Adding Security to MCSE

More to networks than security

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Opinion Shiftless third-party prep courses have made MCSE certification less valuable. Is Microsoft's new security cert doomed to the same fate, asks Tim Mullen, SecurityFocus columnist.

When you and I consider the word "traffic," images of data packets and protocol streams inevitably spring to mind. However, the everyday users that we all support would undoubtedly have visions of slowly-moving automobiles in congested masses on our road systems-- agitated drivers honking their horns and exchanging vulgarities with gestures of digital impudicus as they attempt to travel from source to destination in utter frustration.

Many users experience the same level of desperation in their cubicles, as network traffic and other system issues impede their work flow. That is why it is critical to have your network infrastructure designed and implemented by someone who knows how to properly configure a Microsoft network.

And that is why Microsoft originally created the MCSE certification program: to design a metric by which one could measure the competence of a network engineer based on a standard of knowledge. Being an MCSE meant that you knew what you were doing, and you had applicable knowledge -- field skills - to get the job done.

So I've always been amused by those who criticize the certification on the grounds that no security training is covered. They are right -- the MCSE did not include security training, but it was not supposed to. The certification was for a "Microsoft Certified Systems Engineer," not a Security Engineer.

There is more to our networks than security. Yeah, I said it. I know; it's blasphemy. Burn me at the stake.

But it is true.

We have complex infrastructures that must be in constant communication. We need highly available servers and redundancy. We need clusters and failover systems. We need robust services.

The reality of our networks is that they have to work before we can worry about security. The most secure network is one that cannot pass any data; therefore, the most secure network has no worth. Today, there is a much richer market for people who can make a network work than for those who can make a network secure.

Yes, even post 9/11, people still want to get their jobs done. Companies may be spending more on security, but it is only within the context of a working network. Security is a critical part of an infrastructure design-- but is it only part of that design.

MCSE's Lost Luster

The debate over the MCSE and security reawakened last week when Microsoft announced it was augmenting the MCSE certification with some optional levels of security certification. Now an engineer can, for example, get an "MCSE: Security on Microsoft Windows 2000" cert.

The "optional" part bothers Alan Paller, director of the SANS Institute. In an editorial, Alan wrote that Microsoft's continued offering of MCSE credentials sans security training showed that they still did not "get it" when it came to security.

I disagree. I don't go to my favorite mechanic because he is a good driver. I go to him because he can make my truck run the way I want it to. Driving it correctly is up to me.

In conversation, Alan cited an incident where a government employee (an MCSE) opened up a NetBIOS share to the Internet. Okay, I guess that kind of thing happens more than I like to think. But is it Microsoft's fault that the guy was a moron? No. Does Glock put a sticker on the Model 10 saying "don't stick the bad end up your nose and pull the trigger thingy?" No. Both companies make quite reasonable assumptions about the competence of those who show up for the job.

But Alan made one good point: That we should expect a "baseline" level of security from someone -- anyone -- who is being trained on how to implement a given topology.

Fair enough. But I stand firm on my opinion that we can no longer blame Microsoft for the excruciatingly obvious mistakes made by dipsticks who don't bother to learn the most rudimentary aspects of security and who wear their MCSE certifications just under their tin foil hats.

In my view, the real problem with the MCSE is that it no longer means as much as it once did.

I have MCSE certifications -- both in NT and Win2k, separately. And getting them wasn't easy. Today, purveyors of "boot camps" and "get your cert today" snake-oil salesmen have cheapened the certification and weakened its status by teaching people how to pass tests instead of how to build networks.

Cheating today -- and I consider these courses a form of cheating -- makes it a cakewalk.

So I'm not certain how much value an added security certification will provide: there will be cheat-tests on the one side, and the "how can they test for something they know nothing about" comments on the other. But however slight it may be, the bar is being raised a little, and they might be enough to let traffic flow a bit smoother.

© SecurityFocus.com

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.