Saturday, January 21, 2006

Saturday Night Surfing

Cruising around the Web on this fine Saturday night, I found a few sites I thought I would share. One or two you may recognize, but one or two you might not. The first is Uninformed, a technical journal that appears to have picked up the role previously worn by Phrack. By that I mean that defeating security measures is a strong theme. The second is Codebreakers Journal. This technical journal is peer-reviewed, and also features the same sorts of articles found in Uninformed. The final site is the ElseNot Project. The site lists every Microsoft security bulletin since 1 June 1998, and tries to match an exploit for every vulnerability. As of today there are 138 exploits for 464 bulletins listed.

Review of The Debian System, Debian/GNU Linux 3.1 Bible Posted

Amazon.com just posted my five star review of The Debian System. From the review:

"I was extremely impressed by Martin Krafft's The Debian System (TDS). I approached this book as a fairly experienced FreeBSD user and an occasional Linux user. (I run Debian on i386 and PA-RISC, but I wanted to know more about Debian as a system.) I strongly recommend TDS for two types of users. The first group includes anyone who wants to get the most out of the unique techniques and tools found in Debian. The second group includes developers and users of other operating systems who are looking for different ways to approach system administration problems. Both groups benefit from TDS' thorough and commanding coverage of Debian and its community."

Amazon.com also posted my four star review of Debian GNU/Linux 3.1 Bible. From the review:

"Debian GNU/Linux 3.1 Bible (DGL3B) is a good book if your expectations match its content. This can be difficult when the cover bears this somewhat misleading quote by Debian founder Ian Murdock: 'This book contains everything you need to know to get the most out of Debian, from installing it to tapping into its vast repositories of software.' That quote should have been applied to Martin Krafft's book The Debian System, which I read right after DGL3B. Those new to Linux will like DGL3B, but those experienced in Linux but new to Debian should read Krafft's book instead."

Friday, January 20, 2006

DoD Directive 8570.1 Changes Everything

Last night I attended my local ISSA-NoVA meeting. I listened to Steven Busch from the Defense-wide Information Assurance Program (DIAP). He is a "Change and Workforce Management Senior Managing Consultant" with IBM working on implementing DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management", which I mentioned yesterday. He's also a Marine. (Notice I said "Marine," not "ex-Marine." Even though Mr. Busch is no longer in uniform, I recognize there are no "former Marines.")

I will try to summarize what I heard, with the expectation that Mr. Busch's slides will be posted at the ISSA-NoVA Web site soon. I managed to get related material from this earlier briefing (.pdf, slow). There's also a summary at (ISC)2.

The vision for 8570.1 is the following:

A professional, efficiently managed IA workforce with knowledge and skills to securely configure information technology, effectively employ tools, techniques and strategies to defeat adversaries, and proactively identify and mitigate the full spectrum of rapidly evolving threats and vulnerabilities in order to protect the network.

After reading my comments, you may agree that the implementation of 8570.1 will not meet this vision.

8570.1 will apply to anyone with privileged access (e.g., system administration) to DoD systems, to include uniformed military personnel, civilians, and contractors. The following chart summarizes 8570.1 (incorrectly called "8570" below) and 8570.1-M, the Manual which was signed on 19 December 2005 and provides implementation guidance.



Essentially, to administer a DoD system, military, civilian, and contractor operators will have to attain these goals:

  1. Vendor-neutral security certification

  2. Vendor-specific platform certification

  3. On-the-job training


Before I discuss the approved certifications, let's look at the people affected by these requirements.



The slide shows two existing tracks. One is an IA Technical Category (for system and network administrators) and the other is an IA Management Category. Now let's see the certification list as displayed last night.

The Tech I and Management I categories are the bottom of the pyramids shown previously, while the IIIs are the top of the pyramids.

Let's break out those acronyms, since I didn't recognize all of them. First, the certifications for technical people:

  • A+: CompTIA's basic system administration cert

  • Network+: CompTIA's basic network administration cert

  • TICSA: TruSecure ICSA (formerly International Computer Security Association) Certified Security Associate; never encountered this before

  • SSCP: Systems Security Certified Practitioner, an (ISC)2 certification that just received ANSI accreditation -- a requirement for all of the vendor-neutral certifications

  • GSEC: GIAC (Global Information Assurance Certification, formerly Global Information Assurance Center) Security Essentials Certification, a SANS entry-level certification

  • Security+: basic security; why is Security+ here, and come to think of it, why are A+ and Network+ listed earlier among security certifications?

