SANS Blames MCSE Training for Spread of Code Red
8/15/2001 -- The SANS institute is blaming the lack of security-focused training within the MCSE program for the spread of Web viruses like Code Red.
According to ComputerWorld, last week the SANS institute sent out the following statement in an e-mail to its members: "One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security."
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," Alan Paller, director of the SANS institute, told ComputerWorld for a story printed yesterday.
Microsoft says that, on the contrary, lack of training and information is what's allowing the virus to spread. "Code Red [is] a security vulnerability in IIS," said Dean Murray, Microsoft's director of courseware development. "Students in Course 2295 [Implementing and Supporting Microsoft Internet Information Services 5.0] go through the process of installing patches."
To suggest that MCSEs are lacking in security training goes against the number one priority of Microsoft's goals for its training and certification program, said Kris Vezina, group manager of content development for Microsoft's exams: "The fundamental basis for adding security to the MCSE track is a job task analysis we did in 1999...Security was the most important task [listed by MCSEs]."
To keep up with security vulnerabilities in Microsoft's products, Microsoft issues its Security Bulletin via e-mail. To subscribe to the security bulletin and get information Code Red patches currently available, go to http://www.microsoft.com/security/. -M.D. and B.N.
|
There are 52  user Comments for “SANS Blames MCSE Training for Spread of Code Red”
|
|
Page 3 of 6
|
| 8/16/01: Anonymous says: |
I'm an MCSE who monitors mail lists, MS security alerts, etc. and had my web servers patched well before Code Red Worm began spreading. No I didn't learn about doing this in any MS course or exam...anyone who thinks you learn everything you need to know in a MS course or by passing an exam is a complete MORON! SANS is simply trying to sell their training by blaming MCSEs. Has anyone done an analysis to see if MCSEs were responsible for ANY of the Code Red Worm infections? The Code Red Worm infected servers owned by certified and uncertified administrators! Get real...SANS should apologize to all the MCSEs (and non-MCSEs) who take security seriously. |
| 8/17/01: Jarrod says: |
When are people going to stop putting the blame on somebody else. The only people making money in this economy are the people finding the solutions. Stop wasting energy blaming others. Create solutions. |
| 8/17/01: anonymous says: |
To say that a virus spreading is down to lack of security training in MCSE is like saying colds and flu spreading are the Doctors fault. We can't stop virus writers and viruses spreading but we sure as hell protect our systems, servers and users! SANS apologise!!! MCSE certified person! (Oh and BTW person who says the English are racist? Don't blame that for you not getting a job. It isn't true in IT, IT is global. Maybe it time to check your atitude!) |
| 8/17/01: RD says: |
I'm a MCSE+I and I've passed SANS GIAC Security Essentials certification. Yes, security was mentioned in the MCSE material that I studied for NT/Exchange/Proxy Svr, but it was more of a side bar than a complete topic. In the Win2K materials, security is covered more but you still are not required to pass the security course to get your MCSE. I learned more about Windows NT security at the SANS course than in studying for all of the MS exams I've passed so far. |
| 8/17/01: Casey W says: |
I can't see how certifications even come into play. All it takes is someone who is even remotely interested in their job. Just read the email, and download the patch. You can of course go farther and get more in-depth, but to resolve the issue, it only takes a quick patch. How can one person be more prepared for that then someone else? |
| 8/17/01: Craig says: |
It is definitely not the fault of MCSE's for the spread of this virus. It is all of the people who have set up IIS without any training. I have to tell you that there are a lot of them out there. Because Microsoft products are so easy to install and configure, anybody thinks they can set something up and not worry about it. |
| 8/17/01: Do says: |
Obviously, the part of MCSE training which emphasizes NOT applying security patches is to blame here. I am sure that SANS has a utility which can determine which websites are administered by MCSEs and then correlate that to which webservers are infected with CodeRed. The people to blame are those who do not pay any attention to security updates. I have never had any SANS training, but somehow I manage to subscribe to several security bulletins and apply needed patches when they are issued. SANS is blowing a lot of hot air trying to sell their services. Their opinions are about as unbiased as Microsoft's... |
| 8/17/01: Don says: |
ideaguyannonymous hit the nail on the head here. Every MCSE can't be expected to dig into the code and find bugs and security holes. They can, and should, be expected to apply appropriate patches as they become available. I can't believe the whining people do about Microsoft. The Microsoft curriculum covers security pretty well. Is it "in depth" - no, it's not. If you want to become a security expert additional training is necessary. But every network manager can't be expected to be a security "expert" and frankly, every security expert shouldn't be a network manager. |
| 8/17/01: Anonymous says: |
Dear Costa - just having a certification and no experience (or communications skills) does not entitle you to a job, or avan make you a good candidate. Your race is not a factor, your skills, education and experience are factors. Pushing a mop is not a required skill in most (not all!) IT shops. I'm so tired of people blaming racism for not getting a hand out... |
| 8/17/01: Trellph says: |
HAHAHAHAHHA. I know people with MCSE's that don't even know that you need to install an application after downloading it. I don't think it's a problem with "Security in Training", but a more threatening point. People take the course in 4 or 5 days, take the simple test and get thier cert, if they don't get the cert they get thier money back. Now the way I see that, if a company is going to promise you getting the cert, they will ONLY feed you the 411 to pass the test. MCSE to me means jack, I have only met one person that has thier MCP or MCSE that actually knew what they were talking about. Anyways if you want a server, run BSD or Linux. |
First Page Previous Page Next Page Last Page
|
|
|
|
