SANS Blames MCSE Training for Spread of Code Red
8/15/2001 -- The SANS institute is blaming the lack of security-focused training within the MCSE program for the spread of Web viruses like Code Red.
According to ComputerWorld, last week the SANS institute sent out the following statement in an e-mail to its members: "One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security."
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," Alan Paller, director of the SANS institute, told ComputerWorld for a story printed yesterday.
Microsoft says that, on the contrary, lack of training and information is what's allowing the virus to spread. "Code Red [is] a security vulnerability in IIS," said Dean Murray, Microsoft's director of courseware development. "Students in Course 2295 [Implementing and Supporting Microsoft Internet Information Services 5.0] go through the process of installing patches."
To suggest that MCSEs are lacking in security training goes against the number one priority of Microsoft's goals for its training and certification program, said Kris Vezina, group manager of content development for Microsoft's exams: "The fundamental basis for adding security to the MCSE track is a job task analysis we did in 1999...Security was the most important task [listed by MCSEs]."
To keep up with security vulnerabilities in Microsoft's products, Microsoft issues its Security Bulletin via e-mail. To subscribe to the security bulletin and get information Code Red patches currently available, go to http://www.microsoft.com/security/. -M.D. and B.N.
|
There are 52  user Comments for “SANS Blames MCSE Training for Spread of Code Red”
|
|
Page 1 of 6
|
| 8/15/01: Bill says: |
HOW IS A LACK OF TRAINING THE CAUSE OF THE SPREAD OF A VIRUS DUE TO A MAJOR BUG IN A SOFTWARE PRODUCT. SANS BETTER SCREW THEIR HEADS ON AND LEARN THE DIFFERENCE BETWEEN LACK OF TRAINING AND BUGGY SOFTWARE |
| 8/15/01: Stone says: |
IIS is not buggy, it is just fundamentally unsecure. Security WAS never MS's big concern - ease of use and features were. I hope the delayed Blackcomb will have a fundamentally different engine that like Unix, provides high-level security from the ground. |
| 8/15/01: F (don't ask for the full word please) says: |
I am using windows 2000 and the thing crashes on me all the time. The moral of this line is? Windows still needs some growing up to do. The problem here is that the operating system grew overnight, and to compound the problem Bill Gate tries to incorporate all rival products into the one operating system at once. Now you can draw, take pictures, play music, compress you disk and expand your memory, and then finally confute. Imagine a medical doctor; say a general practitioner doing your teeth, your feet at the same time, if you are not careful you might end up with a foot and mouth disease. When you experience a series of serious problems and you heart is in your mouth, the same knows-it-all doctor criticises you saying you're not a good patient. I truly think that an operating system should be an operating system rather than trying to be all things at the same time. |
| 8/15/01: Vince says: |
And there must be an MCSE standing next to every web server at every company and every home installation of IIS that's sending the Code Red worm? If corporations hired MCSE's more often then I would start to agree. Until then, we'll blame the food supermarket cleaners? I know - MCSD's are the blame for faulty software because of course there is an MCSD with every Microsoft compiler. Let me know when we can blame those Cisco certifieds for something - power outages? As far as Windows growing up, it is, the patch for this was released several weeks ago. Maybe the blame is a sad human out there trying to wreak havoc or sell more anti-virus software. Naw... We should blame it on someone else. |
| 8/15/01: Carl says: |
I think what is even more to blame is the companies themesleves, especially the government. I have been supporting commercial and government clients for ever 6 years now. Most of the time, my hands are so tied when it comes to security that I have left jobs over it. "If it ain't fix, don't break it" is a poor attitude many non-technical (and unfortunately) technical people have. Even in May, I was told I couldn't apply appropriate security updates and patches, or even try to enforce documented and "local" security policies despite the clear threats from China. I mean come one, most people get what they ask for. If you have stupid people making stupid decisions, what more can you want? Well, for me, I got a pink slip for trying to "enlighten" people. So to each their own. |
| 8/15/01: E. says: |
It's true that MS never was concerned much about security and also MCSE do not have to know much about security to get their certs... but I think security depends on everyone, not just on MS. If you want to know more about your system, you can get plenty of informations everywhere. If you want to know more about security, there are a lot of mailing lists, books and websites... problem is that most administrators and company simply don't care!!! |
| 8/16/01: Frick says: |
I teach MCSE courses, and have for some time. Vulnerabilities like the one exploiyed by Code Red are something I have been teaching about for some time. I thought everyone who ran these services took extensive technical training (NOT!). The real source of the problem is people who think that a feature rich product like Windows NT or Windows 2000 can contain several million limes of code and have no flaws whatsoever, and who don't pay attention when new vulnerabilities are discovered and patches made available. I subscribe to several security mailing lists, and NONE of my servers were affected by the worm. It isn't the OS that's to blame, it's the lack of proactive action on the part of those responsible for the decisions to not implement security patches, or in some cases, the lack of awareness that such patches exist. Microsoft has been pushing its security newsletter for many years, if you don't subscribe, they can't notify you of patches. |
| 8/16/01: Kai says: |
1) The MCSE can be earned, from scratch, in about 3 months. The simple fact is that MCSE training doesn't amount to very much by itself. A lot of MCSE's, of course, have plenty of other training, particularly those MCSE's who have primary responsibility for networks. 2) It's pure semantics to say that IIS is not buggy, it's just "fundamentally unsecure". IIS is a web server -- security is, or should be, a fundamental part of its operation. Moreover, I've been on MS's security list for the past two years, and barely a week goes by that I don't receive one or two notifications of a new IIS security vulnerability. MS's decision to put II$ on the market was not based on the software. In all fairness to MS, most of these notifications come with notices of patches. 3) Sorry to hear about your problems, costa. I don't know the employment situtation in England very well, but I think blaming your problems on racism is hopeless (I'm not saying it doesn't exist). You must find a way to deal with it; to do what you can to control the situation despite the factor that you can't control (racism). Good luck. |
| 8/16/01: Casual says: |
Based on the text of Costa's posting, I think he might be a victim of the myth of "Certification alone = Big Money". I currently have a MCSE, CNE and a CCNA, but I don't expect to be hired on those alone. I have 20 years experience in this industry, and there are still lots of jobs I am under-qualified for. I think his employment problem is more likely related to his level of personal communication skills and professionalism. |
| 8/16/01: IdeaGuy says: |
I would like to know what type of security training SANS believes would have avoided this issue. I don't think it's fair to expect every MCSE to reverse engineer their operating system and check for bugs in the code. It is the responsiblity of the software manufacturer to check the code for holes and patch them. It's the Network Admin's responsibility to make sure he keeps his software updated with the latest patches/bug fixes, and that his infrastructure is secure. |
First Page Next Page Last Page
|
|
|
|