  • SCNP: Security Certified Network Professional, offered by the Security Certified Program; never even heard of them

  • CISSP: Certified Information Systems Security Professional from (ISC)2, which is also ISO/IEC 17024 certified. All of these certifications need to be ISO compliant, but I do not think they all presently are compliant.

  • SCNA: Security Certified Network Architect, another SCP cert I've never seen before

  • CISA: Certified Information System Auditor, offered by the Information Systems Audit and Control Association (ISACA); also ANSI-certified.

  • GSE: GIAC Security Expert; this is a SANS cert held by five people. It is absolutely ridiculous to put the tech-less CISSP in the same category as the GSE, which requires "five intermediate level GIAC certifications" and "3 days of testing!"


Here are the certifications for managers, only listing those not covered above:

  • GSLC: SANS GIAC Security Leadership Certification

  • GISO: SANS GIAC Information Security Officer; this is already obsolete, replaced by the GSLC or GISF

  • CISM: Certified Information Security Manager, another ISACA cert


The list will not necessarily be used by everyone in DoD. The DoD components can choose the certs on this list that they will accept. They cannot independently add certs to the list, although the oversight board managing this program for DoD can add new certs in the future.

You are probably wondering about the vendor-specific certification requirements. Mr. Busch explained that if a person administers Microsoft systems, they will need Microsoft certification. If they are a Cisco network admin, they will need Cisco certification. He admitted they have "not done much" yet in this area.

Earlier I reported on this story which inaccurately states the following:

[DoD] requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

That is patently not true. When I first read that statement, I thought I understood why Alan Paller was upset. Now that I see there are some SANS certifications accepted by DoD, I realize he is more upset by DoD's choice of certifications. I agree with him.

Essentially, if you have your CISSP, you have the "golden ticket" for technical or managerial work in DoD. While that might be appropriate for management, it is absolutely worthless for operators. This DoD program is not going to result in any better security if the emphasis is placed on certs that have little or no technical relevance.

There may be benefit to having vendor-specific certs. Someone responsible for administering Solaris, Red Hat, or Cisco products is probably going to benefit from those programs. Unfortunately, DoD seems to be treating these programs as an afterthought.

One audience member asked Mr. Busch what he should tell an admin he knows that works on Oracle, Microsoft SQL, Solaris, and a slew of other applications and operating systems. Mr. Busch replied "Most DoD components don't have that many OS' in one environment." This will be a real shock to the people on the front lines!

DoD plans to collect "IA performance data" to "measure the effectiveness" of this program. I would like to see if the people they consider "certified" (and they want 10% of the force ready by 30 Dec 06) are any more capable than the uncertified crowd.

I also wonder why DoD didn't leverage the CERT®-Certified Computer Security Incident Handler (CSIH) certification program. It's practically DoD already, is vendor-neutral, has been around for a long time, and appears to cover the subjects I would want to see in DoD security people.

There are some aspects of this program that I think are beneficial, without reservations. Mr. Busch said DoD is trying to include IA training within Professional Military Education, such as that found at the war colleges. This is a great idea and I would be interested in helping with that program. People with IA certifications will also be tracked DoD-wide, and IA will be treated less as an "additional duty" and more as a professional obligation.

Crucially, Mr. Busch recognizes that receiving training helps retention. Someone during the ISSA meeting asked what DoD will do when it trains its people and then watches them separate from the service. That attitude absolutely infuriates me. The alternative means keeping untrained people in place, because they have no marketable skills? That is completely idiotic. I argued with a colonel at the Pentagon about this when I was a captain.

I would like to hear your thoughts on this program. Overall, I think the intentions are good, but the selection of certs is on the whole misguided. I also hope to hear more details from Alan Paller, who seems to have a good grasp on this issue.

