During a live Network World chat, expert Adam Gordon discussed the best security certifications, the tricky aspects of gaining real-world hacking experience and why our government should get with the program of ethical hacking. Gordon is the CTO and CISO for computer training firm New Horizons CLC of South Florida. He has personally completed most of the major security certifications (he's got over a dozen, including MCSE + Security, CISSP, ISSAP, SCNP, CWSP, CEH and CompTIA Security+) and has been an IT trainer for over 20 years. What follows is a full transcript of the chat.

Moderator-Julie: Welcome and thank you for coming.
Adam_Gordon: Hello everyone, happy to be here, let's do some talking, or chatting anyway.
Moderator-Julie: While Adam types up his answer to his first question, here's a pre-submitted one: I have limited time and want to update my resume for the job market. Which is better to pursue, a vendor-specific security training cert (Cisco, Microsoft) or a more general one (SANS, CompTIA etc.)?
Adam_Gordon: You should view your resume as a pyramid. What is at the base provides the foundation for you to build on as you add more layers and complexity. If your base is not broad and deep, then your additions will not survive and help you to thrive professionally. Add the basics to prove your desire and ability to be in the field, Security+ and SSCP for instance, and then create additions carefully based on your area of professional interest, such as CWSP or CISM.
Wasup: What kind of demand is there by employers for CompTIA's Security+? A recruiter told me there is no demand for it at all. What's the truth?
Adam_Gordon: Employers will look at certs that are "in demand" and "in alignment" with the current needs of the workplace. Keep looking, as Security+ is in demand and it is a good baseline to present yourself with.
Steven: What is the most popular certificate required for a network security career?
Adam_Gordon: Depends on what area of security you are looking to focus on. If you are looking to be in forensics, then CISA or CHFI are a good bet. If you want to do wireless, then CWNA and CWSP are good. Overall security, then Security+, CEH, SSCP, and MCSE + SEC are all good as well. [See also: Josh Wright chat: Wireless security foiled by new exploits]
Nobledc: The government and large U.S.-based corporations face real cyberthreats daily. The federal government has proposed to hire expert hackers who don't fit the government security mold. Will classes taught by these hackers help one become a hacker in order to fight hackers?
Adam_Gordon: The best defense is a great offense, and lots and lots of ice... Let me explain. Real world experience and knowledge are what will carry the day. The best hackers are not the certified ones, but are the ones that are doing it for real and normally do not poke their heads up too often. Be practical, not certified. The ice is for all the bumps and bruises that you will get along the way.
Extreme: So by having a great offense, do you mean that the government or businesses should encourage hacking?
Adam_Gordon: I think that it should be the business of any and all interested and LEGITIMATE players in the security field to pursue solutions that encourage a better defensive solution for all. Let's face it, almost every other government and major corporate and military installation in the world has engaged in this behavior at some point, and/or is actively doing so now. Why should we bury our heads in the sand and pretend that it is not happening? Google TITAN RAIN, or Chinese Military/government hacking vs. US government and see for yourself.
Moderator-Julie: Pre-submitted question: What are your thoughts about ethical hacking? Should people be paid for finding vulnerabilities?
Adam_Gordon: Let me give you the standard disclaimer, which is that I am a CEH [Certified Ethical Hacker] as well as a CEI [Certified EC-Council Instructor]. Now, having said that, I believe that Ethical Hacking has a valuable place in the community for a set of professionals that use their skills for the betterment of the communities that they serve. Should people be paid to do it? If you can get paid to do it, would you turn down the money? People should be paid to do what they are good at, and what their employer hired them to do. It comes down to being honest with yourself, your community, and your employer about your skills and your career path.
Extreme: How do you get real world hacking experience without getting in trouble with the law?
Adam_Gordon: VERY, VERY CAREFULLY! Seriously though, it can be hard and is a challenge. When I was starting out in this business over 20 years ago, it was a whole different world; the rules were different, the people and the times were different, and so was technology. Today, if I had to do it from scratch, I would virtualize the technologies that I wanted to figure out, and do all of my research and hacking there. Once I had figured it out, I would then seek to transfer that knowledge into the real world through engagement in my place of employment if that was possible. If not, I would seek to connect the dots with others that had similar interests through user groups and trade groups, and see if you could put together a "hackers' challenge" of some sort that is sponsored and public.
