Adding Security to MCSE

More to networks than security

  • alert
  • submit to reddit

Build a business case: developing custom apps

Opinion Shiftless third-party prep courses have made MCSE certification less valuable. Is Microsoft's new security cert doomed to the same fate, asks Tim Mullen, SecurityFocus columnist.

When you and I consider the word "traffic," images of data packets and protocol streams inevitably spring to mind. However, the everyday users that we all support would undoubtedly have visions of slowly-moving automobiles in congested masses on our road systems-- agitated drivers honking their horns and exchanging vulgarities with gestures of digital impudicus as they attempt to travel from source to destination in utter frustration.

Many users experience the same level of desperation in their cubicles, as network traffic and other system issues impede their work flow. That is why it is critical to have your network infrastructure designed and implemented by someone who knows how to properly configure a Microsoft network.

And that is why Microsoft originally created the MCSE certification program: to design a metric by which one could measure the competence of a network engineer based on a standard of knowledge. Being an MCSE meant that you knew what you were doing, and you had applicable knowledge -- field skills - to get the job done.

So I've always been amused by those who criticize the certification on the grounds that no security training is covered. They are right -- the MCSE did not include security training, but it was not supposed to. The certification was for a "Microsoft Certified Systems Engineer," not a Security Engineer.

There is more to our networks than security. Yeah, I said it. I know; it's blasphemy. Burn me at the stake.

But it is true.

We have complex infrastructures that must be in constant communication. We need highly available servers and redundancy. We need clusters and failover systems. We need robust services.

The reality of our networks is that they have to work before we can worry about security. The most secure network is one that cannot pass any data; therefore, the most secure network has no worth. Today, there is a much richer market for people who can make a network work than for those who can make a network secure.

Yes, even post 9/11, people still want to get their jobs done. Companies may be spending more on security, but it is only within the context of a working network. Security is a critical part of an infrastructure design-- but is it only part of that design.

MCSE's Lost Luster

The debate over the MCSE and security reawakened last week when Microsoft announced it was augmenting the MCSE certification with some optional levels of security certification. Now an engineer can, for example, get an "MCSE: Security on Microsoft Windows 2000" cert.

The "optional" part bothers Alan Paller, director of the SANS Institute. In an editorial, Alan wrote that Microsoft's continued offering of MCSE credentials sans security training showed that they still did not "get it" when it came to security.

I disagree. I don't go to my favorite mechanic because he is a good driver. I go to him because he can make my truck run the way I want it to. Driving it correctly is up to me.

In conversation, Alan cited an incident where a government employee (an MCSE) opened up a NetBIOS share to the Internet. Okay, I guess that kind of thing happens more than I like to think. But is it Microsoft's fault that the guy was a moron? No. Does Glock put a sticker on the Model 10 saying "don't stick the bad end up your nose and pull the trigger thingy?" No. Both companies make quite reasonable assumptions about the competence of those who show up for the job.

But Alan made one good point: That we should expect a "baseline" level of security from someone -- anyone -- who is being trained on how to implement a given topology.

Fair enough. But I stand firm on my opinion that we can no longer blame Microsoft for the excruciatingly obvious mistakes made by dipsticks who don't bother to learn the most rudimentary aspects of security and who wear their MCSE certifications just under their tin foil hats.

In my view, the real problem with the MCSE is that it no longer means as much as it once did.

I have MCSE certifications -- both in NT and Win2k, separately. And getting them wasn't easy. Today, purveyors of "boot camps" and "get your cert today" snake-oil salesmen have cheapened the certification and weakened its status by teaching people how to pass tests instead of how to build networks.

Cheating today -- and I consider these courses a form of cheating -- makes it a cakewalk.

So I'm not certain how much value an added security certification will provide: there will be cheat-tests on the one side, and the "how can they test for something they know nothing about" comments on the other. But however slight it may be, the bar is being raised a little, and they might be enough to let traffic flow a bit smoother.

© SecurityFocus.com

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation. Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story


Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.