of database and network technologies. Those who can educate technical staff and end users are considered to be very valuable. Examiner Roles Examiner roles and responsibilities are generally found under the following job titles: • Computer forensic analyst • Computer forensics examiner • Electronic Data Processing (EDP) auditor • Forensic analyst • Information security auditor • Intrusion analyst • Network security auditor Security specialists who have examiner roles review systems for security functionality. Their duties closely align with advisor/strategist responsibilities. Examiner professionals evalu ate the adequacy of internal security controls prior to implementation. They manage and evaluate risks to guard against theft and disasters, such as fires and floods. They initiate corrective and preventative measures within the infrastructure to reduce security flaws. They also make recommendations for changes that ensure system integrity and accuracy. Their primary goal is to ensure that all aspects of a company’s information systems are appropriate and function as designed. These specialists create security audit reports that address the aptness of the organization’s security policy. To verify the accuracy of a computer program, auditors test the processing accuracy and control procedures that are built into the program. They examine the precision of Access Granted computer input and output and compare the results of the audit program with the output of the company’s programs. These comparisons reveal unauthorized modifications in the organization’s programs. Once an examiner discovers input and output discrepancies, they communicate findings to upper management and discuss corrective action. Examiner professionals need an in-depth understanding of penetration testing and computer forensic techniques, as well as familiarity with multiple computer platforms. The most successful auditors are fluent programmers who know a variety of script languages. Those who have extensive experience in computer forensic analysis, network protocols, network devices, and data recovery are highly coveted. The Executive Level of Information Security Similar to subordinate-level positions, the job titles, responsibilities, and reporting structures of information security management are inconsistent. Companies frequently assign administrative security responsibilities to traditional IT officers when they do not have chief security officer or chief information security officer positions. This approach to computer security is relatively effective, but experts cite that this method should be temporary if a company wants to successfully block security vulnerabilities. The theory is that using chief technology officers (CTO) and chief information officers (CIO) to manage the responsibility will become ineffective as the leadership role of security evolves. In particular, CIOs present a conflict of interest when they oversee security efforts. Security is constrained when the CIO must balance the need to save money with the need for secure and current network systems. The steady change of security architectures and the increasing pressure from legislative efforts, federal agencies, and financial auditors are slowly influencing companies to rethink their blended security and IT hierarchies. The challenge to meet security requirements on limited budgets forces some companies to outsource their security management. There are benefits to keeping the responsibilities of information security in-house, but currently only larger companies can afford such business indulgence. The expense and upfront costs of implementing specialized security teams, staff training, legal counseling, and new technologies can significantly impact the bottom line of a company. For small- to mid-size organizations, outsourcing security is a feasible solution for security costeffectiveness. Outsourced consultants offer service-level agreements (SLAs) that allow companies to control the budget and tailor security architecture to meet their needs. Outsourcing is not without its drawbacks. Once outside consultants enter the organization, security is compromised. It is opening the door to strangers and trusting these strangers to lock other strangers out. External teams are privy to confidential and valuable information assets. Businesses that contract talent need to draw up nondisclosure agreements to protect the company from any information leaks. 49 Access Granted There is often a lack of communication between outsourced teams and business management. Organizations can become completely dependent on outsourced specialists because of this. To avoid these conflicts and the possibility of generic security policies and practices, businesses are establishing inhouse executive security positions. Chief Security Officers (CSO)/ Chief Information Security Officers (CISO) The chief security officer (CSO) and chief information security officer (CISO) titles are often used interchangeably. The CSO is typically regarded as a more executive level position that orchestrates the overall security of business operations. The CISO title is considered a managerial position that oversees the security of information only. The main duty of a CSO or CISO is to protect the assets of the enterprise. In the case of the CSO, this responsibility would extend to physical security as well information security. CSO/CISOs frequently interact with top management and explain the security risks to non-technical administration. They oversee the policies and procedures that secure dayto-day operations. CSO/CISOs supervise several technical management teams and are responsible for hiring security staff. CSO/CISOs direct the business relationships between lower-level technical security personnel and vendors, as well as outside consultants. In addition, CSOs manage the creation and installation of global security policies that coincide with the organization’s strategic plan. CSO/CISO executives set the 50 guidelines and procedures for the ongoing maintenance of security and supervise security breach investigations. CSO/CISO executives need to have combined strengths in technology, business management, and law. Effective officers possess a strong understanding of the company’s assets and business culture. Experience in business continuity planning, auditing, and risk management, as well as contract and vendor negotiations, will support individual success. Many accomplished CSO/CISOs with a background in law enforcement or military intelligence have a better understanding of logical and physical security measures. Career Progression The business world is not in agreement about how information security should be structured. Currently, organizations are literally creating their security departments by trial and error. Cookie-cutter pathways in information security do not exist. Career progression is greatly determined internally and varies from company to company. The procurement of security certifications greatly affects the progression of security professionals. (See page 52 for more information about certifications.) The following career ladders are examples of possible job advancement within the field but are not exhaustive illustrations of information security career paths. Access Granted Career Ladders in Information Security Transitioning from a Traditional IT Position Experience in IT is beneficial for any candidate seeking an opportunity in information security. Some traditional IT professionals may find their job duties expanded into security due to the fact that a vast majority of companies blend security into the IT department. IT professionals are generally welcomed in security when they have plenty of work experience and the willingness to learn new tools. Professionals who have acute familiarity with operating systems and/or networking can expect easier moves into the security field. Many information security professionals have come from networking or systems administration backgrounds. Experts suggest that those professionals who have expertise in the applications side of technology should further their technical education and obtain role-specific security certification. Opportunities in the Federal Government Federal government jobs in information security emulate the private sector. The qualifications for employment are more stringent and the salary is typically lower. Job seekers 51 Access Granted interested in protecting the nation’s security should consider a career with the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), or the National Security Agency (NSA). The CIA has positions in network design and management and systems engineering. The CIA recruits individuals who are U.S. citizens and have a degree in computer science or computer engineering. Job seekers with specialty knowledge in information security and systems engineering and architecture are highly desired. There are two types of oppor- Basic Qualification Requirements for FBI Opportunities Special Agent • U.S. citizen • Four-year degree from accredited college/university • Age 23-36 • Valid driver’s license • Drug free • Uncorrected vision not worse than 20/200 • Corrected vision 20/20 in one eye and not worse than 20/40 in the other eye. Professional Support Personnel • U.S. citizen • High school diploma or equivalent • Drug free • Specific qualifications are defined for each support position 52 tunities available for information security professionals in the FBI: special agent positions and professional support personnel positions. The FBI is recruiting individuals for special agent positions who: are U.S. citizens, have critical skills in the areas of computer science and information technology; possess an information technology related degree; and have Cisco Certified Network Professional (CCNP) or Cisco Certified Internetworking Expert certification. The FBI recruits candidates for professional support personnel opportunities who have critical skills in computer networking and forensics. Protecting the United States’ information systems through the Information Systems Security (INFOSEC) mission, the NSA recruits systems analysts and engineers, cryptologists, and computer scientists who are U.S. citizens. Professionals who have advanced skills in designing cipher systems, developing security architectures, and implementing data communications will have the greatest opportunities in the NSA. Certifications Current trends in the security technology industry indicate that security still pays. For those with security certifications, this industry pays even more. As the security technology sector is expected to burgeon over the course of the next several years, significant growth in jobs can also be expected. Whether the job market is experiencing growth or is in a down-cycle, job seekers will be required to hone their skills and increase their marketability in order to ensure that their technical expertise is noticed in the hiring process. Access Granted “Security certifications are the fastest growing certifications at Cisco. Security is critical to the safe and proper functioning of any network activity. The skills and knowledge necessary to configure, operate, maintain, and troubleshoot security devices and functions continue to be in high demand.” –Rick Stiffler, Senior Manager of Security and Emerging Technologies Training, Internet Learning Solutions Group, 43 Cisco Systems Inc. “In today’s tough job market, certifications are critical. Your certifications will get you into the interview; your experience will earn you the job,” stated Karl Childs, Certification 44 Program Manager, Novell. Table 11 indicates the growth in base salary increases attributable to certifications. The table reflects increases based on a particular area of information security certifications training. Certifications in the security technology market allow network professionals to gain a competitive edge over others in the hiring process and provide an opportunity for career mobility and flexibility. Vendor-Neutral vs. VendorSpecific Distinctions Job seekers in the information security job market have the option of pursuing either a vendor-neutral or vendor-specific certification. Understanding these two distinctions in certification opportunities is important when considering the option of pursuing a securityrelated certification (Table 12). 53 Access Granted Vendor-neutral certifications are certifications that primarily focus on “concepts, policies, 45 practices, and principles.” They do not focus on a specific product, platform or technology implementations unless there is no other realistic alternative available. Instead they test concepts and knowledge of major security technology niches such as cryptography, network security, architecture, and ethics. A number of the vendor-neutral certifications require the trainee to take a code of ethics oath prior to receipt of certification. According to Certification Magazine, “Vendor-neutral security certifications are good because they force candidates to develop a sense of the whole field and its history and conceptual underpinnings. You will find a mixture of user and industry associations behind such programs, as well as training companies, consortia and other groups of like-minded IT professionals from 46 all walks of life.” While there are benefits to receiving a vendor-neutral certification, there are also advantages to pursuing vendor-specific certifications. Vendor-specific certifications originate from a particular vendor. Typically, the concentration of the certification training is to teach individuals how to design, install, configure, maintain and troubleshoot specific solutions, platforms, tools, or technologies that relate to information security. When a company is looking to hire an individual who will allow the company to expand the management of security technology or reduce the vulnerability of their company’s security infrastructure, there are essentially two things that are considered in the hiring decision: whether the job seeker is versed in information security, and whether he or she 54 has obtained certification in a particular vendor-specific technology. Vendor-specific certifications were developed and continue to be developed by companies with two goals in mind. First, to help manage the costs for technical support in an organization. Second, to provide organizations and companies that have integrated a vendor’s tools and technologies computer architecture with knowledgeable professionals who are capable of implementing and working with the 47 vendor’s solutions. Important Decision Making Elements in Seeking Certification Individuals who pursue certification training are not necessarily sponsored by companies, so there are definitely elements to consider when making a decision to pursue a certification. An individual who is currently employed by a company that uses a specific vendor for its platform or technologies would benefit from obtaining the pertinent vendor-specific certifications. When the decision at hand is based upon selecting among vendor-neutral certifications, Certification Magazine offers the following criteria to consider. • Name recognition: How well is the program known? Does it appear in any job postings online or classified ads that you can find? Do your peers or co-workers know about this program? • Size of the certified population: Many large players in the certification industry regard a program worthy of consideration only if it Access Granted Source: Certification Magazine, February 2003 can claim 10,000 or more certified professionals among its group. It is important to know the numbers prior to making the decision to pursue that certification offering. • Costs: How much do exams cost? How long will it take to prepare? What is the ROI on your paycheck? Certification Levels Once the decision has been made to pursue certifications, the next factors to consider are the level of certification and the training method. Certification training, in general, is offered at various levels—basic, intermediate, and advanced. An advanced level of training allows an individual to learn about a greater number of the technologies that require protection, in addition to gaining a more indepth training on the various methods that can be used to prevent, identify, and respond to a security breach. When a person opts for an advanced level of training, that individual is gaining a more comprehensive and in-depth knowledge of the various technologies that require protection as well as the various methods that can be used in response to attacks that have occurred. In addition to these levels of certification, companies are also beginning to develop certifications based on technology “specializations.” For example, an employee or job seeker who is only interested in working with virtual private network (VPN) technology may prefer to pursue a certification that only trains in this technology. Most companies create certification programs that allow their trainees to gain certification in a specific technology and also offer these trainees opportunities to upgrade their certification without having to repeat courses. 55 Access Granted Certifications training and courses are available from various sources. Table 13 provides a short 48 list of popular certifications. For a more complete listing of company-specific certifications as well as vendor-neutral options, please see Appendix H. Source: CSO Online 56 Access Granted Most companies offering security technology certifications offer two methods of training: instructor-led and online courses. Courses are designed to teach individuals about the technical details involved with security technologies; as such, coursework is largely book-based. Some companies offer courses that are a hands-on approach to learning the technology. These types of courses frequently incorporate a simulation exercise as part of the certifying exam. Because technologies continually change, companies offering certifications have also developed programs that offer re-certification exams and courses, which are taken every two years on average. Certification and Salaries in Security So why should an individual pursue a certification in security technology? Even in the midst of the dot-com bust and the struggling economy, statistics show job security and a competitive salary can be found among those who have obtained security technology certifications. Most major companies in the Bay Area that offer certification training agree on the career potential afforded through this training—it not only opens up opportunities, but lends credibility to the job seeker who is equipped with this specialized knowledge. In Foote Partners’ annual review for Information Security Magazine, in which nearly 30,000 public- and private-sector IT professionals in the U.S. and Canada were interviewed, the finding was that there is a “…marked divergence between security jobs and the rest of IT in nearly every compensation statistic.” During the first part of the downturn in the information and high-tech sectors, the market for security professionals actually grew as a subsector. Employees in this sector not only survived, but those who upgraded their skills, on average, received salary increases or some 49 form of increased compensation. Tables 14–16 depict the typical salary increase attributable to vendor certification. In a lean economy, whether or not security certifications provide a sufficient ROI for the consumer to warrant training is a question that a large majority of IT professionals are already asking themselves. According to research, the bottom line on certifications in security technology is that they are an asset to the prospective and current information security professional. The rapidly changing nature of security technologies necessitate that job seekers and employees continually upgrade and up-train their technical skills. Certifications offer job seekers and current employees of this market opportunities for career growth, not to mention the additional perk of increased compensation during an otherwise high-tech slump. Job Skills for Information Security Professionals Opportunities in information security are extensive. There is currently a lack of qualified professionals who can fill the growing number of positions. Those individuals who have the necessary skills to succeed in the field are reaping the rewards of progressive careers and elevated salaries. Although the industry has not reached a consensus about how to organize these professionals, the industry is in agreement about what skills these specialists should possess. 