Information Security Finally Gains Objective Measure of Practical Skills and Knowledge Through Serious Assessment Tool
I’m bemused. A long, long time ago in another life, I studied anthropology at Princeton and the University of Texas at Austin: at the latter school, I had a “near-PhD experience” in that subject, in fact. After talking with some principals at TeleCommunication Systems (TCS) in Maryland last week, I found myself recalling a long-forgotten encounter with Chairman Mao’s Little Red Book in the context of the relationship between theory and practice in understanding and evaluating human behavior and cultural beliefs. In particular, I was reminded of this statement of his: “Knowledge begins with practice, and theoretical knowledge which is acquired through practice must then return to practice. The active function of knowledge manifests itself not only in the active leap from perceptual to rational knowledge, but – and this is more important – it must manifest itself in the leap from rational knowledge to revolutionary practice.” Don’t get me wrong: I’m neither a closet Marxist-Leninist, nor am I a proponent of dialectical materialism. What draws me to the Chairman’s aphorism is the strange situation in the field of information security certification nowadays, where the vast majority of credentials – including highly-regarded certs like the CISSP and the CISM, for example – tend to focus on theory and to treat practice at arm’s length, particularly in their examinations of their certification candidates. And even those credentials which do include a performance-based component tend to do so more in the framework of specific scenarios (what you might call “canned security situations”) rather than more open-ended diagnosis and mitigation situations (like what CCIEs routinely encounter when taking that infamous and notoriously difficult lab exam, or the strenuous performance-based exams typical for more senior Red Hat credentials like the RHCE and RHCA).
Little Red Book to the left; TCS PerformanScore “symbolic gauge” to the right.
That’s why I was both intrigued and impressed to hear from TCS about their trademarked PerformanScore toolset to help address increasing needs – especially amongst those elements in our armed forces charged with engaging in cyber warfare – for qualified cybersecurity professionals who are prepared to engage in real-time information security encounters where lives, property, and critical infrastructure elements may hang in the balance of the resulting outcomes from those encounters. As I understand it, the PerformanScore approach is designed specifically to measure and assess critical information security skills and knowledge in a live environment. This approach takes candidates through three phases of measurement, in fact:
- Assessment: Provides metrics to enable the assessment of individuals or teams based on industry standards and specific organizational requirements (often characterized in the military as “missions”). The result is a competency benchmark that identifies strengths and weaknesses, with specific recommendations for training and mitigation when areas fall below certain thresholds. According to TCS, this testing instrument can even recommend specific training and/or additional performance-based testing to make sure that candidates reach or exceed required skills and knowledge thresholds to meet mission requirements.
- Learning: PerformanScore delivers specific and tailored feedback to both candidates and their instructors on a candidate’s strengths, and detailed feedback on areas where candidates need improvement. This approach lets instructors offer remediation or repetition where warranted, and gives them the opportunity to refocus and restructure training materials and exercises to meet a candidate’s or team’s specific needs.
- Testing: The testing facilities integrated into the PerformanScore environment provide managers in both technical and non-technical areas with in-depth analyses of candidates’ skills and abilities. This offers ongoing insight into candidates’ suitability for inclusion in specific teams or on certain missions, and helps managers ensure the best fit between the individuals available to them and the missions that must be accomplished by them.
Because the PerformanScore methodology is vendor-neutral, TCS can customize its coverage to match that provided by existing knowledge-based exams (including all the major and well-recognized information security certifications). In addition, however, PerformanScore is flexible enough to incorporate and accommodate additional mission-specific performance-based knowledge and skills requirements as well. In fact, TCS informs me that their approach is open-ended enough to also be applied outside the somewhat narrow (if extremely important) area of information security/information assurance, particularly in areas well-suited for training and testing based on use of learning labs or simulated environments based on both vendor-neutral and vendor-specific technologies.
