Adding Security to MCSE

More to networks than security

Opinion Shiftless third-party prep courses have made MCSE certification less valuable. Is Microsoft's new security cert doomed to the same fate, asks Tim Mullen, SecurityFocus columnist.

When you and I consider the word "traffic," images of data packets and protocol streams inevitably spring to mind. However, the everyday users that we all support would undoubtedly have visions of slowly-moving automobiles in congested masses on our road systems-- agitated drivers honking their horns and exchanging vulgarities with gestures of digital impudicus as they attempt to travel from source to destination in utter frustration.

Many users experience the same level of desperation in their cubicles, as network traffic and other system issues impede their work flow. That is why it is critical to have your network infrastructure designed and implemented by someone who knows how to properly configure a Microsoft network.

And that is why Microsoft originally created the MCSE certification program: to design a metric by which one could measure the competence of a network engineer based on a standard of knowledge. Being an MCSE meant that you knew what you were doing, and you had applicable knowledge -- field skills - to get the job done.

So I've always been amused by those who criticize the certification on the grounds that no security training is covered. They are right -- the MCSE did not include security training, but it was not supposed to. The certification was for a "Microsoft Certified Systems Engineer," not a Security Engineer.

There is more to our networks than security. Yeah, I said it. I know; it's blasphemy. Burn me at the stake.

But it is true.

We have complex infrastructures that must be in constant communication. We need highly available servers and redundancy. We need clusters and failover systems. We need robust services.

The reality of our networks is that they have to work before we can worry about security. The most secure network is one that cannot pass any data; therefore, the most secure network has no worth. Today, there is a much richer market for people who can make a network work than for those who can make a network secure.

Yes, even post 9/11, people still want to get their jobs done. Companies may be spending more on security, but it is only within the context of a working network. Security is a critical part of an infrastructure design-- but is it only part of that design.

MCSE's Lost Luster

The debate over the MCSE and security reawakened last week when Microsoft announced it was augmenting the MCSE certification with some optional levels of security certification. Now an engineer can, for example, get an "MCSE: Security on Microsoft Windows 2000" cert.

The "optional" part bothers Alan Paller, director of the SANS Institute. In an editorial, Alan wrote that Microsoft's continued offering of MCSE credentials sans security training showed that they still did not "get it" when it came to security.

I disagree. I don't go to my favorite mechanic because he is a good driver. I go to him because he can make my truck run the way I want it to. Driving it correctly is up to me.

In conversation, Alan cited an incident where a government employee (an MCSE) opened up a NetBIOS share to the Internet. Okay, I guess that kind of thing happens more than I like to think. But is it Microsoft's fault that the guy was a moron? No. Does Glock put a sticker on the Model 10 saying "don't stick the bad end up your nose and pull the trigger thingy?" No. Both companies make quite reasonable assumptions about the competence of those who show up for the job.

But Alan made one good point: That we should expect a "baseline" level of security from someone -- anyone -- who is being trained on how to implement a given topology.

Fair enough. But I stand firm on my opinion that we can no longer blame Microsoft for the excruciatingly obvious mistakes made by dipsticks who don't bother to learn the most rudimentary aspects of security and who wear their MCSE certifications just under their tin foil hats.

In my view, the real problem with the MCSE is that it no longer means as much as it once did.

I have MCSE certifications -- both in NT and Win2k, separately. And getting them wasn't easy. Today, purveyors of "boot camps" and "get your cert today" snake-oil salesmen have cheapened the certification and weakened its status by teaching people how to pass tests instead of how to build networks.

Cheating today -- and I consider these courses a form of cheating -- makes it a cakewalk.

So I'm not certain how much value an added security certification will provide: there will be cheat-tests on the one side, and the "how can they test for something they know nothing about" comments on the other. But however slight it may be, the bar is being raised a little, and they might be enough to let traffic flow a bit smoother.

© SecurityFocus.com

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Sponsored: 5 critical considerations for enterprise cloud backup