Becoming the Consummate Certified Security Professional
Security certs won't guarantee employment, but they can help you establish
your credentials.
by Roberta Bragg
11/15/2000
Is there a serious shortage of information technology professionals? In the
information security world the answer is a resounding "Yes!" According to the SANS Institute, an organization dedicated to network security, complete novices
are being thrust into the position of security analyst and charged with
keeping the nation's Web sites and corporate infrastructure safe. In fact, Stephen
Northcutt, who founded the Global Incident Analysis Center, led the Naval Surface
Warfare Center's Shadow Team, and served as the Information Warfare Officer
at the Ballistic Missile Defense Organization, claims that "…fewer than one in
20 security professionals has the competence and foundation knowledge [on a
comparable level with their duties]."
Because of the growing need for security professionals, the popularity of security
certifications is growing as well. However, there's no magic certification to
prepare you should you find yourself in the situation described above; real-world
ability and a strong grounding in a broad range of information are still what
count most. Even so, several security certifications reflect these
values, and for those who are experienced, they can help you solidify your knowledge
base and stand out from among your peers.
Before delving into all the security certs out there, it's important to understand
the types available. Security certs tend to fall into one of two categories:
product and industry. Product certifications show that you've studied a particular
product and know enough to pass an exam provided by its manufacturer. Some of
these certifications tend to be directed toward partners (read: "sales outlets")
of the companies that sponsor them. If you work for a partner or use these security
products, see if you qualify to take the certification exam. It probably won't
land you another job, but it can't hurt.
Industry certifications tend to be a bit broader. They're usually driven by
a need to acknowledge the mastering of a commonly recognized body of knowledge
in a particular field. Most industry certifications emphasize experience before
examination and require some form of continuing education.
With all of the above in mind, let's take an in-depth look at a number of viable
certification options available for security professionals.
Product-Related Security Certifications
Check Point Certified Security Administrator or Engineer
Check Point Software Technologies (www.checkpoint.com),
makers of the network security product FireWall-1, offers two levels of security
administration certification for this product: Check Point Certified Security
Administrator (CCSA) and Check Point Certified Security Engineer (CCSE).
The first level is the Check Point Certified Security Administrator (CCSA).
According to the company, a CCSA understands FireWall-1 and can install and
set up simple configurations. To become a CCSA, you'll first need to choose
a track: FireWall-1 4.0 or FireWall-1 2000. Each track consists of one exam,
offered through certified testing centers. Check Point also offers training
classes. Before attending such a class, Check Point recommends that you have
working knowledge of Unix or Windows, network technology, Internet communications
and TCP/IP, as well as three months' experience with the product. Benefits of
the CCSA include three free technical support incidents and access to SecureNet,
a technical reference knowledge base.
Once you've obtained the CCSA, to add weight to it go for Check Point Certified Security
Engineer (CCSE), intended for engineers who manage multiple FireWall-1 systems.
You're expected to attend the class, "Advanced FireWall-1 Management." Here
you learn how to implement sophisticated security requirements for enterprise
networking. The company also recommends you take "VPN-1 for the Security Professional."
You must have CCSA certification and one year's experience with VPN-1/FireWall-1
to obtain the CCSE. Pass the exam and gain two support incidents during the
first year after certification and access to SecureNet. A different version
of each is available for FireWall-1 4.0, 4.1 and 2000.
Certification exams and titles exist for other Check Point products, specifically,
Certified Network Traffic Engineer (FloodGate-1) and Certified Infrastructure
Engineer (Meta IP). Certified professionals are expected to keep up with exams
on new product releases or they'll be considered retired professionals.
Cisco Certified Network Professional (CCNP) Security Specialization
Cisco Systems recently announced a security specialization option
for its CCNP designation. If you're already a CCNP, you can obtain this specialization
by passing one additional exam, Managing Cisco Network Security (#640-442).
According to Cisco's Web site, the exam focuses on building and maintaining
Cisco security solutions, including standalone firewall products and IOS software
features. Cisco offers an optional training course for preparing for this exam.