Anybody who’s read my blog for more than a little while knows that I’m a strong proponent of and believer in performance-based testing as the strongest foundation for meaningful IT certifications. I’m incredibly intrigued by what TCS might have to offer here – enough so that I’ve begged my way into one of their classes in Maryland later this summer to experience their approach, implementation, and testing tools for myself. If their methodology and automation tools can deliver even half of what’s described in their product literature and information (see the PerformanScore pages for more info), it has the potential to remake the IT certification business as it currently stands. In particular – getting back to the Chairman and his Little Red Book – it has the potential to see that theory and practice are trained and tested in the right kind of balance to ensure that certified professionals not only “know their stuff” but that they can “do the job” or “handle the mission.” In the final analysis those latter qualifications are what really matter most, particularly in matters of war and commerce.
The International Information Systems Security Certification Consortium is usually known as (ISC)2, pronounced “ISC-squared.” They are pretty well-known as the source for the ever-popular Certified Information Systems Security Professional (CISSP) credential, and offer a whole slew of other credentials besides that, including the Certified Authorization Professional (CAP), the Systems Security Certified Practitioner (SSCP, a kind of CISSP precursor cert), various CISSP concentrations, and the Certified Secure Software Lifecycle Professional (CSSLP). The organization is now working on a September, 2013, release of a new credential called the Certified Cyber Forensics Professional (CCFP), which aims to identify qualified computer professionals who are proficient in topics that include “established forensics disciplines” plus “mobile forensics, cloud forensics, antiforensics, and more.”
Increasing global appetite for certified forensics professionals no doubt prompted ISC-squared’s entry into this market space.
As of our most recent 2013 Information Security Survey for TechTarget’s site, SearchSecurity.com, we counted 23 vendor-neutral forensics certifications, and as many as five (or as few as two, depending on how you want to count such things) vendor-specific forensics credentials, not including forensics-related certs like those for the Wireshark protocol analyzer (this is a tool often used in forensics examinations of network traffic, and sports its own Wireshark Certified Network Analyst, or WCNA, credential). Thus, the CCFP comes into an already-crowded but also highly-fragmented part of the certification landscape.
I have to believe that the ISC-squared is seeking to trade on the high name recognition that its CISSP has achieved, along with that certification’s nearly constant spot in the “Top 10 Lists” for IT certification in general, and information security certification in particular, for the past decade or longer. And certainly, the CCFP is targeting exactly the right audience including law enforcement professionals, private and public cyber forensics investigators, corporate information security professionals, litigation support professionals, and so on. Examination of the CCFP home page and the content and composition of its Common Body of Knowledge (or CBK, for which term ISC-squared claims a registered trademark!) show that the organization has done its homework in addressing the key subject matters relevant to computer forensics. Here’s a quick list of the CBK elements:
- Legal and Ethical Principles
- Forensic Science
- Digital Forensics
- Application Forensics
- Hybrid and emerging technologies (mobile, cloud, virtualization, …)
Background and experience requirements for the CCFP include a four-year college degree (Bachelor’s or “regional equivalent”), plus three years of full-time digital forensics or IT security experience in three out of six of the CBK domains just recited above. Candidates who lack a four-year degree need six years of digital forensics or IT security experience in three out of six of those domains, but may be granted a one-year “professional experience waiver” if they’ve earned an alternate forensics certification from the (ISC)2 list of approved certs. That list includes a Hangul (Korean) cert name I can’t read, plus the EnCase EnCE and EnCEP, AccessData’s ACE, the IACIS CFCE, the SANS GIAC GCFA, EC-Council’s CHFI, and ISFCE’s CCE, which clearly positions the CCFP as a senior-level forensics certification with some interesting vendor-specific (EnCase and AccessData) as well as vendor-neutral (GIAC, IACIS, EC-Council, and ISFCE) antecedents. In keeping with the CISSP program, the CCFP also offers the “Associate in CCFE” to those who can pass the exam, but who don’t yet have the requisite years of experience and/or degree to qualify for the full-blown certification.
