Security Certification Resource Guide Essential Information on Security2 Certifications003 for IT Professionals and Managers

This guide offers in-depth coverage of security certifications in the IT industry as well as resources for further study.

IT Influencer Series Security Certification Resource Guide Essential information on security2 certifications003 for IT professionals and managers.

Introduction 3 EC-Council: Know Your Enemy 14

(ISC)2 : Experience Counts 4 Blueprint for a Career 15 Contents in Security SANS: A Practical Approach 6 Guide to Security Job Titles 19

Microsoft: Locking Windows 7 Q&A: Can Security 22 Certifications Help Your Career? CompTIA: Security for the Masses 8 Salary Data for IT 23 Professionals Cisco: Hardware Lockdown 9 About Those U.S. Government 24 Check Point: Enterprise Certified 10 Security Clearances

CWNP: Wireless Pro 10 15 Best Web Sites for Security 25

ISACA: Audit Secure 12 5 Must-Read Security 26 Newsletters TruSecure: TISCA Experience 12 5 Web Picks for Security 26 Symantec: Sleeper Hit 13 Certification

SCP: Security Certified Pro 13 Security Bookshelf 28

SCSA: Seeking the Sun 14 Advertiser Index 30

Introduction

ecurity is one of the hottest areas in IT certification today. S It can also be the most confusing. As little as two years ago, IT professionals wanting to certify their security-related knowledge and expertise had only a handful of credentials to choose from, most of which were reserved for the most experienced professionals. Since then, several vendors have added security-related titles and options, and those specializing in security are offering more credentials than ever. This boom has created a mix of titles that, while serving a wider cross-section of the IT community, also make understanding and an honest perspective from an indus- evaluating security certifications an try insider on exactly what certifica- arduous endeavor. tion can (and can’t) do for your We’ve created this guide to help career. We also share the real way IT professionals and managers sort those all-too-elusive U.S. security out the many options available. On clearances are obtained. its pages you’ll find profiles of almost To help in the learning process, every major security-related certifi- we’ve included our top picks for secu- cation available today. For each, we rity Web sites and newsletters, as well explain the audience they’re aimed as certification preparation resources. for, the requirements for obtaining Whether you’re an IT profes- the titles, and what separates each sional considering a career in securi- from the other credentials. ty or a manager who needs to guide But we also know that becoming your security staff’s professional an IT security professional takes more development, we hope the following than just certification. That’s why information will offer you the com- you’ll also find advice on developing prehensive overview of security cer- an IT security career, including frank tification you’ve been searching for. words from security maven and Enjoy. author Roberta Bragg on what it takes to excel in this field, as well as —The Editors

All content was written and/or developed by Keith Ward, senior editor, Microsoft Certified Professional Magazine; Becky Nagel, editor, CertCities.com; Michael Domingo, editor, MCPmag.com and Dian Schaffhauser, editorial director, Microsoft Certified Professional Magazine.

Experience Counts

It takes more than just knowledge to earn (ISC)2’s CISSP and SSCP titles. The International Information Systems Security Certification to attempt the organization’s Systems Consortium, (ISC)2,formed in 1989 to create an industry Security Certified Practitioner (SSCP) title. This three-hour, 125-question standard for information security best practices. Since that exam focuses on seven of the above time, the organization has released several vendor-neutral domains and requires only one year of certifications that combine testing candidates’ knowledge of direct work experience. Like the CISSP, you must subscribe to the organization’s these practices along with experience, ethical and ongoing code of ethics and earn continuing edu- education requirements. cation units to maintain the title. If you don’t have enough experi- The organization’s flagship title, the degree can substitute for one year. This ence to earn either title but you still Certified Information Systems Security experience must be documented by an want to take the above exams, you can Professional (CISSP), focuses on 10 independent third-party and submitted become an Associate of (ISC)2. This common bodies of knowledge (CBKs) to the (ISC)2 for audit, along with a new program from the organization based on the above-mentioned standards: signed document stating that the candi- allows candidates without the required • Access Control Systems & Methodology date will subscribe to the organization’s experience to take the exams and then • Applications & Systems Development code of ethics. Only then will the title of earn the certifications once they obtain • Business Continuity Planning CISSP be granted. But that’s not the end the needed experience. • Cryptography of it—all CISSPs must complete 120 If you’re already a CISSP and want • Law, Investigation & Ethics units of continuing education per year to to distinguish yourself further, the • Operations Security keep their title active. organization recently announced sever- • Physical Security If you don’t quite have four years of al “concentrations” that candidates can • Security Architecture & Models direct work experience, you may want add on to their CISSP: CISSP Man- • Security Management Practices agement and CISSP Architecture. 2 • Telecommunications, Network & (ISC) There’s also the Information System Internet Security Vendor: The International Information Security Engineering Professional The resulting exam is a six-hour, Systems Security Certification (ISSEP), a concentration formed in 250-question affair, for which most can- Consortium (ISC)2 conjunction with the United States didates study months to prepare. Certifications: CISSP, SSCP, related National Security Agency that focuses Because of the broad depth of knowl- concentrations on the information security needs of edge covered on the exam, most stu- Certification Type/Focus: Vendor- federal government employees. dents prefer not to go it alone, joining neutral titles focusing on best practices Note that because the organization’s study groups or attending instructor-led for information security professionals. exams are paper-based, candidates must training courses. Candidates must meet experience sign up through (ISC)2 and travel to an However, simply passing the exam requirements and sign an ethics pledge. official testing location. Prices for the 2 won’t earn you the CISSP. (ISC) cites Exam Prices: $350 to $550 (U.S.) organization’s exams currently range its mission to create a “gold standard” Training Required?: No from $350 to $550, but will rise as much certification as the reason it requires all as $100 beginning January 1, 2004. Testing Centers: Available only candidates to have at least four years of More information on all of the through vendor “direct full-time security professional above titles can be found on (ISC)2’s work experience” in one or more of the More information: Web site at http://www.isc2.org. http://www.isc2.org test domains listed above. A college — Becky Nagel

STAY ON TOP OF THE LATEST SECURITY TRAINING...

...or your replacement will be happy to do it for you.

With 28 hands-on Security Training courses, Global Knowledge offers the industry’s most comprehensive

collection of Network Security courses delivered by real-world, expert instructors. Visit our web site now

for more information: www.globalknowledge.com Keyword: MCPSECURE or call 1-800-COURSES.

GET A FREE T-SHIRT When you take our 1-minute IT survey at www.globalknowledge.com/securitytee

A Practical Approach

The SANS Institute’s GIAC certifications combine testing with practical assignments. Like (ISC)2, the SANS Institute’s Global Information Assurance Certification (GIAC) takes a vendor-neutral approach. However, this organization’s titles focus on the practical more than the theoretical, testing candidates’ skills in a wide variety of areas through online or in-person testing as well as practical assignments.

Those interested in GIAC testing have Administrator; and GIAC Certified a wide variety of titles to choose from: Unix Security Administrator—can • GIAC Security Essentials earn the organization’s highest certifi- GIAC exam, candidates must complete Certification (GSEC) cation, the GIAC Security Engineer. a “practical assignment”—an original • GIAC Certified Firewall Analyst According to the organization, only research paper that demonstrates the (GCFW) two GIAC Security Engineers exist in candidate’s knowledge of the material • GIAC Certified Security the world today. being tested. These assignments are Leadership (GSLC) Before being allowed to take any reviewed and graded by the organiza- • GIAC Certified Intrusion Analyst tion, and those who pass are then (GCIA) SANS/GIAC allowed to sit the related exam. • GIAC Certified Incident Handler GIAC exams are delivered online (GCIH) Vendor: The SANS Institute and at SANS conferences. Because of • GIAC Certified Windows Security Certifications: 12 Global Information the program’s tie-in with SANS’ educa- Administrator (GCWN) Security Certification (GIAC) titles tional offerings, some GIAC certifica- • GIAC Certified Unix Security Certification Type/Focus: Skills testing tions require that candidates take the Administrator (GCUX) in a variety of security areas, such as related SANS training course either at • GIAC Information Security firewalls, intrusion analysis and foren- a conference or online. When taken Officer (GISO) sics. Candidates must pass an exam along with a training course, the price • GIAC Systems and Network along with a practical assignment. of the exam is $250. Exams cost $450 Auditor (GSNA) when not accompanied by training. Exam Prices: $250 (U.S.) with train- • GIAC Certified Forensic Analyst All GIAC professionals must ing, $450 (U.S.) without (GCFA) recertify every two years by passing a • GIAC IT Security Audit Essentials Training Required?: Yes, for select “refresher” exam. The price of renewal (GSAE) titles is $120, which includes free access to Those who earn five of the above Testing Centers: Available only SANS courseware online. titles—GIAC Certified Firewall Ana- through vendor More information on GIAC’s cer- lyst; GIAC Certified Intrusion Analyst; More information: tification program can be found at: GIAC Certified Incident Handler; http://www.giac.org/ http//:www.giac.org. GIAC Certified Windows Security — Becky Nagel