57 Access Granted “ Security technology is protecting the integrity and availability of data assets ” —Chief Technical Officer In terms of technical skill, the industry would like to hire individuals with profuse knowledge of operating systems, firewalls, authentication methods, and networking tools. Certifications in information security are an accepted means for hiring managers to measure individual skill level. Table 17 details some of the suggested disciplines and tools for information security specialists. Technical skills alone will not predict success for job seekers. Experts in management suggest that candidates have a love for the technical side of the industry, but balance that devotion with a variety of real world experiences. Even the most adroit technologist will not succeed in the industry if he or she possesses poor interpersonal skills. Overall, local experts suggest that candidates seeking information security jobs have the following soft skills: • Good communication • Ability to work in a team • Diplomacy 58 Access Granted • Patience • Flexibility • Integrity • Attention to detail • Self-motivation • Strong problem-solving skills • Understanding of business culture and corporate politics • Ability to negotiate • Good management skills • Good writing skills • Desire for continuous learning The industry increasingly desires security specialists who are business savvy. These jobs require a balance of technology and business protocol. Security specialists who communicate well with the technical team, as well as all levels of management, will be effective and indispensable. Based on return-on-investment (ROI) debates, business executives often see security measures as a necessary evil. Specialists increasingly need developed negotiating skills to influence administrative approval of effective security policies. The constant change of security architectures, technology, laws, and vulnerabilities require job seekers to continue their education on a regular basis. Senior security specialists reveal that in addition to re-certification, they spend up to two hours per day reading trade journals and industry news to remain current in their field. The industry recognizes the importance of physical and logical security working in unison. Individuals who have experience in Source: NOVA 2003 59 Access Granted law enforcement, as well as proficient knowledge of existing security laws, will have access to more career opportunities in the field. Experts also suggest individuals pursuing information security jobs should study psychology. The people aspect of information security is the most crucial area of concern. Information security professionals with a background in psychology have greater insight into how people use computers, process information, and make decisions. By understanding how humans organize and analyze information, professionals can understand how a cyber attack is orchestrated and reveal the motivations and skill level of the perpetrator. Career Enhancers for Information Security Specialists • Business Management Experience • Computer Science Degree • Information Security Certification • Knowledge of Security Practices • Law Enforcement Experience • Psychology Background • Security Clearances ethics required for a security-oriented job. Although the media may vest in the idea that somehow criminal hackers lead glamorous lives, the truth is what these people do is neither heroic nor alluring . Criminal hackers are credited with the ability to offer a new perspective on protecting the infrastructure. In spite of the fact that a few businesses have held focus group discussions with would-be intruders and even allowed some criminal hackers to perform penetration testing on their systems, most businesses have no intention of hiring these people to watch over their networks. There is not much of a future for criminal hackers in information security. Experts simply say the skills of felonious hackers are limited. Criminal hackers may possess the talent to break into networks but are without the technical skill to keep these systems safe. It is essentially easier to break into a system than it is to sustain it. The story of a prosecuted hacker who spends years in federal prison and then makes good as a popular security consultant is a rare one. The best wager for a thriving career in information security would be for job seekers to keep their moral high ground. • Security System Design & Implementation Experience No-Tolerance Policy While it is true the security industry is looking for the best talent, they are not particularly desperate for any job seekers with a criminal past. Black hat hackers or crackers are considered to be without the necessary morals and 60 Salary Expectations in Information Security Salaries for security professionals are not determined by an exact science. For the most part, salaries for information security person- Access Granted nel are relevant to the size of the company and the industry. Job experience plays a major role in determining compensation and local experts indicate that job seekers can increase their earning potential by acquiring niche certifications. Compensation can also be determined by the organization’s reporting structure. Personnel who report to higher levels of management typically receive a higher salary. According to DataMasters, a professional services firm specializing in information technology, security specialists are compensated between $87,238 and $130,698 in the western region of the United 50 States. Tables 18-22 summarize salaries for the metropolitan area of San Jose, California, in April 2003 for five common information security jobs. “ Don’t overestimate the talent or value of a so-called ‘’black hat’ hacker. It’s far easier to break a system than it is to protect one. –Educator ” 61 Access Granted Source: www.salary.com 62 Source: www.salary.com * Total exceeds 100% due to rounding Access Granted Source: www.salary.com Source: www.salary.com * Total exceeds 100% due to rounding 63 Access Granted Source: www.salary.com 64 Section 5 Star Profiles Access Granted Tim M. Mather Senior Director of Information Security Symantec Corporation Certifications: CISSP, CISM, CISSA Career Ladder: Senior Director of Information Security Manager of Security Manager of Information Security Introduction to Computer Technology: Apple II Please tell us about your current position and how you arrived there. How did your career progress? I am responsible for Symantec’s information security. That includes all of the internal facing and external facing systems, as well as ensuring the security of our vendors. We levy requirements on our vendors, and I make certain that they meet these provisions. I do the upfront policy and architecture and the back-end auditing. It’s my job to make security recommendations to the business, as well as make sure the business understands the possible ramifications if they choose not to take my advice. My role is somewhat enforcer and, to a large extent, advisor. The role is not 100 percent enforcer. If you think the role is 100 percent enforcer then you are going to fail. It’s not about being just a cop. It’s also about being a teacher. Most of the day-to-day “ It’s not about being just a cop. It’s also ” about being a teacher. functions, like the firewalls and the servers, belong to other groups within IT. I started working in the defense industry. I was an Army reservist in military intelligence and had a security clearance. I worked on a seven-year 67 Access Granted project doing defense intelligence type work. I then moved back to the Bay Area and did some independent consulting work with some small businesses. At that time, the government world had more advanced security standards than the commercial environment. The commercial sector hadn’t even heard of a firewall at that point. Quite honestly, there was one firewall on the market. You had to educate people about what a firewall was, and frankly, in that respect, it was a bit ahead of the curve. I have held the same position essentially, but with greater responsibility at the last three companies that I have been with. I was Manager of Information Security at Apple Computer, and then the Manager of Security at Verisign. The only difference at Verisign was that I was responsible for all security, such as physical security and personnel security. Here at Symantec, I don’t have physical or personnel security. Quite frankly, that stuff just isn’t appealing to me, but essentially the jobs I’ve held have been the same—all have been billion-dollar companies, etc. It’s just a question of more responsibilities. Describe your typical workday. Very hectic. There are always fires to fight. Usually way too many meetings. I tell my admin not to schedule me for more than four hours of meetings a day. Lots of phone calls. It’s a lot of juggling. It really is. There are up to eighteen or two dozen issues a day to deal with. Some of them are relatively small—“Hey, what about this?” Some of them are major decisions—“Hey, where are we going?” I receive 150 to 200 emails and twenty-five to forty phone calls a day. It’s a long day. I am generally here by 8:30 A.M. at the latest. I don’t leave before 6:30 P.M. It’s a fairly stressful job. I mean, I’m the security person at a security company. 68 “ Having this basic knowledge gets you to a certain point in your career. To go further, you need to under- stand the business that ” you are working in. Which aspects of your education and/or training made you more marketable and capable in this field? Did you have any non-traditional training that helped you in your career? I would say my knowledge of the field and my certifications. You have to have the basic technical knowledge. Does that mean that I need to know how to program in my job? No, it doesn’t. Does that mean that I have to know how to configure version X.Y of a specific firewall? No, there are people who do that for me. But do I need to know what type of firewall is which and what the capabilities are? Absolutely. I don’t need to configure that sort of thing per se, but if you don’t know the basics as far as functionality and design are concerned, you’re not going anywhere. Having this basic knowledge gets you to a certain point in your career. To go further, you need to understand the business that you are working in. Security doesn’t drive the train. The business drives the train and you have to make sure Access Granted the business is secure. You also have to have some skills as far as when to say no and how to say that gracefully. Basically, I am paid to say no. My colleagues sometimes jokingly refer to me as Director No, but I’m not here to be a speed bump in the hallway that people can run over. That’s not what I am paid for. What are the most exciting aspects of your job? What do you like most about your job? I like the challenge. Being Symantec, we get a lot of trash thrown [we get a lot of hack attempts] at us and so there is always something to do. Often times it’s new and I have to work hard to figure out what it is. In that regard, it’s interesting. In this role, I am often working with our own product groups. Being able to help shape our products is very nice. I really like to see new technology. I work fairly closely with our mergers and acquisitions. After they have done their initial sniff test—checking the company’s viability, etc.— they’ll often bring the technology to me and ask, “So, what do you think of this technology?” I get to see a lot of technology. Some of it is mature and a lot of it is from immature companies but is really cutting-edge. It is very interesting. I continue to be educated on the job and that is important to me. What do you dislike or find challenging about your job? This is easy. It is extremely hectic. The hours tend to be hellacious. There is effectively no down time. Other than if I am out of the country on vacation in some place that is so remote that it has no cell phones and pagers—which I’ve actually done just to get away—other than that I am on call twentyfour hours a day. There are certain things that happen in which I absolutely better be called. Many of those calls come at 3:00 A.M. or whatever the case may be. You walk in the door on a Friday night—drained from the week, begin enjoying a glass of wine, and just as you take off your shoes, the phone rings and you have to head back because there are perceived problems. I go back to make sure that these “perceived problems” aren’t real problems. What advice would you give to a person seeking a job in your field? If you are a less experienced, more juniortype person, you absolutely have to have technical certifications. The best ones out there are SANS. It says a lot. When you get more experienced, you have to have some sort of management certifications, such as Certified Information System Security Professional (CISSP) and Certified Information Security Manager (CISM). The certifications are important because they are a third-party seal of approval that you have some degree of competency in the job. They are not a hardcore statement of your technical or security management capabilities, but they do say that you have a certain level of knowledge and a certain level of experience to get the credential. So, it’s not to say that you would be the perfect employee, but it does say to a prospective employer that you are someone worth checking out for available positions. If somebody came to me and said, “I’m a security person. I’ve been doing this for ten years,” and they had no credentials to show for it, I probably wouldn’t even give them an interview because, number one, I have no idea of what their skills are. I have no independent evaluation of that from a third party whom I trust to make that evaluation. And number two, it says to me that they haven’t taken their career seriously enough to invest the time and the effort into getting those certifications. 69 Access Granted Would you go to somebody who was not a certified financial planner and allow them to manage your portfolio? Probably not. Would you go to a doctor who wasn’t licensed to perform an appendectomy on you? I really doubt it. Why would you turn your security over to somebody who doesn’t at least have some field credential? The other thing that I look for when I screen candidates—and perhaps it is a bit old-fashioned—but I really want someone with a BA or BS degree. Not having a college education is a red flag for me. People who have a college education tend to be more well rounded. Well-roundedness is important when moving up the chain and dealing with teams and management. People who haven’t been to college probably have a fairly straight technical track. They probably have very good technical skills, but try and put them into a management position or try to get them to talk to management and they often fail. It doesn’t work. I think it is very important in a technology field like this to stay current. You really have to stay up with the developments in your field. Taking a six-month break may very well make you a dinosaur. There is a lot of reading that people should be doing to stay current with developments in the field. I spend a fair amount of time every day just reading various sources. I read websites, mailing lists, and various digests that stay up with security information. I probably spend an hour a day doing just that to stay relevant. If you don’t do that, it’s to your own detriment. 70 What qualities make someone a star performer in this occupation? Balancing technical knowledge with management skills is a star quality. The management skills are not only project related, but frankly, they are people related. Those who can manage subordinates, their boss, and other superiors will succeed. “ Well-roundedness is important when moving up the chain and dealing with teams ” and management. Access Granted Perry J. Steines Manager of Intelligent Networks Sprint Corporation, Enterprise Services Division Certifications: Cisco Certified Network Professional (CCNP) Cisco Certified Design Professional (CCDP) Cisco Certified Security Professional (CCSP) Cisco Wireless LAN Support Specialist Cisco Wireless LAN Design Specialist Cisco Security Specialist I Cisco Certified Network Associate (CCNA) Cisco Certified Design Associate (CCDA) Certified Novell Engineer (CNE) Career Ladder: Manager of Intelligent Networks Manager Engineering of LAN/WAN Group Systems Programmer V Senior Systems Integrator I/Supervisor Engineering of LAN/WAN Group Systems Integrator V Systems Integrator IV Information Analyst III Introduction to Computer Technology: Radio & TV Please tell us about your current position and how you arrived there. How did your career progress? I have been involved in computers and networking for almost eighteen years. My degree is in electronic engineering and I explored everything from mainframes up to current technology. I have been at Sprint for nine years and have traveled through various positions from working as a design engineer, systems level engineer, and systems programmer to figuring out what we should do with routers. Programming the command-set for any network equipment is extensive, because you need to put in the commands in a certain order to gain certain results. In my current role, I am the manager of intelligent networks at Sprint. This position requires me to understand the wireless LAN technology on the Sprint campus—we have the need to understand it better, have a better design, and to deploy it on the campus, so that we can have an infrastructure we can build on. I progressed to this position through a combi nation of obtaining additional certifications and proactively investigating the high-tech 71 Access Granted market. Prior to Sprint, I was at various companies installing and supporting Novell networks, where I had obtained the Certified Novell Engineer (CNE) certification. I had pursued that line of technology for a while but then decided it was time to transition into a different market. I was actually a vendor contractor when I was at a previous company and Sprint was one of my customers. The Sprint customer I was working with held a conversation with me one day and said, “Sprint needs some new technology also has some new technology, and could use someone to solve these problems.” I was able to convince HR of the necessity of this role at a company such as Sprint, and when the job opened up, I took it. My first job here was supporting the SprintFAX platform from Novell servers, routers, programming, and automated systems. The first step for me