Can the (ISC)2 step in and grab a choice spot at the top of the computer forensics certification food chain? Maybe so: this fragmented cert niche has lacked a global credential until now, and there’s an interesting combination of strong appetite and lack of a clear market leader that has obviously led (ISC)2 to make a foray into the forensics game. Can (ISC)2 succeed where others have not yet prevailed? Again: maybe so. But I will also observe that if the CISSP has one weakness, it’s in the lack of a practical, hands-on, lab-based component to complement its excellent coverage of information security theory with an equally demanding test of hands-on and practical skills and knowledge. This has not hampered CISSP’s success or standing, but in an arena like cyber forensics where practical skills and knowledge are perhaps even more important than a knowledge of theory and CBK domains, it may not be enough to leapfrog the CCFP into the market-leading position that this credential obviously aims to occupy. It should be interesting to see how this all turns out…
I just got through writing a couple of articles about Microsoft Certifications and higher education — one will show up on TechTarget soon, and the other one on Tom’s IT Pro when its turn for release comes up — and came to some very interesting realizations. First, let me give credit where credit is due, and say that MS does a bang-up job in making its certification training materials available to academia in high schools, trade and technical schools, community colleges, and at four-year colleges (Bachelor’s level) and universities. They also offer killer deals to those same institutions to train up their staff, purchase OSes, applications, and other software, and provide lots of great support for students and educators to dig into and get up to speed on a whole host of Microsoft platforms and tools, and related Microsoft certifications.
The IT Academy Locator lets you find schools, training companies, colleges (both 2- and 4-year) and universities that belong to the program by city and state.
There’s even a pretty nifty IT Academy Locator that enables interested site visitors to find community and regular colleges and universities that belong to the program. What the locator lacks, however — and what makes up the basis for the “modest request” mentioned in the title of this blog post — is the ability to search directly or explicitly for online programs that also belong to the MS ITA. I was able to find quite a few by using the locator tool in major metro areas like NYC, LA, Dallas, Houston, and so forth. But it would be really, really helpful if they added an “Online” option to their search capability, too.
I’m going to send a link to this blog post to my contacts at Microsoft’s PR firm, and in MS Learning. With a little luck, it will at least garner some kind of response. Frankly, it seems so very obvious to me that this should be a search option that I’m having difficulty understanding why it’s not already in there. I’m more than curious to see what, if anything, might happen next! And if MS Learning is feeling especially ambitious, I’d also really like to see them create a section in the IT Academy for those institutions that offer what I call “degree+certification” programs where, in addition to taking students through a typical two- or four-year degree program in computer science, information technology, or other departments whose graduates are likely to toil in the IT patch upon earning their sheepskins, those same students also get prepped for (and may even be required to earn) a certification like the MCSA or MCSE as part of their overall academic experience. As I’m learning by trial and lots of error, it’s difficult to run down all of the no-doubt numerous institutions that do offer such plans. Wouldn’t it be nice if Microsoft Learning lent a helping hand here? Yes it would!
I just read an interesting interview with Robb Tracy, author of the LPI Linux Essentials Certification All-in-One Exam Guide (McGraw-Hill, 2013, ISBN: 9780071811019, $31.01 Amazon). It appears at GoCertify in a June 19, 2013, story entitled “Linux Essentials – What is this new credential?” Tracy makes some very interesting points about why LPI (which already offers the LPIC-1 Linux credential, and cooperated with CompTIA in the design and creation of the Linux+ certification as well) decided to offer yet another entry-level Linux certification above and beyond what’s already available.
First, he explains that Linux Essentials was originally launched as a pilot program in the part of the world often known as EMEA (Europe, the Middle East, and Africa) by LPI, and later expanded into North America in 2012. The content was created for students in high schools, or trade and technical schools (something like our community college system here in the USA), and intended to teach and test for basic Linux literacy, skills, and knowledge. In North America, Linux Essentials has also gained traction in four-year college and university programs, especially for lower-division undergraduates just getting started with computing topics, tools, and technologies. In this vein, Tracy says “The goal of Linux Essentials is to expose students to the Linux operating system and the concept of Open Source software. As such, it is the ideal entry-level Linux program.”
