Security archives - IT Career JumpStart


Oct 30 2009   3:21PM GMT

ISC-Squared Finally Begins Move Away from Pencil&Paper Testing



Posted by: Ed Tittel
ISC-squared signs deal with Prometric VUE, CISSP, SSCP, CSSLP, ISC-squared exams to switch to computer-based format

It’s funny how information sometimes shows itself to those who care to look for it. Now with over 60,000 CISSPs certified world-wide, and with surely two or three times that many professionals across all of its half-dozen certifications, I’ve always found it interesting that the (ISC)2 (pronounced “Eye-Ess-See squared”) continues to require its certification candidates to show up at physical testing centers on specific dates to take proctored exams using old-fashioned mark-sense forms with a pencil, instead of making a deal with Prometric or Pearson VUE to start doing cert exams the way all the other big programs do them–by computer download to a graphics test engine at an affiliated testing center. This opens the doors to many more exam takers, and will surely lead to a further increase in the size of their certified population.

The International Information Systems Security Certification Consortium logo


In a press release entitled “Pearson Vue and (ISC)2 Sign Exclusive Contract to Deliver Computer-Based Information Security Exams Worldwide” two very interesting nuggets of information present themselves for consideration. First, the two organizations will work together to release an exam at Prometric VUE testing centers “sometime in 2010.” Second, (ISC)2 will begin “…phasing in its other credential exams over the next three years,” with the first exam up being the Certified Secure Software Lifecycle Professional (CSSLP).

Presumably that means by the end of 2012, the CISSP and the SSCP will also be available in computer-based format at a nearby Prometric VUE testing center. Congratulations to the (ISC)2, and welcome to the 1990s. It’s about time!

Jun 6 2009   5:29PM GMT

ISC-squared Creates a Software Lifecycle Credential



Posted by: Ed Tittel
IT careers, IT career planning, Information Security, IT certification, ISC-squared, CISSP, CSSLP

Ask any security-savvy software developer how best to make code secure, and he or she will quickly tell you something like “To make code secure, you must design it to be secure, then test the heck out of it to make sure the implementation lives up to that design goal.” And in fact, a growing body of knowledge in the software development community focuses on design tools and techniques to help make sure that what gets built is indeed as secure as possible, augmented by a growing number of automated tests designed to check such work from the security perspective.

This is a very good thing. No less a security eminence than Bruce Schneier believes that security testing is not only important, but also something that must be part and parcel of the development process starting from initial design all the way through post-release maintenance and updates, throughout the entire software lifecycle as it were. For some fascinating reading on this and just about any other security topic that might interest you, check out his blog “Schneier on Security” for some eye-opening and thought-provoking material.

The new credential is called the Certified Secure Software Lifecycle Professional (CSSLP) and aims to bring better knowledge and tools to bear on software design, development, and maintenance. The following primary subject areas figure into the CSSLP:

  • Secure Software Concepts: security implications that touch on software development
  • Secure Software Requirements: representing security needs and concerns during the requirements gathering phase of development
  • Secure Software Design: translating security requirements into application design elements and specifications
  • Secure Software Implementation/Coding: unit testing for security functionality and resistance to attack, developing secure code, including incident-handling and mitigation techniques
  • Secure Software Testing: QA testing that integrates tests for security functionality and resistance to attack
  • Software Acceptance: Security analysis and investigation during software acceptance
  • Software Deployment, Operations, Maintenance, and Disposal: ensuring security during steady state operations and when managing software

Anybody who’s familiar with the software lifecycle model for development will recognize that this new cert simply integrates security throughout its current phases and activities. This is a great way to make common sense and a growing body of thought and expertise more explicit and better recognized. If you’re a developer with a security bent, this could be just as potent a credential for coders as the CISSP is for system and network administrators and “security policy wonks.” Check it out on the CSSLP Home page.


May 4 2009   3:27PM GMT

Erik Eckel Opines on “10 Best IT Certifications”



Posted by: Ed Tittel
IT career planning, IT certification, continuing education, adult education, MCTS, MCITP, Security+, A+, Network+, CCNA, CCIE, MCSA, MCSE, CISSP, PMP

In digging through some Microsoft PR materials recently, I came across mention of a Top 10 IT certification list that Erik Eckel put together for TechRepublic, later reprinted by big-time training company Global Knowledge. Though it’s dated December 12, 2008 it still provides some interesting information for consideration, and some fodder for ongoing debate. I’m not quite sure that I fully understand his selection criteria which he describes as follows “While this list may not include the 10 best accreditations for you, it does catalog 10 IT certifications that possess significant value for a wide range of technology professionals.”