Locking Windows

Microsoft debuts MCSA: Security and MCSE: Security specializations. If you’re a Microsoft networking professional, you no longer need to seek titles from outside vendors to certify your Windows security expertise. That’s because in June Microsoft announced new security specializations for its Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) titles. Microsoft “We put together these certification specializations to allow IT professionals a way Vendor: Microsoft Corp. to demonstrate a specific technical focus in the area of security within their job Certification: MCSE: Security, MCSA: roles,” David Lowe, product manager for security with Microsoft’s Training and Security Certification group, said in an interview with MCP Magazine when the exams Certification Type/Focus: Windows- debuted. “The new specializations are directly analogous to the existing base cre- specific specializations that show a dentials, but with a ‘prescribed path’ of specialization exams rather than electives.” candidate’s security focus within the And that’s the key to these specializations: To become an MCSE: Security or company’s MCSA and MCSE titles. MCSA: Security, you don’t have to take any more exams than would be required Exam Price: $125 (U.S.) to earn the standard MCSA or MCSE. It’s determined by which exams you take. Training Required?: No Testing Centers: Pearson Vue and For MCSA: Security 2000, your elective exams must include: Prometric • 70-214: Implementing and Administering Security in a Microsoft Windows More information: 2000 Network http://www.microsoft.com/mcp • 70-227: Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition OR CompTIA’s Security+ allow individuals to demonstrate; they’ll For MCSE: Security 2000, you must also take the elective: get to highlight their focus on platform- • 70-220: Designing Security for a Microsoft Windows 2000 Network specific security and design skills.” For MCSA: Security 2003, you must take the following electives: Microsoft exams consist of stan- • 70-299: Implementing and Administering Security in a Microsoft Windows dard, multiple-choice questions as well Server 2003 Network as more in-depth scenario-based ques- • 70-227: Installing, Configuring, and Administering Microsoft Internet tions. The company doesn’t place train- Security and Acceleration (ISA) Server 2000, Enterprise Edition OR ing or experience requirements on its CompTIA’s Security+ certifications, but hands-on experience MCSE: Security 2003 requires the above plus: with the products is highly recommended. Microsoft exams cost $125 • 70-298: Designing Security for a Microsoft Windows Server 2003 Network (U.S.) and are available worldwide If you’ve already earned your MCSA or MCSE, you can simply take any addi- through Pearson Vue and Prometric tional exams required to add the desired specialization. testing centers. Lowe explained that Microsoft created the specializations because, “We recognize More information on these certifi- that in IT job roles, like systems administrator and systems engineer, there are a num- cations can be found at ber of individuals who have a very specific concentration on a particular area and, http://www.microsoft.com/mcp. obviously, in an important area as security. So that’s what these specializations will — Becky Nagel

Security for the Masses CompTIA’s Security+ aims to bring baseline security knowledge to all IT professionals.

The Computing Technology Industry Association is well known for its entry-level, vendor-neutral certifications such as A+, Network+ and Linux+. Therefore, it wasn’t surprising when late last year the organization added Security+ to its roster.

Security+ is a one-exam certification bers, such as Microsoft, IBM and Sun, or allow it as an alternative requirement. covering a wide-range of top-level helped create the title, participating in For example, Security+ counts as an security knowledge. Topics covered on development meetings and deciding the elective toward MCSE 2000 as well as this exam include: certification’s focus. As such, several cer- its new MCSA: Security and MCSE: • Communication security tification programs either recommend Security specializations. • Infrastructure security Security+ as a prerequisite for their titles These tie-ins may be one reason • Cryptography this title has resonated so well with the • Access control CompTIA IT community. Even before its official • Authentication Vendor: Computing Technology release, Security+ landed at #2 on • External attacks CertCities.com’s list of Top 10 IT Industry Association • Operational security Certifications for 2003. And according The exam itself consists of 100 Certification: Security+ to Gene Salois, CompTIA’s vice presi- questions with a 90-minute time limit. Certification Type/Focus: Vendor- dent of certification, Security+ is the The minimum passing score is 764, organization’s fastest-growing title ever. neutral security title that focuses on graded on a scale of 100 to 900. One The Security+ exam costs $225 baseline security knowledge and skills. focus of the exam is terminology, mak- (U.S), with a discount given to ing sure candidates understand the Exam Price: $225 (U.S.) employees of corporate members. The many threats out there. Candidates are Training Required?: No certification is good for life, so there also tested on the best ways to tackle are no extra costs associated with those threats. CompTIA recommends Testing Centers: Pearson Vue and renewing the title. that all candidates have at least two Prometric More information about years of general networking experience More information: Security+ can be found at before taking the exam, but the experi- http://www.comptia.org/certification http://www.comptia.org/certifiction/ ence level isn’t required. /security/default.asp. security/default.asp Many CompTIA corporate mem- — Becky Nagel

Hardware Lockdown Cisco Cisco offers a variety of ways to certify your Vendor: Cisco Systems expertise in securing its essential internetworking Certifications: CCIE Security, CCSP, Qualified Specialist devices. Certification Type/Focus: For the past 10 years Cisco Systems has CCIE Security, you may be interested Product-specific titles for a variety been offering IT professionals working in Cisco’s newest security offering, the of experience levels. with its products ways to certify their Cisco Certified Security Professional Exam Prices: $125 to $1,250 (lab expertise, but only recently has a suite (CCSP). exam) (U.S.) of options emerged for those wishing to The CCSP is a professional-level Training Required?: No prove their security skills. title, on the same level as its Cisco For the most experienced candi- Certified Network Professional (CCNP) Testing Centers: All but lab available dates, Cisco offers a security track for its and Cisco Certified Design Professional through Pearson Vue and Prometric. expert-level Cisco Certified Internet- (CCDP) certifications. More information: work Engineer (CCIE) title. The CCIE To become a CCSP, candidates http://www.cisco.com/en/US/learning/ is known world-wide as one of the hard- must obtain a Cisco Certified est certifications to obtain because candi- Network Associate (CCNA) or Cisco your existing CCNA certification with dates must pass an in-person, proctored Certified Internetwork Professional one of Cisco’s security-related concen- troubleshooting lab exam. (CCIP) credential, then pass the fol- trations available through its Qualified Typical study methods won’t get lowing five exams: Specialist program. you a CCIE. As Cisco states on its Web • 642-501 SECUR: Securing Cisco The company currently offers three site, “Training is not the CCIE program IOS Networks security-related Qualified Specialist titles objective. Rather, the focus is on identi- • 642-511 CSVPN: Cisco Secure for the IT community at large: fying those experts capable of under- VPN • Cisco Firewall Specialist standing and navigating the subtleties, • 642-521 CSPFA: Cisco Secure • Cisco IDS Specialist intricacies and potential pitfalls inher- PIX Firewall Advanced • Cisco VPN Specialist ent to end-to-end networking.” As • 643-531 CSIDS (beta): Cisco As mentioned above, candidates such, the company recommends that all Secure Intrusion Detection System must first obtain a CCNA. From there, candidates have at least three to five • 642-541 CSI: Cisco SAFE each title requires passing two exams: years of hands-on experience working Implementation 642-501 SECUR, plus one focused on directly with the technology in a real- As you can see from the above, the chosen specialty from the above list world environment. this certification is so new that one of of CCSP exams. Because the exams are CCIE exams are not only gruel- the required exams is still in beta for- the same, candidates can apply their ing, they’re expensive: $1,250 (U.S.) mat—it is expected to be released in its Qualified Specialist title toward future plus expenses to travel to one of five final version by the end of 2003. pursuit of the CCSP. locations worldwide where lab exams These tests are standard-format All Cisco certifications require are offered. To make sure that only exams featuring multiple-choice ques- recertification through passing update those who have a chance of passing tions. Some also include simulation exams. Recertification for Cisco titles attempt the exam, all CCIE candidates questions that require hands-on skills. takes place every two to three years. must first pass a $300, standard-format All are available at Prometric and More information on all of Cisco “qualification” exam, available through Pearson Vue testing centers worldwide. certification offerings can be found at local Pearson Vue and Prometric test- The beta is priced at $50 and the live the following URL on Cisco’s Web site: ing centers. There are no other require- exams are $125 (U.S.). http://www.cisco.com/en/US/learn ments or prerequisites to earn the title. If you’re not looking for a standing/. If you’re not yet ready to tackle alone title, you might want to augment — Becky Nagel

to earn any other Check Point certifi- Enterprise Certified cation but is recommended for those new to security. Check Point’s certifications test users’ skills with the Check Point’s Management track company’s Firewall-1 NG product and more. offers two titles: • Check Point Certified Managed Mid-size and enterprise networks across title: Check Point Certified Security Security Expert (CCMSE) the globe use Check Point Software Principles Associate (CCSPA), “an • CCMSE Plus VPX Technologies’ Firewall-1 and VPN-1 entry-level certification that validates a Check Point describes the CCMSE products to keep their environments student’s proficiency in security funda- as its premier-level title for those using secure. If you are looking for a way to mentals, concepts and best prac- the company’s Firewall-1, VPN-1 and certify your skills on these products, tices”—much like CompTIA’s Secur- Provider-1 products in a “Network Check Point offers several options. ity+ exam. The CCSPA isn’t required Operating Center” environment. It Check Point separates its certifica- requires passing three exams. The tions into two tracks: Security and Check Point CCSME Plus option allows CCSMEs Management. Within the Security Vendor: Check Point Software add to their credential by showing their track, there are three titles, each of Technologies expertise with the company’s VSX secu- which requires one exam. The certifica- Certifications: CCSPA, CCSA, CCSE, rity solution, as managed by Provider-1. tions are tiered, meaning that each CCSE Plus, CCMSE, CCMSE Plus VSX All of Check Point’s exams are higher level requires the previous certi- standard-format multiple choice tests, Certification Type/Focus: Product- fication. They are: available for $150 (U.S.) through specific titles focusing on Check Point • Check Point Certified Security Pearson Vue testing centers worldwide. security solutions for mid-size to Administrator (CCSA), which Check Point recommends that all can- enterprise networks. focuses on Firewall-1. didates have six months to one year of • Check Point Certified Security Exam Price: $125 (U.S.) hands-on experience with the products Expert (CCSE), which adds VPN-1. Training Required?: No they want to certify on. • CCSE Plus Enterprise Integration Testing Centers: Pearson Vue More information on Check Point’s and Troubleshooting, which adds certification program can be found at: More information: http://www.check integration and troubleshooting http://www.checkpoint.com/services/ed point.com/services/education/certifica for both products. ucation/certification/index.html. tion/index.html Also within this track is a new — Becky Nagel