Next, Tracy points out that the LPIC-1/Linux+ credentials aim mostly at IT professionals (though often entry-level or junior IT workers) and have the “reputation of being quite difficult.” Tracy reports further that he has often fielded complaints from LPIC-1/Linux+ candidates that these exams are “too difficult” (emphasis his) and that they “can scare away Linux newcomers” as a consequence — a phenomenon Tracy likens to the “‘Linux wall of fear.’” He then follows up with this telling observation: “I think Linux Essentials provides a fantastic avenue for those new to Linux to get their feet wet with the operating system and gain some confidence before tackling the more advanced LPIC-1/Linux+ certification.” All of this goes to explain why I can’t help but see this new offering as a kind of Linux certification with training wheels myself.
Some additional points from the interview worth noting include:
- Though it’s elementary, the Linux Essentials cert still covers considerable ground: newbie candidates should give themselves no less than two months to prepare for the exam, and even those with some Linux exposure and knowledge will need a month to get ready. If covered in the classroom, preparation usually involves a semester-long course.
- Candidates must get familiar and comfortable with the Linux command line, and really dig into the wide array of commands and their many switches, parameters, and options. This involves what Tracy aptly describes as “practice, practice, practice!”
- Tracy provides useful tips on gaining access to a live Linux system on which to implement his previous admonition (practice!): repurpose an older system, or install VMware Player and run Linux in a virtual machine.
- Tracy also advises candidates to visit any of the many Websites that provide access to Linux man pages (the per-command help files so well-known and loved/hated by experienced Linux/Unix users), and recommends Linux.die.net in particular.
The interview concludes with Tracy’s recitation of a number of useful study tips that he routinely shares with his students. Be sure to read the interview, and check them out, if you decide to pursue Linux Essentials yourself (or pass the link along to more junior colleagues, co-workers, offspring, or whatever who might benefit from a little Linux know-how).
For over a decade, one of my favorite sources of IT certification news and info has been Anne Martinez’ excellent GoCertify.com website. In addition, she has published a great monthly newsletter called “IT Certification Watch” over most of that interval as well. But last fall, I noticed that the newsletter ceased delivery after September 18, 2012. Upon my return to the office after a 10-day business trip this morning, I discovered that her newsletter is back online, as shown in this screen capture:
After an 8-month hiatus, IT Certification Watch is back.
In case you can’t read the micro-type that shows the publication date for Volume 15 #8, it’s September 18, 2012. The most recent issue (Volume 16 #1) shows a publication date of June 12, 2013. Be sure to check out this newly-revived IT certification newsletter. You won’t be sorry you did.
Last week I wrote a short blog post for my old friend and colleague, Anne Martinez, that appears on GoCertify.com under the title “Java Certifications — What’s Happening Now?” It’s been about three and a half years since Oracle acquired Sun Microsystems on January 27, 2010, and there have been some profound changes to that venerable programming language and its attendant certifications since that change of stewardship occurred. Perhaps the most interesting and damaging items have centered around the US Department of Homeland Security’s recommendation that businesses disable Java in their employees’ web browsers late in 2012, a warning that has been repeated numerous times in 2013 (most recently in March: see Vulnerability Note VU#688246).
Rumors of Java’s demise (or defenestration) may have been somewhat exaggerated…
However, despite some serious security issues, Java development apparently continues unabated — especially in the mobile world, where Oracle claims that over 3 billion mobile devices currently run some kind of Java runtime environment nowadays. A quick look at my GoCertify piece shows that there are still 15 Java-related certs active, of which about half focus on current Java platforms (Java SE 7, Java EE 6, and Java ME 1) and the other half on older legacy versions (Java SE 5, Java SE 6, and Java EE 5). Furthermore, Oracle published an interesting blog post at Oracle University on March 21, 2013 entitled “Wanted: Certified Java Experts” that seems to suggest the company’s interest in promoting (and hopefully also, supporting) Java may not have waned as many had feared. Here are some high points from that piece:
- Java is still the #1 developer platform in the world
- Java appears on 97% of enterprise desktops, 115 million TV set-top devices, and — as already mentioned — 3 billion mobile phones
- Surveys of hiring managers and recruiters validate strong demand for skilled Java developers in the marketplace
- Technical and labor resource/hiring sites including Dice, Jobstock, E-Skills, and the US Bureau of Labor Statistics all agree that Java remains among top technical skills in high demand
Perhaps there’s still some life left in the old pot of coffee after all. Be sure to visit the Oracle Java and Middleware certifications page to see what’s available there. You may just be surprised! And if you decide to start down the Java certification path, be sure to check out my old friend Marcus Green’s totally terrific JavaRanch website — still the best place for what he fondly calls “Java greenhorns” to go to start learning and doing what’s necessary to develop strong Java knowledge and skills.