Nobledc: So this outlawed art is wanted -- a professional gunslinger -- but in this day and age nobody wants you to practice or train. The corporations and the government needs those strange vampire-like people that start work around midnight or dumpster dive a target or cold call for inside help ... but they don't have a means to train "straight" folks to be as good or better than the backroom people. Is anyone out there offering this special training?
Adam_Gordon: I am not aware of any classes that focus on being a vampire or a dumpster diver specifically, but I am open to a new twist on the "practical" aspects of learning. I believe that there are many, many ways to acquire skills, training is just one. Look outside yourself, what do you do? What do those around you do? What resources exist at an arm's length from you that you can leverage? BE CREATIVE and BE FEARLESS... DO NOT BE COWED, and DO NOT BE A SHEEP. THINK OUTSIDE THE BOXES.
Michelle: Is there a thin line between penetration testing and cracking? If so, what's the legality of one vs. the other?
Adam_Gordon: There is a clear and incredibly big and bold demarcated boundary between the two that is as big as it is wide and deep. Pen tests are carried out with permission of the network owner, and their FULL knowledge and acceptance of the plan. Cracking is ALWAYS ILLEGAL, by any definition, and is carried out undercover, without prior knowledge and consent.
SteveY19: I am a recent university graduate with a B.S. in computer science. I have been working just over a year with a major oil company as a systems analyst and also doing program management. My company pays for training, however I only get a certain amount of time to complete the training. In your opinion what would be the first two or three certificates to focus on?
Adam_Gordon: Network+, SSCP (ISC 2), and CWNA (if wireless is important); if not, then CEH (EC-Council).
Moderator-Julie: Pre-submitted question: What are the key differences between CISSP courses and EC-Council's certification?
Adam_Gordon: In short, CISSP is a credential that is broad (the Common Body of Knowledge, i.e. CBK, is made up of 10 areas), and is focused at a managerial level. EC-Council certifications are deep by specific areas, i.e. CEH for Ethical Hacking, and focused on hands-on practitioners in the field.
Wasup: Is Security+ considered the most basic of the security certs?
Adam_Gordon: Not the most basic, but the most basic building block would be the correct way to look at it. You need a good foundation of applied and theoretical knowledge to build a resume and a career on, and this is the beginning point for most. FOLLOW THE YELLOW BRICK ROAD!
Moderator-Julie: Pre-submitted question: Of all the security certifications that you possess, which do you feel was the most valuable for opening doors career-wise? Which was the most valuable in the applied sense?
Adam_Gordon: Most valuable for my career would be the very first certification that I ever got, which would be a non-security certification. Actually it was my MCP, since it gave me the "bug" that allowed me to get excited about technology and to try out different things as I attempted to figure out what I wanted to focus on. Most valuable in the applied sense would not be a single certification, but rather the cumulative effect of the experience and the weight of the work that I have done over my career to help me to stay informed and current in the eyes of my clients. Practical experience and hands-on work is very, very important.
Ed: What field experience can be leveraged or accounted by a cert? What cert does this?
Adam_Gordon: CISA (ISACA), CEH and CHFI (EC-COUNCIL), CWNA and CWSP.
Ed: What groups or blog forums would you refer us to to get the real-world hands-on experience, if we cannot financially commit to a cert?
Adam_Gordon: I would suggest that you look at what user groups and/or organizations are active in your local area based on your interests, i.e., does ISACA have a local chapter, does RACF have a local user group, does Cisco have a local user or technology group that you could associate with? In terms of blogs, this blog is good to read, but will not give you real-world experience; talking to practitioners and field staff will. Check out the URL though: http://www.astalavista.com.
Yvette: What areas of security are in the greatest demand by companies?
Adam_Gordon: Depends on what the company does. If it is in IT, or IT services such as an outsourced solution provider, then it will be looking for architects and ethical hackers, or penetration testers. If the company is a consumer of IT services and technology, then it will need the same skills, but also a forensics person, and probably a good generalist who is a network person first, and a security person second. Never underestimate the value of a good plumber.
Moderator-Julie: Pre-submitted question: Overall, what will the five hottest security skills be in the next five years?