Here’s his list as ranked at TechRepublic in straight numerical order:

  1. MCITP (Microsoft Certified IT Professional), with specific mention of database developer, database administrator, enterprise messaging administrator, and server administrator
  2. MCTS (Microsoft Certified Technology Specialist), with specific mention of SQL Server business intelligence, database creation, or SQL server administration
  3. CompTIA Security+, with an observation that “security continues to be a critical topic”
  4. MCPD (Microsoft Certified Professional Developer) with specific mention of the Windows Developer 3.5, ASP.NET Developer 3.5, and Enterprise Applications Developer 3.5 tracks
  5. CCNA (Cisco Certified Network Associate), with an emphasis on increasing dependence on remote access technologies, even at smaller companies
  6. CompTIA A+, with an emphasis on “proven support expertise” in the areas of desktop installation, problem diagnosis, preventive maintenance, and computer/network troubleshooting.
  7. PMP (Project Management Professional) with an emphasis on “job skills and knowledge required to plan, execute, budget, and lead a technology project”
  8. MCSE/MCSA (Microsoft Certified System Engineer/Administrator) represent Microsoft’s previous take on basic admin (MCTS) and professional (MCITP) certs, and enjoy amazing certification population numbers–as Eckel observes “…these certifications tend to indicate holders that have been working within the technology field for a long time.”
  9. CISSP (Certified Information Systems Security Professional) receives mention for “…building a respected, vendor-neutral security certification,” that’s also accredited by ANSI.
  10. CompTIA Linux+ gets a nod because “…the open source alternative is an important platform…”

Given these choices, it’s no wonder that Microsoft is promoting this list: they’ve garnered 4 out of 10 (really 5 out of 11) choices therein. CompTIA might also take cheer as well from the inclusion of Network+, Security+, and A+ (of which Network+ and A+ are by far its most popular credentials). And certainly, all the other elements in the list–CCNA, PMP, and CISSP–are all immensely popular and highly sought-after credentials as well.

Though Eckel’s selection criteria and methods aren’t entirely clear, this blog makes me wish that CertCities.com would revive its Top 10 lists, which used to be an interesting marker between one year and the next for IT professionals. At least their list came from a survey of thousands of active IT participants, and could in some sense be argued as representative of collective interests. Funny how those lists of yore don’t differ too much from Eckel’s list, either.

I wouldn’t have any arguments with this list, in fact, if it used the word “Popular” instead of “Best” to describe its constituents, because there’s almost no argument about any of these on a pure numbers basis. But the definition of best is one that’s fraught with peril, and certainly subject to lots of differing interpretations. While he does give the CCIE passing mention in his CCNA item, I’d be inclined to put it in any Top 10 Best I were to put together, and I’d be more inclined to pick rather more senior-level credentials rather than entry-level ones like the CompTIA items, MCTS, and CCNA. But that’s my “best” interpretation showing. What’s yours?


Feb 11 2009   3:12PM GMT

Prepping for CISSP? Check out CCCure.org



Posted by: Ed Tittel
IT certification, Career development, continuing education, adult education, infosec certification, CISSP, ISC-squared, Clement Dupuis

As I started working on one of our more successful books–it’s now in a fourth edition, and continues to generate modest but steady earnings–I first stumbled across French-Canadian Clement Dupuis’ outstanding CCCure.org Web site. For those prepping for the CISSP exam, this site is a real treasure trove of information, including all kinds of useful study tips and advice on how best to prepare for the exam, as well as beaucoups content and pointers to still more content to help candidates learn the subject matter necessary from each of the exam’s many categories/topic areas in the body of knowledge that they must master.

You’ll also find pointers to relevant training and tutorials, exam quizzes to help you hone your study skills, and even a nice collection of book reviews of CISSP study guides–including, thankfully, a good review of the aforementioned CISSP Study Guide to which James Michael Stewart, Mike Chapple, and I all contributed. But the best aspect of this resource has to be the on-site forums. Here, you can learn an awful lot by reading over postings from others with CISSP related questions, and the answers that some incredible security luminaries regularly provide in response. If you need answers to your own questions, please do your homework and search existing threads first before posting here, then be prepared to wait 2-3-sometimes-even-4 days to get a reply. You won’t be sorry.

