Risk
8/26/2010
06:05 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Next In Cybersecurity Certifications

Cybersecurity certifications from organizations provide important benchmarks that are often a requirement for government jobs.

Cybersecurity certifications from organizations such as CompTIA, (ISC) 2, SANS Institute, CyberSecurity Institute, ISACA, Cisco, and the federal government provide important benchmarks that are often a requirement for government jobs. Still, they can also be overused and misunderstood.

"People think it means you're expert in everything, but we don't sell it that way," says Hord Tipton, executive director of (ISC)2, which manages the Certified Information Systems Security Professional certification.

A recent report from the Center for Strategic and International Studies warns that cybersecurity certifications create "a false sense of security" and are used too often to demonstrate "expertise in documenting compliance" rather than real skills.

Some certification programs overemphasize how to do well on multiple-choice tests. "Some people are really good at taking an exam, but that's only one piece of it," says Vernon Ross, director of talent and organizational capability for IT with Lockheed Martin.

The CSIS report argues that mandated certification and licensing requirements aren't enough and recommends another approach: creation of an independent board of cybersecurity examiners akin to the National Board of Medical examiners.

Several of the CSIS report authors have created such an organization, the nonprofit National Board of Information Security Examiners, led by Mike Assante, former cybersecurity executive at Idaho National Labs and North American Electric Reliability Corp. However, some observers warn of a potential conflict of interest, given the CSIS tie.

Assante (who isn't one of the report authors) says the newly formed board doesn't aim to compete with existing certifications, but to employ more advanced "performance-based" testing than is used elsewhere. That might include hands-on tests and simulated environments.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.