Army Thin Clients

Last month I posted news about the Navy's adoption of real thin client systems on some of their ships. Last year I said the following:

"We have the Air Force barking up the wrong tree with new Microsoft purchases. The Navy and Marine Corps are stuck with a dysfunctional NMCI. I guess this leaves the Army to embark on a bold strategy that leaves the broken enterprise desktop computing model behind? Stay tuned."

It looks like I was right about the Army. This morning I read Army plans to use thin-client systems at FCW.

The Army intends to streamline information technology at its bases by using thin-client systems, which do not require a computer at every worker’s desk...

The Army intends to install thin-client computers as it restructures and consolidates bases...

“The whole Army is behind this,” Winkler [director of the Army’s Governance, Acquisition and Chief Knowledge Office] told industry executives at a conference on BRAC’s impact. The IT Association of America sponsored the event.

Winkler said Lt. Gen. Steven Boutelle, the Army’s chief information officer, briefed the secretary of the Army about the plan yesterday, and Winkler quoted Boutelle as saying, “We’re going to be Draconian about it.”

“I see no reason why you can’t have thin clients in all of the services,” Winkler said. “I see no reason why [the Defense Department] shouldn’t jump on the bandwagon.”

The only question is what sort of thin clients will be used. I will be astounded if the Army turns to a real thin client like Sun's Sun Ray 170.

Bejtlich Interview on PaulDotCom

Paul Asadoorian and Larry Pesce from PaulDotCom interviewed me yesterday. The podcast is available as a 30 MB .mp3. Thanks to Paul and Larry for taking the time to speak with me.

IISFA Is Irrelevant

For the past several months, I've been receiving notices from "Marcus Lawson - ISFA" of the International Information Systems Forensics Association. IISFA is the organization that awards the Certified Information Forensics Investigator™ (CIFI) Certification. I initially thought this would be a good certification for the reasons outlined in that post and previous posts linked within it.

The emails from IISFA have said the following.

Subject: Your International Information Systems Forensics Association membership is past due for renewal.

Dear Richard,

I have good news and bad news:

Bad news: your membership has, or is about to expire to the Information Systems Forensics Association. This means you will no longer be a part of the "Global Voice of Information Forensics;" you will not longer receive "The Information Forensics Journal;" and you will no longer be able to participate in ISFA events; internationally or locally.

Good news: You can renew your membership and continue to be a part of the excitement of investigative and scientific discovery for another year.

We hope you will continue to enjoy the benefits of ISFA for another year.

Sincerely,

Michelle Bourque, CISSP International Director of Membership International Information Systems Forensics Association

Your International Information Systems Forensics Association membership expired on 01/20/2006. Please take advantage of our limited time grace period offer and renew by 2/19/2006 to continue receiving all the benefits we have to offer.

Member Name: Richard Bejtlich,
Current Membership Type: Member
Membership Start Date: 01/06/2005
Membership Expiration Date: 01/20/2006


I've tried sending this response to multiple email addresses. No one has responded.

I've received multiple renewal notices regarding my IISFA membership. They say:

Bad news: your membership has, or is about to expire to the Information Systems Forensics Association [sic].

Isn't it IISFA, the International Information Systems Forensics Association?

The email then says:

you will not [sic] longer receive "The Information Forensics Journal;"

Has there been any new issue of IFJ since the July/August 2004 issue?

The email continues:

you will no longer be able to participate in ISFA [sic] events; internationally or locally.

Have there been any IISFA events? I was scheduled to speak at the 22 Sep 04 meeting in Georgia, but I haven't heard anything about IISFA meetings since that event was cancelled (due to tragedy).

The most recent news item at iisfa.org dates from April 2005.

Overall, I do not get the impression that IISFA is offering much of value to me. Why should I renew membership?


Why should I renew, indeed? Has anyone gotten anything of value from IISFA, period? I plan to let membership lapse and my CIFI standing disappear.

Thursday, January 19, 2006

Notes from Airplane Reading

Last week I read several magazines on the way to DoD Cybercrime. Here are a few thoughts on what I read. From the threat and vulnerability definition department, we have the article DHS offers $765M in risk-based grants from Federal Computer Weekly:

The Homeland Security Department has made $765 million available in fiscal 2006 for 35 urban areas to guard against terrorist threats, DHS Secretary Michael Chertoff announced today.

