Computerworld - IT professionals and trainers are blaming insufficient security training offered under the nationwide Microsoft Certified Systems Engineer program for contributing to the spread of Code Red and other damaging viruses.
In an e-mail newsletter sent out last week to its 96,000 members, the Bethesda, Md.-based SANS Institute, a research and education organization for systems administrators, urged MCSEs to take a free class offered by the institute on how to reconfigure and patch Windows-based systems against the vulnerabilities exploited last month by the Code Red worm. The core courses required to attain MCSE certification don't provide the level of security training engineers need to protect their systems, according to SANS Institute officials and other industry experts.
Security Optional
Required core exams for Windows 2000 MCSE certification:
70-210 Installing, Configuring and Administering Microsoft Windows 2000 Professional
70-215 Installing, Configuring and Administering Microsoft Windows 2000 Server
70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
70-217 Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
MCSE trainers and students contacted by Computerworld last week said they agree with the organization. Most noted that while basic security is covered as part of the Microsoft Official Curriculum for MSCE certification, in-depth security training is optional and not a core requirement.
The shortfalls in MCSE training are "one of the root causes of lax security in the private sector," said Keith Morgan, chief of information security at Terradon Communications Group LLC, a Nitro, W.Va.-based network security services company.
"Every MCSE that comes through our door has to be quizzed on his level of security understanding," said Morgan. "Most of them have to be trained in even the most basic of security principles. It costs us time and money."
MCSEs design, install, support and troubleshoot information systems based on Microsoft Corp. software.
Alan Paller, director of the SANS Institute, said the recent outbreak of the Code Red worm, which took advantage of vulnerabilities in Microsoft's Internet Information Services (IIS) software and a misconfiguration in the Internet Server Application Interface (ISAPI), is a perfect example of how MCSE training falls short.
"It is a situation where MCSEs had no idea that there is a fundamental vulnerability in IIS and ISAPI mapping and so had no way to protect their systems other than after-the-fact patching," said Paller.
"One of the saddest dimensions of information security is that hundreds of thousands of people earned MCSE certifications without being required to demonstrate any competence in security," stated the SANS newsletter.
Robert Stewart, general manager of training certification at Microsoft, countered that each of the
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
