Chapter 7. Security Certifications

Terms you'll need to understand:

  • Certified Information Systems Security Professional (CISSP)

  • Systems Security Certified Practitioner (SSCP)

  • SysAdmin, Audit, Network, Security—Global Information Assurance Certification (SANS-GIAC)

  • GIAC Certified Firewall Analyst (GCFW)

  • GIAC Certified Forensic Analyst (GCFA)

  • GIAC Certified Incident Handler (GCIH)

  • GIAC Certified Intrusion Analyst (GCIA)

  • GIAC Certified Unix Security Administrator (GCUX)

  • GIAC Certified Windows Security Administrator (GCWN)

  • GIAC Gold Standard Certificate (GGSC-0100)

  • GIAC Information Security Officer-Basic (GISO-Basic)

  • GIAC IT Security and Audit Kickstart (GIAK)

  • GIAC Security Engineer (GSE)

  • GIAC Security Essentials Certification (GSEC)

  • GIAC Systems and Network Auditor (GSNA)

  • TruSecure ICSA Computer Security Associate (TICSA) Security Practitioner Certification

Techniques you'll need to master:

  • Locating training and certification information on the various security certification Web sites

  • Obtaining descriptions and objectives for specific security programs and exams

  • Identifying self-study and training options related to specific security exams

  • Keeping up with the ever-changing security certification landscape

No matter what kind of systems or networks an organization uses, some concern for security is well founded. In today's world where Internet access is a given, protecting the boundaries of systems and networks is no longer a luxury reserved for an elite few; managing security has become absolutely necessary, even in small- to medium-sized organizations.

This helps to explain why a plethora of security-related IT certifications has begun to appear on the scene. There are so many of them, in fact, that we cover only the most significant ones in depth here in this chapter, and we simply mention others near this chapter's end. A recent survey of the certification landscape revealed more than 30 vendor-neutral security certifications from a variety of organizations; the number of vendor-specific security certifications available is also approaching 20.

Security-Related Certifications

The following three security certification programs are covered in this chapter:

  • The International Information Systems Security Certification Consortium's Certified Information Systems Security Professional (CISSP) and its Systems Security Certified Practitioner (SSCP) certifications

  • The SysAdmin, Audit, Network, Security (SANS) Institute's Global Information Assurance Certification (GIAC) program and related training programs

  • The TruSecure ICSA Computer Security Associate (TICSA) certification

In the sections that follow, you'll find information about all three of these programs.

Note


As you read through this chapter, you might notice the omission of a new but important security-related certification: Security+. We cover CompTIA's Security+ certification in detail in Chapter 4, “CompTIA Certification Programs.”

(ISC)2 Certifications: CISSP and SSCP

The formal name of the organization responsible for the CISSP and SSCP certifications is the International Information Systems Security Certification Consortium, Inc. (IISSCC). Everybody takes the easy way out and calls this group (ISC)2 (pronounced “ISC-squared”).

Alphabet Soup

Let's briefly review the two abbreviations that relate to (ISC)2 certifications. After that, you'll have a chance to investigate each certification in some detail. Finally, you'll learn how to sign up for tests and locate resources to prepare for the CISSP and SSCP exams.

The following abbreviations are related to (ISC)2 certifications:

  • CISSP (Certified Information Systems Security Professional)—The (ISC)2's premier security certification, this credential is aimed at individuals who are responsible for developing information security policies, standards, and related practices and procedures and for managing their implementation across an entire organization. The CISSP certification has been around since 1992, and it boasts a certified population of more than 7,500 at present.

  • SSCP (Systems Security Certified Practitioner)—The (ISC)2's secondary (and newer) security certification aims—as its name suggests—at network and systems administrators who implement the kinds of policies, standards, practices, and procedures that CISSPs create and manage for the various hardware and software systems for which they are responsible. The SSCP certification is meant to complement the CISSP certification at an operational level.

The best source of information about (ISC)2 certifications appears on the organization's training and certification pages at www.isc2.org. You can select the Training and Certification links for more information on these topics.

CISSP

Obtaining CISSP certification requires passing only a single exam, but it's a whopper: 250 multiple-choice questions taken from across 10 security-related knowledge domains, with a maximum of six hours allowed to complete it. Remember that CISSP is a senior-level security certification that is for seasoned and experienced security professionals. The minimum requirements include four years of direct experience or three years of direct experience along with a college degree or the equivalent life experience. CISSPs work as full-time security professionals, which typically means one of two things:

  • A full-time job as a security professional inside a corporation or an organization big enough to warrant creating such a position

  • A full- or part-time job as a security consultant, either on a freelance basis or within some kind of consulting organization that could range from a small business to a large, multinational firm such as EDS or Accenture

For such professionals, the 10 Common Body of Knowledge (CBK) domains associated with the CISSP certification represent a large knowledge base to master but one that is entirely within the purview of the candidates' professional activities. These 10 CBK domains are as follows:

  • Access Control Systems and Methodology—This domain covers planning, design, use, and maintenance of user and group accounts, access controls, rights and permissions, various authentication mechanisms, and auditing and accountability mechanisms for monitoring efficacy of access controls.