when I made this transition to Sprint was that I decided to pursue additional certifications to confirm for others regarding what I know about technology. It also seemed like I should have these Cisco certifications in order to invest into my own career potential. Having a certification on the résumé indicates to the employer that the candidate at least has knowledge that is past a certain level. I gained a lot from going through the training courses. Certification training in networking gave me a better understanding of how to tie things together; it provided an overview of how the network works, which is critical to a large host of technologies and companies today. Some comments on how I chose a training company. When l Iooked into taking a training course, I not only looked at price, I looked at value. This is defined to me as: what am I getting for what I paid. I looked at the quality 72 “ Having a certification on the résumé indicates to the employer that the candidate at least has knowledge that is past a certain level…. ” of instructors, the support the training company provides to the instructors, as well as a training partner that is professional and understands the customer’s needs. Describe your typical workday. There are two different pieces of my job. One is the enhanced services side. This is a revenue-generating platform for Sprint Corporation. As the manager, I take care of design engineering roles, as well as the security. I help design systems to be more resilient than they are today. I deal with designing more resilient internal and external connectivity, and place an emphasis on reliability and scalability when I think about designing these products. Sprint has 15,000 people and 4 million square feet of office space that encompasses Access Granted two regional data centers. In my second role, I am in charge of making sure everyone in these locations has connectivity. I manage a group of engineers who do the engineering for this network. I take the requests when people are moving in and out of buildings. Sprint is a large corporation that has many business different units. In my role and in my group, we have to make sure that we have engineered solutions that enable our employees to perform their jobs by providing them with reliable and resilient connectivity. This now includes wireless LAN. In terms of what goes on in a typical workday, I check email and see what is going on—if there are any issues people are having that has an escalation possibility. I also interface with executives and VPs. From there, it is communicating with my team, finding out the status of a product, if there are any challenges or any outages we may have had from the evening before. Essentially when these outages occur, I need to understand and identify the root cause and perhaps what could happen in the future and see if this is preventable. On average, if I can work eight hours a day, that would be a good thing. I look at my schedule more as a work-week, which is more or less around fifty to sixty hours. Which aspects of your education and/or training made you more marketable and capable in this field? Did you have any nontraditional training that helped you in your career? I think that pursuing certifications definitely gave me a broader scope of technical knowledge. There is more to networking than routers and switches. For example, there is also web-caching and wireless LAN. Going through training courses allowed me to understand networking technology more extensively, and that ultimately has helped me to understand and better solve the business problems that we have at Sprint, as well as to meet the service-level demands of organizations that we have as customers. Without continued training, as with certifications, we tend to learn only what we need to know today, but that doesn’t position us for the future. Certifications give individuals an opportunity to learn what the evolving technologies are out there, which is critical to a field such as technology. If I see a technology that I need to learn more about, I go to training in order to learn that technology, which helps with developing my career. It happens with this training that I end up with certifications. My intent with training is not and has not been to see the receipt of the certification as the end point. Instead, I see the technology and focus on the knowledge I gain as a result of going through the training courses. I put an emphasis on the technology so that I can apply this knowledge to understanding business problems and come up with business solutions—the side result of certifications is that it confirms what I do know, which of course helps to market my qualifications. Recertification is also something that I consider extremely important and I definitely will pursue. Technology always evolves, so the only way to keep current is to read, learn, and stay constant with it. Because this is true, a person would need to get recertified to remain constant. So really, to me, the key is always to understand the technology; the tests just confirm to someone else that you know this certain level of knowledge. It’s 73 Access Granted absolutely critical to be current, so becoming recertified with my Cisco certifications is something that I will be pursuing. The process at Cisco for recertifying security specialists is not a generic one: they make each individual take four different tests. This requires you to put in much more work, requires you to stay active with the technology and understand it thoroughly. What are the most exciting aspects of your job? What do you like most about your job? I enjoy being presented with a business challenge. When we do something as a corporation it is very visible to our customers. There is the desire to take all these technologies and put them together in a way that meets business objectives that will meet needs. We aim for a technology that is resilient and reliable when customers use the new service that Sprint is offering. In my job, I can’t control the applications, because I work from a network perspective. Networking is a foundation that enables everything to happen, but it is not like the products that Sprint creates. Success in the networking arena, along with security, is evaluated differently. We have to make sure that networking is not causing problems, and we have to make sure that we are in fact securing the environment. When a customer uses a credit card, that person wants to be sure that they are using something that does not put privacy at risk. So in my job, I know when I’m successful when no one knows I exist. If a problem arises, then it means that I have not been successful at my task. The example I often use, especially with my team, is that doing a 74 “ So in my job, I know when I’m successful when no ” one knows I exist. “successful” job in this team is akin to nerves in a body. Nerves that are functioning in the body carry about their operation with nobody ever really thinking about what those nerves are doing. Essentially, no one pays attention to the nerves until someone can’t walk, can’t talk, or has difficulty doing things like breathing. Nerve systems are similar to building a secure network. If I do the job right, no one knows I exist. If there are no problems in the system and no one knows that we exist, that’s when I know I’ve done something right and our team is successful. What do you dislike or find challenging about your job? I’m going to be honest: with today’s economy and with businesses faced with the economy going down, businesses are faced repetitively with budgeting issues. Right now, we must be able to find great solutions with less money. As such, we are forced to reallocate resources—tight budgets are the biggest challenges today in the business world and in my job. A couple of years ago, that wasn’t quite the challenge. Before, the challenge would be to meet the market demand. The projects would require network connectivity that had never been done by companies, and in some Access Granted cases, we still may not yet have done. We had to think of and develop products that we never thought could quite exist. It was also about trying to develop and create these products in a compressed timeline in order to get to the market first and gain the majority of the market share. Making it to the market in a timely manner demanded logistics to work like clockwork—we had to design, test, deploy, implement, and get our products to the vendor and get them into production within three months and often less. Currently, the timeline is more extended because of the state of the economy. Now, there is also a significantly more rigorous selection process. The selection of whether or not your product is going to be offered into the market is looked at more for ROI. If it is more risky, they may not select it. Now, it is more than just theory; you also need to test the product, come up with the results, send it on to finance where the finance people will take a while to make the calculations on whether or not sending a product to market has a significant ROI. After those calculations, the product will then be reconsidered for entrance into the market, but not guaranteed. What advice would you give to a person seeking a job in your field? I believe the security industry right now has a lack of qualified experts, so this is a great industry to get involved in, and certifications are a great way to learn about this industry and become better qualified. While existence of security products is not a problem in the security environment, this industry is greatly lacking people that have the knowledge of the total scope of security and how to implement a broad-based plan. While there had been a market some time ago for security knowledge and security networking knowledge, there has actually never been a greater market than there is today. Given the incidences in the last year and a half, businesses are becoming more interested in investing in security technology and seeing it as being vital to business operations. The problem is that businesses can go out and buy a bunch of intrusion detection systems and firewalls, but to get it all to work is the trick. The problem that this industry is currently facing is that there are people out there who do not understand it, because traditionally, the departments of networking and security have been separate. Security tends to focus on securing hosts and implementing security. Networking is about connectivity. The next thing is that there are different mindsets for people in networking than there are for people in security. Currently, there is a really big vacuum for people who understand both sides. It is quite often the case that it is difficult to move from networking into security. Technologies are out there, but there is the need to implement networking and security into a single, cohesive environment. I talked to a manager of a fairly large corporation recently, and they took the position and said if anyone knew how bad security management was in this company, they may have had second thoughts about doing business with them. Yet they still have firewalls, IDS, and other security solutions. The problem is that individuals don’t have knowledge of both; this is where individuals need to act on this opportunity. One way I recommend to do so, is to pursue certifications. 75 Access Granted When an employer is familiar with a type of certification program, they know that the individual was not only required to have an understanding of theory but was also required to perform real-time applications of learned solutions and can be effective on the job. This is key to entrance into this job market. Overall, my advice to people is to seek the technology first when in training, especially in the developing security-technology/networking market. What qualities make someone a star performer in this occupation? As a manager, the soft skills are really very important to me when looking at an employee—that was also true for myself. Soft skills are not usually mentioned as being a requirement because they are neither communicated nor can be communicated in a résumé. From a manager’s perspective, we call it the “behavior interview.” In this interview, we are not only evaluating technical skills but behavior. I look for people who are not that opinionated—in the sense that the individual thinks they know everything. I’m more interested in people who say, “I know a lot, I have a lot of good experience, but I realize I have a lot more to learn and want to learn from other people.” I want them to be proactive in sharing what they have learned with other engineers. Similarly, I find an employee valuable when that person also wants to learn from other engineers. Teamwork is another quality that is crucial for the job—this is something I really try to scan for during the interviewing process. 76 Also, it is extremely important in this industry that employees know how to relate to people not only in their group, but also external to their group and outside the organization or company itself. The IT department of an organization is largely a service group, in the sense that its employees provide services external to their group as well as external to the organization. Because of that, these individuals need to have the skills to communicate technical terms in such a way that their customers and clients can understand the technology or product. Not only do these individuals have to gather what their clients’ and customers’ requests are, but they must understand what the customer actually wants, and communicate the solutions to the problems in a way that also does not insult the customer. There is definitely a communication piece to being successful in technology. Access Granted Julie Wilcox Sales Systems Engineer Sun Microsystems, Inc. Degree/Certifications: MA in Science in Information Systems Career Ladder: Sales Systems Engineer Graduate Student at Northeastern University Environmental Consultant Introduction to Computer Technology: Circuit Tester IBM Apple HP PC Sun Workstations Please tell us about your current position and how you arrived there. How did your career progress? My current position is a sales systems engineer. This is basically someone who understands what the software products are, can explain how the product could be implemented in a real-life environment, can identify any components that are missing from the solution, and help the customer understand the full range of technology that Sun offers. This involves explaining how the technology can fit into their architecture. Sometimes this involvement with the customer takes a proactive engagement with the IT department. At other times, it is a reaction to a request where someone has identified a hole and the customer will seek me out to help them with figuring out the possible solutions to the identified problem. In terms of how I transitioned to this job and this position--I am originally from the Bay Area and after I graduated with an Environmental Studies degree, I moved to Massachusetts and went into an environmental consulting job. I learned at that job that working outdoors on the East Coast was not for me, and I did not feel like I could change much of what was going on in the environment. Looking back, I think I came in with a naïve view of what environmental consulting would be like. Finding my first job out of college took a long time, so in making decisions along my career path, one of my main objectives was to have skills that would allow me to be employable. After a couple of years working in environmental consulting, I looked into getting a higher degree. I went to a college fair and was looking into doing an Environmental Engineering Master’s degree. I talked with someone at Northeastern University and told 77 Access Granted them I was kind of on the fence and wondering if I should go into something computer-related. And his suggestion was, “Well, why don’t you open the ‘Help Wanted’ section of the newspaper and see where all the jobs are right now?” In looking at the paper, it was clear to me that the computer field was where the jobs were and would be in the future. The person I talked with at Northeastern told me of a program offered there for people who don’t necessarily come from a high-tech background, but still offered the opportunity for these people to get a Master’s degree in two years from their College of Engineering. The program is focused for women in engineering and it sounded like it would be the perfect place for me to go. The Northeastern program was really great; it was focused on programming, data structures, computer architecture, networking, and project management. I looked into the program, took the GRE, applied, and enrolled in 1996. Two years later, I found my first job at Sun Microsystems. Even after my two years in graduate school, I wasn’t exactly sure what I wanted to get into. I spoke with a friend who graduated the year before me and had a job as a systems engineer at Sun. I found out what her job description was like, and it seemed like something I could do well. This job basically allows me to interact with people as customers and utilize my technical background. Because of my technical background, I am in a position to explain new technologies to customers. 78 Describe your typical workday. The great part of this job is that there is always something new to learn, investigate, and discover. On a typical workday, I come into the office and I look at the hot emails that I have received. Of course then I have my giant list of things to do, which are added onto the day’s work. In answering my emails, it is a lot about responding to requests that people have for product information. Right now, Sun IT has a number of projects where they have requested additional feature enhancements to our products. As a team, we take the feature requests for enhancements and get a detailed sense of what the IT department is looking for. We then send those to the product team and they give us an idea of the timeline when these requested features can be built into the product. Currently, we are focusing a lot on product quality: providing account management and product support, making sure that the products don’t have bugs, and relaying the problems that have arisen to the appropriate individuals. “ I think one of the greatest challenges about this job is ” staying current. Access Granted On the customer side, our team meets with the developers and the operations and strategy and planning departments. We strive to achieve complete customer satisfaction from all IT departments. Which aspects of your education and/or training made you more marketable and capable in this field? Did you have any nontraditional training that helped you in your career? At Northeastern, I attended a number of career seminars, and took advantage of learning about what is required to make it in the high-tech industry. These seminars were not necessarily focused on the technical end of learning. Some of the courses or additional training opportunities that I took advantage of focused on interviewing skills, team-building, giving presentations, and other soft skills. Taking these courses definitely made me aware of a fuller picture of what makes a successful candidate for a position in high tech. For the future, I have always thought about getting an MBA in technology or taking some additional courses. It’s not so much that I need the MBA—but a need to fulfill the desire to obtain the knowledge that such a degree program offers. I think that being in a formal program makes you committed to learning the material. It is important that you make the effort to learn on your own, but you may not end up spending as much time learning what you need to know if there is not a broad-based course structure to teach you the realm of knowledge you will need. What are the most exciting aspects of your job? What do you like most about your job? I have always been interested in learning, especially learning something new. When I came into this job, I didn’t know how an IT group as large as Sun Microsystems worked. It has been extremely interesting for me to learn how all of the different systems and applications are networked across the world. I have also found it a great experience to learn more about how each department has its own application—whether it is for HR or the sales department—and how applications all tie into a single authentication system where users are given access to specific areas. I had no idea prior to being at Sun how this all works. Specifically in terms of security, it has been very interesting learning and understanding how an outside customer deals with security. In my current role, I am learning how Sun ensures security. Security is definitely something Sun is very focused on. Sun has very high standards on how data sits in a system and who has control of it. There are clearances that everyone has to get in order to access an application or to be granted access to a server. That clearance must go through several different levels of approval. In sum, I have definitely learned a significant amount of the organizational aspects of how a large company functions. 