Stephen Northcutt of the SANS Institute: Need for Information Security Certifications
STEPHEN NORTHCUTT: Hi, Richard.
RICHARD SWART: Hi. You recently said that fewer than one in 20 security professionals have a core competency and a foundational knowledge to effectively serve in security positions, which is a pretty interesting comment. What are the key skills and training that someone in security must possess?
STEPHEN NORTHCUTT: Well, Richard, a reasonable degree of assurance seems to come down to two things. One is the ability to configure the system correctly, and maintain that configuration throughout its life cycle, and the other is because we can’t do the first one perfectly, is to be able to understand what network traffic is leaving and coming into our organizations. If we can do those two things, we can get a reasonable degree of assurance. So, it would be the hands-on operating system administration skills, and then the network analysis skills are the core two things a professional needs to have.
RICHARD SWART: Also, I recently read that Steve Katz, the Chief Information Security Officer at Citicorp [Editor's note: Katz is the former CISO at Citicorp,]told a group of government and industry leaders that he feels that the greatest threat to information security is a lack of people with these technical security skills. Do you agree with him? And why would that be the greatest threat out there?
STEPHEN NORTHCUTT: This is a really interesting comment that he has made, because if you think about it, Citicorp, JP Morgan, these are the folks who can pay the best in the industry. Right? With the government, you’re going to kind of get mediocre in the industry. So, when the people with the higher budgets and the people who are – I mean, when you’re protecting money, you can afford to pay a little bit more – when they tell you this, then it’s got to be a big eye opener. And I have to agree, we are a point and click generation at this point, which is great, as long as the point and click device is able to do the job. But, when it isn’t, having the people with the actual skills is necessary, and they’re in short supply, and so the reason this becomes the greatest threat is the attackers are able to operate without being detected. I was just looking at the antiforensics tools the other day, the latest generations of malware that actually disable things that I use to look at my system with, the task narrator, as an example, to see what is going on. And so, you have to have the ability to go below using the GUI task manager.
RICHARD SWART: And why would that be a larger threat than the recent scourge of botnets, or the insider threat? Is it simply that they don’t have the technical staff that they need to staff their positions?
STEPHEN NORTHCUTT: More technically related to the two, because we don’t have the technical skills, the botnets get to be so successful. We don’t have the skills to identify whether a given machine is compromised, or not.
RICHARD SWART: What is the role of certification in information security?
STEPHEN NORTHCUTT: Well, certification means that someone meets a minimum standard. That is all certification is able to do. So, the important thing to do is establish where we want those standards to be and at what level in the job. Obviously, an entry level person would meet a lesser minimum standard than a senior person, responsible for the architecture, or the incident response, forensic response in an organization. One of the problems that the industry has had is we are jumping all over the least common denominator. For instance, the military is requiring certification for everyone with hands-on IT responsibilities. That is good. But, the military is primarily choosing the Security Plus, which was designed for entry level, but they are using it for people who have greater responsibilities than entry level, and that’s bad.
RICHARD SWART: The CISSP has always been the gold standard in certification. Are you seeing any change in that?
STEPHEN NORTHCUTT: I don’t know that we will ever see any change in that. Partly, it’s the lowest common denominator thing, just like with SANS’ GIAC the security essentials, our lower certification, is our best seller is the certification. It’s just easier to pass and get. But, the thing that we need to understand about the CISSP is that it doesn’t test any pragmatics. That is intentional. Their role of endorsing your role told them, you know, “If you say, ‘here is a specific command line for something,’ and you break something, you could be sued,†which is true, by the way. And so, the CISSP means you learn terminology and concepts – very important – but it doesn’t do anything to test or assure that someone has the technical skills that Steve Katz was talking about in your earlier question.
RICHARD SWART: SANs is the acknowledged leader in information security training. What approach did you take and why are you so successful?