  • Application and Systems Development—This domain covers application development and data management as they relate to security, including distributed technologies and threats such as worms, viruses, Trojan horses, and active content; working with databases and data warehouses; managing and controlling data stores; working with systems development and security control systems and architectures; managing system integrity levels; recognizing and dealing with malicious code; and understanding common system and network attacks.

  • Business Continuity and Disaster Recovery Planning—This domain covers practices, data requirements, and arrangements that are necessary to ensure business continuity in the face of disruptions. It involves planning, preparation, testing, and maintenance of specific actions to prevent critical business processes and activities from being adversely affected by failures, interruptions, and so forth.

  • Cryptography—This domain covers basic principles of cryptography and how they apply to matters of confidentiality, integrity, authentication, and nonrepudiation; cryptographic concepts, methods, and practices, including digital signatures, encryption/decryption and related algorithms, key distribution, escrow, recovery, error detection/correction, and hashes, digests, and ciphers; public and private key algorithms; public key infrastructure (PKI); system architectures for implementing cryptographic functions; and well-known methods of cryptographic attack and countermeasures.

  • Law, Investigation, and Ethics—This domain covers basic knowledge of laws and regulations governing licensing, intellectual property, import/export, liability, and data flows across borders that can affect system or network security and/or business operations. It includes knowledge of relevant computer crime laws and regulations, proper investigative procedures, methods for evidence gathering, incident-handling techniques, and ethical and conduct issues.

  • Operations Security—This domain covers planning, design, implementation, and management of systems and networks, including basics of administrative management; important concepts in operations such as antivirus management, backups, and need-to-know regimes; types and applications of operational controls; resource protection requirements; auditing needs, methods, and documents; monitoring types, tools, and techniques; and intrusion detection and penetration testing needs, methods, and tools.

  • Physical Security—This domain covers facility requirements, technical controls, and environmental and safety issues; physical security threats and elements of physical security, including threat prevention, detection, and suppression; fire, water, and toxic materials threats; and alarms and responses.

  • Security Architecture and Models—This domain covers basic principles of computer and network architecture; principles of common security models, along with architectures and evaluation criteria; and common flaws and security issues associated with specific architectures and designs.

  • Security Management Practices—This domain covers basic concepts and principles, including privacy, confidentiality, availability, authorization, identification and authentication, and accountability; change control and management; data classification schemes (government and private); employment policies and practices; and working with the procedural side of security, as in formulating policies, guidelines, and procedures.

  • Telecommunications, Network, and Internet Security—This domain covers the ISO/OSI network reference model; communications and network security through topology, protocols, services, APIs, and remote access; Internet/intranet/extranet equipment and issues, including firewalls, routers, switches, proxies, and gateways; TCP/IP and related security protocols and services; connection services; a broad range of communications security techniques, including tunneling, VPNs, NAT, and error detection and correction methods; review of security practices for email, fax, and voice; and a review of common network attacks and associated countermeasures.

A CISSP candidate must also subscribe to (ISC)2's CISSP code of ethics to complete the certification requirements and have four years of working experience (or three years of working experience plus a college degree or equivalent life experience) in at least 1 of the 10 CBK domains. The CISSP exam rightfully has the reputation of being long and somewhat arduous. For those reasons, we strongly recommend that you obtain and review the CISSP Study Guide, downloadable from www.isc2.org/cgi-bin/request_studyguide.cgi. You might also want to consider attending an authorized CBK Review Seminar to prepare for this exam.

After you've passed the CISSP exam, you are required to get your application endorsed by an existing CISSP before you can receive certification. In addition, a certain number of randomly chosen CISSP applications are audited by (ISC)2 in order to confirm the candidates' experience and resume information. A candidate must pass this audit before he or she can receive the CISSP credential.

CISSP certification lasts for three years and may be renewed by completing 120 hours of continuing education during the interim or by retaking the exam. At least 80 hours of these continuing education credits must be directly security related. See isc2.org/cgi-bin/content.cgi?page=43 for more information.

SSCP

Obtaining SSCP certification requires passing only a single exam (but it's a long one): 125 multiple-choice questions taken from across 7 of the 10 security-related CBK domains. Candidates are allowed a maximum of three hours to complete the exam. Remember that SSCP is a junior- to mid-level security certification that is for individuals who are ready to integrate day-to-day security activities as part of their full-time jobs as system or network administrators. Thus, even though the descriptions for the 7 CBK domains for the SSCP are the same as for the CISSP, an SSCP candidate need not be as deeply or intimately familiar with these domains as a CISSP candidate should be.

The seven CBK domains that apply to the SSCP are as follows:

  • Access Controls—This domain covers how to use, apply, monitor, and maintain access controls to specify what users may do, which resources they may access, and what operations they may undertake on a system. It includes familiarity with access control technologies, such as biometrics, hardware tokens/smart cards, and passwords, where each technology offers varying levels of confidentiality, integrity, and availability.

  • Administration—Security administration means identifying information assets and documenting the security policies, standards, practices, and procedures necessary to protect those assets. This domain covers privacy issues, data integrity, auditing, organizational roles and responsibilities, policies, practices, procedures, and guidelines, plus security education, awareness, and continued application of industry practices.