79 Access Granted What do you dislike or find challenging about your job? I think one of the greatest challenges about this job is staying current. While it is true that there has always been and will continue to be programming languages and software, there will also always be the evolution of these technologies. The theory behind these may stay the same, but the structure and how they are programmed into an application may change. The specifications and the actual language is always evolving and changing. Therefore, one of the biggest challenges is staying current on all of the latest technologies. The fact that you learned XML which is based on previous Markup Languages may have been sufficient for one job, and then another job requires that you must also understand how it is extended to be used in business transactions. There are also new methods to web design, as well as changes to the architecture of web services. The theories behind them are similar, but it is critical in this industry to understand the nuances of each new development in order to work most effectively. What advice would you give to a person seeking a job in your field? For people who are already in IT, I would recommend that they seek out a job rotation. At Sun, this is something they promote. My suggestion would be to do a job rotation as part of a sales team. Try out what it’s like to be part of professional services, pull yourself out of your typical world and try something you’ve never done before. You’ll get out of your routine, and this will help keep you from getting stale. 80 For someone who is completely outside of technology and interested in entering into this field, my recommendation would be to take a couple of classes and take the time to talk to as many people as you know who work in different job functions at different high-tech companies. Take the time as well to talk with people who work in the IT departments of [non-technology] companies such as banks and insurance firms. There are a number of IT people who are needed in industries such as banking and insurance. Because these industries have very forward-thinking IT departments, this will keep the job interesting, especially in terms of security technology, because that is becoming extremely important to businesses. When I think of people I work with who are also involved in security and security applications, I think there is a lot of information that is specific to security protocols that needs to be learned. Also, I think you definitely need a lot of heavy-duty training in network security wrapped around a good overview of computer technology in general. For example, a person could be talking about SSL (Secure Sockets Layer), but they may also need to know how Java or Java security works. What qualities make someone a star performer in this occupation? This is definitely the type of job where you must be independent, be able to work in a team, and be resourceful. People here at Sun are always willing to help; there are definitely a lot of resources to tap into. The company has over 30,000 people, so you definitely can and should take the initiative to seek people Access Granted out. My style of learning, in particular, is through interaction: if I can learn something in ten minutes, because I have someone who [has] the knowledge and can teach it to me, it’s much more efficient and beneficial than spending several hours trying to learn it over the Internet. In this job specifically, it is important to be confident about what you know, as well as to be able to explain complex products to people who want to turn around and decide to purchase them after only a couple of conversations. It is important to be able to communicate effectively and be organized. You have to deal with hundreds of projects and over thirty products. You need to organize in your mind whom you’re dealing with in certain projects, the products that exist in the company as a whole, the types of products that are being requested, and the main goals of the projects you’re dealing with. Right now, I work with the Sun One suite that has thirty products. You definitely can’t be an expert on all thirty products, but you need to have a good idea about what they all do and know who the expert is on that product. The point is, a person needs to be resourceful and seek out the appropriate expert. Currently, I work in a team of systems engineers, support engineers, an account manager and a program manager and we all have to be somewhat familiar with all the products. In that, you lose a lot of detail, but that is where you need to take the initiative and be resourceful. 81 Access Granted LC Boros Network Engineer, CCNA PGP Corporation Career Ladder: Network Engineer Systems Engineer ResNet Manager Systems Specialist Network Administrator Introduction to Computer Technology: Macintosh 512K Please tell us about your current position and how you arrived there. How did your career progress? Right now, I handle everything from our email and web servers to anything that has to do with a computer or a computer system. About 30 percent of my time is dealing with systems and security, but I also take care of the safety and security of the building by making sure that the alarm system is functional and the drains and the gutters out on the roof are clear. I manage all the additions, removals, and changes on our PBX phone switching system and then I take care of all the computers, network servers, web servers, and the network gear. The work I’m doing now is mid-to-senior system/network administration, and the problems are fairly complex—mostly planning and putting new security measures in place. I have to figure out what’s going on or going wrong. Sometimes it’s a bug in the system. Sometimes it's, “Oh dear, I did that? That was stupid.” Ultimately, I sort it out and usually don’t make the same mistake twice, so who knows. As for how I ended up working with computers, it all started in 1994, when I was hired for two months to build a Macintosh-based small network for a manufacturing set-up in Cleveland, Ohio. Then I went to England and was faced with having to use Microsoft Windows, so I learned SunOS instead. When I came back from living in England, I decided that it would be nice to have a job to pay back the loan I had taken out for oversea expenses. I started as a student tech at the Ohio State University (OSU) and that turned into a full time job after I graduated. Over the years there, I held several different positions until I ended up managing the residential network in the dorms. It was a huge network—about 11,000 ports—and I had about 40 college kids working for me. It was a great job, but there never seemed to be enough time in the day, so I eventually left Ohio and the snow there. I moved out west to work for a telecom as a sales engineer. Sales jobs are fun and all, but they are frustrating because you can’t be the one to actually fix the problem. You have this poor customer on the phone who just wants their issue resolved and you are completely powerless. You can only go and find people and 83 Access Granted harangue them until the problem gets fixed. Anyway, to make this long, convoluted story short, a friend of mine knows my boss at PGP, and he was looking for someone to replace contractors. It took about a month of phone calls back and forth, but eventually they brought me in for an interview and then made me an offer. Describe your typical workday. Sometimes I wake up in my office. I'm not kidding. I have a beanbag chair under one of my desks for such events. Usually though, I stumble out of bed and check from home if anything is “on fire” at work. I usually make it into the office between 9:00 A.M. and noon, unless I’ve been at work until 2:00 A.M. or 3:00 A.M. doing network changes. In that case, I won’t be in until the afternoon. Once I get in, there’s an average of three “fires” that need my attention. My assistant, Jason, may have questions on something, and then I have to deal with all of the purchase requests. By the time things quiet down, it is usually 2:00 or 3:00 in the afternoon. I then start working on regular tasks, although sometimes around 3:00 P.M., I give up and go home to work, as it is quieter there and I can get more done. Which aspects of your education and/or training made you more marketable and capable in this field? Did you have any nontraditional training that helped you in your career? I’m an English major with minors in theater and Spanish literature. None of those have a lot to do with my career, but when I first started, I could tell people very nicely to “go 84 away,” or solve their problems and tell them that they were wrong while making them feel good about it all at the same time. Seriously, my education enhanced my critical thinking and made me more capable of strategically picking things apart. I love those little logic puzzles where they say, “Jan has apples, oranges and pears in bins. One bin can hold five items….” I love those things, and computers are one puzzle after the next. What are the most exciting aspects of your job? What do you like most about your job? This work is fun and very challenging, and I like the people I work with. I came into this company knowing what PGP is, and the idea of working for PGP was a major draw. In terms of “geek points,” when you tell people that you work for this company and they know anything about computers, they say “The PGP?” I also like my office because it has a door. That comes in very handy when I'm here all night and need a nap before I can safely get myself home. What do you dislike or find challenging about your job? It is very demanding and very tiring. When I was hired, my boss was worried that this job would take over my life, but I make sure I get some down time—otherwise my health would slip and I just wouldn’t be a happy person. I try very hard to make sure that I have some kind of normality in my life. I know that I have to have some time when I can just stop working for a bit or otherwise I’d go insane. I don’t leave it often. I mean, I haven't had a weekend off in… I don’t know. Access Granted “ Seriously, my education enhanced my critical thinking and made me more capable of strategically ” picking things apart. When I do get away, it may just be for a couple of hours and I may just do things like sit in front of the TiVo for an hour with my crocheting, my dog, or my birds—but not with a computer. What advice would you give to a person seeking a job in your field? It’s a bit tricky giving advice to people about how to get a job. Usually for me, it’s all about networking and building bridges. I mean those in the non-computer sense. In many cases, your friends, coworkers, and contacts are your best assets. Another thing to remember is never be too hasty. Value all of the contacts you make because if you burn one relationship, you most likely won’t get it back. Being a woman, I’ve been on both ends of the spectrum and my experiences have varied greatly. I‘ve worked in jobs where being a woman was an asset or didn’t make any difference. I’ve also worked in places where it was a problem. When I worked for OSU, I had to recruit women. It was very difficult. Women in the networking and programming field are rather scarce. My advice— especially for women—is just be yourself and don't worry about what others think. In terms of actually acquiring the knowledge you need to do a job—just do it. Computers are so cheap now that there is no reason why you shouldn’t know at least three operating systems. I know Windows and I’m also fluent or just pretty good with Linux, Solaris, Cisco IOS, FreeBSD, NetBSD, and of course Mac OS. I recommend acquiring a broad range of skills. Take a class. Read a book. There’s no excuse for not having some skills if you want to work in this industry. Once you have a few skills—assuming you have some personality and don’t live under a rock—you’ll find something to do with them. What qualities make someone a star performer in this occupation? A lot of perseverance and some logical intelligence. Success is mainly achieved by those who know what they know; know what they don’t know; and know who to ask so that they will know. 85 Section 6 Practices and Projections Access Granted Best Practices Best practices are those routines and/or procedures that have proven to be effective in achieving a set goal. In the security technology industry, there are some basic methods that have been established as a “best practice.” Most of these practices (i.e. using a firewall, controlling physical access to terminals, and backing up critical data) are considered to be elementary methods of data security. Although the controls that fall under best practices are essential for the security of data, they are ineffective if users are ignorant about the role they play in protecting the integrity, confidentiality, and availability of information. Security Standards for Business It is increasingly important for companies to manage security as a vital component of their business strategy. In an effort to protect assets, the business world is beginning to put extensive control practices in place. Industry standards are the key to making information security a mature discipline and security standards for business are ever-evolving. Every few years, a new standard or set of guidelines is presented to further clarify the same basic principles and practices of its model predecessors. None, thus far, have been mandated as strict industry rules. The industry recognizes that information security cannot rely on technical abilities. The increase of legal liabilities, physical and cyber terrorist threats, as well as elevated concerns from business stakeholders is pressuring the industry to establish a cohesive and global security framework. In 1996, the National Institute of Standards and Technology (NIST) introduced a set of guidelines in a whitepaper known as the NIST Special Publication 800-14 (NIST 800-14). NIST 800-14 theoretically assists the installation and management of security systems. It describes eight principles based on the guidelines set forth in 1992 by the Organization for Economic Cooperation and Development and contains 14 practices (Tables 23 and 51 24). For some businesses, NIST 800-14 still serves as a resource to develop a sound security structure, but the latest standard of best practice, ISO Standard 17799, is receiving stronger recognition. Table 23: NIST 800-14 Principles 1. Computer security supports the mission of the organization. 2. Computer security is an integral element of sound management. 3. Computer security should be cost effective. 4. Systems owners have security responsibilities outside their own organizations. 5. Computer security responsibilities and accountability should be made explicit. 6. Computer security requires a comprehensive and integrated approach. 7. Computer security should be periodically reassessed. 8. Computer security is constrained by societal factors. 89 Access Granted Table 24: NIST 800-14 Practices • • • • • • • • • • • • • • Policy Program management Risk management Life cycle planning Personnel/user issues Preparing for contingencies and disasters Computer security incident handling Awareness and training Security considerations in computer support and operations Physical and environmental security Identification and authentication Logical access control Audit trails Cryptography ISO Standard 17799 ISO 17799 is an international security standard set by the International Organization for Standardization (ISO). Businesses are progressively using ISO 17799 as a framework to define, implement, and measure their organizational security posture. According to an online poll conducted by CSO Magazine, 69 percent of those surveyed indicated that they were using the ISO 17799 to manage the information security of their business. Based on the British Standard 7799, ISO 17799 is currently the most globally recognized security standard for managing information security systems. Although called a “standard,” ISO 17799 is a set of guidelines that spotlights 10 control areas: • Overall security policy • Organizational security • Asset classification and control • Communications and operations management • Personnel security 90 Access Granted • Physical and environmental security • System access control • System development and maintenance • Business continuity planning • Legal or contractual compliance Generally Accepted Information Security Principles (GAISP) The Information Systems Security Association (ISSA) is in the process of developing the Generally Accepted Information Security Principles (GAISP). Much like the Generally Accepted Accounting Principles in the finance industry, GAISP is intended to standardize the information security industry. It will also serve as a measuring tool to evaluate a business’s level of security. This effort will take the ISO 17799 framework and create a common method of guidance that will give organizations a specific three-tiered body of security governance. The first version of the GAISP will debut at the end of 2003 and is expected to enhance global information security in the following ways: • Promotion of good information security practices at all levels of organization • Increase of management confidence that information security is being assured in a consistent measurable and cost-efficient manner • Increase of productivity and operational cost efficiency in well-secured and controlled environments • Decrease in costs of meeting global principles rather than piecemeal and varied, local guidelines GAISP Three Levels of Guiding Principles • Pervasive Principles—Targeting governance and executive-level management, the Pervasive Principles outline high-level guidance to help organizations solidify an effective information security strategy. • Broad Functional Principles—Broad Functional Principles are the building blocks of the Pervasive Principles and more precisely define recommended tactics from a management perspective. • Detailed Principles—Written for information security professionals, the Detailed Principles provide specific, comprehensive guidance for consideration in day-to-day information risk management activity. 