STEPHEN NORTHCUTT: Well, one of the things that we tried to do, which wasn’t the best idea from an economic point of view, was tried to have a class specific to the roles that you would have in information security. So, we have a course and a certification track for intrusion detection, and a course and certification track for hardening Windows, and one for firewalls, and one for forensics, and one for wireless, and so forth, as opposed to trying to meet everyone’s need with a single offering. And since the people that really do have to have that responsibility, who really do have that job, want job-specific training, it has worked out very well for us. Now, needless to say, the industry catches up. And so, if you do your homework, you will see many other organizations offering job-specific training, and therefore, I imagine, over the next few years, you will see job-specific certification, as well. And this is a good thing. You never really welcome competition, because it makes it harder to earn money, but the competition validates the approach, and that’s a wonderful thing.
RICHARD SWART: What is your opinion of the state of the education offered by colleges and universities these days in information security?
STEPHEN NORTHCUTT: Well, academia has historically taught theory. They teach you how to think. This is wonderful. The problem is, again, it doesn’t, in general, produce the folks that people like Steve Katz is looking for at Citicorp. I really am amazed, because one of the frontrunners in information security, years ago, when I was cutting my teeth, was Purdue, of course, under Gene …
RICHARD SWART: Spafford.
STEPHEN NORTHCUTT: Gene Spafford, yeah, thank you. And Spaf was just adamant that these people left with hardcore technical skills, and during that whole period of time, the late 80’s and very early 90’s, if you could get a Purdue grad with a masters in information security, you rocked. I mean, it was a good thing. And, I’m amazed more colleges have not copied off their paper. And so, you have a lot of relatively weak programs. In fact, I’ve been looking at a number of the programs, where they are just essentially certificates. You still get a degree, but you take a course out of the computer science, artificial intelligence, this, that, and the other thing. But none of that prepares you to deal with Eastern European or Russian hackers, Brazilian hackers, who are doing it for the money, they are very serious, they are very disciplined, and absolutely none of it prepares you for the Chinese military operative who knows exactly what they are doing, and they are mining for information. So, I think the colleges and universities have a bit of work ahead of them, if they are going to produce people that can actually do the job. On the other hand, let’s be honest, technical skills perish very quickly. And so, if colleges totally focus on technical skills, and not the critical thinking, not the research, they will produce people that can’t grow. They will be good for a year or two. Again, I just have to keep looking back at Purdue, and say these guys have the mix pretty good.
RICHARD SWART: Do you see any change in the demand for information security professionals?
STEPHEN NORTHCUTT: Well, the latest partners survey says the demand for information security professionals is up at the 9/11 level. It had been drifting down, and they say it is going up. You know, I was using Google trends, and if you put in “information security†it still shows a downtick. I believe that we can use a few less bodies in the industry, that even though I was disparaging about point and click devices, the appliances are getting so much better, you know, your intrusion prevention devices, and the like, that you can use a few less people. The trick is, we need to lose the policy people and keep the technical people.
RICHARD SWART: So, what advice would you give someone wanting to break into this field, some student at a university, or someone just getting out of school?
STEPHEN NORTHCUTT: Find a large enough organization that can actually afford a security department, and has a security department. Don’t accept a job, unless the job is hands-on. Make sure your first couple of years you are actually fooling around, typing in command lines, and things like that, and looking at the hearts of systems. Those are skills that will be with you for the rest of your life.
RICHARD SWART: Are there any new challenges or trends emerging that we need to be aware of?
STEPHEN NORTHCUTT: The one thing that I think is really important is the malware problem. Right now, we lack, as an industry, the ability to tell whether a computer is compromised. By compromised, I mean it has some key stroke logger, or some bot on it. Since 2002, or so, they have been evading, by turning off, antivirus and the like. Now, with the antiforensics tools, even with the best toolkits and the like, it is even money you can’t tell the malware is there, especially, the curled tips. And so, as an industry, we need to buck up. As you know, information security has always been a case of the attackers get better and then the defenders get better, and so forth. And so, it’s time for the defenders to get better. And we need to really learn how to identify whether a system is clean, or not. That needs to be a major focus of our industry in the next couple of years.
RICHARD SWART: Thank you for listening to another PodCast with Information Security Media Group. To listen to a selection of other PodCasts or find other educational content regarding information security for the banking and finance community, you can visit www.bankinfosecurity.com or www.cuinfosecurity.com