Wireless Pro Certify your wireless security expertise with Planet3’s CWSP. CWNP Vendor: Planet3 Wireless There are plenty of security issues sur- first obtain the program’s Certified Certification: CWSP rounding wireless networking. The Wireless Networking Associate Certified Wireless Networking Program (CWSA) before pursuing the CWSP. Certification Type/Focus: Vendor- (CWNP) from Planet3 Wireless is a cer- According to Planet3 Wireless, the neutral wireless security title. tification option that allows wireless pro- CWSP exam focuses on three areas: Exam Price: $175 (U.S.) fessionals to test their security knowl- • Wireless LAN intrusion Training Required?: No edge and skills. • Wireless LAN security policy Testing Center: Prometric According to Planet3, CWNP’s • Wireless LAN security solutions Certified Wireless Security Professional The exam itself is a standard-for- More information: (CWSP) title is vendor-neutral, focus- mat, multiple-choice test with 60 ques- http://www.cwne.com ing on 802.11 wireless technology tions. It’s available through Prometric rather than specific vendors’ products. testing centers worldwide for $175, For more information on this certifica- As the second tier of the program’s four although candidates must purchase the tion, visit http://www.cwne.com. levels of certification, candidates must exam voucher directly from Planet3. —Becky Nagel

Network and certification training for® Windowsonals. professi

2 0 0 4 E V E N T S

NEW ORLEANS, LA APRIL 4 – 8

SAN JOSE, CA SEPTEMBER 28 – OCTOBER 1

Join network managers and administrators for a new lineup of technical training sessions by networking, messaging and security experts. Take control. Get solutions, not theories, to your everyday networking problems.

Registration opens mid-November.

presented by: TechMentorEvents.com certification profiles

Audit Secure ISACA The Independent Systems Audit and Control Association Vendor: Information Systems Audit and Control Association offers two certification options for IS auditing and security Certifications: CISA, CISM professionals. Certification Type/Focus: High-level The Information Systems Audit and responsibilities,” the Web site states. “ It certifications for information security Control Association (ISACA) has been is business-oriented and focuses on infor- and auditing professionals. offering its flagship Certified Infor- mation risk management while address- Exam Price: $325 to $495 (U.S.) mation Systems Auditor (CISA) title ing management, design and technical Training Required?: No since 1978. The title, which focuses on security issues at a conceptual level.” Testing Centers: Available through IS auditing and control as well as sys- Both ISACA exams are offered vendor only tems security, is now held by more than once a year at a variety of locations More information: 30,000 professionals worldwide. worldwide. Candidates don’t have to be http://www.isaca.org While this title does cover security, members to take an exam, but they do the organization recently decided to cre- need to agree to adhere to the organiza- years of information security experience ate another credential specifically for tion’s code of ethics. Both titles must be can grandfather directly into the CISM security professionals: the Certified maintained through continuing educa- title without taking the exam. Various Information Security Manager (CISM). tion requirements. degrees and certifications count toward ISACA describes the CISM as its The exams range in cost from the grandfathering process. “next generation credential…specifically $325 to $495 (U.S.) depending on More information on ISACA cer- geared toward experienced information membership status, registration date tifications can be found at security managers and those who have and method of registration. Through http://www.isaca.org. information security management Dec. 31, 2004, candidates with eight — Becky Nagel

TISCA Experience TruSecure TruSecure moves into certifying individuals with its TICSA Vendor: TruSecure program. Certification: TISCA Certification Type/Focus: Vendor- You may know TruSecure as the com- • Risk management fundamentals neutral title that also requires pany that owns the ISCA labs, which • TCP/IP networking basics experience. tests and certifies security products. • Firewall fundamentals What you might not know is that • Incident response and recovery Exam Price: $295 (U.S.) Tr uSecure also offers certifications for practices Training Required?: No IT security professionals. • Administration maintenance Testing Center: Prometric (U.S. and The company has turned its certifi- procedures Canada Only) cation experience into the vendor-neu- • Design and configuration tral TruSecure ICSA Certified Security fundamentals More information: Associate (TICSA) title. To achieve it, • Malicious code mechanisms https://ticsa.trusecure.com/ candidates must first prove they have • Law, ethics, and policy issues least two years of hands-on experience • Authentication techniques The $295 (U.S.) exam is available or attend 48 hours of computer securi- • Cryptography basics through Prometric testing centers in ty training within a two-year period. • Host- vs. network-based security the U.S. and Canada only. In addition Only then are candidates allowed to sit • PKI and digital certificates basics to passing the exam, candidates are the TISCA exam, which features 70 • Operating system security required to sign an ethics statement questions covering TruSecure’s 14 fundamentals before the credential will be awarded. “essential” bodies of knowledge: Six areas of risk are also covered: For more information on the TISCA, • Essential security practices vs. electronic, malicious code, physical go to: https://ticsa.trusecure.com/. “best” security practices threat, human, privacy and downtime. —Becky Nagel

Sleeper Hit looking for. Symantec’s program features four tiers of certification focusing on its Symantec Symantec jumps to second products along with general security Vendor: Symantec on CRN’s 2003 list of most knowledge and strategies. Following is Certifications: SPS, STA, SCSE, SCSP valuable certifications for the listing of these titles and their Certification Type/Focus: Tiered resellers. description as provided by Symantec: • Symantec Product Specialist program focusing four Symantec (SPS): One exam on a single securi- product areas. If you’re looking for a security certifica- ty product and its functionality in Exam Price: $125 to $150 (U.S.) tion that resonates with solution an overall security system. providers, then a title from Symantec • Symantec Technology Archi- Training Required?: No may be right for you. tect (STA): one-exam title focusing Testing Centers: Prometric Earlier this year, Computer Reseller on vendor-neutral security knowledge More information: News released the results of its third of how to design, plan, deploy and http://www.symantec.com/ annual certification study, which rates manage effective security solutions. the importance of various IT certifica- • Symantec Certified Security education/certification/ tions for small and large solution Engineer (SCSE): covers a high-level providers. Symantec’s Certified Security understanding of a broad range of secu- VPN, Vulnerability Management, Practitioner (SCSP) jumped up the list rity solutions plus in-depth knowledge Intrusion Detection and Virus Protec- to become the second most important and skills within a specific security tion & Content Filtering. certification for small solution pro- focus. These titles require passing two Symantec exams cost between viders (revenue under $5 million) and to three SPS and/or STA exams. $125 and $150 (U.S.) and are available the fastest-growing title in importance • Symantec Certified Security at Prometric testing centers worldwide. for large service providers (revenue Practitioner (SCSP): senior security More information on Symantec more than $5 million). title. Achieved by earning all four of certification can be found at Even if you’re not working for a the SCSE certifications. http://www.symantec.com/edu solution provider or reseller, Symantec Within these tiers, there are four cation/certification/. may still offer the certification you’re areas of product focus: Firewall & — Becky Nagel

Security Certified Pro SCP Vendor: Ascendant Learning Ascendant Learning offers a vendor-neutral alternative. Certifications: SCNP, SCNA Ascendant Learning bills its Security ty technologies, such as firewalls and Certification Type/Focus: Mid- to Certified Professional as an advanced, intrusion detection. The SCNA focuses high-level vendor-neutral security vendor-neutral IT security certification on the next level of technology, such as certifications. program. “The Security Certified enterprise security solutions, forensics Exam Price: $150 to $180 (U.S.) Program is proud to offer intense certi- and biometrics. Training Required?: No fication exams,” the program’s Web site Both titles require passing two reads. “Whereas most certifications test exams each. The exams feature sce- Testing Centers: Pearson Vue and on rote memorization-level details… nario-based questions. Although train- Prometric SCP exams are designed to test a candi- ing is highly emphasized on the pro- More information: http://www.securi date’s knowledge of working security gram Web site, it doesn’t say that it’s tycertified.net issues, programs and utilities.” required before taking the exams. Currently, the program offers two SCNP exams cost $150. SCNA holders to recertify every two years. titles: Security Certified Network exams cost $180 (U.S.). All are avail- For more information about these Professional (SCNP) and the Security able at Pearson Vue and Prometric test- certifications, visit http://www.security Certified Network Architect (SCNA). ing centers worldwide. certified.net. The SCNP focuses on defensive securi- The program requires all title — Becky Nagel

Seeking the Sun Solaris administrators worldwide now have a way to certify Sun their expertise on this Unix-based operating system. Vendor: Sun Microsystems Certification: SCSA for Solaris 9 While there’s still a dearth of Unix-spe- Certified Network Administrator Certification Type/Focus: One-exam cific security certifications available, at (SCNA) or Sun Certified Systems title testing security expertise in least one vendor has stepped up to the Administrator (SCSA) certification Solaris 9. plate. In April 2003, Sun Microsystems before attempting the exam. Six to 12 Exam Price: $150 (U.S.) debuted the Sun Certified Security months of hands-on experience is also Training Required?: No Administrator (SCSA) for Solaris 9 OS. recommended. Testing Center: Prometric This one-exam title is, in fact, the Like other Sun tests, the Sun first security-specific certification to be Certified Security Administrator exam More information: offered by Sun. The objectives for the contains multiple choice, scenario- http://suned.sun.com/US/catalog/cou exam break down into six main areas: based, matching, drag and drop and rses/CX-310-301.html • General security concepts free-response questions. There are 60 • Detection and device management questions, with 60 percent needed to Sun has made no indication of creating • Security attacks pass. Candidates are given 90 minutes. exams for earlier versions, despite the • File and system resources protection The exam is available for $150 (U.S.) at continued popularity of its SCSA and • Host and network prevention Prometric testing centers worldwide. SCSA for Solaris 8 exams. • Network connection access, To give candidates an idea of what More information about this cer- authentication and encryption to expect, Sun offers 10 free sample tification can be found at: Although there are no prerequi- questions for the SCSA on its Web site. http://suned.sun.com/US/catalog/cour sites for this title, Sun recommends Because the certification is so new, ses/CX-310-301.html. that all candidates hold either its Sun it’s only available for Solaris version 9. — Becky Nagel

Know Your Enemy EC-Council offers white hats a chance to shine with its Ethical Hacker certification.