  • Audit and Monitoring—Monitoring collects information about system activities and events; auditing tracks the use and assignment of access controls and related system objects or resources. Knowledge of both is important to maintaining proper security. This domain covers methods of data collection, including logging, sampling, and reporting, plus audit review and compliance checking. It also includes coverage of legal considerations related to monitoring and auditing.

  • Cryptography—Cryptography provides powerful mechanisms whereby data may be altered to maintain its integrity, confidentiality, and authenticity. Topics included in this domain are basic cryptography terms and concepts; definitions, applications, and uses for public and private key technologies; and the application and use of digital signatures to prove authenticity and establish nonrepudiation.

  • Data Communications—This domain covers network structures, transmission methods, transport formats, and protocol- and service-level measures that are used to maintain data integrity, availability, authentication, and confidentiality of transmitted data. This topic embraces communications and network security as they relate to LANs and WANs; remote access; the roles that special networking devices, such as routers, switches, firewalls, and proxies, play on the Internet, extranets, and intranets; understanding of TCP/IP protocols and services, especially as they relate to security; and techniques for detecting and preventing network attacks and suitable countermeasures.

  • Malicious Code—Malicious code encompasses any software-based security threat that can compromise access to, operation of, or contents within systems or networks, including viruses; worms; Trojan horses; active content such as ActiveX, Java, and Perl; and other threats. SSCP candidates must understand basic terms and concepts related to mobile and malicious code, be able to identify malicious code threats, explain how such code can enter an environment, and be able to describe and apply appropriate protection, repair, and recovery methods.

  • Risk, Response, and Recovery—Risk management means identifying, measuring, and controlling losses associated with business interruptions, disruptions, or system and network compromises or failures. This topic embraces security reviews, risk analyses, evaluation and choice of safeguards, cost–benefit analyses, making effective management decisions, and safeguard implementations and effectiveness reviews.

The SSCP exam has the reputation of being relatively straightforward but still somewhat long and detail oriented. For those reasons, we strongly recommend that you obtain and review the SSCP Study Guide, downloadable from www.isc2.org/cgi-bin/request_studyguide.cgi. The (ISC)2 identifies the collection of objectives around these seven information domains as part of its CBK. You might also want to consider attending an authorized CBK Review Seminar to prepare for this exam.

SSCP certification lasts for three years and may be renewed by completing 60 hours of continuing education during the interim or by retaking the exam. At least 40 hours of these continuing education credits must be directly security related. See www.isc2.org/cgi-bin/content.cgi?page=46 for more information.

(ISC)2 Testing

Now that you've learned about the CISSP and SSCP certifications, you probably want to know more about registering for written and laboratory exams. To register, you need to contact (ISC)2. You can sign up for an exam online; by phone at 888-333-4458 (in North America), 727-738-8657, or 727-738-9548; or by writing to the following address:

(ISC)2 Services

P.O. Box 1117

Dunedin, FL 34697 USA

To learn more about exam locations, schedules, and fees, please visit the following sites and select the appropriate links in the left pane:

The CISSP exam costs $450, and the SSCP exam costs $350. Both are administered approximately once per year per location (check the online schedule for details). Cancellations must be submitted in writing more than 5 days in advance, or the entire fee is forfeit. Registering with less than 21 days' notice and rescheduling at least 5 days in advance each cost an extra $100. For a complete list of exam locations, visit www.isc2.org/cgi/exam_schedule.cgi.

An annual maintenance fee of $85 is charged to each CISSP certification holder (the fee is $65 for SSCPs) to offset administrative costs of maintaining certification records and for the recertification process. Remember that each of these certifications lasts three years and that you can renew the certifications by meeting continuing education or retesting requirements.

How to Prepare for (ISC)2 Exams

At a minimum, you should use the following materials to prepare for an (ISC)2 certification exam:

  • (ISC)2 provides an examination overview for each of the two exams. For CISSP certification, visit www.isc2.org/cgi/content.cgi?category=19; for SSCP certification, visit www.isc2.org/cgi/content.cgi?category=20. Study guides for both exams can be downloaded from www.isc2.org/cgi-bin/request_studyguide.cgi.

  • If you take the CBK classroom training, be sure to consult your student manuals. They offer comprehensive coverage of the topics that will appear on the exam and are a great preparation tool. For more information on these courses, visit www.isc2.org/cgi-bin/content.cgi?category=15.

  • Options from third parties can help you prepare for the CISSP exam. Our quick visit to an online bookstore, with a search on CISSP, turned up 10 titles. We found 2 hits for SSCP. A private publisher, SRV Professional Publications, offers books on both programs. (For more information, visit www.srvbooks.com.) As time goes by, the number of such options is bound to increase.

  • Several publishers, including Sybex, Osborne McGraw-Hill, and Syngress, offer CISSP and/or SSCP certification-related titles of one kind or another. Que Certification offers CISSP Training Guide by Roberta Bragg.

These materials represent a usable collection of sources and resources for (ISC)2 exam topics and related information.