Microsoft Windows 2000 Security Exam
In July Microsoft introduced a new exam: Designing Security for a
Microsoft Windows 2000 Network (#70-220). This exam can serve as the required
design course or as an elective for the premium Microsoft Certified Systems
Engineer (MCSE) certification. While this exam focuses on security in Win2K,
it encompasses security design rather than taking a step-by-step approach to
using the security features of Win2K. For more information see http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-220.
Industry Certifications
Certified Information Systems Security Professional (CISSP) and Systems
Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium's
(ISC2) Certified Information Systems Security Professional (CISSP) certification
covers the broadest area of knowledge of all the security certifications discussed
in this article.
The CISSP exam consists of 250 multiple-choice questions covering 10 test domains.
These domains are:
Access Control Systems & Methodology
Computer Operations Security
Cryptography
Application & Systems Development
Business Continuity & Disaster Recovery Planning
Telecommunications & Network Security
Security Architecture & Models
Physical Security
Security Management Practices
Law, Investigations & Ethics
You're given six hours to complete the exam.
Before you can sit the exam, you must subscribe to the ISC2 Code of Ethics
and have three years of direct work experience in one or more of the 10 test
domains. Examples of qualifying individuals are IS auditors, consultants, vendors,
investigators, and instructors who require IS security knowledge and the direct
application of that knowledge. The exam fee is $450 and exams are held at international
locations periodically throughout the year.
Recertification is required every three years. It's obtained by earning 120
Continuing Professional Education credits.
ISC2 also offers a Systems Security Certified Practitioner (SSCP) designation.
While the CISSP program certifies IT professionals who are responsible for developing
the information security policies, standards, and procedures and managing their
implementation across an organization, the SSCP program certifies network and
systems administrators who implement those policies, standards, and procedures
on the various hardware and software programs for which they are responsible.
Like the CISSP, it requires adherence to a code of ethics and a minimum amount of hands-on
experience. However, it requires passing two exams: one core and one specialty.
If you register before January 2001, you can take the core exam at this year's
price: $150.
Certified Information Systems Auditor
The Information Systems Audit and Control Association (http://www.isaca.org/cert1.htm)
sponsors the Certified Information Systems Auditor certification, in existence
since 1978. This designation is often sought by IS audit, control and security
professionals.
To obtain certification, you must:
Pass the CISA exam.
Adhere to the ISACA's Code of Professional Ethics.
Submit evidence of five years of professional information systems auditing,
control or security work experience.
The four-hour exam consists of 200 multiple-choice questions. It is offered
only in June. The exam is comprehensive, covering:
Auditing standards and practices
Security and control practices
IS strategies, policies, procedures and management practices
IS hardware and software platforms
Network and telecommunications
Data validation, development, acquisition and maintenance
To get a taste, try the 25-question sampler at http://www.isaca.org/examsamp.htm.
Maintaining certification requires continuing education hours and fees.
SANS GIAC Certification
To meet the needs of budding security professionals, the SANS Organization
(http://www.sans.org/infosecFAQ/index.htm) offers the GIAC Security
Essentials Certification via both Web-based instructions and a conference-based
program. Instruction covers information assurance fundamentals, IP concepts
and behavior, Internet threats, anti-virus tools, security policies, password
management and cracking, PGP, cryptography, and Windows NT and UNIX security-related
topics. For Level One GIAC certification, you must pass an examination and complete
a practical. The practical is an Internet-based research paper on a hack, hacker,
exploit, vulnerability, attack or other important security information. The best
papers are published on the Web site (http://www.sans.org/y2k/GSEC.html).
GIAC training is not just for newbies: SANS also offers Level Two GIAC training
and certification in the following specialties:
Certified Intrusion Analyst
Certified Advanced Incident Handler and Hacker Exploits
Certified Firewall Analyst
Certified UNIX Security Analyst
Certified Windows Security Analyst
While these are not currently available via the Web, they are offered during
GIAC and SANS conferences. Demonstration of hands-on mastery of the material
as well as an examination is required. You also can become a GIAC Security Engineer
by being certified as an honors student in at least two Level Two certification
programs and completing a "sudden death" exercise.
