SANS Blames MCSE Training for Spread of Code Red
8/15/2001 -- The SANS Institute is blaming the lack of security-focused training within the MCSE program for the spread of Internet worms like Code Red.
According to ComputerWorld, last week the SANS Institute sent out the following statement in an e-mail to its members: "One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security."
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," Alan Paller, director of the SANS Institute, told ComputerWorld for a story printed yesterday.
Microsoft, for its part, says the MCSE curriculum already covers patching the IIS vulnerability that Code Red exploits. "Code Red [is] a security vulnerability in IIS," said Dean Murray, Microsoft's director of courseware development. "Students in Course 2295 [Implementing and Supporting Microsoft Internet Information Services 5.0] go through the process of installing patches."
Suggesting that MCSEs lack security training runs counter to the top priority Microsoft set for its training and certification program, said Kris Vezina, group manager of content development for Microsoft's exams: "The fundamental basis for adding security to the MCSE track is a job task analysis we did in 1999...Security was the most important task [listed by MCSEs]."
To keep up with security vulnerabilities in its products, Microsoft issues its Security Bulletins by e-mail. To subscribe, and to get information on the Code Red patches currently available, go to http://www.microsoft.com/security/. -M.D. and B.N.
There are 52 user Comments for “SANS Blames MCSE Training for Spread of Code Red”
Page 5 of 6
8/24/01: Pickles the says:
I think what SANS was trying to say is that an MCSE should have enough smarts to go to http://windowsupdate.microsoft.com/ without having to hear an emergency announcement on CNN. Otherwise that MCSE might find him/herself working as a Tesco Supermarket cleaner and sometime warehouse! ... and I know you don't want that! :)
8/28/01: Johnny says:
Next week's SANS headline: GUNS DON'T KILL PEOPLE, MCSEs KILL PEOPLE
8/30/01: Eugene says:
I am an MCSE+I (soon to be only MCSE). I do not recall seeing anything in the Microsoft training materials concerning viruses, not that I think it should even be covered. Microsoft doesn't have a virus suite, so why would their certs reflect virus-protection knowledge? I am with a company that deploys McAfee TVD, and when I want information in regard to viruses etc. I contact McAfee, not Microsoft. If anyone wants to point fingers about virus security, then point them at the virus software vendors, who don't require any level of expertise to become a dealer or partner. Just my 2 cents.
9/1/01: ... says:
To say that the virus is the fault of a certain group of certified individuals is a bit much. However, the sad thing is, MCSE is nothing more than a title now, because just about anyone can be and is certified in some area of IT. Most people just see a salary posting and, possessing no computer knowledge at all, decide to go into the field. They take a training course for the exams in whatever cert they want to get, cram like a bitch, then pass. Then you sit them down in their job in front of a computer, expect them to function properly at their duties, and you get anything but. It's sad really. Perhaps they should add another certification for those who have to fix the screw-ups the other inexperienced certified techs make.
9/4/01: Anonymous says:
There are two issues at hand here. First is that Microsoft pushes fundamentally flawed software out the door and then "fixes" it with a storm of patches. Fine. It happens. The bigger issue, however, is that there is a false sense of security in the Microsoft world. It *IS* the fault of MCSEs for not patching their servers. PERIOD. There are vulnerabilities in the Unix world too. You know what we do? We fix them! We don't assume that a benevolent being is going to fix our problems for us. It is nothing like blaming doctors for flus and colds. It's more like blaming doctors for polio outbreaks because they didn't vaccinate patients. It's real simple: A PRODUCTION-LEVEL MACHINE MUST BE CONSTANTLY MONITORED AND UPDATED TO PREVENT SECURITY BREACHES. The really scary thing is that there are still a lot of machines out there propagating Code Red. An MCSE certification does not equal a good systems administrator, and it never will. However, by glossing over security-related issues in the certification materials, it only downplays the very real-world importance of the issue. This incoherent rant brought to you by the letter J.
9/7/01: Phil says:
MS software is much more highly visible than other web server software because of its availability and ease of use. There are glaring security vulnerabilities in Unix web servers if they are installed without updates, but they are not exploited as often, because the people supporting those systems are generally more conscious of these issues. The only sin committed by Microsoft is that Microsoft has designed IIS so that any idiot can install it, and any idiot has.
9/12/01: Thinking about says:
It is true that training is not competence. Holier-than-thou posturing by *ix bigots does not help. Time teaches, not finger-waving.
11/4/01: Map says:
SANS is insanely anti-Microsoft, and probably laughably thinks that Solaris and Linux are secure OSs. Get off the soap box, pleeeeez! SANS is as neutral as myself, an MCSE.
1/26/02: Abe G. P. from Illinois says:
Although I agree that many MCSE-certified "professionals" out there don't know what they are doing at all, I don't believe that it is entirely their fault for not knowing how to secure the networks or systems that they are in charge of. There are many of us professionals who do not go for the white papers, due to the prior noted facts. Yet I would suggest that many training sites require more than just basic knowledge of a system and an understanding of how to configure a network. I have been working in the security field as a professional longer than many of my "certified" associates, and although I don't possess any more certs, I am still ahead of those who are, due to my continuing study of the programs and testing of systems. Many of the MCSEs that the above unduly note are limited in their job functions due to company policies. But I acknowledge that many people are just too lazy to continue their study of the field. I conducted surveys lately, and many people who are MCSE certified have received their qualifications by "brain-dumping". Also I have found that many of them were certified many months ago without ever updating their knowledge of the field in which they work. On the other hand, I have found that to be true of all certifications, including many associates holding certs even from Cisco. But as a defense for all certified professionals, I have found that it has mainly been the company that employs them that is most at fault. As with my own current situation, I found security flaws both in code and programs within our network, yet my employers just keep stating that it doesn't concern our networks unless we contract a virus or our system is breached, etc. Thus, businesses don't care about security, even when we point out faults months in advance. It isn't always the individual's fault, yet the certifications should include standard procedures for IT security issues within their courses. That I do agree with.
Yet, take this fact into account: 54% of all individuals who have taken MCSE, and even Cisco, certification exams and passed are not working in any field related to IT. As a security specialist, also investigate this fact as well: "87% of all individuals who have taken a course in IT, IS, and/or programming languages can NOT tell you most of the answers to many of the most common occurrences that they may face in their job functions or related field of study, after a year of attaining a degree or certification."
4/7/02: Anonymous says:
If Microsoft certification means nothing in England, why would Costa be continuing on that track?