What exactly is an ethical hacker? The other security professionals who are International Council of E-Commerce EC-Council interested in exactly what the other Consultants (EC-Council) states on its Vendor: International Council of side is doing and how to prevent it. Web site: “The Ethical Hacker is an E-Commerce Consultants The exam itself consists of 50 ques- individual who is employed and can be Certification: Ethical Hacker tions covering 22 domain areas, such as trusted to undertake an attempt to footprinting, system hijacking, hacking Certification Type/Focus: Tests penetrate networks and/or computer Web servers, SQL injection, password knowledge of hacking terminology systems using the same methods as a cracking techniques and ethics. It’s and techniques. Hacker… The key difference is that available for $125 at Prometric testing the Ethical Hacker has authorization to Exam Price: $125 (U.S.) centers worldwide. EC-Council offers probe the target.” Training Required?: No optional training for the title. Although passing the title’s one Testing Center: Prometric More information about this exam does grant one the title of Ethical More information: certification can be found at: Hacker, the credential appears to really http://www.cwne.com http://www.eccouncil.org/CEH.htm. be aimed at systems administrators and — Becky Nagel

By Roberta Bragg

If you want to do IT security because it’s “hot” right now, or because you think that’s where the money is, forget it. If you truly love the field, read on. What do I mean? Perhaps you’re one of the many who have written for my help in “getting into security” or pursu- fingernails and struggling to keep up for an attacker to steal credit card num- ing a security career. Perhaps you wonder with the dual demands of rapidly bers off your servers grab your guts? if security is an area for you. Maybe you changing information and rarely Would you rather manage or do? Does want the big bucks. Maybe you’re out of changing attitudes. Sure, it’s fun to creating policy float your boat? As you a job, find your engagement calendar ramble about the foibles of most infra- can see, there’s a wide range of careers empty, or otherwise think it’s time to structure gurus, but I can’t even talk in security. I know security officers who change your game plan. about my greatest jobs, those where my have never touched a server, and sys- input or my design prevented the suc- tems admins who never should have. You Missed the Wave, Dude cess of a very determined attacker. To help you find your niche, con- Security isn’t the answer to your sider attending a security conference. shrinking paycheck. It won’t bring you The Four-Step Program Continued on next page fame and fortune; it won’t even get you Are you still reading, even after my an interview. If you don’t already have attempts at dissuasion? You haven’t Hackers Need Not Apply deep security knowledge, you don’t given up in despair? You say you want have time to gain it in order to ride the to be a security expert, and you realize If you think that hacking into current wave. The days of success are it’s not an easy thing. Here, in my Web sites, writing and releasing long past for those armed with mini- humble opinion, is how to fulfill that malicious code or breaching mal knowledge and a pre-programmed goal. Your program should include security at Fortune 500 compa- security vulnerability scanner. The these four steps. nies, government offices, utilities word “Security” in your title or your or other well-known entities is a company’s name will get you no instant Step One: Narrow Your Options precursor to or a guarantee of a appreciation now. The market for secu- Your first step should be to determine security career, you’re dead rity goods and services is more sophis- exactly what you mean by “security.” wrong. Doing these things is just ticated than it was. To make your way, Do you want to specialize in some tech- plain stupid. You can disrupt to survive, you have to be able to do nical aspect of security, say establishing business, shut down basic utili- more than know a few buzzwords. and configuring perimeter defenses ties and kill people. There’s a This market isn’t a Mecca for those such as firewalls? Do you absolutely who want to relax, either. Security is 10 love decoding packets to figure out new hardened attitude out there, percent pure panic and 90 percent what’s happening on the wire? Are you and you may just find yourself drudgery. It’s long hours with no obsessive-compulsive about the code doing time instead of working reward. You’ll generally only get recog- you write? Does implementing tech- for the company of your choice. nition when you fail. For me, it’s like nology excite you, or does the fact that —Roberta Bragg I’m always hanging from a cliff by my your mistakes might provide a venue

Page 15 • Security Certification 2003 Resource Guide (c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com You’ll meet people who already work in Now the good news—maybe: If you the job, some were trained by the mili- the field, gain some security knowledge, stop and think about it, much of what tary, and others were gifted with deep and maybe make a few useful contacts. you do in IT is security-related. Most talent and mathematical education. Check out the sites listed below and the systems administrators spend a fair Few had formal training in computer conferences and seminars they offer. amount of time granting or preventing security, per se. In the second phase, a They represent many different sides of resource access. Security is, in large part, large demand meant even inexperi- the security game. Just don’t assume about exercising controls in order to pro- enced people could earn money ped- you’ll see all security careers represented tect resources. If, however, you get your dling security advice, and many self- at any one event, or that you’ll be chuckles from making complex systems proclaimed hackers—the guys with the accepted with open arms when you say work, or writing elegant code, or getting experience—were able to cut their hair the words “Microsoft” and “security.” the best performance or throughput, or and morph into security consultants. • http://www.rsasecurity.com the most “bang for the buck,” then secu- Now we’re in stage three. There’s still • http://www.sans.org rity may not be a wise choice for you. a large demand, but buyers are more • http://www.gocsi.com/annual/ On the other hand, if you feel that knowledgeable. To get hired, you need index.html someone’s always looking over your some proof of expertise. If you don’t • http://www.blackhat.com shoulder; if you have multiple online have experience, do you have certifica- • http://www.defcon.org personalities; change out your hard tion or education? Employers today are • http://www.issa.org drive when you go online; subscribe to certification-shy, and bad experiences • http://www.misti.com multiple security newsletters (and with paper MCSEs have contributed to actually read and follow their advice); this. Several very good education alter- Step Two: Get Naked have been to Defcon or a CSI confer- natives exist, and you should start at Second, take a long look at yourself. ence; downloaded all the NSA guide- http://www.nsa.gov/isso/programs/nietp Carefully review your background, suc- lines; know who Stephen Northcutt, /newspg1.htm. Among the offerings on cesses and failures, dreams and reality. Bruce Schneier, Mudge and cDc are; the National INFOSEC Education & As they say in the weight-loss biz, stand purchased the SANS checklists; and Training Program Web site are the 50 in front of the mirror naked and take a have www.microsoft.com/security as universities designated “Centers of good, long look. A clear understanding your default home page, you probably Excellence in Information Assurance of your abilities, aptitudes and experi- have the necessary makeup for the Education” by the National Security ence is the starting point. Having a security field. Agency. Take a look at these programs. clear goal will help you identify the You’ll find that not one of them is a path to take. Does something in your Step Three: Get Trained short-term answer to your goals. Most background fit your idea of this long- Now that you know where you are and are traditional four-year undergraduate term goal? If your experience lies in what you want to do, determine what programs, or master’ and doctorate pro- networking or systems administration, you need to do to get there. Each secu- grams. Some of the more well-known of you have a good foundation to build rity opportunity may require a different these schools include: upon. Writing solid code and under- skill set, a different level of education. • Carnegie Mellon University: standing good coding practices is para- Where not long ago there were no (http://www.heinz.cmu.edu/infose mount to many security careers. If you “security degrees” and only a smattering curity/), well-known as the host don’t have either of these skill sets, why of certifications, both formal education location for the Computer Emergen- are you reading this article? Seriously, and a plethora of certification programs cy Response Team (CERT), as well while many security jobs don’t require now exist. The opportunities for educa- as many fine programs that offer you to code or to configure systems, tion have multiplied like hack attacks education in information security. they do require you to have knowledge on a new IIS server. • George Mason University: in these areas. Get some. If you’re Are formal education programs the (http://www.isse.gmu.edu/~csis/ struggling in IT because of a lack of way to go? Remember: Security as a index.html) ability to do a job for which you were career has gone through its first two • Janes Madiscon University: trained, what makes you believe that phases. In the first one, a need evolved (http://www.infosec.jmu.edu/pro you can enter the security arena with- as the natural result of the mainframe gram/html/classroom.htm) offers a out any experience or education at all? culture. Many people got trained on Continued on next page

LearnKey 2003 Winner Best Computer Application Training Best Online Certification Training - Training Magazine 2003 APX awards

First 20 Callers SAVE $100! Security is not an option! LearnKey Security Training on LearnKey SecurityTraining

CISSP Series ( Domains also sold separately) ...... 11 Sessions...... C#150168...... $2,995

® Cisco Certified Security Professional Series (Prep for SECUR, CSPFA, CSVPN, CSI, & CSIDS Exams) ...... 24 Sessions...... C#562198...... $3,265

® CompTIA Security+...... 4 Sessions...... C#101078...... $355

Hacking Revealed...... 5 Sessions...... C#150108...... $425

® Windows 2000 Network Security Design...... 3 Sessions...... C#601098...... $265