Of course, I should also mention that Clement Dupuis is no slouch in the security department: he’s a well-known instructor, researcher, and consultant in this area. He’s also now teaching for Shon Harris’ San Antonio-based training company, Logical Security, where he regularly rubs shoulders with other security experts as well.

If you need to add an excellent on-line resource to your study arsenal for the CISSP exam, CCCure.org is it. You’ll also find some coverage of the ISACA CISA and CISM exams here, too, but I haven’t explored it sufficiently enough to give it the same ringing endorsement I so happily give to the CISSP coverage–though I’m pretty sure I would do likewise were I to dig into it more deeply.


Dec 5 2008   4:32PM GMT

Need a guide to infosec certs? Check out this (our) survey!



Posted by: Ed Tittel
Security, IT careers, CISSP, Security+, CISA, SSCP, IT certification, Career planning, GSEC, SCNP, GSLC, GISF

One continuing bright spot in the IT specialization/employment world is information security. More and more companies and organizations are devoting personnel to this area, and more and more IT professionals are finding it worthwhile to obtain or demonstrate expertise in information security subjects, tools, and technologies. But with hundreds of options to choose from, what’s a savvy IT person to do when it comes to narrowing her or his selections? Why, consult our survey at SearchSecurity.com, of course!

Every year, my partner in grime, Kim Lindros, and I compile a survey of all the certification programs we can find in the area of information security. It’s called the “SearchSecurity.com guide to information security certifications” and covers 71 vendor-neutral and 36 vendor-specific credentials. It also includes analyses of these various offerings, and identifies the most popular and/or useful credentials across the various categories used to break the surveys up into manageable chunks.

Putting this survey together each year is a big job, and requires an enormous amount of checking (for existing certs, which come and go with amazing frequency) and surfing (to find new infosec certs, which pop up like mushrooms after the rain). As you look this material over, please e-mail me [mailto:etittel at techtarget dot com] or post here if you can point me at any credentials we’ve somehow managed to miss. There are so many of them, I’m sure we missed at least one or two. We’ll be updating this survey again in Q109 so I hope to hear from you on this score sooner, rather than later.

Thanks a bunch in advance for your help and support with this project. Those pondering infosec certs will also surely find it useful (our lowest reader ranking for any of this survey’s many parts is 4.68 out of 5.00, so I know we must be doing OK).

–Ed–


Sep 26 2008   4:37PM GMT

The Other CompTIA Certifications



Posted by: Ed Tittel
IT careers, Network+, A+, Linux+, Security+, Server+, IT certification, Career planning, CDIA+, Convergence+, CTT+, DHTI+, e-Biz+, PDI+, Project+, RFID+

OK, so everybody knows about the Big Three certs from CompTIA: A+, Network+, and Security+. A+ and Network+ are more or less checkbox items for aspiring entry-level IT, help desk, and tech support workers. Security+ is fast becoming a stepping stone to other, more senior, well-recognized and -rewarded information security certs as well (see our SearchSecurity.com guide to information security certifications for more information on this topic).

All this said, CompTIA offers a total of 13 certifications. What about the other 10? Here’s a list with information and commentary to help introduce them to those who haven’t come across them before, and to refamiliarize those who may have heard of them before:

CompTIA CDIA+ Certification: The CDIA+ was CompTIA’s first-ever certification and has been around for more than 10 years. It targets a very specific niche market for digitizing, storing, and managing documents in digital form rather than paper form. It’s intended to demonstrate expertise in technologies and best practices involved in planning, designing, and specifying document imaging and management systems. Here again, this remains a narrowly-focused and relatively small market segment.

CompTIA Convergence+ Certification: Responding to industry requests for more skills and knowledge about communications technologies, which are said to reside where data communications, telephony and telecommunications, and video and broadcast multimedia technologies combine into a single IP-based delivery system, Convergence+ seeks to demonstrate basic skills and knowledge across all these areas. CompTIA faces stiff competition from the Telecommunications Industry Association’s (TIA’s) Convergence Technologies Professional (CTP) and Certified in Convergent Network Technologies (CCNT) certifications here, and has not been as widely adopted or recognized in the marketplace, either.