The Urban Areas Security Initiative (UASI) this year follows a new, risk-based formula that allots funding according to threat, vulnerability and consequence, Chertoff said...

In assigning the grants, DHS also for the first time used threat analysis from the intelligence community to look at different kinds of threats, such as transient populations, Chertoff said.

Replace the word "consequence" with "cost of replacement" in the second paragraph and you have the common risk equation found in my books and elsewhere. Nice reporting, Michael Arnone!

I liked this article by CIO magazine editor in chief Abbie Lundberg. This is an excerpt:

People talk a lot about the new skills for IT being "business" skills, coming from the business side. It bothers me that people talk about "the business" as if it’s some monolithic thing made up of every department that’s not IT.

The implication is that all these not-IT departments share common skills, attributes and concerns, and that there are no competing interests among them or any lack of understanding between them. It also seems to assume that they possess some intrinsic understanding of what’s right for the enterprise’s future and that IT doesn’t. Right.

Frankly, I don’t think "the business," or any one part of it, is in unique possession of the skills necessary to construct the 21st-century organization. In fact, I’d hazard to say that IT may be better equipped to drive and execute this transformation than any other department in the modern corporation.

Thank you. I don't know what you read or hear, but I am tired of hearing drivel about "business skills." Here's an example from the same issue of CIO, an article titled The New IT Department:

The preferred educational background for IT employees today is more often an MBA than a computer science degree, says [Lauri] Orlov [VP and research director for Forrester]. New IT hires are as likely to be brought over from the business side as they are to have been groomed in IT.

Is this why companies continue to be compromised? Are the MBAs running around wondering why their self-defending networks are failing? I guarantee we will see a "back-to-basics" movement in the next few years, where "hands-on" tech skills will be emphasized again.

Speaking of "hands-on" skills, FCW had another interesting article -- SANS: Popular certifications don't ensure security. So what's the big deal? Alan Paller summarizes the findings:

Many popular information technology security certifications don't improve holders' ability to ensure computer systems' security, according to a new survey from the SANS Institute, a training and education organization for security professionals.

The survey found that respondents with certifications from the Computing Technology Industry Association (CompTIA), the International Information Systems Security Certification Consortium -- also known as (ISC)2 -- and the Information Systems Audit and Control Association (ISACA) think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do.

Because respondents could vote for multiple certifications, "the low votes for CompTIA, (ISC)2 and ISACA certifications are compelling proof that these certifications should not be relied upon for people with hands-on security responsibilities," said Alan Paller, the institute's director of research.

One could argue this report and the survey (.pdf) are serving SANS's interests, but the findings also benefit holders of Cisco and similar vendor certifications.

Why is Alan upset?

He is especially concerned that the Defense Department now requires its frontline information assurance employees to have such nontechnical certifications. DOD's decision, finalized in December, came after the Titan Rain scandal last year in which international cybercriminals circumvented DOD's security measures and stole classified information.

"If these certifications do not correlate with hands-on security skills, then DOD is misleading its commanders by implying their people have the necessary security skills when they do not," Paller said.

What does DoD require?

DOD officials are satisfied with their choice of certifications, said Robert Lentz, director of information assurance in the DOD CIO's office. The department has codified competencies for its IT security employees under Directive 8570.1, "Information Assurance Training, Certification and Workforce Management," which requires frontline security professionals to have certifications from CompTIA and (ISC)2 but not from the SANS Institute or vendors.

Lentz said the certifications ensure that information assurance employees have adequate hands-on experience. Combined with additional specialized training that commanders provide on-site, they will ensure sufficient security for mission-critical systems, he added.

CompTIA and (ISC)2? Wonderful. Even I will admit that SANS certification holders are far more technically equipped than CompTIA Security+™ or CISSP holders.

It is a tragedy that the CISSP has become associated with "hands-on" technical proficiency. And what of CompTIA?

The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years on-the-job networking experience, with emphasis on security.

"Two years" and "security knowledge mastery" should not be in the same sentence.

I may have more to say on this topic after I attend tonight's ISSA-NoVA meeting. The subject is 8570.1.