ISA Server 2000...... 4 Sessions...... C#601958...... $355

FREE Security Training CD! Choose from these popular titles: Training Features: • Dynamic instructor-led video CompTIA® Security+ • CISSP • Cisco® SECUR • Powerful animations & graphics HURRY! Click Here First 50 Only! • Testing, labs and eSupport and register to get yours! • 99% pass-rate

www.learnkey.com/mcpsecurity / 1.800.865.0165 ext. 5256

© 2003 LearnKey, Inc. LK112503 Source Code #5256 Prices listed are for Single-Users. Please call for Multi-User pricing and Corporate solutions. master’s degree program with a con- of which are profiled in the first part of adding the word “security” was a double centration in information security, this report—may help. Experience is guarantee. Many of these companies are taught entirely online. more important, but studying for certi- just treading water now; make your own • North Carolina State University: fication isn’t a bad way to develop well- inquiries before diving in. (http://ecommerce.ncsu.edu/infosec/ rounded product knowledge. Think outside the box. Did you courses.html), offers undergraduate, notice the acronym “HIPAA” in the job masters and doctorate programs in Step Four: Market Research list above? It stands for Health Insurance information assurance. Research the job market. IT security Portability and Accountability Act of • University of Idaho: employment is currently suffering a soft- 1996. Some of the regulations of this act (http://www.csds.uidaho.edu/), has ening of the market. Visit IT recruiter L.J. mean radical changes in the way hospi- the Center for Secure and Depen- Kushner (http://www.ljkushner.com/) to tals, doctor offices, insurance companies dable Software (CSDS). get the skinny on where they think it’s and anyone who handles patient infor- headed; if you’re qualified, post a resume. mation must do their job. While many Be sure to check out the new Visit popular headhunter sites and institutions have a strategy in place, oth- Federal Cyber Service: Scholarship for do a search on information security. At ers are still trying to understand what Service programs if you’re studying Career Builder (http://www.headhunt they need to do. In either case, there will information security in college. U.S. er.net) I found more than 371 jobs from be a continued demand for IT security citizens can get two years of their infor- the keywords “information security.” people in the health care industry. mation security education paid for in Granted, a lot of jobs didn’t fit my defi- return for two years of government nition of info sec, but many did. Poring If You’re Still Interested… information security work. Pay atten- over the possibilities might just reveal By now you should have an idea that tion to the qualifications: Not every some ideas you hadn’t considered. How being a security professional is not don- program—nor every candidate—quali- about being a senior fraud examiner, ning a 10-year-old’s T-shirt or doing fies. You must be enrolled in an info sec security manager, risk management-secu- the rock star strut across a stage. There’s curriculum in one of several qualifying rity and regulatory manager, security no surgical security implant or Viagra colleges before you can apply. Several of engineer, IT auditor, security engineering for the brain. You’ve found there’s a cry- the programs referenced above partici- specialist, IT risk management specialist, ing need for those who know IT securi- pate in the program. Your best source policy maintenance senior specialist, ty, but no money to pay them; hordes of information is their Web sites. acquisition security specialist, network of security babe-wannabes; and an And don’t forget that good old prac- security integrator, chief information pri- immature industry where even the def- tice of studying on your own or with vacy officer, security analyst, security sys- inition of “security professional” is your buds. I don’t have to tell you that tem installer, director of IT security or undecided. If somehow you’ve made it many of your peers in IT run extensive HIPPA information security officer? Job to this point, you probably still want to home test networks. If you’re thinking listing sites are an excellent way to learn pursue the dream, so go for it. of hitting the consultant career path, about the various security job categories this is essential. It’s my belief that you and required experience level. You may A version of this article was first print- can earn the equivalent of a master’s be startled to learn that many pay less ed in Microsoft Certified Professional degree if you’re willing to invest in a than a good network administrator job. Magazine. subscription to MSDN and TechNet, Graze through popular security cobble together a few boxes in your product sites. Many of them have Roberta Bragg, MCSE: Security, CISSP, basement and spend hours and hours employment sections. Working for a Security+ and contributing editor for with them. Note that it’s my belief: I security consulting firm or product MCP Magazine, runs Have Computer know of no college that will give you company can boost your career. A word Will Travel Inc., an independent firm spe- credit for your wee-hour explorations to the wise: Research the financial sta- cializing in security, operating systems and of PKI, Insect, Kerberos, group policy bility of these companies before you databases. She’s a frequent speaker and or other security-related items. join. Many security startups got their trainer for TechMentor. She’s currently Many vendors have certifications, funding during the high-tech expansion completing two books on network security too. If you work extensively with their wars, when the word “Internet” was for Microsoft Press. Contact her at products or wish to, these certs—many synonymous with “Cha-ching!” and [email protected].

Does adding “security” to already-existing IT job titles mean a new job for you? In some cases, yes.

A search of popular job search engines security clearance— like Dice.com or ITjobs.com on the which isn’t something keywords “IT,” “network” and “securi- you can simply pick up ty” will produce titles such as systems when you need it, making administrator and security administra- that a factor beyond the tor, network analyst and security ana- usual IT job descriptions. lyst, or IS manager and IS security (For more on this topic, manager. Are these new jobs or the read “About Those U.S. same jobs you’re familiar with, with Government Security Clearances” later Security Engineer security sneaking onto the list of in this guide.) Security engineers are typically involved responsibilities? Purely based on a ran- In this article, we share various in planning, managing and implement- dom survey of jobs that are available security-related job titles and what ing higher-level security issues as they out there, it’s a mixture of both. kind of work they entail. It isn’t meant relate to systems and networks and are The need for specialists pervades to be a comprehensive list, but it cov- often tasked with evaluating security any profession and often produces new ers the major ones you’ll run across in software and the impact that third-party job titles—the IT profession is no dif- the course of scanning employment software may have as it’s installed on a ferent. New security titles have cropped opportunities. network. Security engineers usually have up out of necessity and these types of significant input on setting up security jobs can be found primarily in medium Security Administrator policies during the planning phase. The to large organizations where security Security administrators typically are security engineer may fill roles as project has to be controlled on a large scale. tasked with implementing security leads and may even be a manager. (That’s not to say that small companies measures on a network. This may You’ll find security engineers among don’t have their fair share of security include: administering passwords, any type of IT engineer who performs a jobs; you might find the odd need for a monitoring system or data security specialty. One interesting form of the security analyst at a consulting or out- practices based on established compa- security engineer on an ITjobs.com list- sourcing firm.) Imagine, for example, ny guidelines and monitoring and ing is the information assurance security having to manage and troubleshoot reg- thwarting internal and external inci- engineer. This job’s differentiating factor ularly scheduled password changes for dents (worms, viruses, Trojans and was the concentration on certification an accounting firm, where data access is external or internal system abuses). and accreditation of systems/sites. For critical and can’t be interrupted. They also might be in charge of disas- this job title, the company required Security encompasses issues beyond ter recovery efforts and typical net- someone with some form of govern- the tradtional IT scope; for example, as work administrator duties. ment security clearance, since the job with the Health Insurance Portability Security administrators may have involved writing up information assur- and Accountability Act of 1996. HIPAA a hand in maintaining or recommend- ance activities on federal government is a recurring criteria for security-related ing changes in established security poli- customer systems and networks. jobs in healthcare and banking. Like- cies and procedures. You might find jobs with specialties wise, federal positions having to do with Security administrators report to a in database security and firewalls. security may require you to possess a project lead or manager. Here’s an interesting twist on the secu-

Page 19 • Security Certification 2003 Resource Guide (c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com rity engineer title: Enterprise Security One company on ITjobs.com post- that encompassed the same as a securi- Engineer, Ethical Hacker, for a Fortune ed a job for a “senior consultant, ty monitoring/compliance officer, but 500 company in Chicago. The company HIPAA security,” who would primarily also required some experience in legal requires “ethical hacking skills,” which play advisor and coordinator for pre- evidence-gathering techniques. often means programming expertise sales engagements to companies that with a strength in developing exploits. required HIPAA compliance before Security Director forming partnerships. Security directors are often the line Security Architect Another listing called for a Security between staff and executive manage- Similar to security engineer in expert- Analyst, Intrusion Detection/Forensics, ment, usually leaning over to the latter. ise, security architects are primarily a job whose defining characteristic was Security directors, though, make rare responsible for establishing a frame- the ability to respond quickly to securi- appearances on job search engines, work for a comprehensive security ty incidents that can affect mission-crit- because the responsibilities can be an strategy. The framework might involve ical production systems. Response had amalgamation of higher-level duties drilling down to specific policies and to be quick and thorough, particularly taken on by a team of security managers, procedures. Rarely is the security archi- in assessing, documenting and offering engineers and administrators. If such a tect involved in implementation, unless solutions to thwart attacks. Another job listing appears, it’s rarely for a small providing hands-on support to a secu- duty: That person would be tasked with company. Typical responsibilities for rity team. Architects usually have a developing new ways to harden systems. security directors include: overseeing thorough understanding of network, Another job listing asked for a and coordinating security policies for IT application and database security. cyber security analyst. Based on the and company-wide for departments like Security architects can be highly spe- description, job duties matched up engineering, operations, legal and so on; cialized, such as one Dice.com listing for with a typical security consultant. developing and standardizing the com- a “single sign-on architect.” It’s a highly munication of security, privacy policies specialized security architect whose sole Security Monitoring/Compliance and disaster recovery initiatives, often in responsibility is to design a single sign- Officer accordance with industry regulations; on standard, often done for disparate This person implements and supports and developing or driving security network systems that need to be wholly information security to maintain com- awareness training. Security directors secure across architectures. pliance with applicable laws. He or she typically report to a chief information The security architect might be acts as a resource on matters relating to officer or chief security officer. interchangeable with the security man- information security and will investi- ager at some companies or may report gate and recommend secure solutions Chief Security Officer to a security manager. for implementing IS security policy At or near the top of a company hierar- and standards. In some companies, the chy (CSO would report directly to the Security Consultant security monitoring/compliance officer CTO or CEO), the chief security offi- Often someone whose breadth of expe- might report directly to an enterprise cer often dictates the companywide rience encompasses security administra- security director or chief security offi- security mission or strategy. One high tor to architect to director, security ana- cer, perhaps even to the CIO or CEO. profile member of this elite corps is lysts or consultants often work in an A Dice.com job listing asked for a Howard Schmidt, previously the CSO outsource capacity to test and recom- specialized business information securi- for Microsoft, then pegged as cyberse- mend security solutions or strategies. ty officer (BISO) who would be respon- curity advisor to the White House, and Security consultants and analysts should sible for IS audits and advising other more recently vice president and chief have extensive knowledge of network groups of security requirements for line information security officer for eBay. access, authentication, development of of business applications and concoct While it’s a mystery how CSOs differ security policies and procedures and compliance reports in terms of business from CIOs, many of the Fortune 500 conducting vulnerability assessments. risk. The BISO would report to the offi- companies like Microsoft and General They may also be involved in security cers of various groups, such as engineer- Electric have them. pre-sales engagements. The security ana- ing directors and data center managers. Consider these positions to be a lyst title may be interchangeable with Another job was listed as fraud rare breed, indeed. the security consultant title. investigator, a highly specialized skill —Michael Domingo

Q&A: Can Security Certifications Help Your Career?