91 Access Granted NSTISSI 4011 and 4014 Having good security practices and principles is a futile effort if employees are not properly trained to implement and evaluate security procedures. The Committee on National Security Systems (CNSS), formerly known as the National Security Telecommunications and Information Systems Security Committee, created the National Training Standard for Information Systems Security Professionals (NSTISSI 4011) and the National Training Standard for Information Security Officers (NSTISSI 4014). NSTISSI 4011 establishes a minimum set of education standards and training requirements for information systems security professionals. NSTISSI 4011 and 4014 are specifically intended for government training , but the guidelines are applicable to industry and the academic world. The 4011 model provides two levels of knowledge: Awareness and Performance. The Awareness Level presents information security professionals with information about security threats and vulnerabilities. It builds the need to protect data through accepted principles and practices. The Performance Level gives professionals the necessary skills to advise, design, implement, 52 and evaluate procedures and practices. NSTISSI 4014 sets minimum training guidelines for information systems security officers (ISSO), such as chief security officers or chief information security officers. It is divided into three training objectives: Entry, Intermediate, and Advanced. • Entry Level- Given a series of hypothetical system security breaches, the ISSO will 92 identify system vulnerabilities and recommend security solutions required to return the systems to operational level of trust. • Intermediate Level- Given a proposed new system architecture requirement, the ISSO will investigate and document system security technology, policy, and training requirements to assure system operation at a specified level of trust. • Advanced Level- Given a proposed information system accreditation action, the ISSO will analyze and evaluate the system security technology, policy, and training requirements in support of designated approving authority approval to operate the system at a specified level of trust. This analysis will include a description of the management/technology team required to successfully complete the accreditation 53 process. Future Trends in Security Technologies The security technology industry is undoubtedly a hot marketplace and, as no particular entity or institution is exempt from the need to protect vulnerable assets, this industry will only gain greater exposure as it continues to evolve. Several factors such as standards, convergence, and consolidation, as well as paradigm shifts, will be significant catalysts in shaping what types of security technologies will be developed and what the overall security industry will move toward in the next several decades. Access Granted Where Have We Been? It was originally believed that firewalls were the essence and key to maintaining a secure system. The standard method of protecting a computer system was through perimeter defense or, in other words, a hard exterior but a soft interior. Technologies used to achieve such a model include firewalls, intrusion detection systems (IDS), application proxies, 54 and virtual private network (VPN) servers. However, while there is a growing amount of software, new patches, and new configurations, each of these emerging technologies poses a potential new risk, not to mention the fact that with each new added device, there is a resulting exponential increase in both the complexity and the vulnerability of the system. Given that a system is only as secure as its weakest link, a growing number of links means a growing number of weaknesses. The perimeter defense system still exists and functions but, as the industry matures, different ways of thinking about security evolve. Standard technology, like firewalls, intrusion detection systems, and virus software can help defend against cyber-risk, but by all accounts, is not presently positioned to remove such risk. The inescapable reality is that no one connected to a network is safe from crackers. What Has Changed? Another factor shaping the direction of this industry is that attackers of information security systems are creating and utilizing increasingly complex methods of attacks. For example, blended threats—threats that use multiple means of propagation and an integrated response from more than one tech- nology—have infected multiple systems. With Nimda, 2.2 million systems were affected in three days, and infection occurred by email, web server, files on affected machines, web browsing, and shared drives. “Klez,” another blended threat, traveled around the world in 2.5 hours. Real-time awareness of infections is critical, and as the complexity and speed with which systems are infected grows, today’s information security solutions have only fragmented functionality and lack an integrated approach. Because management of these solutions has traditionally been noncohesive, the advantages of an integrated approach are increasingly viewed as a greater 55 necessity. Where Are We Going? There are several new methods of thinking through the direction in which security technology is headed. Major industry leaders agree that it is not cost efficient to have a range of non-integrated approaches to solving a weakness in a system. There is a growing agreement among industry leaders that physical, operational, and technological control in combination will be the only method to achieving a cost-efficient security solution in the future. Addressing only one portion of a complex problem through a piece-meal approach is not only inefficient but costly. The buzz phrase of “integrated security systems” is gaining greater attention among companies and the demand for such solutions are the latest trends in the security technology industry. 93 Access Granted Secure Identity Management (SIM) One of the latest cutting-edge technologies that is gaining an increasing share of the current market—and the anticipation is that it will continue to do so—is Security Identity 56 Management (SIM). SIM serves as the platform on which the entire identity management infrastructure of a networked system is connected to one automated system. The thought behind this technology is that there is a comprehensive approach that allows companies to deal with all products with respect to access control of information based on the identification of the user. SIM is software that, when installed, is responsible for automating the accessibility of information requested by a user from any particular database in a network. Bill Maxey, Product Line Manager of Novell Security Solutions, Access Management and Security stated: “It is not sufficient to have just a firewall anymore; instead, we need a comprehensive approach to the entire realm of components that are included in a security architecture. SIM is the cutting edge of technology and is a completely new way of 57 thinking of the future of this industry.” One example of how this technology has been aiding security in transactions within the business world is the Star Alliance—the global airline alliance consisting of United Airlines, Scandinavian Airlines, Thai Airways International, and Air Canada. As recently implemented by the Star Alliance, SIM provides employees, customers, partners, and suppliers real-time information about changes 58 and updates. This is achieved by governing access for all employees of member airlines, synchronizing critical information about 94 changes in individual member airlines, and thereby supporting cross-airline application access, while meeting security requirements for complex identity management. In addition to SIM, which is focused on managing the identities of users of a system, there has been collaborative movement around the integration of physical and cybersecurity technologies as the next hot trend on the market. Although the design, production, and implementation of such a device has not yet evolved into a product, there is a considerable amount of effort among companies to head in that direction. The effort is aimed at exploring how to integrate security management software, such as SIM, with physical security devices, such as smart cards, into one security system. Groups that are working to this end include the Open Security Exchange, which is committed to determining how to link building security systems with cyber-security systems by delivering “an interoperability specification to support the effective integration of these diverse areas of 59 security management.” Understanding that there is greater costefficiency when physical, personnel, and technological security are viewed as a single entity requiring protection, industry leaders are introducing products and beginning discussions around vendor-neutral solutions to address this new paradigm shift in security technology. According to Bruce Lowry, Director of Public Relations at Novell, “Unless companies, organizations, and individuals have an awareness that there is a fundamental shift in the industry toward the integration of the various parts of security, the industry will not be successful in keeping the growing 60 wealth of critical information secure.” Appendix A. Acknowledgements B. Works Consulted C. Endnotes D. Education and Training Resources E. Industry Resource Websites F. Occupational Definitions G. Glossary of Industry Terms H. Certifications Access Granted Acknowledgements Anagram Laboratories Palo Alto, CA Thomas A. Berson, Ph.D., Founder and Owner Ascolta Training Company Irvine, CA Irene Kinoshita, President and CEO Cisco Systems, Inc. Austin, TX Rick Stiffler, Senior Manager of Security and Emerging Technologies Training, Internet Learning Solutions Group San Jose, CA John Knopp, Product Line Manager for the Internet Learning Solutions Group Chi Wong, Director of Product Marketing City of Sunnyvale Information Technology Department Sunnyvale, CA Shawn Hernandez, Director of Information Technology Bob Trepa, Technical Support Manager Cryptography Research, Inc. San Francisco, CA Benjamin Jun, Vice President FBI San Francisco Division Martin Mijalski, Special Agent Recruiter ISSA Silicon Valley Chapter Cupertino, CA Nancy Bianco, President InfoSecurity Infrastructure, Inc. Sausalito, CA Charles Cresson Wood, Independent Information Security Consultant & Author Latham & Watkins Menlo Park, CA Anthony R. Klein, Partner, Corporate Department 97 Access Granted Marsh Risk & Insurance Services San Francisco, CA Arturo Perez-Reyes, Vice President MediaSnap San Jose, CA Peter Murray, CFO and Executive Vice President Mission College Corporate Education & Training Santa Clara, CA Gloria DeMarco, Program Manager Lin Marelick, Dean of Workforce and Economic Development David Patrick, Faculty Ingrid Thompson, Program Manager Nadel Phelan: Strategic Technology Communications Scotts Valley, CA Karin Walsh, Senior Account Mangager Novell, Inc. San Francisco, CA Bruce Lowry, Director of Public Relations Provo, UT Karl Childs, Certification Program Manager Tampa, FL Bill Maxey, Product Line Manager , Access Management & Security NOVA Information Technology Department City of Sunnyvale, Department of Employment Development Elton Hughes, Information Technology Specialist Charles Serfoss, Information Technology Specialist Ortega Infosystems, Inc. Santa Clara, CA Steve Chu, CTO PGP Corporation Palo Alto, CA LC Boros, Network Engineer Jon Callas, CTO and CSO 98 Access Granted Qualys, Inc. Redwood Shores, CA Gerhard Eschelbeck, CTO RSA Security Bedford, MA Art Coviello, President and CEO Seagate Technology, Inc. San Jose, CA Edward Scalco, Researcher Software Productivity Consortium Herndon, VA Bill Brykczynski, Chief Technologist Sprint Corporation Overland Park, KS Perry J. Steines, Manager of Intelligent Networks Sun Educational Services Broomfield, CO Douglas Engle, Sun Education Customer Support Representative Bee Ng, Certification Manager Sun Microsystems, Inc. Santa Clara, CA Sheila Couch, Senior Program Manager, Global Emerging Talent Trends Julie Wilcox, Systems Engineer Symantec Corporation Cupertino, CA Robert A. Clyde, CTO Larry Dietz, Director of Marketing Intelligence Neils Johnson, Principal Technologist, Enterprise Security Melissa Martin, PR Manager Tim M. Mather, Senior Director of Information Security 99 Access Granted Works Consulted Actel Definitions. Available: http://www.actel.com/products/rescenter/security/resources/glossary/glossary-body.html?print=true (3 January 2003). Baumann, Reto. “Ethical Hacking: GSEC Practical Version 1.4 (Option 1),” 24 November 2002, Available: http://www.giac.org/practical/GSEC/Reto_Baumann_GSEC.pdf (30 April 2003). Blakeley, Tanisha. “Staying Ahead of the Curve,” Certification Magazine, March 2003, Available: http://www.certmag.com/articles/templates/cmag_department.asp?articleid=91&zoneid=63 (31 March 2003). “Blended Threats: Case Study and Countermeasures,” Symantec Enterprise Security White Paper, December 2001, Available: http://www.istart.co.nz/index/HM20/PC0/PV21902/EX239/CS2206 (1 April 2003). Blum, Daniel. “Federating Identity: Trends, Technologies and Best Practices.”, RSA Security Conference 2003. Moscone Center. (14 April 2003). Bobkiewicz, Bartosz. “Layman’s Guide to Using Digital Signatures and Certificates,” WindowsSecurity.com, 23 January 2003. Available: http://www/cs.rit.edu/~jstl1734/crypt_paper.html (8 May 2003). Boulton, Clint. “Studies: Security Services, Software on the Rise.” Internetnews.com, 5 February 2002, Available: http://www.internetnews.com/ent-news/article.php/968991 (17 March 2003). “Bouncing Back: Jobs, Skills and the Continuing Demand for IT Workers,” Information Technology Association of America, May 2002, Available: http://www.itaa.org/workforce/studies/02execsumm.pdf (9 April 2003). Brocaglia, J., D. Foote, T. Lenzner, L. Kushner, L. Regener, and A. Briney “Infosec Job Market Flies.” Information Security, January 2001, Available: http://www.infosecuritymag.com/articles/january01/features.shtml (23 January 2003). Brown, Ken Spencer. “Valley Answering Nation’s Call for New, Better Security Technologies,” San Jose Business Journal, 1 March 2002, Available: http://sanjose.bizjournals.com/sanjose/stories/2002/03/04/story7.html (25 March 2003). Brykczynski, Bill. “Using ISO 17799, Code of Practice for Information Security Management, to Best Advantage.” RSA Security Conference 2003. Moscone Center. (14 April 2003). 100 Access Granted California Employment Development Department, Labor Market Information Division, “Employment Projections by Occupation,” 2003, Available: http://www.calmis.ca.gov/htmlfile/subject/occproj.htm (2 May 2003). “Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb for Third Year in a Row,” Computer Security Institute, 7 April 2002, Available: http://www.gocsi.com/press/20020407.html (23 March 2003). DataMasters. “2003 DataMasters Salary Survey.” Available: http://www.datamasters.com (2 May 2003). “Definitions,” SearchCIO.com, 30 July 2001, Available: http://searchcio.techtarget.com/sDefinition/0,,si19_gci212346,00.html (8 April 2003). Delio, Michelle. “Why FBI Computer Force Ain’t Fat,” Wired News, 3 September 2002, Available: http://www.wired.com/news/politics/0,1283,54850,00.html (16 January 2003). Ducklin, Paul. “The ABC of Computer Security.” Sophos Anti-Virus for Business, April 1999, Available: http://www.sophos.com/virusinfo/whitepapers/abc.html (23 January 2003). Duffy, Daintry. “Pro and Con,” CIO Magazine on the Web, 1 June 2000, Available: http://www.cio.com/archive/060100_con.html, (21 February 2003). “E-Transaction Privacy: The New Requirement for Information Security Across the Extended Enterprise,” Ingrian Networks, 7 March 2003, (12 March 2003). Erbschloe, Michael. “Action Steps for Improving Information Security,” Cisco Systems, 19 November 2002, Available: http://www.cisco.com/warp/public/cc/so/neso/sqso/roi5_wp.htm (17 March 2003). Feldman, William and Patti Feldman. “Access Control Products—Specific Examples,” Electricsmarts.com, 25 March 2003, Available: http://www.electricsmarts.com/content/security_accessspecific.asp (27 March 2003). Foote, David. “Companies Need Security Pros with More Varied Skills,” Computerworld on the Web, 9 July 2001, Available: http://www.computerworld.com/securitytopics/security/story/0,10801,61965,00.html (10 March 2003). 101 Access Granted Foote, David. “Info Security Job Boom Inevitable,” ComputerWorld, 2 September 2002, Available: http://www.computerworld.com/securitytopics/security/story/0,10801,73893,00.html. (1 April 2003). Foote, David. “Security Still Pays,” Information Security Magazine, August 2002, Available: http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January 2003). Gabelhouse, Gary. “Certification, Salaries, & the IT Market,” Certification Magazine. December 2002. Available: http://www.certmag.com/issues/dec02/feature_gabelhouse.cfm (14 April 2003). Gabelhouse, Gary. “Certification: Something of Value.” Certification Magazine, 2 April 2003, Available: http://ww.certmag.com/issues/dec01/feature_gabelhouse.cfm (14 April 2003). “Hackers, Crackers and Trojan Horses: A Primer,” Insurgency on the Internet, 29 March 1999, Available: http://www.cnn.com/TECH/specials/hackers/primer/ (1 April 2003). Hasson, Judi. “Techies Turn to Security Training: Credentials Can be a Differentiator.” Federal Computer Week., 7 January 2002, Available: http://www.fcw.com/fcw/articles/2002/01017/mgt-train-01-07-02.asp. (27 March 2003). “HIPAA Administrative Simplification News,” Center for Medicare & Medicaid Services, 31 January 2003, Available: http://www.cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem12 (17 April 2003). Hunt, Steve. “The Changing Nature of the Chief Security Officer,” 23 May 2002, Available: www.gigaweb.com (30 April 2003). Hurley, Edward. “Corporate Security Career Path Often Cultivated Internally,” Search Security.com, 3 March 2003, Available: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci883476,00.html (1 April 2003). Johnson, Amy Helen. “Guardians of the Gate,” Computerworld on the Web, 15 July 2002, Available: http://www.computerworld.com/printthis/2002/0,4814,72636,00.html (25 November 2002). 102 Access Granted Johnson, Neils. “Symantec Enterprise Security.” Data Security: Under Siege. Latham & Watkins. Garden Court Hotel. (2 April 2003). Jun, Benjamin. “It Takes A Village: Managing A Mission-Critical Security Project.” RSA Security Conference 2003. Moscone Center. (14 April 2003). Kabay, M.E. and Philip S. Holt, “Career Advice: Breaking into Infosec,” Information Security, May 2001, Available: http://www.infosecuritymag.com/articles/may01/features_career_advice.shtml. (24 March 2003). Kizza, Joseph. “Types of Cyber-Attacks,” Chapter 3, Available: http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt (23 March 2003). Klein, Anthony. “Legal and Contract Issues Regarding Data Security.” Data Security: Under Siege. Latham & Watkins. Garden Court Hotel. (2 April 2003). “Latest Computer Security News,” Security Stats.com, Available: http://www.securitystats.com (23 March 2003). Lowery, Jessica. “Penetration Testing: The Third Party Hacker,” Sans.org, 11 February 2002, available: http://www.sans.org/rr/penetration/third_party.php (31 January 2003). McFadden, Joanne. “New Demand for Engineers: Security Services.” SiliconValley/San Jose Business Journal, 7 February 2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/10/focus3.html (17 March 2003). McWilliams, Brian. “White-Hat Hate Crimes on the Rise,” Wired News, 13 August 2002, http://www.wired.com/news/culture/0,1284,54400,00.html (19 February 2003). Mitchell, Bradley. “Firewalls and Firewall Technology,” Computer Networking, 21 March 2003, Available: http://compnetworking.about.com/cs/firewalls/index.htm (24 March 2003). Munster, Eugene, Fischman, Eric, Meyer, David, and Jennings, Tom. “Wall Street’s Perspective on the Security Industry.” RSA Security Conference 2003. Moscone Center. (14 April 2003). National Science Foundation, Division of Science Resources Ststistics. “Science and Engineering Doctorate Awards: 2001, NSF 03-300,” Susan T. Hill, Project Officer (Arlington, VA 2002). National Security Telecommunications and Information Systems Security Committee. National Training Standard for Information Systems Security Officers (ISSO) NSTISSI No. 4014, August 1997. 