News
SANS Blames MCSE Training for Spread of Code Red
8/15/2001 -- The SANS Institute is blaming the lack of security-focused training within the MCSE program for the spread of Web viruses like Code Red.
According to ComputerWorld, last week the SANS Institute sent out the following statement in an e-mail to its members: "One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security."
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," Alan Paller, director of the SANS Institute, told ComputerWorld for a story printed yesterday.
Microsoft says that, on the contrary, lack of training and information is what's allowing the virus to spread. "Code Red [is] a security vulnerability in IIS," said Dean Murray, Microsoft's director of courseware development. "Students in Course 2295 [Implementing and Supporting Microsoft Internet Information Services 5.0] go through the process of installing patches."
To suggest that MCSEs are lacking in security training goes against the number one priority of Microsoft's goals for its training and certification program, said Kris Vezina, group manager of content development for Microsoft's exams: "The fundamental basis for adding security to the MCSE track is a job task analysis we did in 1999...Security was the most important task [listed by MCSEs]."
To keep up with security vulnerabilities in Microsoft's products, Microsoft issues its Security Bulletin via e-mail. To subscribe to the security bulletin and get information on Code Red patches currently available, go to http://www.microsoft.com/security/. -M.D. and B.N.