We asked a security insider to share his honest take on exactly what security certifications can—and can’t—do for your job prospects.

Greg Owen is technical director for the security problems from time to time. because they’re so big that one person Global Information Assurance That cert makes it more official that can’t do all the jobs. Having said that, I Certification (GIAC), a vendor-neutral they do know this area. They’ve proba- don’t think being fully specialized is a certification program sponsored by the bly had to deal with it, probably had to helpful thing, especially in security. I SANS Institute. He holds three GIAC help out. I think that for a person with think knowing a little bit about every- certifications: no IT experience, to go out and get a thing helps you do one thing better. • GIAC Certified Incident Handler cert is not as useful, but that’s not the Broad experience and broad under- (GCIH) case for the vast majority of people who standing of the entire problem area • GIAC Certified Windows Security are [pursuing security certification]. It makes dealing with specific areas easier. Administrator (GCWN) can still be useful for someone without • GIAC Certified Forensic Analyst experience, but employers are looking Is there value in platform-specific certifi- (GCFA) for the combination of experience and cation, like Microsoft or Cisco? Part of his duties with GIAC include testable proof. There definitely is. With specific respect exam preparation. Owen also does net- to security, I don’t know how much the work security consulting for a consulting Should you wait until you’ve been in secu- Microsoft [security specialization] will company in Boston, Massachusetts. He’s rity for some years before getting certs? help. It’s only recently that they’ve been working in IT, including network I think a year or two is useful, but the added the security specialization. I think security, for more than 10 years. thing about security is it’s something the attitude is, “Why would you go to people have to deal with all the time. the vendor who shipped the broken Are security certifications becoming Having a job on your resume that has software in the first place to tell you how more important or less so in the current to do with security [is helpful]. to fix it?” There’s a certain amount of market? hesitancy there, but specific training is Greg Owen: It’s becoming more impor- Do security certifications help if you want definitely valuable if you’re going to be tant. The larger the company, the more to become a security consultant? working in that area. If you’re looking reliant they are on the certification. I think so. Whenever a consulting firm for a Windows network administrator, The events of the last couple of years or independent consultant comes in to you definitely want them to have their are starting to drive home to everybody bid for a job, the good ones will have a MCSE. If you have a large Cisco infra- the point that security is more impor- page on the back which has a quick bio structure and you need that supported, tant than it used to be. For a large com- of the people they’re proposing to send you’re going to want Cisco certification. pany, it’s hard for them to make a shift in on the job [and certifications show like that. Human resources needs to up well]. What would you tell someone who want- have something they can look for to Consulting [for independent con- ed a security certification because it’s the differentiate that “this is a candidate sultants] is as much a sales issue as any- “hot” field right now? who can do what we want; this [one thing else, and part of the sales issue is I wouldn’t recommend that somebody isn’t].” At one bank I’ve worked with, saying, “Yes, I know what I’m doing, and go into it if they haven’t had an interest their security people almost universally here’s what I have to prove it.” in it, just because of that [i.e., it’s popu- hold the CISSP. Certifications can be very helpful to lar at the moment]. Like any profession, prove that. if you’re just going into it for the money, Can you get a security-related job with if you’re not truly interested in the chal- certification and no experience? Will there be further areas of security cer- lenges, it will show to employers. They’ll I think the security certification helps a tification specialization? see that. If you don’t enjoy doing that lot, in the situation where someone’s It depends on the size of the company. kind of work, if you don’t enjoy walking been doing IT and has gotten certifica- In larger companies, I’m definitely see- that walk, I’m not sure I’d recommend it. tion and had to deal with corners of the ing a trend toward specialization, simply — Keith Ward

Title Salary “The true source of long-run wealth is for us to specialize in what we are best MCP* $61,700 at,” writes Brad DeLong, economics ISA Server $65,100 2 professor at U.C. Berkeley. He may (ISC) Systems Security Certified Practitioner $77,500 have been explaining 19th century Check Point Certified Security Expert $78,500 2 economist David Ricardo’s principle of (ISC) :Certified Information System Security Professional (CISSP) $78,800 “comparative advantage” in simpler Cisco Certified Security Professional $93,500 terms, but DeLong’s explanation has Table 1. Comparing salaries of MCPs and those holding security-specific certifications. application with IT careers. * Average base salary of all MCPs; all other figures come from Chart 8, “Salary by Other Becoming a specialist can be one way Certifications,” from the 2003 MCP Magazine Salary Survey. More at http://mcpmag.com. to make some personal improvements in your career and sustain your good for- as well as the MCP, made at least because Salary.com gathers it on a tune in these shaky times. Several current $4,000 more, and in some cases continual basis. surveys of IT salaries among those who $30,000 more (see Table 1). • ComputerWorld 2003 Salary specialize in security skills show modest While specializing may seem to be Survey: gains against contemporaries who don’t the next logical step, salary numbers (http://www.computerworld.com/c indicate a specialty. like those shown on these reports aren’t areertopics/careers/story/0,10801,8 Take Salary.com, which offers basic guaranteed. Remember that salary sur- 6413,00.html). Published in ongoing reporting of salaries within the veys only provide a snapshot of salaries October 2003, data comes from U.S., compiling data from thousands among the employed as those surveys more than 19,000 responses. of human resources departments. were conducted. Obtaining a security • Microsoft Certified Professional Based on its report for Nov. 11, medi- specialty only means your breadth of Magazine 2003 Salary Survey: an average salary for network adminis- expertise may give you an advantage (http://mcpmag.com/salary trators across the U.S. was $54,458. over peers. Whether that translates to surveys/) MCP Magazine is known Compare that to security administra- additional compensation is up to your for its yearly survey of certified pro- tors, whose median was $62,074, a 12 employer and your powers of persua- fessionals woking with Microsoft percent increase. sion over the one who signs your check. products. Data collected from more ComputerWorld’s 2003 compensa- Looking into 2004, it’s tough to than 6,000 respondents. tion survey backs up Salary.com’s data know how valuable the security focus • Janco Associates: with a more pronounced increase. in your portfolio will continue to be. (http://www.psrinc.com/salary.htm) Network administrators earned What’s hot today can grow cold tomor- This technical outsourcing firm $51,265 on average, while IS security row in IT. We’d advise you to stay in gathers compensation data from specialists said they earned $70,780. touch with published information on more than 400 mid- and large-sized Specialization here may account for a compensation; but remember, those companies twice a year. The most 26 percent increase. numbers can’t pinpoint what a particu- recent report was published in June. Salaries qualified by certification lar individual should earn. Variables • Foote Partners LLC: show increases that are just as remark- such as geographic location, years of (http://www.footepartners.com/sala able. The Microsoft Certified experience, type and size of organiza- ryresearch.htm) Collects salary data Professional Magazine 2003 Salary tion and negotiating skills come into from 35,000 IT workers on a quar- Survey (MCP Magazine and play in any given scenario. terly basis. Reports are costly, but CertCities.com are both 101communi- To find detailed salary survey infor- the sample versions have a signifi- cations LLC companies) reports that mation, check out these links: cant amount of data. the average base salary for MCPs was • Salary.com: More links to salary surveys can be $61,700. Respondants who held addi- (http://www.salary.com) Get daily found on CertCities.com at http://cert tional security-based certifications like salary reports just by clicking on the cities.com/editorial/salary_surveys/. Microsoft’s own ISA Server or CISSP, simple criteria. Data changes —Michael Domingo

You’ve found a job whose description fits including titles, supervisor names and granted or denied. you perfectly except for one small matter: supervisor addresses—people who know If it’s granted, the fun doesn’t stop It requires a security clearance and you you well aside from spouses and rela- there. Depending on what level of clear- don’t have one. As with many things in tives, relatives and associates (along with ance you have, you’ll have to undergo life, getting this particular position their dates of birth, country of birth and reinvestigation every five, 10 or 15 years. would be a long shot for you, but that current address), your military history If you leave that position, the clearance is doesn’t mean you shouldn’t try anyway. and foreign activities (including travel still active, but it may not be usable by The fact is that security clearance is for business and pleasure), police your next employer—depending on something you can’t obtain for yourself. records, medical records, financial what type of security clearance the new Your current or prospective employer has records and delinquencies, use of illegal job requires. Let enough time pass and to set the wheels in motion to get it for drugs and alcohol, and groups you asso- the clearance will have no merit at all. you. Since the process is costly and time- ciate with that espouse the violent over- The whole process of obtaining a consuming, organizations won’t do it throw of the government. clearance can take many months— unless it’s absolutely essential. Let’s Sound comprehensive? The idea is sometimes longer than a year—and cost review the basics. to weed out those who aren’t (according several thousands (even tens of thou- You typically need a security clear- to SF 86) “reliable, trustworthy, of good sands) of dollars. The more sensitive the ance when you hold a sensitive position conduct and character, and loyal to the job, the deeper—and the costlier and within the federal government or when United States.” The same form also more time-consuming—the investiga- you work for a government contractor or warns that your current employer will be tion. You can’t speed up the effort, nor some other organization that has access contacted and questioned, whether you can you offer to pay the cost. That’s why to classified information or deal with want them to be or not. so many jobs listing security clearance as other restricted information relating to Your form and your fingerprints go a requirement are anxious to find candi- national security. Clearances come in to the Federal Investigations Processing dates who already possess a clearance of many different flavors, primarily confi- Center, which calls on investigators— the right type—the project may be over dential, secret, top secret, and sensitive both federal employees and contract—to by the time somebody new to the compartmented information (SCI). start confirming what you’ve said on the process obtains his or her clearance. If Once a person has been offered a form. During this phase of the process, you’ve noticed the propensity of govern- position that requires a clearance, the investigators review available records ment contractors to intensely recruit ex- employer opens up a request with the (including your presence on the military people for open positions, it’s Office of Personnel Management Internet), check with the police, run a because vets frequently come with the through a federal security officer. The credit check on you and talk to people security clearance that’s needed as part OPM gives the candidate undergoing who know you—those you’ve listed on of their portfolio. the clearance check access to an online the form as well as people in a position to If you don’t already have a security system called e-Qip, or Electronic observe you, such as neighbors. Plus, clearance but there’s a particular organi- Questionnaire for Investigations Pro- you’ll be interviewed yourself. zation you’re determined to work for, cessing, a digital version of Standard All the data that’s collected ends up your best approach is to obtain employ- Form 86 (http://www.usaid.gov/pro in a single file, called “The Report of ment that doesn’t require the clearance curement_bus_opp/procurement/forms/ Investigation,” which is sent to the feder- with the agency or firm. Then put in SF-86/sf-86.pdf). al agency that asked for the investigation your time and make it clear to your man- SF 86 is a 13-page document that in the first place. At that point, it’s up to ager that should the right opportunity asks you to list your vitals—name, social the federal security officer at the agency present itself, you’d be willing to undergo security number, place of birth, etc.— of hire to determine your eligibility to the investigation. But temper your and then drills down on your personal have a position with access to secure enthusiasm: Too much eagerness to history going back at least seven years. information. You may get the chance to undergo this in-depth exploration into You’re expected to list where you’ve lived explain or refute negative or unclear your personal and professional life might for the last seven years, where you went information during this “adjudication be viewed as suspicious behavior. to school, your employment activities— phase.” Then your clearance is either — Dian Schaffhauser

