The IT Humidor

In the IT industry, there’s a lot of talk about how good a “security professional” is versus a “hacker”. Considering the companies that were compromised this year alone – Sony, RSA, Valve, just to name a few – the whole industry is looking at security a whole lot more seriously these days.

This brings me to a thread on TechExams.net from a few years ago that discusses what it takes to be an industry-recognized security professional. Something to note here, this forum assumes that certifications are earned through rigorous study and hands-on experience, not through memorizing stolen test-questions or cramming a book just enough to pass the test. That being said, this particular conversation discusses the much-lauded CISSP certification, which requires professional experience and a degree, in addition to a test, in order to obtain.

Keatron, who teaches courses in network security, had the following advice for another forum-member asking how to get into security:

I’ve had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. I by have it, I actually mean have it, not just pass the test.

I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I’d suggest getting some Cisco in there. And you must start with CCNA, Then work the CCSP route (will not be easy, but worth it).

By this time you should be very ready to start preparing for the CISSP.

Again, keep in mind that the assumption here is that a professional would be working as he or she earns these certs, and actually learning the material in a practical way over the course of the two or three years it would take to study for all these tests.

So, the response we get from UnixGuy, another member of the forum who is interested in security-work:

Hmmm, isn’t this tooo long a way to earn a CISSP ??

And here is the big payoff, Keatron’s reasoning for all those other skills and experience:

For UnixGuy, think of it this way. Let’s say you have 6 different certifications that all deal with 6 different areas of Information Security. Think of these as your 6 cans of Coke. Now think of the CISSP as the little plastic stuff that holds a six pack of coke together. Take your 6 cans of coke (your experience and other certs) and the little plastic stuff (your CISSP), add those together and you have a solid six pack that’s held together well. For example, you might have a job as a firewall administrator. You might perform this job well for 6 or 7 years. However, you could be an expert firewall administrator, and not know squat about application security. In reality, the CISSP helps a security professional take all their years of experience, and certifications and FINALLY tie them all together and see clear relationships between it all. But there’s the old saying “garbage in, garbage out”. So in other words, if you are a person with only 1 can of coke (mimimal experience and minimal exposure to certifications), then the little plastic thing (CISSP) wont really do you much good, because you don’t have any cans (experience and certs) to tie together. The CISSP is often described as a mile wide and an inch deep. But it should be understood that you don’t go a mile deep because theoretically, you’ve already been 20 miles deep in several of the domains. I always stress experience first, then certs. However, sometimes you need the cert, to be awarded the opportunity to get the experience. But I often recommend people in the security field get vendor specific certs related to operating systems or network equipment they may be responsbile for securing. You can’t possibly secure a large building if you don’t know where all the doors and windows are. Additionally you need to know how to open and close these doors and windows. Same goes for systems and networks. Here’s a few examples;

How can one possibly understand group policy if they’ve never implemented or least labbed it out in preperation for MCSE? How could you know that group policies only apply to computers that are a member of the domain, OU, or site that group policy was applied to if you haven’t done it, or again labbed it out. Not to mention you have to remember to give groups read and apply group policy permissions to the group policy object if it is to have any effect at all. If one doesn’t understand these basics, then how could they possibly even start to secure a Windows based network? How does Kerberos work (in Windows world). What’s sent in clear text and what’s encrypted? How feasible is it for an attacker to forge a ticket and fool another device or computer in the realm to believing it’s legit? If you’ve never implemented a Pix or an ASA then how could you know what it’s default inspection rules for the FTP protocol is? We’re taught that FTP uses ports 20 and 21 only. But is that actually accurate? Is is true that FTP actually uses dynamically allocated ports to actually do the data transfer part of an FTP session? How does the ASA default inspection rules allow for this? And if you know the answer to that, then what security concerns does this behavior and allowance or disallowance by ASA introduce or expose your organization to? Have you observed it’s behavior via ethereal or some other analyzer or sniffer? What about the bazillion other protocols you’re forced to allow into your network? Are you sure DNS only uses port 53? TCP or UDP? Both? When you perform a query for a resource on the web, does the response to query come back in on UDP port 53? What about zone transfers? Is that via port 53 as well? TCP or UDP? Are these zone transfers in cleartext? If they are, what can you implement to encrypt these zone transfers? How does Checkpoint Firewall solutions deal with this behavior? (And saying it just works doesn’t count). Are the ways in which it deals with this behavior introducing unique security considerations? Isn’t it true that the biggest problems with firewall, IDS, and other mechanisms is that they act and behave in a very predictable manner? How does NTFS file systems store data and files? What about NFS? FAT? What about ZFS? So how do ZFS and EXT2 differ in how they store and catergorize data? From a confidentiality perspective, which is more feasible? If you haven’t worked with these file systems you might not know the answers. However, getting certifications can expose you to this very information and least give you some level of knowlegde in those areas.

This list could go on and on. And obviously a CISSP that thinks they only utilize port 21 when they go to an FTP site and download files probably could have benefited from getting little more experience (or getting more cans) before getting the plastic peice (CISSP) to pull it all together. Because pulling it all together with too few cans causes us to have huge “knowledge gaps” and therefore renders us less effective in our roles as information security professionals.

So UnixGuy, the above is some of the major reasons I suggest a path to the CISSP that’s probably a little longer than what you normally hear. Thanks for reading. And I hope it helps. 

Keatron.

I agree with every word of it. You cannot secure a network, a server, a website, or even a stand-alone PC, if you don’t know how those things work in the first place. Security is a second-tier skillset, you have to learn how it works before you can learn how to protect it. ”Security” isn’t some additional field that was invented for us to work in, it’s a term for the in-depth knowledge we gain as we work and learn about these systems that helps prevent exploits and hacks from being executed. UnixGuy’s question is a common one, and he’s not stupid or self-entitled for thinking that the road is too long. Unfortunately, I think that security isn’t taken seriously enough as a whole by this industry, (and many others,) and the result is that most of us don’t know how much work and effort goes into becoming an expert on that level.

Given, even experts make mistakes and sometimes the black-hats (bad guys) are sometimes smarter than the white hats (good guys), but that’s all the more reason to study, train, and prepare yourself if you want to be a CISSP, for example. Some people think the road is too long. . . I think that the road isn’t often long enough. It’s a big, bad world out there full of threats and people who want to steal our information. The more you know, the fewer times you’ll get caught with your pants down.