Adam_Gordon: Envelope please ... my crystal ball says: 1. security architecture and design for the business as a whole, holistically; 2. wireless, wireless, wireless; 3. virus and malware design research; 4. honeypots and honeynets; 5. Software as a Service solutions are getting hotter by the day, securing them will be important. [See also: Neil Anderson chat: The five hottest skills for your networking career]
Moderator-Julie: Another pre-submitted question: Of the following upcoming security technologies, which ones seem to be most promising for enterprise use and why? NAC, CardSpace, encrypted hard drives, UTM, data leakage protection -- something else?
Adam_Gordon: I think that they all are going to impact the enterprise in surprising ways. I also think that they all offer tremendous potential value IF they are understood and deployed appropriately. All right, so I guess my answer without any more hedging would be that NAC is most promising. This is due to its all-encompassing touch at the perimeter, and the need for more and more of that today, and going forward, its ability to integrate remote users securely into our daily business flows.
Wasup: If you had to choose, over the long run of many years, which makes more sense financially, attending a university for an engineering degree or keeping current with certifications?
Adam_Gordon: Do you want to have a career that requires a university education? Or do you want to be in the IT/security world for a living? When I hire, I do not look at university degrees as indicators of ability, however having said that, I do look at them as an indicator of commitment. Spend time getting as much REAL WORLD and LEGITIMATE experience as you can, and document everything you do. That will bring you the richest ROI in the long run.
Ed: What are some good Web sites that offer free security material to use for studying for these types of certs?
Adam_Gordon: The old adage about getting what you pay for applies here. Make sure that if it is important enough to you for you to spend time on it, that you are prepared to spend a little bit of money as well. Having said that, check out the following urls: http://www.linuxsecurity.com/ and http://www.windowsecurity.com/
Moderator-Julie: Pre-submitted question: What are your recommendations for getting some lab time on cheap to practice for some of the tougher security certs?
Adam_Gordon: Virtualization technologies are opening up all sorts of new and innovative possibilities for home labs and mobile, laptop-based solutions. Also, check out the possibilities that hosted solutions offer for virtual labs over the Internet from vendors, as well as linking up with local user groups and organizations that deal in the technologies that you are interested in. See if they have a plan to provide services to members, and if not, try and start something by pooling technology and skills for the betterment of the community as a whole.
Extreme: Could you give some examples of what types of technology to virtualize and where to get it, i.e. MS Virtual PC?
Adam_Gordon: Microsoft Virtual PC, or Virtual Server is good, so is VMware. Both platforms offer free software and guidance on how to get started. In terms of what technologies to virtualize, anything that you can think of. I use VM's for everything from Windows 95 all the way up to the latest versions of Linux and UNIX to run my hacking classes and my forensics classes. Be creative and try to figure it out, the worst that will happen is that it will not work.
SteveY19: Do you think that vendor-neutral certifications, such as Planet 3's CWNA, are given the respect that they deserve?
Adam_Gordon: I think that it is up to the practitioners that hold these certifications, as I do (I am a CWNA and a CWSP) to create the respect through their actions and their representations of themselves and their community. Vendors have a responsibility to publicize and to market certs, but the community that adopts them through pursuing them is as responsible, if not more so, for how they will be perceived.
Moderator-Julie: Pre-submitted question: My husband has a master's in IT and a bachelor's in finance. He is re-entering the workforce after five years of owning a restaurant. He worked at Intel as a project manager prior. What courses can he take to quickly get back into the workforce, especially in the area of security?
Adam_Gordon: As painful as it is to say, I would say that the answer will depend on how much he has kept up with technology in the interim since he was at Intel. If he has not had much contact with technology, then I would start out with some CompTIA certifications such as A+, Network+, and Security+, check out the Web site http://certification.comptia.org/
Ed: Do you really need to have a programming background in order to pursue a security cert? Wouldn't network and operating system knowledge be enough?
Adam_Gordon: No doubt. I happen to have a background in all three, but it just depends on what you want to do and how you want to do it. I think that the most qualified person in the room is the person that solves my problem practically, and quickly, not the one that theorizes about it for an hour first.
Moderator-Julie: Pre-submitted question: What do you think are good steps to take toward becoming a CISO? Do you recommend an MBA or Master of Information Systems? Any particular certifications (other than CISSP)?