The SANS-GIAC Program

The SANS Institute has offered network administration and security-related training since 1989 and has offered its GIAC program since 1998. Stephen Northcutt, former chief for information warfare at the U.S. Department of Defense's Ballistic Missile Defense Organization, directs training and certification for the SANS Institute, and he brings a great deal of experience and credibility to the position and to the program.

The SANS-GIAC program incorporates three levels of exams, as follows:

  • Foundational

  • Intermediate

  • Advanced

Each of these is covered in the sections that follow.

Alphabet Soup

Let's review the SANS-GIAC certification programs. After that, you'll have a chance to investigate each of the levels and each individual certification in some detail—including the elements that lead to each one. Along the way, you'll learn how to sign up for tests, find study resources, and so on.

Here are the abbreviations related to SANS-GIAC certifications, with brief explanations:

  • SANS (SysAdmin, Audit, Network, Security)—The SANS Institute is the parent training and certification organization that created and maintains the GIAC security certifications.

  • GIAC (Global Information Assurance Certification)—The conception of the GIAC certification program followed the creation of the Global Incident Analysis Center, an actual business entity established by SANS in 1999 to meet a White House request for a “quick response facility” to collect data from the security and networking communities and to distribute information about potential and emerging threats. Consequently, the Global Incident Analysis Center also makes a great home for security information and training and has been a natural fit for a security certification program.

  • GISO-Basic (GIAC Information Security Officer-Basic)—This foundational-level certification is for individuals who are responsible for information security resources, which requires basic technical knowledge of risks, threats, and best practices. This credential is also aimed toward candidates who are new to the security industry and who desire basic knowledge of security principles and techniques.

  • GSEC (GIAC Security Essentials Certification)—This foundational-level certification is for individuals who have a firm technical understanding of computer and network security topics, tools, and techniques. Requirements include a practical project assignment and one exam.

  • GCFW (GIAC Certified Firewall Analyst)—This intermediate-level certification is for individuals with sound practical experience in securing and managing network perimeters.

  • GCFA (GIAC Certified Forensic Analyst)—This intermediate-level certification is for individuals with advanced experience in incident handling, analysis, and investigations.

  • GCIH (GIAC Certified Incident Handler)—This intermediate-level certification is for individuals with proven incident-handling and real-world intrusion experience.

  • GCIA (GIAC Certified Intrusion Analyst)—This intermediate-level certification is for individuals with practical industry experience with intrusion detection, including real-world cases, trace files, and analysis tips.

  • GCUX (GIAC Certified Unix Security Administrator)—This intermediate-level certification is for individuals with practical industry experience in configuring the Unix operating system and using critical security tools to reduce or eliminate system vulnerabilities.

  • GCWN (GIAC Certified Windows Security Administrator)—This intermediate-level certification is for individuals with a firm understanding of typical Windows attacks and vulnerabilities, closing security holes, and implementing effective defenses.

  • GGSC-0100 (GIAC Gold Standard Certificate)—This certification is for security professionals, such as auditors, security officers and managers, and system administrators, who can effectively apply the Gold Standards developed by The Center for Internet Security to Windows 2000 systems. Because this certification is nonrenewing, we do not cover it in depth in this chapter.

  • GSE (GIAC Security Engineer)—This advanced-level certification (also referred to as a track) is for individuals who have attained all intermediate-level certifications. GSE is slated to be GIAC's ultimate certification, which will be offered in 2003.

  • GSNA (GIAC Systems and Network Auditor)—This intermediate-level certification is for individuals with sound industry experience in system security, auditing, and risk analysis.

GIAC certification levels and exams correspond closely with courses that SANS offers at its regularly scheduled conferences. Visit www.sans.org for more information about SANS conferences and related offerings. Check out www.giac.org/certifications.php for information about the GIAC certification offerings and links to all the details.

Foundational GIAC Certifications

Each GIAC foundational-level certification requires individuals to submit a practical project assignment and to pass one or more examinations; taking a preparatory course is optional. The GIAC courses set out the material covered on the exams and in the projects very well.

The GSEC exam covers computer and network security topics, tools, and techniques in depth. Topics include information assurance foundations, IP concepts and behavior, threats, security policy, virus protection, password management, PGP, cryptography, and system backups.

Although GSEC certification is not required to pursue intermediate GIAC certifications, SANS recommends that aspiring systems and network security professionals master the materials associated with GSEC certification in any case. We can't help but agree!

The GSEC course is available in the classroom and online from SANS. Online, it costs $2,430 for the course and the related exam and project fees or $2,180 for the course alone. At SANS conferences, costs are about the same for the classroom version. Those who wish to take the exam and submit a project without taking the course can do so for $425. GSEC certification must be renewed every two years.

Note


GIAC certifications must be renewed, depending on the particular certification, every two or four years. In most cases, you can renew by taking a refresher exam that costs $120.

