Administrative Note

I am aware that comments aren't being posted until the next time I update this blog. This is a problem I'm looking into. I appreciate your patience and encourage you to continue commenting.



While talking with a friend tonight, the topic of CISSP certification came up. Lately I have been lamenting the loss of this certification as the most recent version of the MCSE. As many are probably aware, the MCSE was once an impressive credential showing one's proficiency in Windows, but grew to be nothing more than a few letters required by HR to get your foot in the door at large companies with draconian hiring policies. This was largely due to the poor experiences real Windows administrators had working with other "MCSEs" who knew nothing more than what was on their test. These less-proficient professionals became known as "paper" MCSEs - an MCSE on paper, but not in practice.

Once an identifier of dedicated security professionals, it seems that the CISSP is heading in the same direction. I make this statement from personal experience alone, and not from any empirical data, but I have had more negative experiences with people holding CISSPs than with those without. By "negative experiences," I'm referring to a serious lack of general InfoSec-specific skills, or a serious lack of practical implementation and use of such skills.

That being said, the CISSP is still a great way to get a foot in the door for InfoSec, or to round out a resume that might be light on security-specific experience. It's also a way to make it past the first round of cuts when looking for a job. It would be the perfect "next step" for recent college graduates, or IT professionals looking to specialize. But insofar as practical expectations are concerned, I've grown to become cautious of individuals who emphasize their CISSP certification as evidence of their own personal InfoSec prowess over other, more concrete achievements.


The changing face of the Industry

Recently, security giant Symantec bought Veritas, an enterprise backup software vendor. This is following the current trend of consolidation in the enterprise software market, but also marks another major progression I think we'll see more of: Security companies offering a range of software products, tied together at the enterprise level, that encompass the entire universe of information security. With this purchase, Symantec comes one step closer to being able to say that their products cover all your enterprise's needs in Confidentiality, Integrity, and Availability.

Confidentiality and Integrity are often seen as the cornerstones of information security, with "Availability" - backups, etc. - being treated as a totally different problem altogether. For a long time, this has made sense. Strategies involving confidentiality and integrity are very different from disaster recovery. However, in the current environment, being able to give executives immediate and, more importantly, meaningful statistics on an enterprise's complete security posture is a Good Thing (TM). It's only a matter of time before companies like Symantec are offering CIOs and CTOs an enterprise security dashboard on their desktops.



Not much has been afoot in the security industry that a million people haven't already commented on, such as the Lycos debacle, which is nicely summarized, including repercussions and fallout, on SecurityFocus by Mark Rasch. As a brief aside, I'd just like to comment that while civil suits might be a deterrent for future acts of "vigilantism", there really should be criminal repercussions as well.

I have a long article planned concerning the impending release of the 2004 OIG FISMA report (the 2003 report is available here). For those of you fortunate enough to not be bogged down with US Government bureaucracy, this is the report that assigns grades to, and evaluates the posture of, information security at all major US Government Agencies. My comments could apply to last year's report, but will be more timely with the release of 2004's report and have more meaning using updated statistics in examples. Free preview without spoilers: FISMA is good, but could easily be better.

One perennial story that's never gotten a whole lot of attention is the ongoing drama between a Las Vegas adult service operator and Sprint, the local phone company. The issue, in its most basic form, is a lawsuit by the adult service operator accusing Sprint of negligence and seeking damages for supposed lost business. He claims business was lost when hackers compromised Sprint's equipment and redirected calls to his competitors. When I first read about this story a few years ago, it was so sensational that I was hesitant to believe it. The accuser has strong "anecdotal evidence," and after following the story I don't believe it's that far-fetched. Virtually no one's equipment was secure in 1994. What's disturbing is the reason that it was dismissed in 2002: "Sprint's security is no better nor no worse than that of other telephone companies." Excuse me, come again? Just because everyone else had poor security doesn't make Sprint less liable. IANAL, so this may hold in a legal sense, but it's horrible logic. At the very least this case deserves some close technical scrutiny.

On a much more technical (and lighter) front, ISC handler Cory Altheide gets my InfoSec gold star for using the phrase "packet-fu" in a summary of the strange UDP packets some of us InfoSec folk have been seeing on the Internet the past week.

And, on a final note, Penn State is now recommending its users switch from Microsoft Internet Explorer to an alternate web browser that is more secure. I've been recommending this for months.


As a postscript, my apologies for getting this out so late. I had this article completed a number of days ago but technical difficulties prevented me from posting it until now.