Broader Is Better
By now you know that knowledge and ability should always count
more than paper titles. Sometimes, though, you need to have both. No matter
the security designation you choose (or any certification in general, for that
matter), seek out one that reflects your real-world abilities by emphasizing
broad industry knowledge and experience. In this way, you'll help ensure the
value of your hard-won designation for a long time to come.
What's your take on security certifications? Post your comments below.
Roberta Bragg, MCSE, MCT, CISSP, runs her company, Have Computer Will Travel Inc.,
out of a notebook carrying case. She's an independent consultant specializing
in security, operating systems and databases. She is a contributing editor for
Microsoft Certified Professional magazine. You can reach her at freouwebbe@msn.com.
There are 15 user Comments for “Becoming the Consummate Certified Security Professional”
12/6/00: Anonymous says:
Soon there will be certifications for just knowing how to turn on a computer. This is a joke. It's the industry's attempt to cash in on the paper certification craze that made other industry segments rich without actually producing many people of any real value. If you really, truly want to learn security, become a CCIE. The knowledge you will gain of networking will do you far better in network security than learning about passwords and hacks.
12/11/00: Teji says:
Oh! Yeah... I think certification has been abused by many people. It doesn't mean SH*T anymore.
1/11/01: Anonymous says:
Certifications only show the employer that you have at least the basic knowledge; performance is another matter. Experience is the greatest educator.
2/26/01: JT says:
Paper people have killed me!!! The only real way to learn is good old OJT. Anyone can read and take a test, but if you do not know how to do it, then what good are you?
3/27/01: Ken says:
I can see by all the anonymous posts and their content that some don't recognize the simple concept of professionalism. If the comments were worth posting, it would have brought them credibility if a name had been posted with them. I would tend to agree that the industry is getting a bit "certification" crazy, but some of the certifications do carry weight and value. Just becoming a CCIE does not necessarily make a person the best security professional. That would sound like it is coming from purely a network security professional who has no experience with the broader scope of the security profession. I would assume that all the other comments are made by people that are not certified and, based on their comments, probably don't have the experience or qualifications it takes to become security certified, hence creating their negative viewpoint. There is some truth to cashing in; some of the certifications are making the associated companies lots of money. The only ones I know of that are vendor and profit organization independent are the CISSP and the recent SSCP. To me that gives them an added level of credibility because they are vendor neutral and are maintaining a high level of certification requirements to obtain and to maintain.
3/29/01: Ms. X says:
I am enthused about the IT labor shortage and the IT certifications. I plan to get as many as I can plus build my experience with a reputable work ethic in this field. I resent the uninformed ignorance of blasting certifications. This is the way to the future. Lead, follow or get the hell out of the way!
7/17/01: Nathan says:
The anonymous folks do have a point. And I believe the Information Security certification organizations are listening. Experience, continuing education and a solid testing program will maintain the respect these certifications deserve. Certifications are necessary, they open doors. What happens after you are through the door is dependent on your abilities. I have learned to take pride in my CISSP. It is recognized and respected in the industry. If you are an experienced Information Security professional and need to put some kick into your career, I would strongly recommend looking into the CISSP.
8/8/01: Anonymous says:
There is another certification which could be very useful: the Security track of Certified Internet Webmaster (CIW - Security Track). Site: ciwcertified.com
9/20/01: mar says:
"Experience is the name people give to their mistakes." - Oscar Wilde.
Certifications give you the concepts of how the real things work. You cannot act on something you don't know. There is nothing wrong with certification; rather, it hastens your understanding of particular products, which you then apply in your job.
11/6/01: Anonymous says:
Nowadays being certified has lost some of its luster. With boot camps sprouting up all over the place promising to make a student an MCSE in a matter of days, it is just crazy. To me they just tell you how to pass the tests. Experience is a must in this field. Having the certs along with experience makes for a well-rounded I.T. professional. On the other hand, in today's tough economy having some basic certs (MCP, CNA, A+, Network+ etc.) will sometimes give you an edge to get your foot in the door and show a potential employer that you have laid the necessary foundation for the higher-level certifications.