Intermediate GIAC Certifications

The intermediate courses and certifications are where the SANS curriculum starts to get really interesting. This is where in-depth, hands-on encounters with tools and technologies occur, as students have a chance to get “down and dirty” with security topics of their choosing. The following intermediate-level certifications are available:

  • GCFW—This certification concentrates on the preeminent security task of securing and managing the network perimeter. Subjects covered include TCP/IP concepts for understanding perimeter operation and configuring safe defenses; principles of firewall design and types of firewalls in use, with examples from actual firewall deployments; principles of VPN design and operation, plus types of VPNs and their uses; and best principles and practices of secure network architecture. This certification must be renewed every four years.

  • GCFA—This certification covers advanced incident-handling issues, analysis, and investigations, as well as forensic study of networks and hosts. This certification must be renewed every four years.

  • GCIH—This certification concentrates on preparing students to take on the role of incident handler and to deal with live intrusion or penetration attempts. Subjects covered include a proven six-step incident-handling process; how to prepare for incidents before they occur; incident handling and computer crime investigation techniques; real-world hacking and penetration tools and techniques, including explanations of how they work, what vulnerabilities they exploit, and effective countermeasures; step-by-step analysis of an actual attack; and a Hacker Tools Workshop where students can practice what they learn. This certification must be renewed every two years.

  • GCIA—This certification concentrates on the field of intrusion detection, with real-world cases, trace files, and analysis tips. The course is continuously revised to present current, immediate attack patterns and threats. Subjects covered include TCP/IP concepts for network traffic analysis and intrusion detection; vulnerabilities associated with remote procedure calls (RPCs); configuration and use of tcpdump, a widely used freeware network analyzer; log file interpretation and analysis; configuration and use of Snort, a freeware intrusion detection system for Windows and Linux; and intrusion detection signatures and analysis, with samples based on real-world traces. This certification must be renewed every four years.

  • GCUX—This certification covers how to harden the operating system, from proper configuration techniques for the operating system, services, and applications to critical security tools (with numerous examples and opportunities to practice their use) to understanding how applications, scripts, and active code elements can introduce system vulnerabilities that allow various types of attacks (for example, buffer overflows, denial of service) to work. This certification must be renewed every two years.

  • GCWN—This certification walks students step-by-step through typical Windows attacks and vulnerabilities, explaining how to close security holes and erect effective defenses. It also provides coverage of Active Directory and IIS 5.0. This certification must be renewed every two years.

  • GSNA—This certification covers information system security and technical auditing of key information systems and networks, which includes risk analysis and value assessment activities. This certification must be renewed every two years.

At present, several of these courses are available both in the classroom at SANS conferences and online (other courses should become available in the near future). Each certification works like a merit badge in that it represents expertise in some specific subject matter. Candidates must submit a practical project for each topic for which they seek intermediate-level certification and take one or more exams. Although many exams and projects may be submitted without taking the courses, which cost from around $1,400 to $2,200, paying for a course automatically covers the cost of the project review and whatever exams may be required.

Advanced GIAC Certifications

The culmination of attaining all GIAC certifications earns candidates the honor of sitting for the GSE certification. It is the ultimate GIAC credential and is for individuals who have not only acquired all available GIAC certifications but have also mastered all the various security information and topics covered by the certifications. At this writing, the GSE certification is under development, and it should be available in 2003. For details about GSE certification, visit www.giac.org/track_cert.php.

SANS-GIAC Testing and Project Evaluation

Now that you've learned about the SANS certifications, you probably want to know more about registering for and taking the exams. The exam registration process involves contacting the folks at SANS to obtain—you guessed it!—security information for taking any required exams online using a Web browser. (We think this is a great move and wish more programs would take this plunge.) Likewise, you must contact the folks at SANS to arrange to submit a certification project for review. For more information, visit the SANS Online Training and GIAC Certification Registration Web page at https://registration.sans.org/cgi-bin/giac1register. Requirements for the GIAC practical assignments are posted on the Web at www.giac.org/practical.php. (Note that each assignment is keyed to the specific course on which it was made, indexed by date and location.) Because SANS-GIAC enforces a strict retake policy, you should be sure to read all the details at www.giac.org/steps.php#deadlines before signing up for courses or exams.

For more information, you can email [email protected], call 866-570-9927 (in North America) or 540-372-7066 between the hours of 9 a.m. and 5 p.m. U.S. Eastern time, or fax your inquiry to 540-548-0957. To contact SANS by mail, please write to the following address:

GIAC Online Course Registration

5401 Westbard Avenue, Suite 1501

Bethesda, MD 20816 USA

How to Prepare for SANS-GIAC Exams

At a minimum, you should use the following materials to prepare for any SANS certification exam:

  • SANS provides comprehensive statements of the topics it covers and any precourse warm-up requirements on its Web pages. Be sure to consult these materials to help prepare for exams; you can find links to them through the GIAC Certification Overview Web page at www.giac.org. Be sure to read the GIAC Practical Assignment Planning Guides, available at www.giac.org/study_guides.php. Another must-read is the Frequently Asked Questions for SANS Courses and GIAC Certification Program page at www.giac.org/FAQ.php#20. Finally, for an excellent summary of this material, download the file “The Global Information Assurance Certification (GIAC) Program: Objectives and Curriculum” from www.giac.org/GIAC_Cert_Brief.pdf.

