[ISN] Microsoft MCSE training faulted

From: InfoSec News (isnat_private)
Date: Tue Aug 14 2001 - 02:57:42 PDT


    Lack of focus on security in professional training seen as factor in spread of viruses
    August 13, 2001
    IT professionals and trainers are blaming insufficient security
    training offered under the nationwide Microsoft Certified Systems
    Engineer program for contributing to the spread of Code Red and other
    damaging viruses.
    In an e-mail newsletter sent out last week to its 96,000 members, the
    Bethesda, Md.-based SANS Institute, a research and education
    organization for systems administrators, urged MCSEs to take a free
    class offered by the institute on how to reconfigure and patch
    Windows-based systems against the vulnerabilities exploited last month
    by the Code Red worm. The core courses required to attain MCSE
    certification don't provide the level of security training engineers
    need to protect their systems, according to SANS Institute officials
    and other industry experts.
    MCSE trainers and students contacted by Computerworld last week said
    they agree with the organization. Most noted that while basic security
    is covered as part of the Microsoft Official Curriculum for MCSE
    certification, in-depth security training is optional and not a core
    The shortfalls in MCSE training are "one of the root causes of lax
    security in the private sector," said Keith Morgan, chief of
    information security at Terradon Communications Group LLC, a Nitro,
    W.Va.-based network security services company.
    "Every MCSE that comes through our door has to be quizzed on his level
    of security understanding," said Morgan. "Most of them have to be
    trained in even the most basic of security principles. It costs us
    time and money."
    MCSEs design, install, support and troubleshoot information systems
    based on Microsoft Corp. software.
    Alan Paller, director of the SANS Institute, said the recent outbreak
    of the Code Red worm, which took advantage of vulnerabilities in
    Microsoft's Internet Information Services (IIS) software and a
    misconfiguration in the Internet Server Application Interface (ISAPI),
    is a perfect example of how MCSE training falls short.
    "It is a situation where MCSEs had no idea that there is a fundamental
    vulnerability in IIS and ISAPI mapping and so had no way to protect
    their systems other than after-the-fact patching," said Paller.
    "One of the saddest dimensions of information security is that
    hundreds of thousands of people earned MCSE certifications without
    being required to demonstrate any competence in security," stated the
    SANS newsletter.
    Robert Stewart, general manager of training certification at
    Microsoft, countered that each of the four core classes required for
    MCSE certification covers various aspects of security.
    "There are definitely items and sections of the core exams that focus
    on security," said Stewart. In fact, the Windows 2000 Server
    administration course includes a "pretty big piece on security," he
    said. "And you can't pass through the gate and become an MCSE without
    passing it."
    MCSE students are required to take five core exams on how to
    configure, design and administer a Windows 2000 network. (Windows 2000
    certification replaced NT certification this year.) However, of the
    four core design courses offered, only one is geared specifically
    toward security - and it's optional.
    "There's nothing specific on security," said Bob Hillary, vice
    president of academic affairs and chairman of the IS department at New
    Hampshire Community Technical College, a major MCSE training center,
    in Portsmouth. "It's not that MCSE training is without security, but
    it's an elective. Just as they have an 'MCSE plus I' for their
    Internet certifications, they should have an 'MCSE plus S' for
    security," said Hillary.
    Although the in-depth security course is an elective, Stewart said,
    the fact that Microsoft has designed a specific course on security
    demonstrates the company's commitment.
    MCSE training is conducted by dozens of private service providers
    throughout the country. Microsoft, through its training Web site,
    "makes no warranties or representations with regard to their
    Terry Lewis, an MCSE training instructor at Emergent Technologies Inc.
    in Reston, Va., agreed that security training is "very basic" and
    should be enhanced. However, to do that, the five-day core courses
    would have to be lengthened, he said.
    "In Microsoft's defense, I don't think that in a certification
    training environment you can teach the in-depth subject of security,"
    said Lewis. "Should there be more security? Absolutely. Is there any
    time that can be thrown out of the current courses and devoted to
    security? No."
