Information Security News mailing list archives

Microsoft MCSE training faulted


From: InfoSec News <isn () c4i org>
Date: Tue, 14 Aug 2001 04:57:42 -0500 (CDT)

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO63028,00.html

Lack of focus on security in professional training seen as factor in
spread of viruses

By DAN VERTON 
August 13, 2001

IT professionals and trainers are blaming insufficient security
training offered under the nationwide Microsoft Certified Systems
Engineer program for contributing to the spread of Code Red and other
damaging viruses.

In an e-mail newsletter sent out last week to its 96,000 members, the
Bethesda, Md.-based SANS Institute, a research and education
organization for systems administrators, urged MCSEs to take a free
class offered by the institute on how to reconfigure and patch
Windows-based systems against the vulnerabilities exploited last month
by the Code Red worm. The core courses required to attain MCSE
certification don't provide the level of security training engineers
need to protect their systems, according to SANS Institute officials
and other industry experts.

MCSE trainers and students contacted by Computerworld last week said
they agree with the organization. Most noted that while basic security
is covered as part of the Microsoft Official Curriculum for MCSE
certification, in-depth security training is optional and not a core
requirement.

The shortfalls in MCSE training are "one of the root causes of lax
security in the private sector," said Keith Morgan, chief of
information security at Terradon Communications Group LLC, a Nitro,
W.Va.-based network security services company.

"Every MCSE that comes through our door has to be quizzed on his level
of security understanding," said Morgan. "Most of them have to be
trained in even the most basic of security principles. It costs us
time and money."

MCSEs design, install, support and troubleshoot information systems
based on Microsoft Corp. software.

Alan Paller, director of the SANS Institute, said the recent outbreak
of the Code Red worm, which took advantage of vulnerabilities in
Microsoft's Internet Information Services (IIS) software and a
misconfiguration in the Internet Server Application Interface (ISAPI),
is a perfect example of how MCSE training falls short.

"It is a situation where MCSEs had no idea that there is a fundamental
vulnerability in IIS and ISAPI mapping and so had no way to protect
their systems other than after-the-fact patching," said Paller.

"One of the saddest dimensions of information security is that
hundreds of thousands of people earned MCSE certifications without
being required to demonstrate any competence in security," stated the
SANS newsletter.

Robert Stewart, general manager of training certification at
Microsoft, countered that each of the four core classes required for
MCSE certification covers various aspects of security.

"There are definitely items and sections of the core exams that focus
on security," said Stewart. In fact, the Windows 2000 Server
administration course includes a "pretty big piece on security," he
said. "And you can't pass through the gate and become an MCSE without
passing it."

MCSE students are required to take five core exams on how to
configure, design and administer a Windows 2000 network. (Windows 2000
certification replaced NT certification this year.) However, of the
four core design courses offered, only one is geared specifically
toward security - and it's optional.

"There's nothing specific on security," said Bob Hillary, vice
president of academic affairs and chairman of the IS department at New
Hampshire Community Technical College, a major MCSE training center,
in Portsmouth. "It's not that MCSE training is without security, but
it's an elective. Just as they have an 'MCSE plus I' for their
Internet certifications, they should have an 'MCSE plus S' for
security," said Hillary.

Although the in-depth security course is an elective, Stewart said,
the fact that Microsoft has designed a specific course on security
demonstrates the company's commitment.

MCSE training is conducted by dozens of private service providers
throughout the country. Microsoft, through its training Web site,
"makes no warranties or representations with regard to their
services."

Terry Lewis, an MCSE training instructor at Emergent Technologies Inc.
in Reston, Va., agreed that security training is "very basic" and
should be enhanced. However, to do that, the five-day core courses
would have to be lengthened, he said.

"In Microsoft's defense, I don't think that in a certification
training environment you can teach the in-depth subject of security,"
said Lewis. "Should there be more security? Absolutely. Is there any
time that can be thrown out of the current courses and devoted to
security? No."

ISN is currently hosted by Attrition.org