  • SANS is renowned for the quality of its classroom and online training classes. Visit www.sans.org to check out the SANS conference schedule to locate classes at a location that is convenient for you.

  • SANS provides pointers to numerous useful security books and other related publications. A quick visit to the SANS home page at www.sans.org (click the Information Security Reading Room link) shows more than 50 categories of reading matter, each pointing to one or more resources on the subject named. This is an excellent way to bring relevant reading materials together! You can also visit the SANS bookstore at http://store.sans.org to learn more about the organization's publications and course material offerings.

These materials represent a usable collection of sources and resources for SANS exam topics and related information.

The TruSecure ICSA Program

Late in 2000 the International Computer Security Association (ICSA) renamed itself TruSecure Corporation but kept the ICSA moniker as a well-known label for its emerging certification program; the TICSA acronym used for its one currently defined security certification combines both names. At around the same time—December 2000—the company also announced the outlines and components of its TICSA Security Practitioner Certification.

TruSecure is a well-known and highly regarded computer security organization. The company consists of three market-leading segments. Its media group publishes Information Security Magazine and operates the NTBugtraq databank. Its ICSA Labs is known worldwide for its leadership in information security research, standards, and third-party vendor certifications. Finally, the TruSecure managed security services products represent the company's fastest growth area; they help enterprises identify and mitigate risk to their critical IT assets. Leveraging its leadership in the area of product certification, TruSecure offers a practitioner-level security certification.

The TICSA Security Practitioner Certification program is designed specifically to be skills and knowledge based, technology specific, vendor neutral, and pragmatic. A basis in skills and knowledge matters because real-world application of knowledge is what counts, not rote memorization of a laundry list of topics and objectives. Technology specificity matters because security and technology are so tightly intertwined that nobody can truly understand security without also understanding the technology that needs to be secured. Vendor neutrality matters because general security skills and knowledge are portable across multiple systems, and because so many vendor-specific security certifications already exist. Finally, practicality matters because security must be practiced and maintained constantly to do its job, and because effective security depends on working knowledge of current real-world attacks and risks, as well as of the controls and best practices needed to defeat or mitigate them.

Note

In the interests of ethical disclosure, Ed Tittel wishes to report that he is a member of the TICSA Oversight Board and is both interested and involved in matching industry and individual needs to the coverage and capabilities conferred by this certification program. He also thanks TruSecure representatives for reviewing this section of the book and providing additions and changes that were incorporated directly into the text.

Alphabet Soup

There's just one item in this “Alphabet Soup” section, but it's important! TruSecure ICSA Computer Security Associate (TICSA) is an entry-level security certification aimed at network or system administrators who must make security part and parcel of their everyday working routine. The certification requires passing a single exam.

TICSA Certification Requirements

Obtaining the entry-level TICSA certification means meeting the following requirements:

  • Provide evidence of practical performance. Applicants must provide documentation of at least two years' working experience in the areas of network security administration, LAN security management, database security, creation of security products or protocols, or persistent writing, teaching, or creation of other original work in the areas of computer or data security, including knowledge or hands-on experience with one or more of TICSA's six categories of risk (listed at www.trusecure.com/solutions/certifications/ticsa/requirements.shtml). Alternatively, applicants may present evidence of 48 hours or more of attendance at approved computer security or privacy conferences, seminars, or coursework.

  • Subscribe to the TICSA code of ethics. Each applicant must read and sign the TICSA code of ethics, thereby agreeing to abide by its rules and regulations, which are designed to promote ethical security practices, policies, and procedures. The code is available online at www.trusecure.com/solutions/certifications/ticsa/ethics.shtml.

  • Create an online account and complete a practitioner's profile. Candidates use this profile to identify themselves to the organization and provide information about themselves, their work experience, and their educational background. Completing this task also provides access to downloads of all kinds of important documentation.

  • Pass the TICSA exam. Candidates must take and pass the written examination associated with this certification. Topics covered in the exam include the following top-level items:

    • Basics of physical security

    • Basics of network architecture

    • Information and data classification

    • Fundamentals of TCP/IP and router knowledge

    • Access control

    • Firewall administration fundamentals

    • Firewall architecture and properties (comparison of architectures)

    • Basic TCP/IP weaknesses

    • Basic security threats and principles

    • Best/good security practices

    • Function and use of intrusion detection tools

    • Function and use of vulnerability assessment tools

    • IDS methodologies

    • Fundamentals of host-based versus network-based security

    • Strong user authentication methodologies

    • Basics of cryptography (secret key, public key, one-way hash functions)

    • Basics of PKI and digital certificates

    • Security policy and procedure implementation

    • Fundamentals of operating system security on at least one major platform (Windows, Linux, Unix, and so on)

    • Risk measurement fundamentals

    • Basic log analysis

    • Malicious code

    • Disaster recovery

    • Social engineering and countermeasures

    • Recent, newsworthy security exploits and issues

Information on additional subitems and objectives for the exam is available at www.trusecure.com/solutions/certifications/ticsa/requirements.shtml. The TICSA exam consists of 70 questions that must be completed in 90 minutes at an authorized testing center. The exam cost is $295. Substantial discounts may be available to students enrolled in and recent graduates of accredited colleges or universities. TruSecure's retake policy limits candidates to sitting for the exam twice in one year. In other words, if you fail the exam on your second attempt, you must wait until the following year before you can take the exam again.