I’m a pretty regular blogger these days. In addition to this three-times-a-week venue, I also blog about IT certification topics for Tom’s IT Pro and for PearsonITCertification.com, at the rate of one or more times a week for each of those sites. Pondering my work over the past 5 years, I realized last week that I’ve now posted over 1,000 blog posts in this general subject area. As I think back on the most common kinds of questions I answer for readers of all ages, and at all levels of skill and experience, in IT, one recurring theme jumps to the head of that list — namely, requests for information or advice on how to dig into something different from what the writer is currently doing, with an eye to moving into or increasing expertise in some new area of technical and professional interest.
Curious or interested in some new technical topic or area? Start reading, then start practicing, then start looking for certification opportunities…
What usually comes out of any ensuing conversation — which includes a review of a person’s education, any certs earned, past and present job experience, financial situation, and so forth (See my “Help Me Help You” post for Tom’s IT Pro for a handy-dandy questionnaire to fill out for yourself, or to send to me if you’re so inclined) — is something like this:
1. We identify one or more areas of technical or professional interest that a person wishes to investigate further.
2. I suggest (and provide links to) one or more books, training courses, or IT certifications that might help to scratch that itch.
3. We figure out roughly how much time and money it will take for the person to pursue such things, and formulate a plan to get the ball rolling.
4. The person takes that plan and starts to execute it so he or she can augment his or her current portfolio of skills and knowledge.
This is a fundamentally cyclical process, and should be repeated periodically — I think once every year or two is good for those already working in the field, and more often is good for those in school or trying to break into IT. Give it a try, either on your own or by asking me for input and advice. If you get yourself going, you’ll be able to accomplish great things.
Over the past couple of weeks, Veronica Sopher from Microsoft Learning has published a pair of very interesting blog posts on Born to Learn. Entitled “Certification Exam Training Tips with MCT Sasa Kranjac” (5/22/13) and “More Certification Exam Training Tips with MCT Sasa Kranjac” (6/1/13), these two pieces convey some useful advice on cert exam preparation approaches and techniques, and also provide pointers to some useful cert prep tools and resources. Kranjac hails from Croatia, and works full-time as an IT trainer, consultant and professional speaker.
Given the part of the world where he’s from, I’m guessing “Sasa” is pronounced “Sasha,” but hey — I could always be wrong.
Here’s a quick rundown of the primary points from these two blog posts, each of which is worth reading through in its entirety:
1. Prepping for certifications isn’t about passing exams, it’s about learning how to secure your future.
2. Self-paced study works best if you use the Skills Measured tool (http://www.microsoft.com/learning/en/us/Exam.aspx?ID=70-xyz, where you plug in the right three-digit code for your current target exam). Be sure to check out TechNet and MSDN along the way, too.
3. Instructor-Led Training (ILT) is all about picking the right instructor.
4. Most Valuable Resource for Kranjac is a TechNet/MSDN subscription (I agree, and have owned either one or the other for twenty years now).
5. The first blog post is worth visiting, if only to peruse Kranjac’s excellent list of IT Pro Resources, Developer Resources, and General Resources — plus Networking, Group Policy, Storage Technologies, Windows Security Collection, Active Directory Collection, and more — for the Microsoft world.
6. Curiously, Kranjac provides pretty much the same test-taking advice to readers that my wife and I provide to our bright and sometimes over-active 9-year-old son, for whom each test seems like a kind of race: Take your time. Read each question twice, all the way to the end. Don’t get stuck for too long on any single question.
7. Schedule your exam early on in the prep process, and pick a definite date that’s not too far-out into the future. This concentrates the mind and your study efforts effectively.