Adam_Gordon: CISM, as well as practical real world experience will be very helpful. MBAs and MAs in IS are nice, but I think that being able to relate to security issues from the perspective of the teams that you would manage will be crucial to your success.
Steven: I have the CCIE R&S, and I am thinking of going deeper into security. Should I take the CCIE Security or the CISSP?
Adam_Gordon: BOTH! I would tell you that Cisco is getting hotter by the day, and being at the top of its food chain is not a bad place to find yourself. CISSP is the GOLD STANDARD for security management for a reason. Just keep your focus on what is core to your career path, and stay on track with that line, deviations are good if they create opportunities to open new areas of interest, but be wary of blind alleys and black holes that go nowhere. [See also: Cisco certifications: Everything you need to know]
Moderator-Julie: Pre-submitted question: Is there a legitimate reason to hold over a dozen security certifications? For that matter, is there a legitimate reason to have over a dozen security certifications available? I hold one, CISSP, and have had opportunities to add to that number. Why should I pay a cert body for more initials that do not offer any more credibility to my CV? Obviously there are some differences in certifications, i.e. leaning more towards management vs. technology or vice versa. But a dozen or more? This is a fund-raising activity at best.
Adam_Gordon: Your opinion, like everyone else's, is as valid as your horizons allow it to be. I obviously have a broader horizon than you do, as I see value where you see a conspiracy of dollars and marketing. I do however find it interesting that you hold the CISSP, and therefore subscribe not only to the ISC code of ethics, but also the idea of amassing 120 CPEs to keep your status as a CISSP active and in good standing, which does include continuing education.
Ballayji: I am in the unique position whereby my manager and I are "creating" a security role for me. My question is about job titles. What are the entry-level security job titles? I was thinking ISO (Information Security Officer) or ISSO (Information Systems Security Officer). Any other common ones used out there?
Adam_Gordon: SRE (Secure Relocative Engineer -- i.e. Janitor with a Padlock in the Garbage Bin) Just a little bit of humor. I think titles are highly overrated and hyped, and at the end of the day do not matter as much as the person behind them does. Let the title find you, worry more about what you are going to do to be worthy of the trust and faith that your employer is about to put in your hands by helping you to create a vantage point in the business to impact decisions in a meaningful and focused way.
Yvette: I am a software trainer for a school district. I have my degree in organization management and I am looking to stay within IT, but I would like to go into security forensics, security architecture, or wireless. How can I get more information about these topics?
Adam_Gordon: Google them (that is the best kept secret in IT by the way... sssshhhhhh...) Try Google, and from there be creative, talk to co-workers or friends. Go to a bookstore such as Barnes & Noble and hang around the networking section for a little while and talk to people that are browsing for books about what they do. Call your local college's computer science school and see what kind of classes and information they have available.
Moderator-Julie: Pre-submitted question: How important is it for someone on the IT team to have specific computer forensics knowledge?
Adam_Gordon: If your IT security needs involve forensics, then it is an absolute requirement. If your IT security needs are more mundane and run of the mill, virus on a workstation, or an infected file or download of malware, then you are not looking at a "must have" but rather a "nice to have" skill set. [See also: LAN switch security: what the hackers know that you don't]
Nobledc: Is there an industry-wide, universally acknowledged cert for all-around security? Like CCNA for Cisco, MCSE for Microsoft. Some cert that has all the wonderful functions -- a catch-all cert in security across many vendors.
Adam_Gordon: NOPE. But, if you will pay to achieve it, I promise that I will create one for you. These things that claim to be all encompassing are garbage. How can you be all encompassing across multiple platforms, languages and system architectures and be deep enough to provide a valuable stamp of skills assessed? Go broad and deep, across one or more platforms as you have an interest, that is the best way to build and skill up. [See also: Everything you need to know about Microsoft certs (and then some)]
Moderator-Julie: Pre-submitted question: What's important to know about Linux security and where would I get the training I need to know it?
Adam_Gordon: Linux Security is as complex, and as simple as any other security solution is. What you do not know is the perennial problem in ALL security solutions. How much experience and knowledge you have is the key to how successful you will be. Where to get knowledge? I am a firm believer in going to the source: Start by checking out the following web sites: http://www.linuxsecurity.com/ and https://www.redhat.com/training/security/courses/
SteveY19: What are your thoughts on those weeklong or longer boot camps?