CompTIA CTT+ Certification: The Certified Technical Trainer, or CTT credential, predates its acquisition by CompTIA. It’s a vendor-neutral classroom training cert that is accepted as evidence of sufficient training skills in many vendor-specific training programs in lieu of their own in-house credentials (where available). Obtaining a CTT+ certification requires candidates to demonstrate their preparation, presentation, communication, and facilitation skills, and to submit a videotape for evaluation of classroom skills and behavior. It’s probably the best-known, most valuable, and most widely sought-after of all the “other” CompTIA certs.

CompTIA DHTI+ Certification: DHTI stands for Digital Home Technologies Integrator, and covers a grab-bag of digital home technologies including alarm systems, control systems, entertainment systems, communications, networking, and more. The successor to the short-lived Home Technologies Integrator (HTI+) certification, the DHTI+ continues to face issues with breadth and depth of coverage in a collection of technology areas that are changing so rapidly as to defy codification and currency in coverage. Nevertheless, the DHTI+ certification seeks to demonstrate competence in configuring, integrating, maintaining, troubleshooting, and comprehending basic design concepts for electronic and digital home systems. Here again, this is a narrowly focused niche for high-end equipment vendors, installation companies, home builders, and so forth, that has yet to gain significant traction outside those organizations where hiring qualified technicians can be a real challenge.

CompTIA e-Biz+ Certification: E-business (or E-biz) is an area of technical activity that involves conducting business online. It’s kind of a combination of Web technology and e-commerce; e-Biz+ is no longer available worldwide (it’s only available in Korean and Japanese languages). This is a credential whose time has largely come and gone.

CompTIA Linux+ Certification: Linux certifications are many, and their coverage is often scattered, where focus on actual distributions may be tightly focused or all over the place. Linux+ is vendor-neutral, and focuses on open source and Linux basics, including fundamentals of user administration, file permissions and access controls, and setup and software configuration, plus local storage and network management. Linux+ has not really been widely adopted and faces stiff competition from the longer-lived, multi-tiered, and more wide-ranging Linux Professional Institute credentials (LPIC levels 1 through 3), as well as well-recognized vendor Linux certs from Red Hat, Novell/Suse, and others.

CompTIA PDI+ Certification: The PDI+ certification takes printing and document imaging devices as its focus, and seeks to demonstrate knowledge and skills necessary to support and operate high-end printing and document imaging devices. Topics covered include print and scan processes and components, basic electromechanical tools, and color theory, along with soft skills such as customer service and professionalism, safety, and environmental sensitivity. This is another niche cert that aims to supply printing and imaging service providers with qualified technical staff.

CompTIA Project+ Certification: Project+ might be described as a set of “training wheels” for the Project Management Institute’s (PMI’s) Project Management Professional (PMP) certification. That is, Project+ focuses on fundamental project management skills including the whole project life cycle starting with initiation and planning, all the way through execution, acceptance, support and closure. The PMP remains “the” certification for project management professionals, while Project+ is a stepping-stone to that goal at best.

CompTIA RFID+ Certification: RFID stands for Radio Frequency Identifier, a special kind of hardware device that announces itself to inquiring transponders and provides other data as well. The RFID+ seeks to demonstrate knowledge and skills in the areas of installation, maintenance, repair, and upkeep of hardware and software functionality of RFID products. This credential is designed with a very specific audience in mind, and is relevant for those seeking work with RFID technologies. But it’s still a fairly small niche.

CompTIA Server+ Certification: Server+ was designed as a higher-level credential, which makes sense given its focus on technical competencies surrounding network server issues and technologies. Coverage includes installation, configuration, upgrading, maintenance, and environment, plus troubleshooting and disaster recovery. Server+ is accepted in some vendor-specific programs, but at most it takes the place of a single exam in programs that require passing four or more exams to earn vendor certification.

As you look over these certs, it’s wise to consider where CompTIA gets its name and mission: at its heart it’s an industry association whose mandate is to identify areas of technical competency where industry needs workers and to design certifications based on job requirements to match. For some of these credentials, there’s a happy fit between what IT professionals want and need to learn and what industry is looking for. For others, exposure, interest, and experience in specific industry niches drives the certs, and must therefore drive professionals into seeking the related certs as well.


Sep 22 2008   4:14PM GMT

To CompTIA, or Not?