103 Access Granted National Security Telecommunications and Information Systems Security Committee. National Training Standard for Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011, 20 June 1994. “National Strategy to Secure Cyberspace,” Educause. Available: http://www.educause.edu/security/nation-strategy/ (1 April 2003). “Novell UDDI Server Supports Secure Identity Management,” The Cover Pages, 11 December 2002, Available: http://xml.coverpages.org/Novell-UDDI200212.html (3 February 2003). Paterson, Kenneth G., Piper F., and Robshaw M. “Smart Cards and the Associated Infrastructure Problem,” 2002, Information Security Group. Available: http://www.compseconline.com/gej-ng/10/23/44/76/52/26/article.html. (27 March 2003). Patrick, Thibodeau. “California Leads Way on ID Theft Legislation.” ComputerWorld, 13 December 2002, Available: http://www.computerworld.com/securitytopics.privacy/story/0,10801,76721,00.html?SKC=hac king-76721 (18 April 2003). Perez-Reyes, Arturo. “Cyber-Insurance Solutions: First and Third Party Covers.” Data Security: Under Siege. Latham & Watkins. Garden Court Hotel. (2 April 2003). Pescatore, John. “The Future of the Information Security Market.” RSA Security Conference 2003. Moscone Center. (14 April 2003.) Phillips, Heather Fleming. “Domestic Security a Tech Bonanza,” The Mercury News on the Web, 11 November 2002, Available: http://www.bayarea.com/mld/mercurynews/4579521.htm (11 March 2003). Poulsen, Kevin. “California Disclosure Law has National Reach,” SecurityFocus Online, 3 January 2003, Available: http://online.securityfocus.com/news/1984 (3 February 2003). Price, Kori and Jason Dean. “E-commerce Security Countermeasures.” Florida State University’s School of Information Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/ecom2.html (17 March 2003). Price, Kori and Jason Dean. “Hackers & Crackers: What’s the Difference?” Florida State University’s School of Information Systems Studies, 16 June 2000, Available: http://slistwo.lis.fsu.edu/~security/HackersCrackers.html (27 March 2003). 104 Access Granted Price, Kori and Jason Dean. “How Viruses Work: Understanding the Computer Virus Infection Process,” Florida State University’s School of Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/HowVirusesWork.html (26 March 2003). Price, Kori and Jason Dean. “Network Worms.” Florida State University’s School of Information Systems Studies, 16 June 2000, Available: http://slistwo.lis.fsu.edu/~security/NetworkWormsPG.html (26 March 2003). Rasmussen, Michael. “IT Trends 2003: Information Security Standards, Regulations and Legislation.” CSO Online. Available: http://www.csoonline.com/analyst/report721.html (30 April 2003). “Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal, 4 February 2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily28.html. (28 February 2003). “Robert Half Technology IT Hiring Index,” Robert Half Technology, February 2003, Available: http://www.rhic.com (9 April 2003). Rosenberg, Tim, Ron Plesco and Scott Zimmerman. “Legal Limitations of Ethical Hacking: How Far is Too Far?” RSA Security Conference 2003. Moscone Center. (14 April 2003.) Ross, Seth T. “Computer Security: A Practical Definition”. Excerpt from Unix System Security Tools Albion.com, Available: http://www.albion.com/security/intro-4.html. (3 March 2003). Salois, Gene. “Driving Your Career: The Intrinsic Value of Certification,” Certification Magazine, March 2003, Available: http://www.certmag.com/articles/templates/cmag_feature.asp?articleid=89&zoneid=8 (31 March 2003). Sandhu, Ravi and Pierangela Samarati. “Authentication, Access Control, and Audit.” George Mason University. ACM Computing Surveys, Vol. 28, No.1, March 1996. Scalet, Sarah. “Risk: A Whole New Game. Economics is Changing Information Security. You Can Help Write the New Rule Book,” CSO Online.com, 9 December 2002, Available: http://www.csoonline.com/read/120902/intro.html (17 March 2003). Schneier, Bruce. “Following the Money, Negotiating for Security.” RSA Security Conference 2003. Moscone Center. (16 April 2003). 105 Access Granted Shachtman, Noah. “Hackers Being Jobbed Out of Work,” Wired News, 30 August 2002, Available: http://www.wired.com/news/culture/0,1284,54838,00.html (21 February 2003). Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security,” RBC Capital Markets (1 November 2001) Available: http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003). Stephens, Andrew. “Script Kiddies—What Are They and What Are They Doing?” SANS Info Sec Reading Room, November 13, 2000, Available: http://www.sans.org/rr/hackers/kiddies.php (23 March 2003). Stiffler, Rick. “Security Training and Certifications Update” (PowerPoint slides presented at Cisco Systems, Inc. for Analyst Briefing, San Jose, CA, April 2003). “Survey of 538 IT Security Professionals,” Computer Security Institute/FBI Computer Intrusion Squad, as quoted in “Security Statistics: Risk of Doing E-business,” Computerworld, 9 July 2001, Available: http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html (23 March 2003). “Symantec Corporation 2002 Internet Security Threat Report,” quoted in Mullins, Robert. “Cyber Attacks Decrease as Potential for Trouble Increases,” Silicon Valley San Jose Business Journal, 3 February 2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily8.html (21 February 2003). “The Difference of Cipher & Code Encryption,” Cipher Encryption: Cryptography Software and Resources. Available: http://www.cipher-encryption.com/cipher-code.html (8 May 2003). Tobias, Zachary. “Getting Started in Computer Forensics,” Computerworld on the Web, 9 July 2001, Available: http://www.computerworld.com/printthis/2001/0,4814,61876,00.html (25 November 2002). “US Federal Security Legislation and Regulations.” Baker & McKenzie: Global E-Commerce Law, 14 February 2003. Available: http://www.bmck.com/ecommerce/fedlegis-s.htm (23 March 2003). VaaseWeek, Lisa. “Breaking the Code on Security Certs,” Security Supersite: News and Resources for Security Professionals, 17 March 2003, Available: http://security.ziffdavis.com/print_article?0,4281,a=38811,00.asp (27 March 2003). 106 Access Granted “Viral Infection, Worms & Klez.” Network Abuse Report Site Viral Infection, Worms & Klez, 2 April 2003, Available: http://abuse.dragnet.com/au/content.php?mid=3&cid=5 (14 April 2003). Wagner, Dave. “Why Firewalls are a Poor Investment.” RSA Security Conference 2003. Moscone Center. (16 April 2003). “What’s New: Presidential Strategies Released by The White House—February 14, 2003.” Partnership for Critical Infrastructure Security. Available: http://www.pcis.org/ (6 March 2003). Winkler, Ira. “Zen and the Art of Information Security.” RSA Security Conference 2003. Moscone Center. (16 April 2003). Worrall, John. “Beyond Technology: Impact of Security on Tomorrow’s Business.” RSA Security Conference 2003. Moscone Center. (14 April 2003). 107 Access Granted Endnotes 1. “Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal, 4 February 2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily28.html. (28 February 2003). 2. “Report: IT Security Market to Hit $45B.” Silicon Valley Business Journal. 3. “Symantec Corporation 2002 Internet Security Threat Report,” quoted in Mullins, Robert. “Cyber Attacks Decrease as Potential for Trouble Increases.” Silicon Valley San Jose Business Journal, 3 February 2003, Available: http://www.bizjournals.com/sanjose/stories/2003/02/03/daily8.html (21 February 2003). 4. “Cyber Crime bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb for Third Year in a Row.” Computer Security Institute, 7 April 2002, Available: http://www.gocsi.com/press/20020407.html (21 February 2003). 5. “What’s New: Presidential Strategies Released by The White House—February 14, 2003.” Partnership for Critical Infrastructure Security. Available: http://www.pcis.org/ (6 March 2003). 6. “National Strategy to Secure Cyberspace.” Educause. Available: http://www.educause.edu/security/nation-strategy/ (1 April 2003). 7. “US Federal Security Legislation and Regulations.” Baker & McKenzie: Global E-Commerce Law, 14 February 2003. Available: http://www.bmck.com/ecommerce/fedlegis-s.htm (23 March 2003). 8. “HIPAA Administrative Simplification News.” Center for Medicare & Medicaid Services, 31 January 2003, Available: http://www.cms.hhs.gov/hipaa/hipaa2/news/NewsReleaseFull.asp#NewsItem12 (17 April 2003). 9. Poulsen, Kevin. “California Disclosure Law has National Reach.” SecurityFocus Online, 3 January 2003, Available: http://online.securityfocus.com/news/1984. (23 March 2003). 10. Patrick, Thibodeau. “California Leads Way on ID Theft Legislation.” ComputerWorld, 13 December 2002, Available: http://www.computerworld.com/securitytopics.privacy/story/0,10801,76721,00.html?SKC =hacking-76721 (18 April 2003). 11. Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security.” RBC Capital Markets, 1 November 2001, Available: http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003). 108 Access Granted 12. Kizza, Joseph. “Types of Cyber-Attacks.” Chapter 3, Available: http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt (23 March 2003). 13. “Survey of 538 IT Security Professionals.” Computer Security Institute/FBI Computer Intrusion Squad, as quoted in “Security Statistics: Risk of Doing E-business.” Computerworld, 9 July 2001, Available: http://www.computerworld.com/securitytopics/security/story/0,10801,62002,00.html (23 March 2003). 14. “Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb for Third Year in a Row.” Computer Security Institute, 7 April 2002, Available: http://www.gocsi.com/press/20020407.html (23 March 2003). 15. “Cyber Crime Bleeds U.S. Corporations, Survey Shows; Financial Losses from Attacks Climb for Third Year in a Row.” Computer Security Institute. 16. Kizza, Joseph. “Types of Cyber-Attacks.” Chapter 3, Available: http://www.utc.edu/Faculty/Joseph-Kizza/Books/CyberEthics/Notes/Chapter3.ppt (23 March 2003). 17. Kizza, Joseph. “ Types of Cyber-Attacks.” Chapter 3. 18. “Viral infection, Worms & Klez.” Network Abuse Report Site, 2 April 2003, Available: http://abuse.dragnet.com.au/content.php?mid=3&cid=5 (23 March 2003). 19. Price, Kori and Jason Dean. “Network Worms.” Florida State University’s School of Information Systems Studies, 16 June 2000, Available: http://slis-two.lis.fsu.edu/~security/NetworkWormsPG.html (26 March 2003). 20. Bobkiewicz, Bartosz. “Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment.” WindowSecurity.com, 23 January 2003. Available: http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_ Environment.html (5 May 2003). 21. Northcutt, Stephen. “What Was the Melissa Virus and What Can We Learn from It?” SANS Reading Room, 22 April 1999, Available: http://www.sans.org/resources/idfaq/what_melissa_teaches_us.php#4 (5 May 2003). 22. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security White Paper, December 2001, Available: http://enterprisesecurity.symantec.com/content/displaypdf.cfm?PDFID=152&EID=0 (13 March 2003). 23. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security White Paper. 109 Access Granted 24. “Blended Threats: Case Study and Countermeasures.” Symantec Enterprise Security White Paper. 25. Price, Kori and Jason Dean. “Hackers & Crackers: What’s the Difference?” Florida State University’s School of Information Systems Studies, 16 June 2000, Available: http://slistwo.lis.fsu.edu/~security/HackersCrackers.html (27 March 2003). 26. Price and Dean. “Hackers & Crackers: What’s the Difference?” 27. Stephens, Andrew. “Script Kiddies—What Are They and What Are They Doing?” SANS Info Sec Reading Room, November 13, 2000, Available: http://www.sans.org/rr/hackers/kiddies.php (23 March 2003). 28. Baumann, Reto. “Ethical Hacking: GSEC Practical Version 1.4.” SANS Institute, 24 November 2002, Available: www.giac.org/practical/GSEC/Reto_Baumann_GSEC.pdf (23 April 2003). 29. Ross, Seth T. “Computer Security: A Practical Definition.” Excerpt from Unix System Security Tools Albion.com, Available: http://www.albion.com/security/intro-4.html. (3 March 2003). 30. Sandhu, Ravi and Pierangela Samarati. “Authentication, Access Control, and Audit.” George Mason University, ACM Computing Surveys, Vol. 28, No.1, March 1996, Available: www.list.gmu.edu/journals/acm/survey96(org).pdf (5 April 2003). 31. Sandhu and Samarati. “Authentication, Access Control, and Audit.” 32. Sandhu and Samarati. “Authentication, Access Control, and Audit.” 33. Sandhu and Samarati. “Authentication, Access Control, and Audit.” 34. Actel Definitions. Actel, Available: http://www.actel.com/products/rescenter/security/resources/glossary/glossarybody.html?print=true (3 January 2003). 35. Sigmond, Steve and Vikram Kaura. “Safe and Sound: A Treatise on Internet Security.” RBC Capital Markets, 1 November 2001, Available: http://www.rbccmresearch.com/SafeandSound.pdf (19 April 2003). 36. “Definitions.” SearchCIO.com, 30 July 2001, Available: http://searchcio.techtarget.com/sDefinition/0,,si19_gci212346,00.html (8 April 2003). 37. “The Difference of Cipher & Code Encryption.” Cipher Encryption: Cryptography Software and Resources, Available: http://www.cipher-encryption.com/cipher-code.html (8 May 2003). 110 Access Granted 38. Bobkiewicz, Bartosz. “Layman’s Guide to Using Digital Signatures and Certificates.” WindowsSecurity.com, 23 January 2003. Available: http://www/cs.rit.edu/~jstl1734/crypt_paper.html (8 May 2003). 39. “Definitions: Biometrics.” SearchSecurity.com, 18 December 2002, Available: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211666,00.html. (28 March 2003). 40. “Bouncing Back: Jobs, Skills and the Continuing Demand for IT Workers.” Information Technology Association of America, May 2002, Available: http://www.itaa.org/workforce/studies/02execsumm.pdf (9 April 2003) 41. Foote, David. “Security Still Pays.” Information Security Magazine, August 2002, Available: http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January 2003). 42. “Robert Half Technology IT Hiring Index.” Robert Half Technology, February 2003, Available: http://www.rhic.com. (9 April 2003). 43. Stiffler, Rick. E-mail Response from Interviewee, Senior Manager of Security and Emerging Technologies Training, 13 May 2003. 44. Childs, Karl. Conference Call Interview with Novell’s Certification Program Manager by Wei Kuan Lum, 24 April 2003. 45. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine, (February 2003), Available: http://www.certmag.com/articles/templates/cmag_sg.asp?articleid=71&zoneid=74. (8 May 2003). 46. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine. 47. Tittel, Ed. “Security Certification: A Marketplace Overview.” Certification Magazine. 48. Robinson, Chad. “Security Certifications and Backgrounds: Identifying Real Employees.” CSOonline.com, (25 April 2003), Available: http://www.csoonline.com/analyst/report1279.html (7 May 2003) 49. Foote, David. “Security Still Pays.” Information Security Magazine, August 2002, Available: http://www.infosecuritymag.com/2002/aug/securitymarket.shtml (21 January 2003). 50. “2003 DataMasters Salary Survey.” DataMasters, Available: http://www.datamasters.com (2 May 2003) 111 Access Granted 51. Swanson, Marianne and Barbara Guttman. “Generally Accepted Principles and Practices for Securing Information Technology.” September 1996, Available: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf (17 April 2003) 52. National Security Telecommunications and Information Systems Security Committee. National Training Standard for Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011, 20 June 1994. 53. National Security Telecommunications and Information Systems Security Committee. National Training Standard for Information Systems Security Officers (ISSO) NSTISSI No. 4014, August 1997. 54. "Layers of Defense for the Small Office and Home Network." SANS Reading Room, Available: www.sans.org/rr/homeoffice/layers.php (23 April 2003). 55. “Symantec Blended Threats: Case Study and Countermeasures.” iStart: New Zealand’s e-Business Portal, December 2001, Available: http://www.istart.co.nz/index/HM20/PC0/PV21902/EX239/CS2206 (8 May 2003). 56. “NetVision Product in Novell’s Nsure/SIM Solution.” Netvision, 27 February 2003, Available: http://netvision.com/partners/novellnsure.html (23 April 2003). 57. Maxey, Bill. Conference Call Interview with Novell’s Global Solution Manager of Security Solutions by Wei Kuan Lum, 24 April 2003. 58. Ranger, Steve. “Novell Lands Airline Security Deal.” Vnunet.com, 22 April 2003, Available: http://www.vnunet.com/News/1140320 (23 April 2003). 59. “Comprehensive Security Management: Enabling the Convergence of IT and Physical Security,” Open Security Exchange, 2003 RSA Conference (14 April 2003). 60. Lowry, Bruce. Conference Call Interview with Novell by Wei Kuan Lum, 24 April 2003. 