How to Prepare for the TICSA Exam

At a minimum, you should use the following materials to prepare for the TICSA certification exam:

  • TruSecure provides comprehensive statements of its objectives and requirements for the TICSA exam on its Web site. Be sure to consult them to help prepare for your exams. You can find links to these statements at www.trusecure.com/solutions/certifications/ticsa/. Also be sure to review the certification requirements information at www.trusecure.com/solutions/certifications/ticsa/requirements.shtml.

  • TruSecure itself offers no training, but it does review and approve specific training offerings that relate to its various certifications. For a list of TICSA Certified Training Partners, check the information at www.trusecure.com/solutions/certifications/ticsa/training.shtml.

  • To understand the basics of information security, the certification candidate needs to be familiar with the TICSA security methodologies, which differentiate it from other security certification programs. White papers and overview materials regarding such methodologies are made available to the testing candidates by request, but they are not ready at the time of this writing. TruSecure officials suggest that you bookmark the TruSecure Web site and check in often, as that is the best place to look for updated information.

  • TruSecure itself offers neither study guides nor cram materials relevant to basic security information, but several options from third parties are available or currently under development to help you prepare for the TICSA exam. We contributed to the TICSA Training Guide (Que Certification, 2002), and similar efforts are under way at Wiley Publishing, Course Technology, and New Riders Publishing, among other publishers. By the time you read this, a visit to your favorite online bookstore with a search on TICSA could produce numerous interesting results.

These materials represent a usable collection of sources and resources for TICSA exam topics and related information.

Other Security Certifications

In this section we toss you into a giant bowl of alphabet soup by exposing a number of other vendor-neutral (see Table 7.1) and vendor-specific (see Table 7.2) security-related certification programs—and their inevitable acronyms—that we've been able to uncover. For each one, we provide a short overview, along with pointers to more information. Sorry for the short shrift each of these programs gets, but as you'll see, that's all we have space to provide here!

Table 7.1. Other Vendor-Neutral Security Certifications

Certification: BCIP (Brainbench Certified Internet Professional); source: Brainbench
  Description: For individuals with practical experience in Web design, development, or administration.
  More info: www.brainbench.com/xml/bb/common/testcenter/bcip.xml

Certification: CCISM (Certified Counterespionage and Information Security Manager); source: Espionage Research Institute
  Description: For individuals who can analyze potential sources of threat, avoid attacks, and manage and maintain information security at an organizational level. CCISM is a management-level certification.
  More info: www.espionbusiness.com/faq.ivnu

Certification: CCO (Certified Confidentiality Officer); source: Business Espionage Controls and Countermeasures Association (BECCA)
  Description: For those with management-level expertise in information security. A CCO's mission is to protect his or her employer or clients from compromise, theft, or loss of sensitive and/or proprietary data.
  More info: www.becca-online.org/pages/664921/index.htm

Certification: CCSA (Certification in Control Self-Assessment); source: The Institute of Internal Auditors
  Description: For candidates with knowledge of internal control self-assessment procedures, which means performing system, information, and premises audits for compliance with legal, security, and accountability policies and procedures.
  More info: www.theiia.org/ecm/ccsa.cfm?doc_id=31

Certification: CFE (Certified Fraud Examiner); source: Association of Certified Fraud Examiners
  Description: For those with the ability to detect financial fraud and other white-collar crimes. A CFE must perform system, information, and premises audits for compliance with legal and accountability policies and procedures.
  More info: http://marketplace.cfenet.com/membership/cfeinfo.asp

Certification: CIA (Certified Internal Auditor); source: The Institute of Internal Auditors
  Description: For those with knowledge of professional financial auditing practices. A CIA must perform system and information audits for compliance with generally accepted accounting procedures.
  More info: www.theiia.org/ecm/certification.cfm?doc_id=12

Certification: CISA (Certified Information Systems Auditor); source: Information Systems Audit and Control Association
  Description: For those with knowledge of IS auditing for control and security purposes. A CISA must perform system and information audits for access controls, monitoring, auditing, and legal or regulatory compliance.
  More info: www.isaca.org/cert1.htm

Certification: CIWSA (CIW Security Analyst); source: Prosoft
  Description: For those with knowledge of Web- and e-commerce-related security principles and practices (covered in detail in Chapter 10, “Prosoft's CIW Program”). Also requires an MCSA, MCSE, CNE, CCNP, CCIE, LPIC Level 2, or LCE Level 2 certification as a prerequisite.
  More info: www.ciwcertified.com/csa/default.asp?comm=home&llm=3

Certification: CPP (Certified Protection Professional); source: American Society for Industrial Security (ASIS)
  Description: For those who have a thorough understanding of physical, human, and information security principles and practices.
  More info: www.asisonline.org/cpp.html

