Why Certify: Stephen Northcutt

January 2002

Stephen Northcutt served as the Information Warfare Officer at the Ballistic Missile Defense Organization (BMDO), founded the Global Incident Analysis Center, led the Naval Surface Warfare Center’s Shadow team, and wrote the seminal book on intrusion detection. In this interview he answers questions about the community-wide effort that he leads to help security professionals master the critical skills they need to secure Internet-connected systems and prove they have those skills.
SANS Security Alert:
What led you to push for skills certification for security professionals?
Northcutt:
When I moved from network management to take over the information assurance function, I was shocked to learn that a high percentage of the employees in information security lack the basic skills and knowledge to accomplish their jobs. They come to work day after day to produce policies or run tools with no understanding of the fundamental technologies and principles of security. They are often stressed out, secretive, edgy, and defensive, because they know they do not have the understanding or mastery of tools they need. Unskilled security professionals do not reduce risk one bit. In fact, they put the organization in jeopardy.
SSA:
How widespread is the skills shortage and what types of skills do you find missing?
Northcutt:
Fewer than one in twenty security professionals has the core competence and the foundation knowledge to take a system all the way from a completely unknown state of security through mapping, vulnerability testing, password cracking, modem testing, vulnerability patching, firewall tuning, instrumentation, virus detection at multiple entry points, and even through back-ups and configuration management.
SSA:
You talk about security professionals lacking those skills. Don’t the system administrators have those skills?
Northcutt:
A few do, but most system administrators have never been trained in security, although a few have been able to learn it on their own.
SSA:
Does that include system administrators who have gone to Microsoft and Solaris training?
Northcutt:
Yes. People who have earned Microsoft Certified System Engineer (MCSE) status tell us they were taught nothing about security in their training, and the topic was not covered in the certification exam. This is a real problem because Microsoft environments need extensive hardening before they are safe for Internet deployment. And it’s essentially the same for UNIX and Linux environments.
SSA:
Are you saying that neither the system administrators nor the security professionals have the needed skills to protect their systems?
Northcutt:
That’s right. And I am not the only person who recognizes this. Steve Katz, the Chief Information Security Officer at CitiCorp, told a group of government and industry leaders in December that he feels the greatest threat to information security is the lack of people with technical security skills.
SSA:
Doesn’t the problem correct itself as people gain more experience?
Northcutt:
No. It’s getting worse. Every single month, nearly two million new computers are registered as Internet hosts. The people deploying these systems cannot find skilled security staff, because the few skilled people are busy maintaining security on existing systems. The newcomers are forced to hire more and more junior people. So, on average, computers are being less well protected. And there’s another force working against security. The problem isn’t static. An increasing number of attackers are developing and launching new types of attacks at an increasing rate.
SSA:
OK, so the problem is real. How do you propose to solve it?
Northcutt:
There’s no quick fix. We must improve the security skills of tens of thousands of system administrators and security professionals while we develop college-level programs to bring new people into the field.
SSA:
How can you define exactly what skills are needed?
Northcutt:
Through a consensus of the top security professionals working in the field on exactly what skills and knowledge are really needed. We gathered more than 100 of the top security faculty and practitioners and worked with them to build a consensus curriculum teaching the skills that they want in people they hire for security roles. Together this community worked for six months through more than 90 versions of the curriculum before launching the training and testing program; the curriculum continues to be updated often as thousands of people implement what they are learning and give us feedback.
SSA:
Can you summarize the program for us?
Northcutt:
It has three levels. The foundation, called LevelOne or Security Essentials, has nineteen modules ranging from understanding Internet threats to perimeter protection to password cracking to auditing. Few organizations would feel comfortable without people who have mastered these skills. LevelOne may be taken over the web or in live classes. Over the web, the student passes quizzes for each module to ensure mastery. When all the modules are completed, the student may sit for a comprehensive certification examination. The second level has much more advanced training in Intrusion Detection Analysis, Firewalls and Perimeter Protection, Incident Handling and Hacker Exploits, and Windows and UNIX security. For each of these areas, the person who seeks certification completes an intensive immersion curriculum and a comprehensive exam. If the exam score is high enough, the student is offered a set of practical exercises that allow him/her to demonstrate the needed skills. Only when the coursework, the exam, and the practical exercises are completed successfully is the person awarded certification. A third level of certification is awarded to people who have mastered multiple LevelTwo disciplines.
SSA:
Why did you include a requirement for the practical work?
Northcutt:
For the same reason that pilots are required to prove they can fly planes, not just pass tests. When I recommend people as qualified security professionals, I want to be certain they can do more than read a book and answer test questions.
SSA:
Why did SANS call it GIAC Certification?
Northcutt:
We named the program after the Global Incident Analysis Center because it is designed to ensure that it teaches people how to defend against the most current attacks. GIAC receives reports of hundreds of new attacks every week. By linking the certification program with the current attack information, and by giving certified people access to updates and refreshers, we give people a fighting chance to stay ahead of the attackers. Moreover, many of the newly certified people have become active participants in GIAC ensuring it continues to provide up-to-date patterns of attacks and countermeasures.
SSA:
Do you know whether it works?
Northcutt:
Oh yes. Several of the most useful new intrusion analyses were done by people who earned the GCIA (GIAC Certified Intrusion Detection Analyst), and they did not have the skills prior to doing the training. Even more gratifying are reports that GIAC-certified people are winning the respect of their fellow system administrators and managers and being given far greater authority to make the security changes which they deem necessary.
SSA:
Where can people learn more about the program?
Northcutt:
The program is described in detail at http://www.giac.org.