112 Access Granted Education and Training Resources American Business College International 650 North King Road San Jose, CA 95133 Ph: (408) 258-0800 Fax: (408) 258-8553 www.americanbci.com Institute of Computer Technology 589 West Fremont Avenue Sunnyvale, CA 94087 Ph: (408) 736-4291 Fax: (408) 735-6059 www.ict.org Computer Training Consultants 144 North San Tomas Aquino Road Campbell, CA 95008 Ph: (408) 871-6636 Fax: (408) 871-6633 www.comptraining.com International Technological University 1650 Warburton Avenue Santa Clara, CA 95050 Ph: (408) 556-9010 Fax: (408) 556-9212 www.itu.edu Evergreen Valley College 3095 Yerba Buena Road San Jose, CA 95135 Ph: (408) 274-7900 www.evc.edu Micro-Polytech Institute 1108-1110 Walsh Avenue Santa Clara, CA 95050 Ph: (408) 492-9048 Fax: (408) 492-1464 www.micropolytech.com Foothill College 12345 El Monte Road Los Altos, CA 94022 Ph: (650) 949-7777 Fax: (650) 949-7375 www.foothill.fhda.edu Mission College 3000 Mission College Boulevard Santa Clara, CA 95054 Ph: (408) 988-2200 www.missioncollege.org Institute for Business and Technology 2550 Scott Boulevard Santa Clara, CA 95050 Ph: (408) 727-1060 Fax: (408) 980-9548 www.ibttech.com National Hispanic University 14271 Story Road San Jose, CA 95127 Ph: (408) 254-6900 Fax: (408) 254-1369 www.nhu.edu 113 Access Granted National Institute of Technology 235 Charcot Avenue San Jose, CA 95131 Ph: (408) 441-6990 Fax: (408) 441-6994 www.nitschools.com OTI/Foothill-De Anza Colleges 21250 Steven Creek Boulevard Cupertino, CA 95014 Ph: (408) 864-8869 Fax: (408) 864-8462 www.oti.fhda.edu Portnov Computer School 1580 West El Camino Real #12 Mountain View, CA 94040 Ph: (650) 961-2044 Fax: (650) 9179977 www.portnov.com San Jose City College 2100 Moorpark Avenue San Jose, CA 95128 Ph: (408) 288-3708 Fax: (408) 223-3000 www.sjcc.edu San Jose State University One Washington Square San Jose, CA 95192 Ph: (408) 924-1000 Fax: (408) 924-2050 www.sjsu.edu Santa Clara Adult Education 1840 Benton Street Santa Clara, CA 95050 Ph: (408) 423-3500 Fax: (408) 423-3580 www.scae.org 114 Santa Clara County Regional Occupational Program-North 575 West Fremont Avenue Sunnyvale, CA 94087 Ph: (408) 733-0881 Fax: (408) 733-0894 www.ncrop.sccoe.net UCSC – Extension Cupertino Campus 10420 Bubb Road Cupertino, CA 95014 Ph: (408) 752-1300 UCSC – Extension Sunnyvale Campus Moffett Business Park 1180 Bordeaux Drive Sunnyvale, CA 94089 Ph: (408) 752-1300 www.ucsc-extension.edu University of Phoenix 3590 North First Street San Jose, CA 95134 Ph: (877) 478-8336 www.phoenix.edu West Valley College 1400 Fruitvale Avenue Saratoga, CA 95070 Ph: (408) 741-2000 www.wvmccd.cc.ca.us/wvc Access Granted Industry Websites Government Central Intelligence Agency (CIA) www.cia.gov CSO Magazine www.csoonline.com Committee on National Security Systems www.nstissc.gov Information Security Magazine www.infosecuritymag.com Federal Bureau of Investigation (FBI) www.fbi.gov SC Infosecurity News www.infosecnews.com National Infrastructure Protection Center (NIPC) www.nipc.gov SC Magazine www.scmagazine.com National Security Agency (NSA) www.nsa.gov National Strategy to Secure Cyberspace www.whitehouse.gov/pcipb U.S. Department of Homeland Security www.dhs.gov Search Security.com http://searchsecurity.techtarget.com SecurityFocus www.securityfocus.com Security Magazine www.securitymagazine.com Industry News & Magazines Sys Admin Magazine www.samag.com All-Internet-Security.com www.all-internet-security.com TCP Magazine www.tcpmag.com Certification Magazine www.certmag.com Organizations and Associations CertCities.com www.certcities.com Cert Coordination Center www.cert.org CIO Magazine www.cio.com Computer Security Institute (CSI) www.gocsi.com 115 Access Granted Human Firewall www.humanfirewall.org Information Systems Audit and Control Association www.isaca.org Information Systems Security Association (ISSA) www.issa.org Information Technology Association of America (ITAA) www.itaa.org International Information Systems Security Certification Consortium, Inc. www.isc2.org National Security Institute www.nsi.org SANS Institute www.sans.org Annual Conferences CardTech SecurTech Conference www.ctst.com CSI Annual NetSec www.gocsi.com RSA Conference www.rsasecurity.com/conference 116 2003 Bay Area Events Datacenter Ventures 2003 http://datacenterventures.com Access Granted Occupational Definitions The following occupational classifications and definitions come directly from the Standard Occupational Classification (SOC) codes. The SOC system is used by all federal statistical agencies to classify workers into occupational categories. It is structured into 23 major groups, 96 minor groups, and 449 broad occupations. The following are from major groups 11-0000 Management Occupations and 15-0000 Computer and Mathematical Occupations. 11-3021 Computer and Information Systems Managers Plan, direct, or coordinate activities in such fields as electronic data processing, information systems, systems analysis, and computer programming. 15-1051 Computer Systems Analysts 15-1071 Network and Computer Systems Administrators Install, configure, and support an organization's local area network (LAN), wide area network (WAN), and Internet system or a segment of a network system. Maintain and monitor network hardware and software to ensure network availability to all system users. 15-1081 Network Systems and Data Communications Analysts Analyze, design, and evaluate network systems, such as local area networks (LAN), wide area networks (WAN), and Internet. Perform network modeling, analysis, and planning. Research and recommend network and data communications hardware and software. Include telecommunications specialist who deal with the interfacing of computer and communications equipment. Analyze data processing problems for application to electronic data processing systems. Analyze user requirements, procedures, and problems to automate or improve existing systems and review computer system capabilities, workflow, and scheduling limitations. 117 Access Granted Glossary of Industry Terms Source: Actel http://www.actel.com/products/rescenter/security/resources/glossary intro.html Access Control BS 7799 Access control refers to the rules and deployment of mechanisms that control access to information systems, and physical access to premises and systems. The entire subject of information security is based upon access control, without which information security cannot, by definition, exist. The British Standard for Information Security, which was re-issued in 1999 in two parts. Part 1 is the Code of Practice for Information Security Management and Part 2 specifies the requirements for implementing Information Security in compliance with the Code of Practice. In October 2000, BS 7799 was elevated to become an International Organization for Standardization (ISO) standard - ISO 17799. Authentication 118 Authentication refers to the verification of the authenticity of either a person or of data, e.g . a message may be authenticated to have been originated by its claimed source. Authentication techniques usually form the basis for all forms of access control to systems and data. Security access control systems, which authenticate (verify the identity of) users by means of physical characteristics, e.g. face, fingerprints, voice, or retina pattern. Authorization Business Assets The process whereby a person approves a specific event or action. In companies with access rights hierarchies it is important that audit trails identify both the creator and the authorizer of new or amended data. It is an unacceptably high risk situation for one to have the power to create new entries and then to authorize those same entries oneself. The term ‘business assets,’ as it relates to information security, refers to any information upon which the organization places a measurable value. By implication, the information is not in the public domain and would result in loss, damage, or even business collapse, were the information to be lost, stolen, corrupted, or in any way compromised. Biometric Access Controls Access Granted By identifying and valuing the business assets in an organization, and the systems that store and process them, an appropriate emphasis may be placed upon safeguarding those assets which are of higher value than those that are considered easily replaceable—such as information in the public domain. Change Control An internal control procedure by which only authorized amendments are made to the organization’s software, hardware, network access privileges, or business process. This method usually involves the need to perform an analysis of the problem and for the results to be appended to a formal request prepared and signed by the senior representative of the area concerned. This proposal should be reviewed by management (or committee) prior to being authorized. Implementation should be monitored to ensure security requirements are not breached or diluted. Clear Desk Policy A policy of the organization, which directs all personnel to clear their desks at the end of each working day, and file everything appropriately. Desks should be cleared of all documents and papers, including the contents of the ‘in’ and ‘out’ trays! The purpose of the Clear Desk Policy is not simply to give the cleaners a chance to do their job, but to ensure that sensitive papers and documents are not exposed to unauthorized persons out of working hours. Clear Screen Policy A policy of the organization, which directs all users of screens or terminals to ensure that the contents of the screen are protected from prying eyes and other opportunistic breaches of confidentially. Typically, the easiest means of compliance is to use a screen saver that will engage, either on request, or after a specified time. Communications Line Within a communications network, the route by which data is conveyed from one point to another. Recently the term has started to be replaced by ‘communications link’ to reflect the fact that a growing number of small networks, even within the same building, are using radio ('wireless') communications rather than fixed cables. Communications Network A system of communications equipment and communication links (by line, radio, satellite, etc.) that enables computers to be separated geographically while remaining connected to each other. Confidentiality Assurance that information is shared only among authorized persons or organizations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, emailing or creating documents and other 119 Access Granted data. The classification of the information should determine its confidentiality and hence the appropriate safeguards. Configuration The act of programming an SRAM-based FPGA at system power up to make it functional. Configuration requires the use of a configuration device, which is typically a PROM (see PROM) or other type of memory. Contingency Planning Contingency planning plans for the unexpected or for the possibility of circumstances changing. Contingency plans are individual plans associated with individual projects or programs. A contingency plan is never expected to be executed; as a result, situations in which attention to detail and the budget allocation are clearly inadequate guarantee failures if it is executed. As with any plan, it is essential to agree on the ‘trigger(s)’ that will result in the plan coming into force and the subsequent 'chain of command' that will take over during that period. Corrupt Data Data that has been received, stored, or changed, so that it cannot be read or used by the program that originally created the data. Cracker A cracker is either a piece of software (program) whose purpose is to 'crack' the code to a password, encryption key, or configuration bitstream; or 'cracker' refers to a person who attempts to gain unauthorized access to a computer system, hardware, or board level components. Such persons are usually ill intentioned and perform malicious acts of crime and vandalism. Cryptography The subject of cryptography is primarily concerned with maintaining the privacy of communications, and modern methods use a number of techniques to achieve this. Encryption is the transformation of data into another usually unrecognizable form. The only means to read the data is to de-crypt the data using a (secret) key, in the form of a secret character string, itself encapsulated within a pre-formatted (computer) file. Cybercrime Cybercrime may be internal or external, with the former easier to perpetrate. Cybercrime is any criminal activity that uses network access to commit a criminal act. With the exponential growth of Internet connection, the opportunities for the exploitation of any weaknesses in information security are multiplying. Data Encryption Data encryption is a means of scrambling the data so that it can only be read by the person(s) holding the ‘key’—a password of 120 Access Granted some sort. Without the 'key,' the cipher cannot be broken and the data remains secure. Using the key, the cipher is decrypted and the data is returned to its original value or state. Decryption The process by which encrypted data is restored to its original form in order to be understood/usable by another computer or person. Denial of Service (DoS) DoS attacks deny service to valid users trying to access a site. DoS attacks do not usually have theft or corruption of data as their primary motive and will often be executed by persons who have a grudge against the organization concerned. Consistently ranked as the single greatest security problem for IT professionals, DoS attacks are an Internet attack against a website whereby a client is denied the level of service expected. In a mild case, the impact can be unexpectedly poor performance. In the worst case, the server can become so overloaded as to cause a crash of the system. Encryption The process by which data is temporarily rearranged into an unreadable or unintelligible form for confidentiality, transmission, or other security purposes. Hacker An individual whose primary aim in life is to penetrate the security defenses of large, sophisticated, computer systems. A truly skilled hacker can penetrate a system right to the core and withdraw again without leaving a trace of the activity. Hackers are a threat to all computer systems that allow access from outside the organization’s premises, and the fact that most ‘hacking’ is just an intellectual challenge should not allow it to be dismissed as a prank. Clumsy hacking can do extensive damage to systems even when such damage was not intentional. Identity Hacking Posting on the Internet or bulletin board(s) anonymously, pseudonymously, or giving a completely false name/address/telephone with intent to deceive. Impact Analysis As part of an information security risk assessment, you should identify the threats to your business assets and the impact such threats could have, if the threat resulted in a genuine incident. Such analysis should quantify the value of the business assets being protected to decide on the appropriate level of safeguards. Incursion A penetration of the system by an unauthorized source. Similar to an intrusion, the primary difference is that incursions are classed as ‘hostile.’ 121 Access Granted Information Asset Logical Access An information asset is a definable piece of information, stored in any manner that is recognized as ‘valuable’ to the organization. The information that comprises an information asset may be little more than a prospect name and address file; or it may be the plans for the release of the latest in a range of products to compete with competitors. The process of being able to enter, modify, delete, or inspect records, designs, schematics, source code, and other data held on a computer system or device by means of providing an ID and password (if required). The view that restricting physical access relieves the need for logical access restrictions is misleading. Any organization, systems, or devices within a system with communications links to the outside world has a security risk of logical access. Information Warfare/Infowar Also cyberwar and netwar. Infowar is the use of information and information systems as weapons in a conflict in which the information and information systems are the targets. Infowar has been divided into three classes: 1. Individual privacy 2. Industrial and economic espionage 3. Global information warfare, i.e., nation state versus nation state Most organizations will not need to be concerned over classes I and III, but clearly Class II is relevant to any organization wishing to protect its confidential information. Intrusion The technology equivalent of trespassing. An uninvited and unwelcome entry into a system by an unauthorized source. While incursions are always seen as hostile, intrusions may well be innocent, having occurred in error. Strong verification and security systems can minimize intrusions. 122 Malicious Code Malicious code includes all and any programs (including macros and scripts) that are deliberately coded in order to cause an unexpected (and usually, unwanted) event on a PC or other system. However, whereas antivirus definitions (‘vaccines’) are released weekly or monthly, they operate retrospectively. In other words, someone’s PC has to become infected with the virus before the antivirus definition can be developed. In May 2000, when the ‘Love Bug’ was discovered, although the antivirus vendors worked around the clock, the virus had already infected tens of thousands of organizations around the world before the vaccine became available. Non-Repudiation For e-commerce and other electronic transactions, including ATMs (cash machines), all parties to a transaction must be confident that the transaction is secure, that the parties are who they say they are (authentication), and Access Granted that the transaction is verified as final. Systems must ensure that a party cannot subsequently repudiate (reject) a transaction. To protect and ensure digital trust, the parties to such systems may employ digital signatures, which will not only validate the sender, but will also ‘time stamp’ the transaction, so it cannot be claimed subsequently that the transaction was not authorized or not valid. Penetration Intrusion, trespassing, unauthorized entry into a system. Merely contacting the system or using a keyboard to enter a password is not penetration, but gaining access to the contents of the data files by these or other means does constitute penetration. Penetration Testing The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques. Physical Access The process of obtaining use of a computer system, development tools, or direct access to a system and its components. For example by sitting down at a keyboard, or being able to enter specific area(s) of the organization where the main computer systems are located, or accessing system level hardware or in some cases even board level components. Physical Security restrictions on entry to computer department and tank, locking/disabling equipment, disconnection, fire-resistant and tamperresistant storage facilities, anti-theft measures, and anti-vandal measures. Public Key Infrastructure (PKI) Where encryption of data is required, perhaps between the organization's internal networks and between clients and representatives, a means of generating and managing the encryption keys is required. PKI is the use and management of cryptographic keys—a public key and a private key—for the secure transmission and authentication. Security Breach A breach of security occurs when a stated organizational policy or legal requirement regarding information security has been contravened. However, every incident suggesting that the confidentiality, integrity and availability of the information have been inappropriately changed can be considered a security incident. Every security breach will always be initiated via a security incident. Only if confirmed does it become a security breach. Security Incident A security incident is an alert to the possibility that a breach of security may be taking, or may have taken, place. Physical protection measures to safeguard the organization’s systems. Including, but not limited to, restrictions on entry to premises, 123 Access Granted Smart Card Smart cards look and feel like credit cards, but have one important difference: they have a ‘programmable’ microchip embedded. Their uses are extremely varied but, for information security, they are often used not only to authenticate the holder, but also to present the range of functions associated with that user's profile. Smart Cards will often have an associated PIN number or password to provide a further safeguard. The main benefits of using Smart Cards is that their allocation can be strictly controlled, they are hard to forge and are required to be physically inserted into a ‘reader’ to initiate the authenticate process. Virus A virus is a form of malicious code and, as such it is potentially disruptive. It may also be transferred unknowingly from one computer to another. The term virus includes all sort of variations on a theme, including the nastier variants of macro-viruses, Trojans, and worms, but, for convenience, all such programs are classed simply as ‘viruses.’ 