Adding Security to MCSE

More to networks than security

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Opinion Shiftless third-party prep courses have made MCSE certification less valuable. Is Microsoft's new security cert doomed to the same fate, asks Tim Mullen, SecurityFocus columnist.

When you and I consider the word "traffic," images of data packets and protocol streams inevitably spring to mind. However, the everyday users that we all support would undoubtedly have visions of slowly-moving automobiles in congested masses on our road systems-- agitated drivers honking their horns and exchanging vulgarities with gestures of digital impudicus as they attempt to travel from source to destination in utter frustration.

Many users experience the same level of desperation in their cubicles, as network traffic and other system issues impede their work flow. That is why it is critical to have your network infrastructure designed and implemented by someone who knows how to properly configure a Microsoft network.

And that is why Microsoft originally created the MCSE certification program: to design a metric by which one could measure the competence of a network engineer based on a standard of knowledge. Being an MCSE meant that you knew what you were doing, and you had applicable knowledge -- field skills - to get the job done.

So I've always been amused by those who criticize the certification on the grounds that no security training is covered. They are right -- the MCSE did not include security training, but it was not supposed to. The certification was for a "Microsoft Certified Systems Engineer," not a Security Engineer.

There is more to our networks than security. Yeah, I said it. I know; it's blasphemy. Burn me at the stake.

But it is true.

We have complex infrastructures that must be in constant communication. We need highly available servers and redundancy. We need clusters and failover systems. We need robust services.

The reality of our networks is that they have to work before we can worry about security. The most secure network is one that cannot pass any data; therefore, the most secure network has no worth. Today, there is a much richer market for people who can make a network work than for those who can make a network secure.

Yes, even post 9/11, people still want to get their jobs done. Companies may be spending more on security, but it is only within the context of a working network. Security is a critical part of an infrastructure design-- but is it only part of that design.

MCSE's Lost Luster

The debate over the MCSE and security reawakened last week when Microsoft announced it was augmenting the MCSE certification with some optional levels of security certification. Now an engineer can, for example, get an "MCSE: Security on Microsoft Windows 2000" cert.

The "optional" part bothers Alan Paller, director of the SANS Institute. In an editorial, Alan wrote that Microsoft's continued offering of MCSE credentials sans security training showed that they still did not "get it" when it came to security.

I disagree. I don't go to my favorite mechanic because he is a good driver. I go to him because he can make my truck run the way I want it to. Driving it correctly is up to me.

In conversation, Alan cited an incident where a government employee (an MCSE) opened up a NetBIOS share to the Internet. Okay, I guess that kind of thing happens more than I like to think. But is it Microsoft's fault that the guy was a moron? No. Does Glock put a sticker on the Model 10 saying "don't stick the bad end up your nose and pull the trigger thingy?" No. Both companies make quite reasonable assumptions about the competence of those who show up for the job.

But Alan made one good point: That we should expect a "baseline" level of security from someone -- anyone -- who is being trained on how to implement a given topology.

Fair enough. But I stand firm on my opinion that we can no longer blame Microsoft for the excruciatingly obvious mistakes made by dipsticks who don't bother to learn the most rudimentary aspects of security and who wear their MCSE certifications just under their tin foil hats.

In my view, the real problem with the MCSE is that it no longer means as much as it once did.

I have MCSE certifications -- both in NT and Win2k, separately. And getting them wasn't easy. Today, purveyors of "boot camps" and "get your cert today" snake-oil salesmen have cheapened the certification and weakened its status by teaching people how to pass tests instead of how to build networks.

Cheating today -- and I consider these courses a form of cheating -- makes it a cakewalk.

So I'm not certain how much value an added security certification will provide: there will be cheat-tests on the one side, and the "how can they test for something they know nothing about" comments on the other. But however slight it may be, the bar is being raised a little, and they might be enough to let traffic flow a bit smoother.

© SecurityFocus.com

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Beginner's guide to SSL certificates

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Hikvision devices wide open to hacking, claim securobods
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.