8. Prepare to study, prepare to learn.
9. Prepare your mind: Develop your study plan.
10. Keep your goals away from trolls (don’t let others discourage your efforts, or talk you out of chasing certifications that interest you).
11. You remember 90% of what you read, hear, see, say and do, so put all of these ingredients into your cert prep study mix.
12. Additional resources in this second blog post include TCP/IP fundamentals, the Windows Server 2012 Base Configuration test lab and core network guides, plus PowerShell 3.0 coverage, and Windows 8 resources as well. Once again: these links alone make reading the post entirely worthwhile!
Great job, Veronica, and thanks, Sasa! Anybody prepping for an MS cert exam will find something — and most likely, several somethings — to like about either or both of these postings.
One of my favorite cert market watchers — namely, Mirek Burnejko over at ITCertificationMaster.com — has struck gold once again. This time, it occurs in the form of a trove of information nuggets from Joe Cannata, the Senior Manager of Certification over at Brocade Networks, and the person who runs that company’s certification and related training programs for the company. It’s entitled “How to Become a Brocade Certified Engineer — with Joe Cannata” and it’s very much worth reading in its entirety. Nevertheless, I plan to regale you with some high points from that piece right here:
Here’s the banner and lead ‘graph from Burnejko’s excellent interview. I’ve known Joe for at least three years now, and have reported several times on Brocade certs in this very blog.
- There’s a great capsule history of the Brocade cert program included, which hearkens back to its initial offerings in mid-2000, and explains how it’s changed and grown since those early days.
- There’s a very nice explanation of the four tracks in the Brocade cert program, and what kinds of professionals and technical orientations each one targets.
- It explains why Brocade hasn’t yet introduced recertification requirements for its credentials (they’re tied to specific product releases, so the market ultimately decides which ones retain their value).
- It describes the integration of Vyatta (an SDN company recently acquired by Brocade) certs into the company’s program, and other planned changes and additions to the Brocade cert program overall.
- It concludes with a collection of useful pointers to Brocade cert resources, including the Brocade certification page, their certification community, and their Facebook, LinkedIn, and Twitter presences.
It’s always nice to get a more personal view into an IT certification program, and Burnejko worked very well with Cannata to deliver just that for Brocade. A great piece of work, so I’ll repeat: this Brocade-oriented interview is well worth reading!
Two months ago, I observed in a blog post entitled “CertCities.com: Lights on, Nobody home?” that there hadn’t been any new activity in those pages since the end of January (2013). Now that I’ve had a chance to talk about what’s going on over there — or not going on, as the case turns out to be — with long-time resident blogger and writer, Emmett Dulaney, I’m truly sorry to report that the site has been deactivated. If you visit CertCities.com, you’ll see the site and its content are still there, but according to what Emmett told me, there won’t be any new content coming to those pages until and unless the site’s owner and operator (The Redmond Media Group, which I’ll abbreviate as RMG) decides to resuscitate this online presence. It’s not like RMG has nothing else to do: following is a screen snip of the company’s online properties, most of which are still quite active, and some of which are at least fairly successful:
Of the many, many RMG properties, the Redmond (Microsoft) focused sites/publications and the education topics are still thriving.
In learning how CertCities got wound down, I heard from Mr. Dulaney that the company went through several fits and starts. They indicated to him on at least two occasions that the site would get an additional infusion of money and writing resources but as the stated deadline for their deployment approached, the company backed away from those plans. Mr. Dulaney also indicated that in March, he’d been informed that CertCities.com would become inactive and that no new content would be appearing on its pages for the foreseeable future. As far as I can determine, he’d been the only source of anything new for the site for two years or more before the actual cut-off occurred anyway.
Nevertheless, it’s sad to see this once-vibrant and incredibly active IT certification resource fall by the wayside. I always used to enjoy their salary surveys, IT cert wishlists, and even their lists of best certification authors and training sources (among which my own work, and the Exam Cram series I created, made frequent appearances). So please join me in wishing CertCities.com a fond farewell. It was nice while it lasted!