124 Access Granted Certifications from Symantec Title Basic-Level Symantec Product Specialist (SPS) Specializations include: Symantec Enterprise Firewall Symantec Firewall Advanced Topics Enterprise Security Manager (ESM) Symantec NetRecon Intermediate-Level Symantec Technology Architect (STA) Specializations include: Firewall and VPN Technologies Vulnerability Management Intrusion Detection Virus Protection and Content Filtering Advanced-Level Symantec Certified Security Engineer (SCSE) Specializations include: Firewall and VPN Technologies Vulnerability Management Virus Protection and Content Management Symantec Certified Security Practitioner (SCSP) Description For individuals who wish to demonstrate expertise with a particular Symantec product and its functionality in an overall security system. Focuses on vendor-neutral security knowledge of how to design, plan, deploy and manage effective security solutions. STA certification is awarded for each Symantec Security Solutions Exam passed. This certification provides a high-level understanding of a broad range of security solutions plus in-depth knowledge and skills within a specific security focus (ie: Vulnerability Management, Intrusion Detection, etc). An SCSE is involved in the design, integration and deployment of comprehensive enterprise security solutions. For senior security consultants who wish to demonstrate in-depth expertise. This certification is achieved after all SCSE have been obtained. 125 Access Granted Requirements for Certification Symantec Certification Designation Pre-Requisite Knowledge Passed Technology Passed Security and Experience Exams Solutions Exam Symantec Product Specialist TCP/IP Networking, OS Proficiency 1 N/A Symantec Technology Architect TCP/IP Networking , OS Proficiency, Security Essentials Course None 1 Symantec Certified Security Engineer TCP/IP Networking, OS Proficiency, Security Essentials Course All within security focus 1 of targeted security focus Symantec Certified Security Practitioner SCSE Certifications All All Recertification Timeline: • Product certification is granted for specific versions of a product only. • All certifications are valid for 18 months and must be renewed prior to expiration to maintain credentials. 126 Access Granted Certifications from Cisco Systems, Inc. Title Description Associate-Level (Basic) Cisco Certified Design Associate (CCDA®) This certification indicates a foundation or apprentice knowledge of network design for the Cisco Internetwork Infrastructure. CCDA certified professionals can design routed and switched network infrastructures involving LAN, WAN, and dial access services for businesses and organizations. Cisco Certified Network Associate (CCNA®) This is an entry-level certification that validates an individual’s ability to install, configure, and operate LAN, WAN, and dial access services for small networks of 100 nodes or fewer. Professional-Level (Intermediate) Cisco Certified Design Professional (CCDP®) With this certification, a network professional can design routed and switched networks involving LAN, WAN, and dial access services, applying modular design practices and making sure the whole solution responds optimally to the business and technical needs. Cisco Certified Internetworking Professional (CCIP®) This certification provides individuals working in service provider organizations with competencies in infrastructure IP networking solutions. CCIP professionals have detailed understanding of networking technologies in the service provider arena including IP routing, IP QoS, BGP, and MPLS. Cisco Certified Network Professional (CCNP®) This certification indicates advanced or journeyman knowledge of networks. With a CCNP, a network professional can install, configure, and troubleshoot local and wide area networks for enterprise organizations with networks from 100 to more than 500 nodes. 127 Access Granted Title Description Cisco Certified Security Professional (CCSP) This certification provides network professionals with professional level recognition in designing and implementing Cisco secure networks. CCSP holders are actively involved in developing business solutions and designing and delivering multiple levels of security departments. Expert-Level (Advanced) Cisco Certified Internetworking Expert (CCIE™) Routing & Switching CCIE™ Security This certification covers IP and IP routing as well as specific security components. CCIE™ Communication & Services This certification covers IP and IP routing, Optical, DSL, Dial, Cable, Wireless, Wan Switching, Content Networking, and IP Telephony. CCIE™ Voice This certification covers those technologies and applications that comprise a Cisco Enterprise Voice over IP solution. Cisco Qualified Specialist Program Cisco Cable Communications Specialist 1 Cisco Content Networking Specialist 128 This expert-level certification covers IP, IP routing, non-IP desktop protocols such as IPX, as well as bridge and switch-related technologies. This is currently one of the premier IT certifications. This certification focuses on the knowledge and skills required to support and deploy Cisco cable two-way data services. This certification includes proficiency in DOCSIS, DVB, RF, and Cisco IOS®. This certification validates an individual's knowledge of content edge delivery, content distribution and management, content switching, and content routing. Access Granted Title Description Cisco Firewall Specialist This certification focuses on securing network access using Cisco IOS Software and Cisco PIX Firewall Technologies. Cisco IDS Specialist Cisco IDS Specialists can operate and monitor Cisco IOS Software and IDS technologies to detect and respond to intrusion activities. expertise in operating and monitoring Cisco IOS Software and IDS technologies to detect and respond to intrusion activities. Cisco IP Telephony Design Specialist, Cisco IP Telephony Operations Specialist and Cisco IP Telephony Support Specialist The Cisco IP Telephony Support, Design and Operations Specialist focused certifications validate proficiency in designing, installing, and supporting a multi-service network solution. These certifications are for individuals who plan, implement, and support Cisco advanced IP telephony network solutions. The focus is on implementing and supporting Cisco data and voice integration solutions over Frame Relay, ATM, and IP. Cisco Multiservice Switching Specialist For individuals who install, configure, support, troubleshoot, and design complex ATM-based networks in the service provider market segment. Cisco MxU Specialist This certification addresses network professionals who need to successfully implement ATM Multiservice switching and service provisioning based on Cisco BPX® and MGX™ networks. Cisco Optical Specialist 1 This certification is for network professionals who design, install, operate, and maintain optical networking systems. 129 Access Granted Title Description Cisco VPN Specialist A Cisco VPN Specialist can configure VPNs across shared public networks using Cisco IOS Software and Cisco VPN 3000 Series Concentrator technologies. Cisco Wireless LAN Design Specialist and the Cisco Wireless LAN Support Specialist These certifications indicate significant knowledge of relevant factors involved in deploying Cisco Wireless LAN solutions. Cisco Wireless LAN Specialists understand radio technologies associated with WLAN 802.11 standards, understand WLAN and bridge topologies and applications, can configure WLAN products, can explain Aironet software and management features, can configure various security methods for Wireless LAN environments, understand basic antenna theory, understand how to perform a site survey covering WLAN topology and design, and understand vertical market deployment and challenges. Instructor-Level Certified Cisco Systems Instructor (CCSI) Certifications Notes: 130 This certification is for individuals who want to teach authorized Cisco courses. You must be employed or sponsored by a Cisco Learning Partner. • There are three levels of certification and four different options for areas of focus. These four areas of focus are: (1) Network Installation and Support, (2) Network Engineering and Design, (3) Communications and Services, (4) Network Security. Each of these four areas of focus are available in the three levels (Associate, Professional, Expert). Access Granted Recertification Timeframes: • CCNA, CCDA, CCNP, CCDP, and CCIP certifications are valid for three years. • All CCIE and Cisco Qualified Specialist certifications are valid for two years. 131 Access Granted Certifications from Novell Title Description Basic-Level Certified Novell Administrator (CNA) Intermediate-Level Certified Linux Engineer (CLE) Certified Novell Engineer (CNE) Expert-Level Master Certified Novell Engineer (CNE) 132 For individuals who are interested in providing on-site administration for software users in a variety of work environments, including professional offices and small businesses, workgroups or departments, and corporate information services. CNAs handle day-today administration of an installed Novell networking product: NetWare, Novell eDirectory and GroupWise. For individuals who wish to expand their IT expertise in the area of Novell’s services for Linux including eGuide, iFolder, NMAS, DirXML, NetMail, ZENwworks, and Novell’s eDirectory. For individuals who already work in the Information Systems/Information Technology (IS/IT) industry as well as individuals are interested in entering this industry. For individuals are interested in becoming some of the information technology industry’s leading integration specialist. This program is designed to give individuals advanced skills that are required to provide solutions to complex networking problems that may span across several different platforms and product solutions. Access Granted Title Description Certified Directory Engineer (CDE) For individuals who are interested in maximizing their knowledge and skills in Novell’s eDirectory, as well as on the platform-independent directory information needed to implement and troubleshoot directories effectively in real, working environments. Instructor-Level Certified Novell Instructor (CNI) For individuals who are interested in becoming instructors of Novell’s certifications programs. They are able to gain access to Novell’s latest information and technology in order to equip individuals to become instructors. Certifications Notes: • The CLE is the latest certification introduced by Novell. Recertification Timeframe: • Recertification is an ongoing embedded process 133 Access Granted Certifications from Sun Microsystems, Inc. Title Description Basic-Level 134 Sun Certified System Administrator for the Solaris Operating Environment Solaris™ Operating Environment Certification Learning Path This certification is for system administrators tasked with performing essential system administration procedures on the Solaris™ Operating Environment (Solaris OE) and technical application support staff responsible for administering a networked server running on the Solaris OE. Sun Certified Programmer for the Java 2 Platform This certification is for programmers interested in demonstrating proficiency in the fundamentals of the Java™ programming language using the Java 2 Platform, Standard Edition (J2SE™ technology). Sun Certified Data Management Engineer This certification is for storage managers and system administrators responsible for administering disk array storage systems. This certification covers the skills required to implement, configure, operate and administer a disk array storage system. Students select from two paths for certification Solstice DiskSuite™ or VERITAS Volume Manager Software. Sun Certified Backup and Recovery Engineer This certification is being developed for backup and recovery engineers responsible for the design and implementation of backup systems in the data center. The examination is designed to measure a student's knowledge of reliable backup methodology, restoring data and meeting design requirements. Access Granted Title Description Sun Certified Storage Architect This certification is for storage architects responsible for designing and administering a storage area network. This examination focuses on the student’s knowledge of SAN design and implementation, installation, administration and troubleshooting of SAN hardware and software. Sun Certified Developer for Sun ONE Application Server 6.0 The Sun™ ONE Application Server provides the foundation for delivering enterpriseclass application services and Web services. Sun Certified Developer for Sun ONE Application Server 6.0 is for architects and developers who are using Java™ 2 Platform, Enterprise Edition (J2EE™ technology) to develop, deploy and run applications on Sun ONE Application Server 6.0. Sun Certified Engineer for Sun ONE Directory Server 5.x The Sun™ ONE Directory Server is a software product that provides a central repository for storing and managing identity profiles, access privileges and application and network resource information. The Sun Certified Engineer for Sun ONE Directory Server 5.x is recommended for professionals who design, deploy, configure, administer and troubleshoot the Sun ONE Directory Server 5.x for enterprise-level solutions with up to 5-10 million users. Intermediate Sun Certified Network Administrator for Solaris Operating Environment This certification is for experienced system administrators who are or will be responsible for administering Sun™ systems in a networked environment that includes LANs and the Solaris™ Operating Environment (Solaris OE). 135 Access Granted Title Description Sun Certified Security Administrator for the Solaris Operating Environment The Sun Certified Security Administrator for Solaris 9 OE is geared toward candidates with six to twelve months ofexperience administering security in a Solaris[tm] Operating Environment. It is recommended that candidates attend SC-300 Administering Security on the Solaris OE, have six to twelve months Security administration job role experience and have previous Solaris system and network administration certification. Sun Certified Developer for the Java 2 Platform This performance-based certification is for programmers and developers who are already familiar with the basic structure and syntax of the Java™ programming language, and who have a need to demonstrate advanced proficiency in developing complex, production-level applications using Java 2 Platform, Standard Edition (J2SE™ technology). Advanced Sun Certified Web Component Developer for the Java 2 Platform, Enterprise Edition (J2EE) Sun Certified Enterprise Architect for J2EE Technology 136 This certification is for programmers specializing in the application of JavaServer Pages™ and servlet technologies used to present Web services and dynamic Web content using Java™ 2 Platform, Enterprise Edition (J2EE™ technology). This certification is for enterprise architects responsible for architecting and designing Java™ 2 Platform, Enterprise Edition (J2EE™ technology) compliant applications, which are scalable, flexible and highly secure. Access Granted Other Popular Industry Certifications, as targeted by CSOonline.com Title Basic Check Point Certified Security Administrator (CCSA) Description Vendor-specific: For individuals interested in developing greater expertise on their product-base. CompTIA Security+ Vendor-neutral: For individuals interested in obtaining vendor-neutral competency in worldwide standards for foundation-level security practitioners. ProSoft Certified Internet Webmaster (CIW) Associate Vendor-neutral: For individuals who want to demonstrate knowledge of Networking , HTML and Internet fundamentals. Must be earned before you can continue on to any other CIW designation. Offered by Prosoft Training Center. SANS GIAC Certified Security Leadership Certification (GSLC) Vendor-neutral: For individuals with managerial or supervisory responsibility for information security staff. SANS GIAC Security Essentials Certification (GSEC) Vendor-neutral: Entry level designation for individuals who are or will be responsible for managing and protecting important information systems and networks. GIAC is the Global Incident Analysis Center established in 1999 by the SANS Institute to monitor new attacks and provide immediate analysis and response. TruSecure ICSA Certified Security Associate Vendor-neutral: For individuals who are involved in security administration of corporatesystems or networks. Typical candidates have experience in networking, system administration, may hold a security-related position, or arewell-versed in the area of network security. 137 Access Granted Title Intermediate CIW Professional 138 Description Vendor-neutral: For individuals who work with Internet/web technologies and are working toward a master CIW designation. SANS GIAC Certified Firewall Analyst (GCFW) Vendor-neutral: For security engineers who wish to show proficiency in firewalls and perimeter defense. GIAC Certified Intrusion Analyst (GCIA) Vendor-neutral: For security engineers who wish to show proficiency in intrusion analysis. GIAC Certified UNIX Security Administrator (GCUX) Vendor-neutral: For security engineers who wish to show proficiency in securing Unix systems. Master CIW Designer Intermediate/General: For individuals interested in a career in Web Design. This certification covers both site and ecommerce design. GIAC Certified Windows Security Administrator (GCWN) Vendor-neutral: For security engineers who wish to show proficiency in securing Windows NT and Windows 2000 systems. GIAC Certified Incident Handler (GCIH) Vendor-neutral: For security engineers who wish to show proficiency in advanced incident handling and hacker exploits. GIAC Certified Forensic Analyst (GCFA) Vendor-neutral: For individuals who are responsible for forensic investigation/analysis, advanced incident handling, or formal incident investigation. GIAC Systems and Network Auditor (GSNA) Vendor-neutral: Technical staff responsible for securing and auditing information systems; auditors who wish to demonstrate technical knowledge of the systems they are responsible for auditing . Access Granted Title Advanced 2 (ISC) Certified Information Systems Security Professional (CISSP) 2 Description Vendor-neutral: For experienced professionals in the computer security field who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization. (ISC) Systems Security Certified Practitioner (SSCP) Vendor-neutral: For individuals involved in network and systems security administration who are responsible for developing the information security policies, standards, and procedures and managing their implementation across various hardware and software programs in their organization. CIW Security Analyst Vendor-neutral: For individuals who are interested in an Administration certification and want to add evidence of security skills. Master CIW Administrator Vendor-neutral: For individuals interested in a career in Network Administration. This certification covers Server Administration, Internetworking, and Security for the Internet. Master CIW Enterprise Developer Vendor-neutral: For individuals who are interested in a career in programming. Certification covers Perl and Java languages, object-oriented analyst and design, application and database development. Master CIW Web Site Manager Vendor-neutral: For individuals who want to be familiarized with the majority of Internetrelated tasks and concepts. Certification covers Server Administration, Perl and JavaScript, and Site Design for the Internet. 139 Access Granted Check Point Certified Management Security Expert (CCMSE) 140 Vendor-specific: For individuals interested in developing greater expertise on Check Point’s Internet security solutions including VPN-1/FireWall-1 and Provider-1 in a network operating Center Environment. Access Granted 141