1. Microsoft TechNet IT Pro Security 6. LinuxSecurity.com 11. Hacker Wacker Zone http://linuxsecurity.com http://www.hackerwhacker.com/ http://www.microsoft.com/technet/s This is an excellent site for Linux secu- One of the best features of this securi- ecurity/community/default.mspx rity administrators. Contains Linux ty-packed Web site is the ability to do The IT Pro Security Zone is Microsoft’s security-specific news, advisories, tools free remote security scans of your net- newest security portal. It’s your one- and research. work and firewall. See what the hackers stop shop for Microsoft-related security are seeing. newsgroups, latest patches, chats and 7. Windows 2000 Security Operations special events, security articles, FAQs Guide 12. InfoSysSec and lots more. http://www.microsoft.com/down http://www.infosyssec.org/ loads/details.aspx?displaylang=en&f Like many of the sites listed here, this 2. CERT Coordination Center amilyid=f0b7b4ee-201a-4b40-a0d2- one offers a wealth of security-related http://www.cert.org/ cdd9775aeff8 information. However, this site also The Computer Emergency Response This guide is a must-have document for lists the Top 10 IP addresses from Team helps protect the Internet through anyone with Windows 2000 servers on which Internet attacks are being various means. It constantly monitors their network. Following the step-by- launched and the Top 10 ports that are public networks for attacks, and normal- step instructions can drastically reduce being attacked. ly knows one is coming before it hits. A successful attacks on your network. treasure trove of great information. 13. HIPAA.org 8. Common Criteria http://www.hipaa.org/ 3. NTBugtraq http://www.commoncriteria.org/ Are you unsure of how the Health http://www.ntbugtraq.com Common Criteria provides a set of Insurance Portability and Accountabi- Everyone in the security community standards for information security. lity Act (HIPAA) works? If you’re a knows Russ Cooper, TruSecure’s Sur- Products are submitted to CC for test- security consultant, you should know, geon General. This is his Web site, ing and then given a rating based on since there’s a lot of money to be which offers one of the most active their overall level of security. The high- made by ensuring HIPAA compli- security newsgroups on the Net. er the number, the better. ance. This site is a good starting point. 4. InfoSec Reading Room 9. InfoSec News http://www.sans.org/rr/ http://www.infosecnews.com/ 14. CSRC NIST PKI Program SANS is well-known for its security One of the few sites that specializes in http://csrc.nist.gov/pki/ training. Its InfoSec Reading Room has computer security news. It’s updated Thinking about instituting a Public more than 1,200 security white papers daily and contains a broad range of Key Infrastructure? If so, this site from in 70 different categories. All the major content. the National Institute of Standards and platforms are covered, including main- Technology is the best place to begin frames, Unix, Linux, Mac/Apple and 10. SecurityStats.com your research. Windows. http://www.securitystats.com/ Want to follow the legal trials and 15. 2600 5. WildList Organization International tribulations of your favorite hackers? http://www.2600.com/ http://www.wildlist.org/ Find out how much the MS Blaster Why is the most famous hacker Web The best source of information on what Worm cost companies? Keep up on site of all on this list? Because to fight viruses are currently out there “in the Web defacements? Security Stats is the hackers, it’s important to understand wild.” Serious security people check place to do that and get lots of other their mindset. this list constantly. good security information. — Keith Ward

1. TechNet Flash The SANS Critical Vulnerability based in India that, among other activ- http://www.microsoft.com/technet/s Analysis Report is a weekly bulletin of ities, publishes a bi-weekly security ubscriptions/current/suboserv.asp top vulnerabilities. SANS, a security newsletter that’s mostly news, but also TechNet Flash is Microsoft’s bi-weekly training company, lists the risk levels has sprinklings of opinion scattered newsletter covering all things TechNet. with each vulnerability, potential dam- throughout. Solid coverage of security Of course, one of its main purposes is age of each and links to learn more news throughout the world, not just to alert you of the newest security vul- about them. the United States. nerabilities, patches, hotfixes and pro- — Keith Ward cedures for securing your network. 5. Asian School of Cyber Laws http://www.asianlaws.org/infosec/ne Note: Only free newsletters were consid- 2. Security Watch wsletter/index.htm ered for this list. Most of us have enough http://lists.101com.com/nl/main.asp The first reaction to the “Asian School things to pay for without shelling out for ?NL=mcpmag of Cyber Laws” is usually, “What the electronic newsletters. Security Watch, published by the same heck is that?” It’s a public organization folks who produce Microsoft Certified Professional Magazine, provides lots of original content (something often diffi- cult to find in newsletters). Included in 5 Web Picks for Security Certification each issue is a commentary by 1. CCCure.org Windows security expert Roberta http://www.cccure.org Bragg and a roundup of top security This top-notch site for CISSP candidates is packed with useful preparation tools, stories by ENTMag.com editor Scott including exam reviews, news, research and an expansive collection of practice questions. A similar site worthy of prospective CISSP candidates can be found at Bekker. If you have security responsi- http://www.cissps.com/. bilities on a Windows network, this 2. Rtek2000 Security Links newsletter is a must-read. http://www.rtek2000.com/Tech/InternetSecureLinks.html This page from training company Rtek2000 hosts one of the most comprehen- 3. Crypto-Gram sive security link collections available, covering just about every baseline topic http://www.counterpane.com/crypto- tested on security certification exams (and then some). The perfect place to gram.html begin your online studies. Crypto-Gram is a free monthly news- 3. CertCities.com Security Exam Reviews letter from Bruce Schneier, the field’s http://www.certcities.com/certs/security/exams/ foremost expert in cryptography. Go here to read CertCities.com’s collection of security-related exam reviews, 2 Schneier comments on a host of securi- including Microsoft’s 70-214, CompTIA’s Security+ and (ISC) ’s CISSP. ty topics, covering a broad range of 4.Certification-Crazy’s Security+ Resources issues. He’s never at a loss for a strong http://www.certification-crazy.net/security+.htm Scroll down to view a nice list of online Security+ resources from a fellow candidate. opinion on any security-related topic. 5. GetCertified4Less.com http://www.getcertified4less.com/testvoucher.asp 4. SANS Critical Vulnerability Offers discounted vouchers for Microsoft, Cisco, Check Point and CompTIA exams. Analysis Report — Becky Nagel http://www.sans.org/newsletters/cva

THE ANTI-SPAM SUMMIT

MARCH 17-19, 2004 THE PALACE SAN FRANCISCO, CA

You know what e-mail abuse costs your business.

You’ve tried to stop it. Now attend the only industry summit focused solely on the technical and business issues surrounding spam.

C OME LEARN ABOUT: W HAT THE SUMMIT OFFERS:

• The best-of-breed tool overviews • A technical track will focus on tools and • The latest technologies technical solutions for systems adminis- • Case studies straight from your peers trators, network managers, analysts, • Legislation and regulation IT managers and administrators – anyone fighting spam in the trenches. • What the major ISPs are doing • A business track will focus on legislation, regulation, costs, and other business issues P RESENTERS: for IT managers, vice presidents, Hear from top names fighting the spam problem today: Experts from AOL, Yahoo, Microsoft, the technical developers, and chief privacy FTC, California's Office of Privacy Protection, and officers, chief security officers, and many more. other C-level executives. • Ryan Hamlin • Jon Praed General Manager, Founding Partner, Microsoft’s Anti-Spam Internet Law Group Technology and Strategy Group

Sponsored by 101communications and Microsoft Certified Professional Magazine

R EGISTER T ODAY! WWW.101TECHSTRATEGIES. COM Security Bookshelf Popular print resources for security technology and certification.

