Certification is just the start. Real professionals learn to share with others of like mind, says Mark Fischer
One of the key responsibilities of any security professional is to keep up to date on the potential threats to the organization. By the time attacks are detected by their firewall, intrusion detection system or log files, it is often too late.
Training and certification are part of the answer in preparing the true professional against future threats. But to stay really up to date, you need to build a network of people and information sources.
There are many informal opportunities for companies to share IT security information about recent attacks, new products, or solutions to common problems. Professional organizations, business associations, and educational events are all valuable information-sharing venues.
Companies can learn about new attacks or vulnerabilities that have not been publicly discussed, enabling them to better defend themselves. They can also benefit from the experiences of others in dealing with security-related technologies, products, vendors, and consultants. Reference to a good consultant can save a company thousands of dollars in fees.
Professional organizations and other security-related gatherings are also fertile areas for recruiting additional staff for a company's security organization. Company employees can identify and assess potential new hires in a natural, non-threatening environment.
There are a number of professional organizations for information security practitioners. Typically, these are either national or international organizations with local chapters that meet on a regular basis.
The Information Systems Security Association (www.issa.org) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.
ISSA has 71 chapters in 31 countries and advertises itself as "the largest international, not-for-profit association specifically for security professionals." Most chapters have regular meetings, and ISSA organizes an annual conference and a seminar series. It publishes an electronic newsletter and monthly printed magazine.
The Information Systems Audit and Control Association (www.isaca.org) is an international organization focused on IT audit and related functions. It has more than 28,000 members in more than 100 countries, and local chapters in many cities. ISACA was founded in 1969 and sponsors international conferences, training events and a global knowledge network known as K-NET.
Held on a monthly basis
Attendees at ISACA chapter meetings usually include IT auditors, IT security personnel and local vendors. They are typically held on a monthly basis and many chapters publish newsletters to complement the meetings. ISACA chapters are located across the country and around the world. In many smaller cities, ISACA is the only information security-related organization and the chapter meetings are the most logical place for security professionals to meet.
While informal information sharing among peers is a very powerful tool, some industries and groups have elected to create more formal organizations. These are sometimes organized in a specific geographic region, other times they are formed to serve a specific industry or constituency.
The FBI's InfraGard program is an initiative to strengthen ties between the bureau and private industry to better protect critical infrastructures, including computer networks. The Information Sharing and Analysis Centers (ISACs) established in some industries have the same goal, but for specific industries rather than specific geographic regions.
InfraGard (www.infragard.net) is a program to build partnerships between private industry and the federal government, represented by the FBI, to improve the security of the nation's critical infrastructures.
It began in 1996 as a pilot program by the bureau's Cleveland field office to enlist the aid of local computer professionals in determining how to better protect both public and private infrastructures. It was such a success that it expanded to more than 70 chapters across the country.
InfraGard has a strong system for collecting information from member companies. These members are encouraged to share information about incidents through the local co-ordinator, or by telephone or fax to the national Watch and Warning Unit in Washington. The InfraGard Secure Access program enables members with special virtual private network (VPN) software to send electronic incident information securely to the Bureau.
The federal government has recognized the advantages of formal information-sharing mechanisms as a component of its efforts to protect critical infrastructures. Presidential Decision Directive 63 (PDD63), issued in 1996 by President Clinton, directed the U.S. government to protect critical infrastructures such as power, transportation and financial services from attack. As part of this program PDD63 formalized an information-sharing function for these critical infrastructures through ISACs. The Financial Services ISAC (FS/ISAC) was the first and began operation in October 1999. Other ISACs have been planned and implemented for other sectors, including Telecommunications, Information Technology, Water, Food, and Aviation.
There are two key roles associated with each ISAC - Lead Agency and Sector Co-ordinator and Operator. The Lead Agency is a specific federal government agency responsible for supporting the ISAC.
Each Lead Agency has a private-sector counterpart known as the Sector Coordinator. These Sector Coordinators are typically trade groups of firms active in the sector. For example, the Sector Coordinator for Information Technology is the Information Technology Association of America.
Model for later ISACs
The Financial Services ISAC (www.fsisac.org) was the first ISAC. It was created in 1999 to service members from the banking, securities, and insurance industries. It has more then 60 members and is the model for many of the ISACs that came later.
It is operated by the Science Application International Corporation (SAIC) (www.saic.com), a large consulting and professional company that also operates a number of other ISACs. Information about the FS ISAC, such as its location or the identity of its members, is closely guarded and little is known about its operations.
The Telecommunication ISAC (www.ncs.gov/ncc) is operated by the National Co-ordinating Committee for Telecommunications. The NCC is a long-standing public-private organization focused on mitigating threats to the national telecommunications infrastructure. There is little public information about the Telecommunications ISAC.
The Electricity Sector ISAC (www.esisac.com) is sponsored and operated by the North American Electric Reliability Council and serves the electricity sector by facilitating communications between electric sector participants, the federal government and other critical infrastructure industries.
It is the job of the ESISAC promptly to disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants take protective actions.
The Information Technology ISAC (www.it-isac.org) is operated by the Information Technology Association of America and is a forum for sharing information about network vulnerabilities, and effective solutions.