Posted by: Ed Tittel
IT careers, Network+, A+, Security+, IT certification, Work background

Many of the questions I get from readers and IT professionals might best be summarized as “If I earn the following cert(s), will it help my career?” More than half the time, in fact, one or more of the specific IT certifications mentioned in the query comes from the Computing Technology Industry Association or CompTIA. To be even more specific A+ is mentioned most frequently, with Network+ close behind, and Security+ in third place by the numbers.

Thus, I’d like to address the issue of what kinds of value these and other CompTIA certifications can provide, and what kinds of people are most likely to benefit from their pursuit and attainment. Both A+ and Network+ focus solidly on entry-level personnel, or as CompTIA likes to put it “individuals embarking on a career in technology.” A+ seeks to identify PC technicians with at least 6 months of experience or its functional equivalent, where Network+ ups that ante by three months and recommends its pursuers to earn the A+ as a stepping stone to this credential.

By design, both A+ and Network+ serve as stepping stones to other, more advanced CompTIA certifications, and to some extent, they’re also referenced or recognized in other vendor-specific and -neutral certification programs. But the fact remains that these credentials work best to identify those inexperienced or new-to-the-industry workers who have sufficient interest in and motivation to demonstrate some basic PC (A+) and networking (Network+) knowledge and proficiency.

By themselves, neither or both of these credentials is probably enough to land somebody a job in IT, however. Even an associate’s degree remains worth more to most organizations hiring entry-level workers, or those switching from other fields to IT. Thus, while I can (and do) recommend A+ and Network+ to aspiring IT workers in PC or network technician, help desk, tech support, operator, and other traditional first rung IT jobs, I usually have to temper that recommendation by observing that other signs of education, skill, and ability will add to one’s chances of parlaying these credentials into a job.

Security+ is a slightly different animal. It recommends earning both A+ and Network+ first, and seeks to identify individuals with two or more years of security-related job experience. Thus, it’s not quite as “entry-level” as the other two certs, though it is very much an entry-level information security certification by virtue of its depth and breadth of coverage. Here again this is a certification that while helpful and worth pursuing may not be enough by itself to parlay into an information security position. That’s partly because the phrase “entry-level security position” is something of an oxymoron, and something of a rare bird besides that. However, earning the Security+ is a useful stepping stone toward the CISSP, CISM, and other more senior infosec certs that can and often do help IT professionals move into information security jobs, or up the information security component in network and systems administration positions.

Thus, to answer the question posed in the title of this blog, the answer is: “Yes, but…” The buts include “don’t expect to turn this into immediate gold, a first job, or a promotion” and “be prepared to proceed from these ‘stepping-stone’ credentials to other, more substantial and serious vendor-neutral and/or -specific certifications to really boost your career and your future earning potential.”

–Ed–


Sep 19 2008   3:05PM GMT

Time for a sanity check: How am I doing? And yourself?



Posted by: Ed Tittel
Security, Microsoft Windows, IT careers, A+, Security+, IT certification, Career planning

This is my 18th entry for this continuing “IT Career JumpStart” blog. I’m about six weeks into the process, and both I and my masters at TechTarget are reasonably pleased with the way things are going so far. I’ve managed to get some discussion going on over half of my posts, and have fielded at least a dozen related e-mails from others who were perhaps too shy or who didn’t want to post comments directly to the blogs.

My objectives here are two-fold:

1. I’d like to ask for your input on how useful or otherwise the kind of content I’ve posted so far has been. Either way, please tell me what you liked best and why, and what you didn’t like (and why for that also, if you’re inclined to tell me).
2. I’m going to present some ideas on future topics for coverage and would like to get your reactions. Please, if you ask me not to cover something, do suggest an alternative topic to take its place if you can–preferably something that interests you, or where you’re currently seeking information or advice and haven’t been able to get what you need.

Here are the topics that I’m planning to cover over the next couple of months, some of which will be multi-part postings:

1. CompTIA Revisited: a look at the CompTIA cert stable, with more coverage on the most popular items, A+, Network+, and Security+
2. The Next Microsoft Generation: What’s up with MCTS, MCITP, MCPD, and Microsoft Certified Master?
3. Another take on information security certifications: updating the semi-annual infosec cert survey
4. Industry-motivated academic programs: where certificates, certification, classroom education, and workforce preparation meet

That should probably get us into November, perhaps even as far as Thanksgiving. But with your help and input, I’m more than happy to add and drop items, or to refocus coverage to help address your needs and answer your questions. Ultimately, that’s really why I’m doing this, so please give me the benefit of your input, not to mention your insight, as we plan for some next steps in the great chain of blogging!