.NET Framework Security Building Secure Software: Counter Hack: A Step-by- Firewall Architecture for the Brian A. How to Avoid Security Step Guide to Computer Enterprise LaMacchia, Problems the Right Way Attacks and Effective Norbert Pohlmann, Tim Sebastian John Viega, Gary McGraw Defenses Crothers Lange, Addison-Wesley Ed Skoudis John Wiley & Sons Matthew 020172152X Prentice Hall July 8, 2002 Lyons, Rudi September 24, 2001 PTR 076454926X Martin, Kevin $54.99 0130332739 $49.99 T. Price July 23, 2001 Addison-Wesley Building an Information $49.99 Firewalls: The Complete 067232184X Security Awareness Program Reference April 24, 2002 Mark B. Desman Computer Security by Keith Strassberg, Gary $57.99 Auerbach Handbook Rollie, Richard Gondek 0849301165 Seymour Bosworth and Michel McGraw-Hill Osborne Media Anti-Hacker Tool Kit October 30, 2001 E. Kabay, Editors 0072195673 Keith J. Jones, Mike Shema, $49.95 John Wiley & Sons May 28, 2002 Bradley C. Johnson 0471412589 $59.99 McGraw-Hill Osborne Media Building Internet Firewalls April 2002 0072222824 (2nd Edition) $80 June 25, 2002 Elizabeth D. Zwicky, Simon Firewalls and Internet $59.99 Cooper, D. Brent Chapman Designing Security Security: Repelling the Wily O’Reilly & Associates Architecture Solutions Hacker, Second Edition The Art of Deception : 1565928717 Jay Ramachandran William R. Cheswick, Steven Controlling the Human January 15, 2000 John Wiley & Sons M. Bellovin, Aviel D. Rubin Element of Security $49.95 0471206024 Addison-Wesley Kevin D. March 1, 2002 020163466X Mitnick, The CERT Guide to System $55 February 24, 2003 William L. and Network Security $49.99 Simon Practices The E-Policy Handbook: Hungry Julia H. Allen Designing and Implementing The Hack Counter-Hack Minds Addison- Effective E-Mail, Internet, Training Course: A Desktop 076454280X Wesley and Software Policies Seminar October 2003 020173723X Nancy L. Flynn Edward Skoudis $16.95 June 7, 2001 AMACOM Prentice Hall PTR $39.99 0814470912 013047729X Authentication: From November 2000 June 14, 2002 Passwords to Public Keys Computer Forensics: $19.95 $69.99 Richard E. Smith Incident Response Essentials Addison-Wesley Warren G. Kruse II, Jay G. Hacker’s Challenge 2: Test The Effective Incident 0201615991 Heiser Your Network Security & Response Team October 1, 2001 Addison-Wesley Forensic Skills Julie Lucas, $44.99 0201707195 Mike Brian Moeller September 26, 2001 Schiffman, Addison- Beyond Fear: Thinking $44.99 Bill Wesley Sensibly About Security in Pennington, 0201761750 an Uncertain World Computer Security Incident David Pollino, September 26, Bruce Schneier Handling: Step-by-Step Adam J. 2003 Copernicus Books (Version 2.3.1) O’Donnell $39.99 0387026207 Stephen Northcutt McGraw-Hill September 2003 SANS Institute Osborne Media $25 0972427376 0072226307 March 2003 December 18, 2002 $29.99 $39.99 Continued on next page

Page 28 • Security Certification 2003 Resource Guide (c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com Hacking Exposed: Network Honeypots: Tracking Hackers Information Security Policy Kerberos: A Network Security Secrets & Lance Manual Authentication System Solutions, Fourth Edition Spitzner Edmond D. Jones Brian Tung Stuart Addison- Rothstein Associates Addison-Wesley McClure, Joel Wesley 1931332096 0201379244 Scambray, 0321108957 February 23, 2001 May 4, 1999 George Kurtz September 10, $89 $19.95 McGraw-Hill 2002 Osborne $44.99 Information Security Know Your Enemy: Revealing Media Risk Analysis the Security Tools, Tactics, 0072227427 Incident Response: Thomas R. and Motives of the Blackhat February 25, 2003 Investigating Computer Crime Peltier Community $49.99 Chris Prosise, Kevin Mandia Auerbach The McGraw-Hill Osborne Media 0849308801 Honeynet Hacking Exposed Web 0072131829 January 23, Project Applications June 21, 2001 2001 Addison- Joel Scambray, Mike Shema $39.99 $69.95 Wesley McGraw-Hill Osborne Media 0201746131 007222438X Information Security The Information Systems August 31, 2001 June 19, 2002 Architecture, Second Edition Security Officer’s Guide: $39.99 $49.99 Jan Killmeyer Tudor Establishing and Managing CRC Press an Information Protection Linux Security Cookbook Hacking Exposed 0849315492 Program Daniel J. Barrett, Richard E. Windows 2000 June 28, 2003 Gerald L. Kovacich Silverman, Robert G. Byrnes Joel $79.95 Butterworth-Heinemann O’Reilly & Associates Scambray, 0750698969 0596003919 Stuart Information Security May 1998 June 2003 McClure Architecture: An Integrated $41.95 $39.95 0072192623 Approach to Security in the August 29, Organization Inside Network Perimeter Linux Server Hacks 2001 Jan Killmeyer Tudor Security: The Definitive Rob Flickenger, Editor $49.99 CRC Press Guide to Firewalls, Virtual O’Reilly & Associates 0849399882 Private Networks (VPNs), 0596004613 Hacking Exposed Windows September 25, 2000 Routers, and Intrusion January 2003 Server 2003 $69.95 Detection Systems $24.95 Joel Scambray, Stuart McClure Stephen Northcutt, Lenny McGraw-Hill Osborne Media Information Security Zeltser, Scott Winters, Karen Malware: Fighting 0072230614 Management Handbook, Fredrick, Ronald W. Ritchey Malicious Code October 27, 2003 Fourth Edition, Volume 4 Que Ed Skoudis, $49.99 Micki Krause 0735712328 Lenny Zeltser and Harold F. June 28, 2002 Prentice Hall Hacking Linux Exposed Tipton, $49.99 PTR Brian Hatch, James B. Lee, Editors 0131014056 George Kurtz Auerbach Intrusion Detection with Snort November 9, 0072127732 0849315182 Jack Koziol 2003 March 27, 2001 November 26, SAMS $44.99 $39.99 2002 157870281X $69.95 May 20, 2003 Managing A Network HackNotes Web Security $45 Vulnerability Assessment Pocket Reference Information Security Justin Peltier, John A. Blackley, Mike Shema Policies, Procedures, and Intrusion Signatures and Thomas R. Peltier McGraw-Hill Osborne Media Standards: Guidelines for Analysis Auerbach 0072227842 Effective Information Mark Cooper, Stephen 0849312701 June 30, 2003 Security Management Northcutt, Matt Fearnow, May 30, 2003 $29.99 Thomas R. Peltier Karen Frederick $59.95 CRC Press Que Continued on next page 0849311373 0735710635 December 20, 2001 January 29, 2001 $69.95 $39.99

Page 29 • Security Certification 2003 Resource Guide (c) 2003 101communications LLC, http://certcities.com, http://mcpmag.com Network Intrusion Real World Linux Security: Snort 2.0 Intrusion SQL Server Security Distilled Detection, Third Edition Intrusion Prevention, Detection Morris Lewis Stephen Northcutt, Judy Detection and Recovery Brian Caswell, Jay Beale, James APress Novak Bob Toxen C. Foster (Editor), Jeremy 1590591925 Que Prentice Hall PTR Faircloth (Editor) July 1, 2003 0735712654 November 2000 McGraw-Hill Osborne Media $39.99 August 27, 2002 0130281875 0072226307 $49.99 $44.99 December 18, 2002 Web Hacking: Attacks $39.99 and Defense Network Security: Private Secrets and Lies: Digital Stuart Communication in a Public Security in a Networked Special Ops: Host and McClure, World World Network Security for Saumil Shah, Charlie Kaufman, Radia Bruce Schneier Microsoft, UNIX, and Oracle Shreeraj Shah Perlman, Mike Speciner John Wiley & Sons Erik Pace Birkholz, Stuart Addison- Prentice Hall PTR 0471453803 McClure Wesley 0130460192 January 2004 Syngress 0201761769 April 15, 2002 $17.95 1931836698 August 8, 2002 $54.99 February 17, 2003 $49.99 Security Architecture: $69.95 PKI: Implementing & Design, Deployment and Writing Information Managing E-Security Operations Stealing the Network: How Security Policies Andrew Nash, Christopher King, Ertem to Own the Box by Scott Barman Bill Duane, Osmanoglu (Editor), Curtis Ryan Russell Que Derek Brink, Dalton (Editor), Ido 157870264X Celia Joseph McGraw-Hill Osborne Media Dubrawsky, November 9, 2001 McGraw-Hill 0072133856 FX $34.99 Osborne July 30, 2001 Syngress Media $49.99 1931836876 Writing Secure Code 0072131233 June 2003 Michael Howard and David March 27, 2001 The Shellcoder’s Handbook : $49.95 Lebl, David LeBlanc $49.99 Discovering and Exploiting Microsoft Press Security Holes SQL Server Security 0735615888 Practical Unix & Internet Jack Koziol, David Litchfield, Chip Andrews, David December 15, 2001 Security, 3rd Edition Dave Aitel, Chris Anley, Sinan Litchfield, Bill Grindlay $39.99 Simson Garfinkel, Gene Eren, Neel Mehta, Riley McGraw-Hill Osborne Media Spafford, Alan Schwartz Hassell 0072225157 —Michael Domingo O’Reilly & Associates John Wiley & Sons August 27, 2003 0596003234 0764544683 $49.99 February 2003 March 2004 $54.95 $50

Advertiser Index Global Knowledge Intense School LearnKey, Inc. www.global knowledge.com www.intenseschool.com www.learnkey.com/mcpsecurity Global Knowledge is a worldwide leader The Security Training Experts. 2003 Free Security Training CD. Sec+, CISSP, in IT education and offers over 31 Award Winners. SECUR. Hurry 50 only! hands-on security training courses.