Membership is limited to U.S. companies providing information technology hardware, software, or services. The Energy ISAC (www.energyisac. com) services companies in the energy industry, including oil and natural gas companies, pipeline operators, electric power companies, and energy trading organisations.
Many facets of the energy industry are regulated and there is a risk that companies won't share critical security information out of fear that it could be used against them by regulators. The Energy ISAC addresses this issue by noting that it is exclusively for, and designed by, professionals in the energy industries. No U.S. government agency, regulator, or law enforcement agency can access the Energy ISAC.
The Energy ISAC is operated by SAIC under contract to National Petroleum Council. It is managed by a board of trustees with members from companies such as ConocoPhillips, Shell Oil, and BP.
The Water ISAC (www.waterisac.org) is a centralized resource that gathers, analyzes and disseminates threat information that is specific to the water community. Subscriptions to the Water ISAC are currently reserved for U.S. drinking water and wastewater systems, regardless of size or type of ownership.
The Surface Transportation ISAC (www.surfacetransportationisac.org) is co-sponsored by the Association of American Railroads and the American Public Transport Association and is operated by EWA Information and Infrastructure Technologies. Its members include railroad companies, trucking companies, and mass transit operators.
The Aviation ISAC (www.aci-na.org) is operated by the Airports Council International North America. The Aviation ISAC was organized in 2001 to share information about threats to the information systems of airport operators.
The Food and Agriculture ISAC (www.fmi.org/isac) was organized on February 15, 2002 by the Food Marketing Institute (FMI). It serves primarily as a co-ordination and information dissemination organization. It does not have an in-house analysis function, but recommends that its members report incidents directly to the National Infrastructure Protection Center (NIPC).
The Chemical Sector ISAC (chemicalisac.chemtrec.com) is sponsored by the American Chemistry Council and is open to companies or organizations involved in manufacturing and distributing chemical products. Prospective members complete an on-line application form that is evaluated by the ISAC.
Mark Fischer is managing director of Security Guild, an infosec consultancy
Certifications for forensics
The certification wars are raging. Nowhere is this more obvious than in the world of digital forensics. We hear everything from "forensics doesn't need certifications" to this or that certification is "lame." Before we look at what certifications are available for forensic examiners, let's examine, briefly, how the certification process should work.
Basically, there are three types of certifications: industry, professional and vendor. Industry certifications are general in nature and pertain to a particular industry. In information security, we have the CISSP and
the CISM. CISSP is a general certification, and, some would argue, the benchmark certification for information security professionals. CISM is specifically for information security managers.
Professional certifications come from a body of scientific professionals such as the UK's Royal College of Surgeons. Usually, the top certification in such a society is Fellow. That designation is conferred by the conferee's peers in the society. I only know of one such certification in information security: the Institute for Communications, Arbitration and Forensics in the UK. In the non-digital forensics world, however, there are several. For more information on those certifications you can visit the web site of the American Academy of Forensic Science (www.aafs.org).
Vendor certifications are the most common kind of qualifications in information security and digital forensics. These are certifications offered by the developers of products. They are focused on providing assurance to consumers that anyone using, installing or supporting a product has been appropriately trained and is qualified to do so. The primary vendor certification in digital forensics is the enCE from guidance software (enCase).
Credible and valuable
Coming in the middle of these three basic types of certifications are those offered by training organizations. Usually, however, these can be viewed as suspect, since their primary objective is to sell training.
However, that does not nullify the value of all such certifications - for example, the SANS GIAC (www.giac.org) certification is both credible and valuable.
The big question is: "Why get certified at all?". The answer is easy, and should define your certification goals. There are only three reasons to get a certification: to get a job - many organizations use certain certs as filters for job applicants; to get a promotion; because you want to.
If you are a consultant, of course, the first applies to you in the form of getting new clients. The second applies to getting higher fees, and the third to increasing bragging rights among your peers.
There are very few credible certifications as yet for digital forensic examiners, although there are a few more being developed.
The oldest is available only to law enforcement. The International Association of Computer Investigative Specialists (IACIS - www.cops.org/certification.htm) offers law enforcement certification in electronic evidence collection and computer forensic examination.
A new certification for information forensics investigators is the Certified Information Forensics Investigator (CIFI) from the International Information System Forensics Association (www.iisfa.org/certification/certification.asp). This is an industry certification, is vendor neutral and does not rise to the level of a professional certification. It is well conceived, however, and has the potential to become the "CISSP" of the digital forensics community.
The major question to be asked about certifications and their value is: "Where does the cert come from and what are its objectives?". A good industry certification will have several recognizable components if it is to be credible:
- it is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it;
- it requires ongoing training and updating on new developments in the field;
- there is an an examination (the exception is grandfathering, where extensive experience may be substituted);
- experience is required;
- grandfathering is limited to a brief period at the time of the founding of the certification;
- it is recognised in the applicable field;
- it is provided by an organization or association operating in the interests of the community, usually non-profit, not a training company open to independent peer review.
There are credible certifications that are not money-grabs. However, as with anything that promises to improve the acquirer's status, it is always a case of "buyer beware."