Events such as the recent MSBlaster worm, the DOS attack against Microsoft.com, and the Sobig virus have raised the awareness of security. The recent problems have also driven IT teams, security specialists and company management to work to make their organizations as secure as possible from the multitude of security risks.
The Internet has provided an amazing infrastructure for connecting people to other people and businesses. It has also provided a playground for the attacker. The importance of good security seemingly increases by the day. Alongside growing organizational awareness of security issues, the demands on security specialists and IT teams mount. How can companies keep up and stay ahead of the attackers?
The problem with security is that the odds are in favor of the attacker. All the attacker has to do is to find one way in - the defender has to defend against all of attacks. As IT solutions get ever more complex, the skills required to ensure IT solutions are well defended become ever more important and valuable. And because of the importance of security, it's important that the right people are fully trained in how to design and deliver a secure IT environment.
As I look around, I see several different approaches to training security. Like any popular technology, we see some players who have been around for some time as well as many companies just getting onto the security bandwagon with their offerings. At an individual course level, some of these offerings are very good - but it seems to me that none of the ones I've seen have an underlying structure. Additionally, much of the training courses tended to focus on IT security - the security of the products you buy from vendors such as Microsoft (e.g. Exchange, Windows), IBM (AIX), and others.
However, there is no one approach to security training. To really train people in both the fundamentals of security, and the specifics of Information Technology security, you need to operate on several separate dimensions simultaneously. Security, and security training, is about people, technology and processes. With security only as strong as the weakest link, you must ensure you address fully these key areas. Only a holistic approach to security training will ensure you have every aspect of security covered.
The Three Dimensions to Security Training
Security training can be viewed in three dimensions:
- Security breadth - security is, or should be, a part of every business process in every organization. Staff at all levels need general security awareness - and this training needs to reinforce their day to day job roles.
- IT Security - modern IT systems are complex, combining sophisticated software and hardware. Securing modern IT systems is, likewise, a complex business, involving an understanding of security features and functions provided by the components that make up the system.
- Security Certification - some staff need to become certified as a condition of employment. For others, certification helps demonstrate the acquisition of skills and knowledge. Having staff with certified skills can provide additional assurance that security matters are being addressed using both the latest techniques and proved best practices.
Security In Breadth
This dimension recognizes that security is a part of everything an organization does. Every interaction with every supplier or customer has a security implication:
- Is the customer really who they say they are? How do you know the person on the phone really is the person they are claiming to be? Could they be engaging in social engineering?
- Does the customer have the authority (and the ability) to pay for the item they are ordering, or the rights to make a change to an order? Even if you know who you are talking to, do they have the authority to order or change an existing order?
- Will the supplier deliver your order in the right way, at the right time? How can you be certain that what the voice at the end of the phone tells you?
While we probably do not like having to ask these questions each time a customer calls, there is a risk to the business if these questions do not get asked (and answered). Companies need to educate staff, both inside the IT department and outside. They also need to ensure that their business practices have been reviewed with respect to security. The STRIDE Model, for example can be used to analyze the security of a system in particular the potential vulnerabilities. STRIDE gets you to look at 6 separate aspects of a solution for security problems:
S - Spoofing Identity
T - Tampering with Data (affecting data integrity)
R - Reputability
I - Information Disclosure
D - Denial of Service
E - Elevation of Privilege
The STRIDE model is relatively straightforward, but the IT staff needs training in how to use this model as part of the design and development process. And there needs to be a hearts and minds understanding that security matters.
In developing breadth training courses, we try to get an organization's Human Resources group involved. This helps to ensure that all the normal HR concerns are factored into the training program and that security violations are clearly dealt with in the same way as other violations of terms of employment. With Internet law still not an exact science, HR needs to ensure that security issues are dealt with in accordance to existing and evolving employment and data protection legislation.
Getting the HR group involved also helps to ensure that new joiners are given all the necessary security training as part of the induction process. Almost more importantly, it helps to ensure that when someone leaves (whether voluntarily or under less happy circumstances), all necessary security steps have been taken to ensure that no damage can be done by the departing employee.
