SANS Blames MCSE Training for Spread of Code Red
8/15/2001 -- The SANS institute is blaming the lack of security-focused training within the MCSE program for the spread of Web viruses like Code Red.
According to ComputerWorld, last week the SANS institute sent out the following statement in an e-mail to its members: "One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security."
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," Alan Paller, director of the SANS institute, told ComputerWorld for a story printed yesterday.
Microsoft says that, on the contrary, lack of training and information is what's allowing the virus to spread. "Code Red [is] a security vulnerability in IIS," said Dean Murray, Microsoft's director of courseware development. "Students in Course 2295 [Implementing and Supporting Microsoft Internet Information Services 5.0] go through the process of installing patches."
To suggest that MCSEs are lacking in security training goes against the number one priority of Microsoft's goals for its training and certification program, said Kris Vezina, group manager of content development for Microsoft's exams: "The fundamental basis for adding security to the MCSE track is a job task analysis we did in 1999...Security was the most important task [listed by MCSEs]."
To keep up with security vulnerabilities in Microsoft's products, Microsoft issues its Security Bulletin via e-mail. To subscribe to the security bulletin and get information Code Red patches currently available, go to http://www.microsoft.com/security/. -M.D. and B.N.
|
There are 52  user Comments for “SANS Blames MCSE Training for Spread of Code Red”
|
|
Page 4 of 6
|
| 8/17/01: Rocky says: |
If companies would implement policies prohibiting their IT people from carrying cell phones and pagers, then hire people and train them to manage their networks and prohibit them from calling their manager when there is a problem, networks would not only be more secure but would function better as well. Too many problems are being "solved" over the phone by too many self-important, "indispensible" people. |
| 8/17/01: Arthur says: |
I'm a self taught electronic technician/programmer since 1971. I have been using MS programming tools and Operating Systems to support clients ever since 1983. In my view, anybody who really has a desire to excel in any field of endeavor, should take responsibility for making sure that an OS and/or web server is really secure. Don't expect ANY computer hardware or software to work as claimed. You have to run tests. The fact is that whether you fully analyze IIS or the latest version of Apache, you will always find hackers that will occassionally get through ALL security measures that ANYONE can take. The Internet by definition is NOT even close to secure. If you want better security don't settle for placing your trust in ANY software company....do your homework...research...testing. And you might want to use an OS that allows you to make your own changes to it....and that provides better security features from the ground up...Linux. Even Linux however, is not secure at all unless you use it intelligently. That means LOTS of homework. The biggest problem we face is that we actually believe all the hype coming from M$ and many other sources...when will we learn to stop listening to it and start testing? |
| 8/17/01: Alan C. says: |
SANS admitted a month ago that their site www.sans.org was hacked. They found this a humbling experience and set out to build a model hardened site. Admirable but the site is still not back up. |
| 8/17/01: Don says: |
Sounds like the down economy has hit SANS in the "butt". Like a the Jenny Jones Show, SANS is taking to the limit. I'm shocked at such an accusation. Not just because I'm an MCSE , but because its a bunch of bull. I didn't get my MCSE to become a developer, nor a software winnie. If I'm able to fine a bug or hole, I report it. If I fine a patch on MS site, I install it. I don't have the time to test every app for bugs or holes. Come on SANS, you're strecting real bad.........we're better than that and you are to. |
| 8/17/01: Alan C says: |
Correction to my previous post. www.sans.org seem to have come back up today. |
| 8/19/01: Ray says: |
SANS is definitely wrong! I'm an MCSE and thankfully I subscribe to many security bulletins and pay close attention to the security patches. My company takes security seriously ! ALL of the many MCSE's that I know and work with do too. |
| 8/22/01: K says: |
If sounds like SANS thinks Microsoft should require their MCP candidates to be subscribed to all the available security bulletins in order to receive and maintain certs. Even if they did this, there is no guarantee that everyone would actually READ the bulletins or bother to download and install patches or make configuration changes, unfortunately. I think the fault lies more with companies not REQUIRING their IT people to be all over security in order to keep their jobs. Then there is the whole other issue of Joe Home User with his DSL or broadband connection setting up machines and not having a clue how to administrate them properly (which includes hardening the machine). In that scenario, you can make a beef with MS that IIS should not be part of a default install, but other than that -- SANS is out of line. |
| 8/22/01: Bob says: |
Microsoft continues to ignore regressive secruity testing in favor of shipping Operating Systems quickly. They continue to use the automobile model of how many law suits vs. how much profit, etc. I have been in the Information Technology business since the birth of the IBM 1401 mainframe and I have been subjected to many security schemes and testing models in my career as a software engineer. To say Microsoft doesn't have the time or money to perform this type of testing is short sighted and just plain stupid. Wake up! It's all about profit margin and time to market. The type of testing I am referring to has been conducted by IBM for many years with great success. Try to do damage to a locked down AIX or MVS/XA system and you won't get pass the security portal. Some of the most bullet proof Web and Application servers run in this environment. So if you want the web on the cheap use Microsoft OS'es and be subject to every simpleton security problem on the planet. You get what you pay for in this life..... With computer security cheap is dangerous! SANS is correct about Microsoft OS'es and I support their position completely on this subject. |
| 8/23/01: Muhammad says: |
I like mcse course most interest so future planning helpfully thank |
| 8/24/01: ThatONEdude says: |
I do believe that Microsoft should cover security more in depth in the MCSE training. MS has the security exam as an elective for people who need to FOCUS on security. I don't know how your organization works, but in mine, everyone plays their role. There is a group for network connectivity, a group for servers, a group for workstations...so on. A GROUP FOR SECURITY.... Now if the people who's primary responsibility is the security of the network are not doing their job, you have a problem. These people may or may not be MCSE. If you work in a mixed environment (as I do), some of these people handle mainframe, some unix, some MS and on and on again. Make sure that those guys know their role and do it. Do not blame MS for poor security, blame your security policy (or lack of one) for it. This patch was available for over a month when all this sh** hit the fan. Anyone who is responsible for security should have know this. If they did not, maybe whoever in management who oversees that the security gurus do their job should look for someone else????? |
First Page Previous Page Next Page Last Page
|
|
|
|