Adam_Gordon: Great way to meet people, lots of great junk food. Not very productive unless you are the unique individual who already has all the knowledge necessary to get through the material on your own and you are there to focus on the GAPs and prepare for an exam. I think that the market for these classes is legitimate, but I also think that many, many people that are not fit for this model are sucked into it without fully understanding the potential liabilities.
Moderator-Julie: Pre-submitted question: Two part question: 1) Should the Common Body of Knowledge (CBK) for the CISSP certification be 'modernized?' and, 2) is the recent (Oct., 2007) draft Information Technology (IT) Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development; by the National Cyber Security Division of the Dept. of Homeland Security headed in a useful direction?
Adam_Gordon: Part 1: CBK is modernized in an ongoing review process that is peer driven, by appointment to a review committee, as are all of the Bodies of Knowledge for all of the ISC certifications currently in market. Part 2: Useful is relative to where you are, what you do, and if it helps you with those things or not. I would say that it is a good beginning, but it has some fundamental issues and holes that need to be addressed before it will be operationally effective.
Wasup: What about VoIP Security? Is anything happening in that area?
Adam_Gordon: Lots and lots. VoIP is getting hotter due to the whole SaaS concept (Software as a Service) and the whole cloud computing concept. Pursue this area, as it is one that will become increasingly important over the next 12 - 36 months.
Moderator-Julie: Pre-submitted question: Do you feel that real security threat simulation software (scenario based) targeted at internal leaks has a role to play? I'm thinking in particular if it is used by external/internal auditors and risk managers to evaluate security products, networks, user behavior, security policies and applications in use by the company. Does this "war games mentality" to discover where data leaks may come from by running threat scenarios actually work?
Adam_Gordon: I think that it is an interesting variant on "cat and mouse" and I have used it successfully for several clients, but I do firmly believe that the skills of the practitioner are the most vital element in all success and failure stories in security. If you are good enough to use it as a tool, you will benefit from it. If you think you are but really are fooling yourself and your customer, then you will not get anything of value out of the experience. [See also: Nick Selby chat: Bogus security promises and how to detect them]
Michelle: I currently have Security+ and have been working as a network security admin for almost a year now. Would it be advisable to wait until I'm eligible for CISSP, or get more certs while waiting?
Adam_Gordon: Do both. You can become an Associate CISSP (kind of like a CISSP in training) until you get all of the prerequisites. Also pursue the SSCP from ISC 2, which is a good next step for you as an interim.
Tskimmy: I obtained the CompTIA Network+ certification last spring. This was my first certification and I do not have a university degree. I am currently the network administrator and only IT person within the organization. Would you recommend that I pursue the A+ cert or the Security+ cert first? I would also like to know if you recommend taking the class through a university or a technology school? I attended a local technology school to obtain the Network+ certification, but when I tell people where I went to school, I get the impression that it's not as respectable to go there as it would be if I went to a university.
Adam_Gordon: First, who cares what others say. I think that the best place for you to go is where you feel comfortable, get the best results, and learn the most. Second, A+ will give you the background that will be very helpful for Security+, but either way would work. Flip a coin, and then close your eyes. If you can walk across the room without killing yourself you probably do not need to do either, as you can earn them by using the Force. Otherwise, pick one, get serious, do not look back, and good luck.
Moderator-Julie: Our time is up, but I want to thank you all for coming and to thank Adam Gordon for being our guest today. Please remember to join us for our next chats; all of them begin at 2 p.m. ET, at www.networkworld.com/chat.
-- Tuesday, April 22, The future of networking careers with Brad Reese
-- Monday, April 28, Why the iPhone (and gadgets like it) harm the Internet with internationally famous Jonathan Zittrain
-- Monday, May 5, When it comes to Network Access Control, what's truth and what's fiction with security guru Joel Snyder
-- Thursday, May 15, Open source and its changing role in the enterprise with Stormy Peters
Adam_Gordon: Thank you all for your questions and your thoughts... Please feel free to follow up with me at ADAM.GORDON@NEWHORIZONS.COM if you would like... :) Cheers.