
What Cyber Security Certification Do We Need?

Updated 15 January, 2019

That is the question (or something very similar) that I invariably get after presenting the results of a security engagement in which seemingly obvious weaknesses were exploited. These are the kinds of exploits that lead to administrator-level access to systems in hours (or even minutes), and that could expose sensitive organizational data or PII.

Whenever these events occur, there is a range of potential outcomes. In the “good” scenario the CIO or CTO is embarrassed by the audit and has to send the results up the chain, but no real damage has been done. The “bad” version involves explaining the results of an actual breach and the scope of the exposure, and acknowledging that a few low-cost administrative or technical safeguards could have prevented the incident or alerted them to it far sooner.

In most cases, CIOs have a staff qualified to manage the physical (router/switch/firewall) and administrative (Windows/Unix/help desk) aspects of the network. The staff is responsive and keeps the network running and people working. But with multiple staff members holding industry certifications (CCNA, CCNP, A+, Network+, MCSE, MCP), how can this level of vulnerability exist within an organization?

The answer is that these professionals have built the network for efficiency and ease of use, which is what they were taught and what was (and is) expected of them. Security is typically a small portion of their duties, and they will often choose efficiency over the grumbling that follows when, for example, “task X” takes a few extra seconds because a new security measure has been put in place. When performance metrics outweigh security posture, they get praised … until it hits the fan.

If you are in the “good” scenario (see above) and merely have a bad report card, how real is the threat? Ask the CTO in the “bad” scenario: those incidents are the tip of the iceberg, and the threat is very REAL. Every connection to the Internet, whether it sends email, uploads or downloads files, provides Wi-Fi access, or enables VoIP or cell phone usage, is being scanned or assessed for vulnerabilities on a daily if not continuous basis. Even the PSTN phone line connected to the “fax machine” (now most likely an “all-in-one” printer that also sits on the network) is being attacked with fax images carrying embedded code. Nothing is safe.

What industry certification should I look for now? For my employees? For new hires? For contractors or outsourced IT staff?

(Disclaimers up front: I don’t get it, I don’t understand it, but there are individuals at all levels, from CISSP to Security+, who have no business giving anyone advice. There are people who can read and regurgitate data without understanding a word of it or having any real-world experience to back it up.)

There are many governing bodies and unique business roles that are intended to provide general guidelines, and there are many other certifications out there. I like the Department of Defense (DoD) model and approach (look up the DoD 8570.01-M requirements); another great resource is NIST’s NICE Cybersecurity Workforce Framework.

Entry Level: If they can monitor, change, administer, or in any way affect the security of the IT infrastructure, they need to have CompTIA’s Security+, Cisco’s CCNA Security, EC-Council’s CEH, or GIAC’s GISF (the SANS SEC301 course), in addition to their other professional certifications or years of experience. My personal preference is the new Security+ (CE), which requires continuing education every year to maintain the certification.


NOC/SOC Shift or Team Leader: Anyone managing or leading a section or team should probably step up their certification level, especially if they are serving in technical support with security responsibilities. This is where newer certifications with a technical focus have started to show up: Cisco’s CCNA Cyber Ops and CompTIA’s Cybersecurity Analyst (CySA+) and PenTest+ all step up the level of knowledge, and they focus on the ability to apply, understand, and interpret data and then react appropriately to potential security threats. Less technical managerial/oversight roles could use (ISC)2’s SSCP or GIAC’s GSEC, or, in the healthcare industry, (ISC)2’s HCISPP (HealthCare Information Security and Privacy Practitioner). There are also several higher-level, role-based GIAC certifications that should not be ruled out if they fit the exact role. Once again, this is in addition to their other professional certifications or years of experience and a proven track record of success.


NOC/SOC Manager, Director, CTO/CIO/CISO: Anyone making decisions that directly affect the security of an organization, or managing the people who make those decisions, needs to hold (ISC)2’s CISSP, ISACA’s CISA, or CompTIA’s CASP (depending on whether the role is deeply technical or broad-range security management). The quick, generally accepted analogy for the difference between these certifications, specifically regarding the depth of the security knowledge base involved, goes like this:

  • The CISSP is a mile wide and an inch deep
  • The CASP is an inch wide and a mile deep
  • The CISA is fantastic for those with heavy compliance responsibilities


Outsourced IT Vendors: Organizations large and small in almost every business sector outsource IT in the belief that these vendors provide security along with their core services (often desktop support and printer service providers). These vendors rarely perform any system hardening or updates on multi-function office devices, which run Windows- or Linux-based operating systems and carry substantial local storage. Ideally, someone on the vendor’s management side should hold a CISSP or CASP, and lead technicians should hold CCNA Security, CEH, or Security+. In some geographic areas perhaps only the manager needs CySA+, CEH, or Security+, but the key is determining whether the vendor acknowledges the security risks associated with the provided service and takes steps to ensure that they and their employees understand those risks. Getting and maintaining security certifications should be part of any SLA you sign.

Your people don’t know what they don’t know. Setting a minimum baseline security certification does not guarantee that they will fully understand security, but it makes it 100% clear that IT security is important to the organization. It also communicates to every person in the organization, new and long-tenured, that there is a minimum acceptable level of knowledge and that maintaining and increasing security education will be rewarded. Ultimately, certification and steady progression help to foster a “culture of security” within an organization.

Tim Crosby, CISSP, HCISPP, CySA+, CHPSE, PenTest+ SME, CSA+ SME
Sr. Security Consultant
Consulting Services Group
Spohn Consulting, Inc.
Office: (512) 685-1820
Mobile: (512) 945-5674