
May 1, 2000


Stay Safe In An Unsafe World

Certification helps IT professionals fill security gaps in their companies' infrastructures

By Ann Freestone

Related links:

  • sidebar: Make Security A High Priority For Your Company

  • Act Now To Protect Your Data (2/28/00)

  • And from our sister publications:

  • InternetWeek: Lax Corporate Policies (3/20/00)

  • Network Computing Reader Survey -- Is Security the Next Big Thing? (3/20/00)

Information technology professionals who have earned certifications as security specialists are taking what they've learned into the real world. In the process, they're filling security gaps, sometimes gaping holes, in their businesses' infrastructures.

Mike Guarracino, senior network specialist at Zenith National Insurance Corp., which has headquarters in Woodland Hills, Calif., is a case in point. He recently attended a course titled Network Security and Firewall Administration, one of four classes offered by Global Knowledge Network, an IT-training services organization, in conjunction with ICSA, an Internet security services company. These classes prepare IT staff members for a new certification, called the Certified Network Security Administrator, that focuses on a wide range of issues and products, including security offerings from vendors such as Check Point Software Technologies, Internet Security Systems, and Cisco Systems.

Zenith, a midsize company with a net income of $54.1 million in 1999, lets its telecommuting and remote employees communicate with the company network and intranet via a virtual private network. The intranet site provides agents with data regarding claims and adjustments status. A firewall secures this site, but Guarracino wanted to learn more about how to best protect the company across the network and on the Web.

Many IT professionals have the same goals, say analysts, who point out that certification courses are often particularly valuable for employees at small and midsize companies. "Security is an ominous issue that's not adequately dealt with" at many of these companies, says Jason Wright, a research analyst at Frost & Sullivan. "It's an afterthought. The thinking is, 'If we have the time and money, we'll do it next year.'" That can lead to problems. Because IT staff at many of these companies are left to learn security practices on their own, they wind up "halfway trained and not qualified to protect an organization of any size," he says.

Guarracino says the course he attended helped him get up to speed on common hacker threats such as viruses, denial-of-service attacks, and software back doors. After the training, he immediately made changes to the VPN installation at Zenith's Sarasota, Fla., branch office, where he works. By its nature, a VPN is a secure network, "but the server it lives on isn't because the network interface card is exposed to the Internet," Guarracino says. To reduce the risk that hackers could break in via that server, he shut down all ports and protocols on the system except those running the VPN.

"Think of a highway as an IP protocol and its lanes as a port," he says. "Each lane has an application and this lane has to be open for traffic to get into the server. If the lane is not open, traffic can't get into the server. Shutting down a lane or port reduces what you have to monitor going into your server."

Guarracino has also developed an incident-reporting plan related to hacker attacks. As part of that plan, the company is posting legal statements on its Web sites that warn surfers to stay away unless they have interactions with the business. "It's like a no-trespassing sign on a business," he says. "If you don't do this, you're really welcoming them in." In taking this step, Guarracino says, Zenith can actually sue potential hackers, if they're caught, for trespassing.

In addition to providing information on common hacker threats and how to protect against them, the Administrator track Guarracino is on covers fundamentals such as network topologies and the structure and function of the TCP/IP protocol. In August, Global and ICSA will offer the Network Security Engineers Certification, for higher-level network engineers who define security policies. This program focuses on network forensics and delves deeper into intrusion-detection and VPN issues. It also provides a "security boot camp" where students build security architectures from scratch.

Both certifications attempt to turn concepts into practical applications, with labs accounting for 40% to 70% of each course. For example, students learn where a firewall fits in the architecture, the differences between software and hardware firewalls, and how to configure a Check Point firewall.

This approach helped Erik Wyand, a network engineer at not-for-profit Orlando Regional Healthcare Systems, who attended the same course as Guarracino. The hands-on experience, he says, better equipped him to ensure that all the hospital's firewalls were set up correctly as it begins to share patient account data with insurance companies over a secure link.

ICSA will begin administering the exam in July for the administrator designation and in January for the engineering designation.

Security certifications that are not tied to a particular vendor's product aren't new. The Certified Information Security Systems Professional certification, offered by the nonprofit International Information Systems Security Certification Consortium, started in 1995. There are now 2,500 CISSPs in 31 countries. Before taking the CISSP exam, which queries candidates on topics such as good password discipline rather than on specific security products or platforms, a candidate must have three years of experience in the computer security field.

The consortium also offers an eight-day training course to help users attain the certification; it covers topics ranging from physical security and cryptography to security architecture, laws, investigations, and ethics, but doesn't include hands-on lab experience.

The CISSP certification isn't designed for those who actively implement products, says Rick Koenig, VP of sales at the consortium, but for professionals who develop policies, manage security functions, and perform consulting, and need a good understanding of how security realms interrelate.
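The hardening step described above, closing every listening port on the VPN host except the ones the VPN itself needs, is only as good as the check that verifies it. The script below is an added example, not part of the original article and not Zenith's or ICSA's tooling: it parses an `ss -tuln`-style socket table (the sample table is constructed inline so the script runs offline) and reports every socket reachable from outside the host that is not on an allowlist. The allowlist assumes an IPsec VPN (IKE on udp/500 and NAT-T on udp/4500); the ports for any other VPN product would need to be substituted.

```python
"""Audit a host's listening sockets against an allowlist of VPN services.

Added example, not from the original article. The socket table below is a
constructed sample that mimics `ss -tuln` output; the allowlist assumes an
IPsec VPN endpoint (IKE udp/500, NAT-T udp/4500) and is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SOCKET_TABLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4500       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      128             [::]:80            [::]:*
"""

# Assumed allowlist: (protocol, port) pairs an IPsec VPN endpoint must expose.
VPN_ALLOWLIST = {("udp", 500), ("udp", 4500)}

# Matches a data row: protocol, state, two queue counters, then local addr:port.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def internet_exposed(self) -> bool:
        # Loopback-bound sockets are reachable only from the host itself.
        return self.addr not in ("127.0.0.1", "[::1]")


def parse_socket_table(text):
    """Turn ss-style output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line in a shape we don't recognise
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        listeners.append(Listener(proto, addr, port))
    return listeners


def find_unexpected(listeners, allowlist=VPN_ALLOWLIST):
    """Return externally reachable listeners that are not on the allowlist."""
    return sorted(
        (l for l in listeners
         if l.internet_exposed and (l.proto, l.port) not in allowlist),
        key=lambda l: (l.proto, l.port),
    )


def report(text, allowlist=VPN_ALLOWLIST):
    """Print each unexpected listener and return the list for further handling."""
    unexpected = find_unexpected(parse_socket_table(text), allowlist)
    for l in unexpected:
        print(f"unexpected listener: {l.proto}/{l.port} bound to {l.addr}")
    return unexpected


if __name__ == "__main__":
    report(SAMPLE_SOCKET_TABLE)
```

On the sample table the script flags tcp/22, tcp/80 and tcp/139 as bound to all interfaces without being VPN services, while the loopback-only sockets are left alone; run periodically against real `ss -tuln` output, a non-empty result is the signal that something has been re-opened since the host was hardened.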

continued...page 2

Photo by R. Scott Martin
