Adding Security to MCSE

More to networks than security

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Opinion Shiftless third-party prep courses have made MCSE certification less valuable. Is Microsoft's new security cert doomed to the same fate, asks Tim Mullen, SecurityFocus columnist.

When you and I consider the word "traffic," images of data packets and protocol streams inevitably spring to mind. However, the everyday users that we all support would undoubtedly have visions of slowly-moving automobiles in congested masses on our road systems-- agitated drivers honking their horns and exchanging vulgarities with gestures of digital impudicus as they attempt to travel from source to destination in utter frustration.

Many users experience the same level of desperation in their cubicles, as network traffic and other system issues impede their work flow. That is why it is critical to have your network infrastructure designed and implemented by someone who knows how to properly configure a Microsoft network.

And that is why Microsoft originally created the MCSE certification program: to design a metric by which one could measure the competence of a network engineer based on a standard of knowledge. Being an MCSE meant that you knew what you were doing, and you had applicable knowledge -- field skills - to get the job done.

So I've always been amused by those who criticize the certification on the grounds that no security training is covered. They are right -- the MCSE did not include security training, but it was not supposed to. The certification was for a "Microsoft Certified Systems Engineer," not a Security Engineer.

There is more to our networks than security. Yeah, I said it. I know; it's blasphemy. Burn me at the stake.

But it is true.

We have complex infrastructures that must be in constant communication. We need highly available servers and redundancy. We need clusters and failover systems. We need robust services.

The reality of our networks is that they have to work before we can worry about security. The most secure network is one that cannot pass any data; therefore, the most secure network has no worth. Today, there is a much richer market for people who can make a network work than for those who can make a network secure.

Yes, even post 9/11, people still want to get their jobs done. Companies may be spending more on security, but it is only within the context of a working network. Security is a critical part of an infrastructure design-- but is it only part of that design.

MCSE's Lost Luster

The debate over the MCSE and security reawakened last week when Microsoft announced it was augmenting the MCSE certification with some optional levels of security certification. Now an engineer can, for example, get an "MCSE: Security on Microsoft Windows 2000" cert.

The "optional" part bothers Alan Paller, director of the SANS Institute. In an editorial, Alan wrote that Microsoft's continued offering of MCSE credentials sans security training showed that they still did not "get it" when it came to security.

I disagree. I don't go to my favorite mechanic because he is a good driver. I go to him because he can make my truck run the way I want it to. Driving it correctly is up to me.

In conversation, Alan cited an incident where a government employee (an MCSE) opened up a NetBIOS share to the Internet. Okay, I guess that kind of thing happens more than I like to think. But is it Microsoft's fault that the guy was a moron? No. Does Glock put a sticker on the Model 10 saying "don't stick the bad end up your nose and pull the trigger thingy?" No. Both companies make quite reasonable assumptions about the competence of those who show up for the job.

But Alan made one good point: That we should expect a "baseline" level of security from someone -- anyone -- who is being trained on how to implement a given topology.

Fair enough. But I stand firm on my opinion that we can no longer blame Microsoft for the excruciatingly obvious mistakes made by dipsticks who don't bother to learn the most rudimentary aspects of security and who wear their MCSE certifications just under their tin foil hats.

In my view, the real problem with the MCSE is that it no longer means as much as it once did.

I have MCSE certifications -- both in NT and Win2k, separately. And getting them wasn't easy. Today, purveyors of "boot camps" and "get your cert today" snake-oil salesmen have cheapened the certification and weakened its status by teaching people how to pass tests instead of how to build networks.

Cheating today -- and I consider these courses a form of cheating -- makes it a cakewalk.

So I'm not certain how much value an added security certification will provide: there will be cheat-tests on the one side, and the "how can they test for something they know nothing about" comments on the other. But however slight it may be, the bar is being raised a little, and they might be enough to let traffic flow a bit smoother.

© SecurityFocus.com

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.