IT Security and the associated training is another important dimension to broad security training. It looks as the specific security issues arising form the IT systems being used and developed. This level of training is focused primarily on the IT department.
IT Security Training can be broken down to three Levels as follows:
- Managing IT Security - Managing the security of an organization's IT estate requires both awareness of legal and external factors and a good understanding of the technologies you are using and deploying. External factors, such as Data Protection legislation, the Basle II accord, etc, all impact heavily on the IT manager. As companies become legally liable for compliance, IT managers need short sharp courses to bring them up to speed on all these issues. Managing IT Security requires both some understanding of the external constraints such as data protection legislation, requirements of corporate governance, etc, as well as technology, people and processes that you will use to develop your solution.
- Securing what we build and buy - IT solutions these days are complex, consisting of sophisticated hardware and large applications suites. You need to be able to design a secure solution that is based on components from many vendors. Most IT solutions are built of a combination of vendor products, possibly extended or augmented by in-house developments. It's vital you understand how to design a secure solution based on a variety of components and how you can secure the individual components. Exchange 2003, for example now supports traditional client access (i.e. Outlook), web access (Outlook Web Access) and smart phone access. If you are designing a messaging solution, each of these different approaches gives rise to security issues, and tasks to do. To date, most vendors concentrate on just their products, leaving the customer to manage the integration.
- Securing what we deploy - Once you've built a solution, you have to deploy and operate it. It's all fine and well building a secure solution, but it has to remain secure as the users and customers start using it. Ultimately, you need to ensure that once you deploy a business solution, it remains secure. This often involves training of the Operation staff, both in the underlying technologies (i.e. Exchange, Windows, etc) and in how your solution was developed and deployed.
The third dimension of security training relates to security certification. To be certified, you need to pass an exam to demonstrate mastery of a subject, both in terms of knowledge of the subject area and the skills to use that knowledge effectively.
Security certification has become a big business over the past few years, with many competing certification schemes. The underlying concept of these schemes is that you take tests to prove your knowledge and skill. The argument goes that someone certified is more productive and is therefore both a better hire and worth more to your organization.
Sadly, this has given rise to both paper certification (where people just buy or download an exam cram package, memories answers to pass the tests) and certification schemes that seem more attuned to making money for the scheme's owner than anything else. Certainly, these problems have hurt the credibility of this argument, especially as far as certifications such as Microsoft's MCSE is concerned. But there are some creditable schemes out there that can help you to determine staff skill levels.
Another problem that many companies face is retention of skilled (certified) staff, especially those who the company has helped to get certified. It's common to hear of someone who has worked for company A while getting his MCSE then leaves to join company B for much more money. This makes some organizations less interested in investing in certification of any type.
But by and large, reputable schemes can help you to identify the security knowledge and skills needed to secure your organization.
There are two separate streams of security certification you might consider:
- Vendor neutral certification - these programs are meant to be broadly based and are independent of a specific vendor. A great example of this type of certification is the CompTIA Security+ exam.
- Vendor certifications - some vendors have a long history of high grade certification, particularly Cisco, with its CCIE certification. It would appear that many vendors are jumping onto the security certification bandwagon, offering their own certification programs. The latest example of this is the MCSE: Security (MCSE:S) and MCSA: Security (MCSA:S) certifications from Microsoft.
Many companies do encourage staff to pursue the certification scheme appropriate to their job roles. All staff working in an IT department, for example, should be certified to at least the level of Security+, the vendor-neutral foundation security certification.
For companies using predominately Microsoft software, consider certifying existing MCSE or MCSA holders to the MCSE:S and MCSA:S level. This can help to ensure they are up to speed on key security issues relating to Microsoft software.
Security training involves understanding the business, the technology and the tools, people and processes involved in developing and operating complex business systems. By looking at this training requirement in multiple dimensions, businesses can ensure they get the right training in the most comprehensive way.
First you should understand and address your breadth security needs. The training you provide should support the overall needs of your organization. Once you have a clear idea of the needs of the organization, you can begin to plan your security training approach.
Thomas Lee is Chief Technologist for QA.