TICSA: What's That You Say?
Richard Shanks reviews a new information security certification
from TruSecure.
by Richard Shanks
3/20/2002

| Item | Details |
|---|---|
| Exam | TruSecure ICSA Certified Security Associate |
| Vendor | TruSecure |
| Status | Live (currently available only in U.S. and Canada) |
| Reviewer's Rating | "I drew upon my experiences on the job far more often than I drew from the theoretical knowledge I'd learned in class, and that was a nice change from most standardized tests that I've taken." |
| Test Price | $295 (U.S.) |
| Who Should Take This Exam? | Systems administrators who meet the title's experience requirement (two years hands-on, or 48 hours of training). |
| Exam Details | 70 multiple-choice questions, standard format. 90-minute time limit. Registration available through Prometric. |
The TICSA is TruSecure Corporation's new foray into the personal certification world, and the first of its two planned information security certifications.
Notice that I said that the TICSA was TruSecure's first "personal certification," to which one might respond, "What other kind of certification is there?" Thank you for asking. The answer lies in the unraveling of the mystery behind the TICSA acronym, which stands for "TruSecure ICSA Certified Security Associate." Wait a second. You mean to tell me that the 'I' inside of TICSA stands for ICSA? That's right, the 'I' stands for ICSA Labs, an organization that TruSecure touts as being the "security industry's central authority for research, intelligence, and product certification for over a decade." ICSA Labs certifies anti-virus software, firewalls, IPSec products, and cryptography products based on how these products perform on the tests that ICSA Labs has devised. TruSecure is the parent corporation, and also publishes NTBugtraq and Information Security magazine. If that is more acronyms than you care to remember, think of it this way: at least they didn't name it the TICSACSA. Anyway…
TruSecure promotes the TICSA certification as one designed for systems administrators with experience in information security. TruSecure claims that the focus of the TICSA program is geared more toward practical security principles, as opposed to other security certifications, such as the CISSP, which have a very broad scope. In addition to passing a written examination, which we will focus on later in the article, a minimum experience or education requirement must be met. Applicants must possess two years of experience in information security, or show proof of attending at least 48 hours of information security education via seminar or training course. Once conferred, the certification is valid for a two-year period, during which the certified professional must attend 48 hours per year of approved conferences or educational seminars. Currently, Global Knowledge is TruSecure's exclusive certified training partner. The written examination is administered at Prometric testing centers at a cost of $295 (US), so it's worthwhile to be well prepared for the exam.
The exam is geared toward those who perform security work as part of their jobs, and the exam does a good job of testing those skills. The official 14 areas covered by the exam, provided by TruSecure, are as follows:
- Essential security practices vs. "best" security practices
- Risk Management fundamentals
- TCP/IP networking basics
- Firewall fundamentals
- Incident response and recovery practices
- Administration maintenance procedures
- Design and configuration fundamentals
- Malicious code mechanisms
- Law, ethics, and policy issues
- Authentication techniques
- Cryptography basics
- Host- vs. network-based security
- PKI and digital certificates basics
- Operating system security fundamentals
Because I come from a primarily network administration background, many of the areas covered on the test were familiar to me, such as TCP/IP, firewalls and operating system hardening. In my opinion, the exam goes beyond simple security principles, and requires knowledge that most people without a more extensive security background would probably not have. In my case, the areas that I felt I needed to improve upon were topics that I associated more with management, such as legal issues, risk management and change control procedures.
Because the exam requires the evaluation of situations and application of theoretical knowledge, cramming will probably not benefit you as much as usual. To put it simply, a solid understanding of a wide variety of security-related topics is the best approach. When it comes to understanding advanced networking concepts, fundamental knowledge of TCP/IP is crucial. I've stressed this point before, and I'll do so again: if you understand the way TCP/IP works, you will be miles ahead of those who do not.
For example, understanding how a SYN flood attack works requires an understanding of how TCP establishes connections. TCP uses what is called a three-way handshake to establish a connection. The client sends a packet with the SYN flag set, to which the server responds with a SYN/ACK packet, and the client then sends an ACK packet back to the server. When a SYN flood attack is executed, SYN packets are sent to the victim using spoofed (faked) source IP addresses. The victim sends the customary SYN/ACK packet to the faked address and waits for the corresponding ACK packet. Because the address was spoofed, the ACK never comes, and the victim must wait for the timeout period to expire. Each incomplete (half-open) connection takes up a slot in the service's queue, and once this queue is full, no more connection attempts are accepted. At this point, the service has effectively been shut down until the queue clears. If the SYN flood continues, the service stays unavailable for legitimate use.
This type of attack is, of course, called a denial of service (DoS) attack, which is also something to be familiar with if you plan on sitting the TICSA exam or pursuing a career in information security. By this point it should be obvious why understanding a SYN flood attack requires an understanding of TCP/IP and the three-way handshake, so learn the basics first!
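To make the queue mechanics concrete, here is an added simulation (not from the article or from TruSecure) of one listening service's half-open queue: a fixed backlog, a SYN that reserves a slot until the final ACK arrives, and a timeout that is the victim's only way of reclaiming slots. The backlog size, timeout, and the 192.0.2.x spoofed addresses are constructed values; the point it shows beyond the prose is the timing, i.e. a legitimate client is refused while the queue is full and succeeds again only after the timeout has freed the slots.

```python
"""Simulation of a TCP listen queue under a SYN flood (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    """Half-open (SYN_RECEIVED) queue for one listening service."""
    backlog: int                       # maximum number of half-open connections
    timeout: float                     # seconds the server waits for the final ACK
    pending: dict = field(default_factory=dict)   # client addr -> time its SYN arrived
    established: int = 0
    dropped: int = 0

    def expire(self, now: float) -> None:
        """Free slots whose timeout has elapsed (the victim's only relief)."""
        for addr, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[addr]

    def on_syn(self, addr: str, now: float) -> bool:
        """Handle a SYN: send SYN/ACK and reserve a slot, or drop it if the queue is full."""
        self.expire(now)
        if len(self.pending) >= self.backlog:
            self.dropped += 1
            return False
        self.pending[addr] = now       # SYN/ACK sent; waiting for the client's ACK
        return True

    def on_ack(self, addr: str, now: float) -> bool:
        """Handle the third handshake packet: move the connection to established."""
        self.expire(now)
        if addr not in self.pending:
            return False
        del self.pending[addr]
        self.established += 1
        return True


def half_open_ratio(q: ListenQueue) -> float:
    """Fraction of the backlog held by half-open connections; a value that
    stays near 1.0 is the symptom a monitoring rule would alert on."""
    return len(q.pending) / q.backlog


def run_flood_scenario(backlog=8, timeout=30.0, spoofed=8, flood_start=10.0) -> dict:
    q = ListenQueue(backlog=backlog, timeout=timeout)
    # Phase 1: a legitimate client completes the whole handshake
    q.on_syn("10.0.0.5", 0.0)
    q.on_ack("10.0.0.5", 0.1)
    # Phase 2: spoofed SYNs; the SYN/ACKs go to addresses that never answer
    for i in range(spoofed):
        q.on_syn(f"192.0.2.{i + 1}", flood_start + i * 0.01)
    ratio = half_open_ratio(q)
    # Phase 3: a legitimate client tries while the queue is full
    during = q.on_syn("10.0.0.6", flood_start + 1.0)
    # Phase 4: after the timeout the slots are freed and the client succeeds
    after = q.on_syn("10.0.0.6", flood_start + timeout + 1.0)
    if after:
        q.on_ack("10.0.0.6", flood_start + timeout + 1.1)
    return {
        "ratio_during_flood": ratio,
        "accepted_during_flood": during,
        "accepted_after_timeout": after,
        "established": q.established,
        "dropped": q.dropped,
    }


if __name__ == "__main__":
    print(run_flood_scenario())
```

Note that the attacker only has to send one small packet per slot, while the victim holds state for the whole timeout; that asymmetry is what makes the attack cheap and why real stacks shorten the retry timer or stop keeping per-SYN state under load.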
Another topic that warrants your attention is authentication. Authentication need not be limited to a username and password pair; it can include much more. Methods of authentication can easily be broken down into three categories:
- Methods that test something you know
- Methods that test something you have
- Methods that test something you are
The first and most common method tests your knowledge of a secret value, such as a password or personal identification number (PIN). This is the most commonly used method because it is inexpensive and requires no additional equipment. The down side to this type of authentication is that most passwords are poorly chosen, and once compromised, provide an easy way to bypass security.
Some methods of authentication test something that you have, such as a private key, smartcard or even a simple key. These devices typically provide for better protection than a password, but are more expensive to implement and are often lost.
A third method of authentication involves testing something that you are, such as retina scanning or fingerprinting. These methods are typically expensive to implement, but are generally considered more secure than the other methods. The best solution, if possible, is to combine two or more of these methods. Requiring a smartcard as well as a PIN forces an attacker to obtain both the physical device and the secret knowledge that form the two parts of the authentication scheme.
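The smartcard-plus-PIN combination described above, as an added example that is not code from the article or any vendor product: the "something you know" factor is a salted, slowly hashed PIN, and the "something you have" factor is a token that answers a fresh random challenge with an HMAC over a key it never reveals. The `AuthServer`, `Token`, user name and PIN are all constructed for the example. It goes a little beyond the text by showing why the challenge must be fresh: a response captured from one login is useless against the next.

```python
"""Two-factor check: something you know (PIN) plus something you have (a token).
Constructed example; the classes and names are hypothetical."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so a stolen verifier table is not trivially reversed
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class Token:
    """Stands in for a smartcard: holds a secret the server also knows and
    answers challenges without ever disclosing that secret."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.users = {}                       # username -> enrolment record

    def enroll(self, user: str, pin: str, token_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            "pin_hash": hash_pin(pin, salt),
            "token_key": token_key,
        }

    def new_challenge(self) -> bytes:
        # Fresh nonce per login attempt, so a captured response cannot be replayed
        return secrets.token_bytes(32)

    def verify(self, user: str, pin: str, challenge: bytes, response: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])
        expected = hmac.new(rec["token_key"], challenge, hashlib.sha256).digest()
        token_ok = hmac.compare_digest(expected, response)
        # Evaluate both factors before deciding, so the failure does not reveal which one was wrong
        return pin_ok and token_ok


def demo() -> dict:
    server = AuthServer()
    key = secrets.token_bytes(32)
    server.enroll("alice", "4921", key)             # constructed user and PIN
    real_card = Token(key)
    other_card = Token(secrets.token_bytes(32))     # the PIN leaked, but this is not Alice's card
    c = server.new_challenge()
    genuine_response = real_card.respond(c)
    return {
        "both_factors": server.verify("alice", "4921", c, genuine_response),
        "wrong_pin_right_card": server.verify("alice", "0000", c, genuine_response),
        "right_pin_wrong_card": server.verify("alice", "4921", c, other_card.respond(c)),
        "replayed_response": server.verify("alice", "4921", server.new_challenge(), genuine_response),
        "unknown_user": server.verify("bob", "4921", c, genuine_response),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the server stores a PIN verifier rather than the PIN, but must store the token key itself (HMAC needs it); in a real deployment that key would live in an HSM or be replaced by a public-key scheme so that a server compromise does not clone every card.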
Cryptography and public-key infrastructure (PKI) also play a vital role in information security, and should be understood by any security professional. Cryptography can be divided into two separate types, secret-key and public-key. Secret-key cryptography, such as DES, uses one key to encrypt and decrypt messages. As such, both parties must possess the key for communication between them to be successful. Because anyone with the key can decrypt the communications, the key must be kept secret. With public-key cryptography, two keys, a public key and a private key, are used to encrypt and decrypt messages. The mathematical relationship between the two keys is such that text encrypted by one key can only be decrypted using the other key, and vice versa. If Sue wants to send an encrypted message to Ron, Sue would encrypt the message using Ron's public key, which is freely available. Ron then decrypts the message using his private key, which is known only to him. Because Ron's private key is the only key that can decrypt a message that has been encrypted by his public key, Sue knows that only Ron can decrypt the message.
PKI can also be used to verify that the sender of a message is who he claims to be, using what is called a digital signature. If Ron wanted to send a message to Sue and make sure that she knew it came from him, he could encrypt the message with his own private key. Sue would then obtain Ron's public key from a certificate authority. If the public key decrypts the message successfully, Sue knows that the message came from Ron, because only Ron's public key can decrypt a message that was encrypted with his private key. In addition, because only Ron should know his private key, Ron cannot argue that the message did not come from him. This is referred to as nonrepudiation.
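The two Sue/Ron exchanges above (confidentiality with Ron's public key, and a signature made with Ron's private key) are easy to see in code with textbook RSA, so here is an added example that is not part of the article. It uses a deliberately tiny key pair built from the assumed primes 61 and 53 so that every number is readable; real keys are 2048 bits or larger and use padding, which this toy omits. The same modular exponentiation serves both directions; which key is used decides whether you are encrypting for Ron or checking something only Ron could have produced. The symmetric (DES-style) case is not shown.

```python
"""Toy RSA walk-through of public-key encryption and digital signatures.
Constructed example with an insecure 12-bit modulus; for illustration only."""
import hashlib

# Assumed key material (not from the article): two small primes
P, Q = 61, 53
N = P * Q                      # 3233, the modulus shared by both halves of the key pair
PHI = (P - 1) * (Q - 1)        # 3120
E = 17                         # public exponent
D = pow(E, -1, PHI)            # private exponent, E*D = 1 (mod PHI); works out to 2753
PUBLIC_KEY = (E, N)            # Ron publishes this
PRIVATE_KEY = (D, N)           # Ron keeps this to himself


def rsa_apply(x: int, key: tuple) -> int:
    """x^exponent mod n. Applying one key undoes what the other key did."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(x, exponent, n)


def encrypt(m: int, public_key: tuple) -> int:
    return rsa_apply(m, public_key)         # Sue encrypts with Ron's public key


def decrypt(c: int, private_key: tuple) -> int:
    return rsa_apply(c, private_key)        # only Ron's private key recovers m


def message_digest(msg: bytes, n: int) -> int:
    # Real schemes sign a hash of the message, not the message itself; reduced mod n to fit the toy key
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, private_key: tuple) -> int:
    # Ron "encrypts" the digest with his private key
    return rsa_apply(message_digest(msg, private_key[1]), private_key)


def verify(msg: bytes, signature: int, public_key: tuple) -> bool:
    # Sue "decrypts" the signature with Ron's public key and compares digests
    return rsa_apply(signature, public_key) == message_digest(msg, public_key[1])


def confidentiality_demo() -> dict:
    m = 65                                   # a small constructed plaintext block
    c = encrypt(m, PUBLIC_KEY)
    return {
        "ciphertext": c,
        "recovered_by_ron": decrypt(c, PRIVATE_KEY),
        "eavesdropper_with_public_key": rsa_apply(c, PUBLIC_KEY),   # not m
    }


def signature_demo() -> dict:
    msg = b"Transfer approved. Ron"
    sig = sign(msg, PRIVATE_KEY)
    return {
        "genuine": verify(msg, sig, PUBLIC_KEY),
        "tampered_message": verify(msg + b"!", sig, PUBLIC_KEY),
        "forged_signature": verify(msg, (sig + 1) % N, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(confidentiality_demo())
    print(signature_demo())
```

Nonrepudiation follows from the verify step: anyone holding the public key can check the signature, but only the private-key holder could have produced it, so Ron cannot later claim someone else sent the message unless his private key was exposed.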
In the TICSA exam FAQ, TruSecure states that the difference between their program and other security programs is that it "focuses on essential aspects of sound security implementation." They further specify that differentiating between "must dos" and best practices is integral to the TruSecure approach to security and risk management. I felt that this was the most difficult portion of the exam to prepare for, because I did not have a clear idea of the "TruSecure way." I found it hard to distinguish between what was absolutely necessary and what was just a really good idea in a given situation. Perhaps that kind of clarity comes with increased experience in the information security field. I was glad that I had taken the time to at least read over RFC 2196, the Site Security Handbook, and perhaps could have spent more time on it, in retrospect.
In preparation, I also attended two courses from Global Knowledge: Network Security and Firewall Administration and Designing Security Architectures. I used the course books for the exam, and feel that they were acceptable preparatory tools for certain areas, but do not cover all of the necessary material. I considered the courses themselves very informative, though the courses alone would not adequately prepare someone either. I drew upon my experiences on the job far more often than I drew from the theoretical knowledge I'd learned in class, and that was a nice change from most standardized tests that I've taken. I am of the opinion that experience should be a very valuable asset on exams that are supposed to measure that experience, and too often this is not the case. It is obvious that some thought was put into making this exam a reflection of practical experience, not simply memorization of book knowledge. That is not an easy feat, and one that some veteran vendors in the certification world have never achieved. For TruSecure to accomplish it on their first endeavor is commendable. 
Richard Shanks is a freelance writer and network administrator with the Houston Advanced Research Center.