Best,
–Ed–


Sep 17 2008   3:15PM GMT

Security+: Third Time Lucky?



Posted by: Ed Tittel
Security, Security+, IT certification, Career planning

At the end of August, CompTIA announced that its Security+ certification had passed a significant milestone, as the total count of credentials granted topped the 50,000 mark. Over the past six years since this certification made its initial debut in December, 2002, Security+ has slowly gained increasing acceptance and adoption as one of a small number of entry-level information security certifications worth pursuing.

That said, Security+ has played to mixed reviews from information security and certification experts, including yours truly. At various times, it’s been suggested that the exam has gotten a bit stale, wandered off-topic, and failed to cover important topics. With an average three-year update cycle (do the math) most of these observations tend to occur beyond the half-way point between exam refreshes. It’s possible that the CompTIA methodology and timing is more responsible for the occasional gaffes and gripes that get reported about its exams, including Security+.

That said, there’s a lot to like about the latest upcoming version of Security+, slated for release in Q4 2008, as a quick review of its draft objectives (in PDF format) will attest. As it has always done, the latest Security+ incarnation seeks to validate that individuals have at least 2 years experience in network administration with a security focus, including day-in, day-out security activity, along with broad basic knowledge of “security concerns and implementation.”

The original 5 domains in the exam’s body of knowledge have acquired another domain: assessments and audits (4), along with Systems Security (1), Network Infrastructure (2), Access Control (3), Cryptography (5) and Organizational Security (6, formerly known as “Operational Security”). These objectives have also been completely refreshed and overhauled, and deliver reasonably complete and comprehensive coverage of the information security landscape as we know it today.

In my last blog, I provided a list of certifications that the DoD has mandated for IT professionals whose responsibilities at various levels touch on information security. As I read over that list, I’d wondered about the suitability of Security+ in the Level 2 Technical Worker category. Now that I’ve revisited the requirements and objectives for this exam, I wonder no longer: Security+ is definitely worth further investigation and possible pursuit, especially for those looking for a stepping stone to the CISSP. Just be sure to wait for the 2008 version to go live, and use preparation materials (books, practice tests, flash cards, and so forth) to match!


Sep 15 2008   3:03PM GMT

DoD Directive 8570 and the OMB Follow-up



Posted by: Ed Tittel
Security, IT careers, CISSP, Network+, A+, Security+, CISA, SSCP, IT certification, GSEC, SCNP, SCNA, GSLC, GISF

Back in 2005, the US Department of Defense, aka DoD, issued Directive 8570 entitled “Information Assurance Workforce Improvement Program.” In a nutshell, this document states workforce responsibilities and requirements for personnel tasked with “information assurance,” a locution that means more or less the same thing as “information security” outside military circles.

There’s a lot of interesting information in this document, but what many readers of this blog will find most interesting is a list of accepted and mandated infosec certifications required for technical and management level workers in this technical niche. Because many of these items come from the SANS GIAC program (all of which start with the letter “G” in the lists that follow), you’ll find a nice summary of this information on their Web site.

Here is the way things break down at a very high level.

Technical Track
Level 1: A+, Network+, ISC2 SSCP
Level 2: GSEC, Security+, SCNP, SSCP
Level 3: GSE, CISSP, SCNA, CISA

Management Track
Level 1: GSLC, GISF
Level 2: GSLC, CISSP, CISM
Level 3: GSLC, CISSP, CISM

What’s interesting about this list is that nearly all of these certifications are well-recognized outside the DoD, and that many of them have considerable cachet on the current job market as well. What’s even more interesting is this recent story at CertCities.com, which indicates that the Office of Management and Budget (OMB) is working on a similar set of requirements for professional certification for IT workers in civilian agencies inside the US Government (and hence also, any contractors that do business with same).

This certainly creates rampant opportunities for individuals who hold one or more of these credentials, and makes the already-valuable CISSP, CISA, CISM, and SANS GIAC certs into a sort of “gold standard” for doing infosec business with the feds.

Need I say more, to those looking for more and better ways to feather their nests?