Certification: SCNA (Security Certified Network Architect); source: Ascendant Learning, LLC
  Description: For midlevel to senior-level security professionals who concentrate on concepts, planning, and deployment of PKI, biometrics, and identification systems. Part of the Security Certified Program.
  More info: www.securitycertified.net/certifications.htm

Certification: SCNP (Security Certified Network Professional); source: Ascendant Learning, LLC
  Description: For entry-level to midlevel security professionals who concentrate on firewalls and intrusion detection. Part of the Security Certified Program.
  More info: www.securitycertified.net/certifications.htm

Table 7.2. Other Vendor-Specific Security Certifications

Certification: CCSA (Check Point Certified Security Administrator); source: Check Point Software Technologies, Ltd.
  Description: For individuals with practical experience working with Check Point's FireWall-1 product to provide enterprise-level security.
  More info: www.checkpoint.com/services/education/certification/certifications/ccsa.html

Certification: EnCE (EnCase Certified Examiner); source: Guidance Software
  Description: For private- and public-sector computer forensic specialists who use Guidance Software's EnCase computer forensics tools and software.
  More info: www.encase.com/certification/ence.shtm

Certification: RSA SecurID CA (RSA SecurID Certified Administrator); source: RSA Security, Inc.
  Description: For security professionals who use RSA SecurID products to manage and maintain enterprise security systems.
  More info: www.rsasecurity.com/training/certification/securidca.html

Certification: RSA/CI (RSA Certified Instructor); source: RSA Security, Inc.
  Description: For security professionals who can instruct others in how to use RSA SecurID products in designing, implementing, and maintaining solutions.
  More info: www.rsasecurity.com/training/certification/securidci.html

Certification: RSA/CSE (RSA Certified Systems Engineer); source: RSA Security, Inc.
  Description: For security professionals who design, install, and configure enterprise security solutions using RSA SecurID, ClearTrust, and Keon PKI core products. RSA Security, Inc., offers a separate credential for each product family.
  More info: www.rsasecurity.com/training/certification/SecurIDCSE.html

Certification: SCSE (Symantec Certified Security Engineer); source: Symantec
  Description: A mid-level certification for individuals with practical experience in virus protection and content filtering, intrusion detection, VPN and firewall technologies, and vulnerability management.
  More info: www.symantec.com/education/certification/progdesc1.html

Certification: SCSP (Symantec Certified Security Practitioner); source: Symantec
  Description: A senior-level certification for individuals with sound experience in virus protection and content filtering, intrusion detection, VPN and firewall technologies, and vulnerability management.
  More info: www.symantec.com/education/certification/progdesc1.html

Certification: SPS (Symantec Product Specialist); source: Symantec
  Description: An entry-level certification for individuals with working knowledge of Norton AntiVirus, WebSecurity, Intruder Alert, NetProwler, Enterprise Security Manager, NetRecon, Symantec Enterprise Firewall, or Firewall Advanced Concepts.
  More info: www.symantec.com/education/certification/progdesc1.html

Certification: TCC (Tivoli Certified Consultant); source: IBM
  Description: For individuals with sound experience designing, implementing, managing, maintaining, and troubleshooting systems and environments that incorporate Tivoli Policy Director, Tivoli Public Key Infrastructure, Tivoli SecureWay User Administration, or Tivoli SecureWay Security Manager products.
  More info: www.tivoli.com/services/certification/roadmap/cert_consult.html

Certification: TCSE (Tivoli Certified Solutions Expert); source: IBM
  Description: For individuals with sound experience managing and maintaining solutions that incorporate the IBM SecureWay Firewall for Windows NT, the IBM SecureWay Firewall for AIX, and Tivoli SecureWay Public Key Infrastructure products.
  More info: www.tivoli.com/services/certification/roadmap/cert_solutions_expert.html

Obviously, some of these security certifications are aimed at more specialized audiences than the ones that make up the primary focus of this chapter. For people with auditing, law enforcement, or private or government confidentiality responsibilities, the appeal of some of these certifications should be obvious. But although we think any or all of them are worth further investigation, we don't recommend these as highly as the others covered earlier in this chapter because they don't reach the core audience for this book as well—namely, IT professionals seeking certifications that can lead to career enhancements or improvements.

What's Security Certification Worth?

There's no shortage of options for would-be computer security experts to choose from. Today, CISSP, SANS-GIAC, and TICSA are probably the best-known and most widely followed computer security certifications. The numbers of certified individuals in these programs vary from a high of 7,500 to a low of fewer than 1,000 individuals. The CISA certification (refer to Table 7.1) claims a population of more than 26,000 individuals, and around 9,500 individuals hold the CPP credential (refer to Table 7.1).

In a recently released study, TruSecure indicated that there are 10 or more jobs available for every currently certified IT security professional in the United States. Worldwide that ratio is probably even larger. Thus, opportunities in this area are highly available, and prospects for certified security professionals are probably as good as in any other niche in the IT industry. Thus, these certifications bear watching—plus investigation and pursuit—for those who think they might be interested in this fascinating field.

Need to Know More?

For convenience, we include the most important URLs mentioned so far in this chapter, along with pointers to a few other resources worth investigating for information about security certification, exams, training, and more:
