The Progress of the Profession

One major advance in the field of incident response is the rise of incident response as a professional discipline. Incidents are increasingly handled by dedicated teams, either part of the company or external consultants. This trend really began as a response to the Morris Internet worm and has continued as organizations recognize that security-related incidents are here to stay and can cripple an organization. Law enforcement agencies have established specific teams to deal with security incidents, including forensics specialists and legal experts versed in the intricacies of computer crime and international law. The press has discovered that security incidents make good news, so companies and agencies have been forced to deal publicly with issues that, until recently, might have been brushed under the rug.

There is an international organization of incident response teams, the Forum of Incident Response and Security Teams (FIRST). Established in 1990, FIRST now has more than 90 members. These members include corporate teams (representing internal incident response teams), government agencies (representing either an entire national government, such as Australia, or an agency, such as NASA), consulting companies (that provide external incident response support), and nonprofit teams (such as the CERT Coordination Center [CERT/CC] discussed in Chapter 1, “An Introduction to Incident Response”). More details about FIRST are available at www.first.org.

Whereas early incidents were primarily handled by a combination of general law enforcement agents and systems administrators, major incidents today might involve a multiagency task force teamed with incident response teams from national agencies, Internet service providers, and major corporations. The FBI, U.S. Secret Service, New Scotland Yard, and many state and local law enforcement agencies now have dedicated computer incident investigators. Unfortunately, getting these agencies involved requires that the incident violate a certain statute and that, quite frankly, a law enforcement representative (such as a U.S. attorney) deem the incident worthy of investigation and prosecution.

Certification

A number of professional certifications are available in the field of computer security. Although most of these do not directly equate to incident response, they are applicable to it in many ways and illustrate the continuing trend toward specialization in the field. It is likely that certifications will become more important as the field of incident response (and computer security in general) matures.

CISSP

The Certified Information Systems Security Professional, or CISSP, is the oldest certification program in the field of computer security. The program is offered by the International Information Systems Security Certification Consortium (ISC2, www.isc2.org). The certification is modeled after the certified public accountant program and consists of a requirement of three years of experience, a test covering 10 subject areas, and a requirement for continuing education. The 10 subject areas, called the Common Body of Knowledge (CBK), are covered in the following sidebar. CISSPs must also agree to abide by a code of ethics.

ISC2 Code of Ethics

ISC2 requires that candidates for the CISSP and Systems Security Certified Practitioner (SSCP) examinations agree to a code of ethics. This code is arguably the de facto standard code of ethics for information security professionals. The code is reproduced in its entirety here:

“All information systems security professionals who are certified by (ISC)2 recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all Certified Information Systems Security Professionals (CISSPs) commit to fully support this Code of Ethics. CISSPs who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification.

“There are only four mandatory canons in the code. By necessity, such high-level guidance is not intended to substitute for the ethical judgement of the professional.

“Additional guidance is provided for each of the canons. While this guidance may be considered by the Board in judging behavior, it is advisory rather than mandatory. It is intended to help the professional in identifying and resolving the inevitable ethical dilemmas that will confront him/her.”

Code of Ethics Preamble:

  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

  • Therefore, strict adherence to this code is a condition of certification.

Code of Ethics Canons:

  • Protect society, the commonwealth, and the infrastructure.

  • Act honorably, honestly, justly, responsibly, and legally.

  • Provide diligent and competent service to principals.

  • Advance and protect the profession.

Objectives for Guidance:

  • Give guidance for resolving good versus good and bad versus bad dilemmas.

  • Encourage right behavior.

    For example, teaching, valuing the certificate, and “Walking”

  • Discourage certain common but egregious behavior.

Protect Society, the Commonwealth, and the Infrastructure:

  • Promote and preserve public trust and confidence in information and systems.

  • Promote the understanding and acceptance of prudent information security measures.

  • Preserve and strengthen the integrity of the public infrastructure.

  • Discourage unsafe practice.

Act Honorably, Honestly, Justly, Responsibly, and Legally:

  • Tell the truth; make all stakeholders aware of your actions on a timely basis.

  • Observe all contracts and agreements, expressed or implied.

  • Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.

  • Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.

  • When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide Diligent and Competent Service to Principals:

  • Preserve the value of their systems, applications, and information.

  • Respect their trust and the privileges that they grant you.

  • Avoid conflicts of interest or the appearance thereof.

  • Render only those services for which you are fully competent and qualified.

Advance and Protect the Profession:

  • Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.

  • Take care not to injure the reputation of other professionals through malice or indifference.

  • Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.[3]


[3] International Information Systems Security Certification Consortium, Code of Ethics, www.isc2.org.

The certification has been criticized as not technical enough, but the CISSP is targeted specifically at managers. Hands-on administrators can earn the Systems Security Certified Practitioner (SSCP) certification, whose exam is directed at network and security administrators. ISC2 differentiates the two as follows:

“The CISSP certification identifies you as a security professional who has met a certain standard of knowledge and experience and who continues to keep his/her knowledge current and relevant to what is happening in the field of Information Security. CISSPs must have a minimum of three years’ experience in one or more of the 10 CBK domains. The CISSP program certifies IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization.

“The SSCP certification identifies you as a security practitioner who has met a certain standard of knowledge and experience and who continues to keep his/her knowledge current and relevant to what is happening in the practice of Information Security. SSCPs must have a minimum of one year of experience on one or more of the seven CBK domains. The certification is targeted at network and systems security administrators. Network and systems security administrators provide day-to-day support of the security infrastructure.”[4]

[4] International Information Systems Security Certification Consortium, SSCP White Paper, www.isc2.org/sscp/index.html.

ISC2 Common Body of Knowledge

ISC2 has recognized 10 major areas in the field of information security. Although none of them equates directly to incident response, all have some applicability. The 10 areas are as follows:

  • Access control

  • Computer operations security

  • Cryptography

  • Application program security

  • Risk management and business continuity planning

  • Communications security

  • Computer architecture and systems security

  • Physical security

  • Policy, standards, and organization

  • Law, investigation, and ethics

The SSCP certification program recognizes a slightly different version of the Common Body of Knowledge because it is oriented more toward administrators than managers. The seven areas covered by the SSCP exam are as follows:

  • Access controls

  • Administration

  • Auditing and monitoring

  • Risk, response, and recovery

  • Cryptography

  • Data communications

  • Malicious code[5]


[5] International Information Systems Security Certification Consortium, www.isc2.org.

Although certification is not yet a general requirement for employment, it is increasingly becoming a discriminator, and many employment advertisements state that certification is an asset. Some consulting organizations now advertise the number of CISSPs on staff.

SANS

The SANS Institute has recently begun a certification program. In 1999, SANS formed the Global Incident Analysis Center (GIAC) to gather and analyze Y2K incident data. In late 2000, SANS announced a certification program as part of this center. GIAC certification begins with a course called “SANS Security Essentials,” designed to prepare professionals for the subject area modules. The GIAC Security Essentials Certification (GSEC) covers security basics but assumes that students have some familiarity with computers and networking concepts.

The subject area modules provide in-depth training in specialized subjects. Each course assumes that the student has a basic working knowledge of its area:

  • Firewalls, Perimeter Protection, and VPNs: GIAC Certified Firewall Analyst (GCFW)

  • Intrusion Detection in Depth: GIAC Certified Intrusion Analyst (GCIA)

  • Advanced Incident Handling and Hacker Exploits: GIAC Certified Incident Handler (GCIH)

  • Securing Windows: GIAC Certified Windows Security Administrator (GCNT)

  • Securing UNIX: GIAC Certified UNIX Security Administrator (GCUX)

Following the successful completion of the GSEC and at least one subject area module, students are eligible to sit for the GIAC Security Engineer (GSE) certification. Training consists of a combination of coursework offered at the conferences, practical exercises, and an examination. Recertification is required periodically, depending on the subject area. The recertification period ranges from one to four years; professionals must retake the certification examination.

Forensics

The major certifying body in the field of computer forensics is the International Association of Computer Investigative Specialists (IACIS, www.cops.org). Membership in IACIS is limited to law enforcement personnel. The organization offers a two-year certification program for investigators called the Certified Forensic Computer Examiner (CFCE). The major advantage of CFCE certification is that courts have recognized it as establishing a certain level of expertise, which makes it much simpler to qualify a CFCE as an expert witness in litigation.

Until recently, CFCE certification has been limited to IACIS members (and by extension, to law enforcement only). In March of 2001, however, IACIS announced an external certification program in which the CFCE program will be offered to nonmembers.

This certification program consists of a series of hands-on tests in which the applicant must recover data from floppy and hard disks, followed by an examination on forensics techniques and procedures. The disks must be examined and reports prepared that indicate that the applicant used proper forensics and investigative measures. The entire process (six floppy disks, one hard disk, and the examination) must be completed within five months. IACIS offers a training program for its members, but no instruction is available for nonmembers.

Other Certifications

Other certification programs are available that do not directly relate to the field of information security. For example, a person can become a Certified Fraud Examiner (CFE) or a Certified Information Systems Auditor (CISA). Most of these programs have their roots in financial audit and were originally designed to support an audit program.
