Security+: The Foundation for Solid Network and Information Security 1-800-COURSES www.globalknowledge.com Expert Reference Series of White Papers Introduction The focus of this white paper is to introduce the Security+ certification and the foundation for a career in Information security as well as data networking it can provide. We will cover: • Historical overview • How times have changed • The War on Terror—information terror that is! • Real-world data about the CompTIA Security+ • The focus of the certification • Key benefits for becoming CompTIA Security+ certified: Over the course of several centuries, the Industrial Revolution saw the development of new manufacturing processes that changed much of the world’s economy and ways of doing business. Whereas it took centuries to develop new business manufacturing processes of the Industrial Revolution, a new revolution, what I call the IT Revolution, has occurred over the past 35 years, and it has literally changed the face of the world. This great change in business and economic focus took years to develop and is still being perfected till this very day. The changes brought about by the technology revolution not only affect the USA but also every country with which we do business . This revolution has brought us such great things as the personal computer, software for the personal computer, computer networking, digital cash registers, computerized medical equipment and, of course, the Internet. The technology revolution has brought us huge intangibles as well, such as productivity, quality , larger profit margins , v ast new markets to increase sales, and efficiency. These intangibles have been the driving force to make the technology revolution the most important revolution during the existence of man. Along with the social and economic changes, we have been introduced to a “dark side” as well. Criminals looking for a quick buck and the thrill of wreaking havoc on computer systems and data networks alike have popped up all over the world. New w ays of hacking systems glorified by Hollywood movies have tak en on mainstream appeal. T he mystique of the hack er life style has intrigued most, if not all, of the IT professionals. Virus activity, spy ware and malware, denial of service attacks, email bombs, worms, Trojans, spam, browser helper objects, and pop-ups have all become the rage for internet and network data terrorists. The folks at Webster’s dictionary were quoted in the Wall Street Journal as saying that the, “Technological Revolution of late 20th and 21st centuries has been responsible for the most additions” to their dictionary and 95% of those new words have come directly from the Data Security and Integrity sectors . ” Timothy H. Euler, Global Knowledge Instructor, MCSE NT4.0, MCSE WIN2K, MCSE 2003, Sec+, Net+, Server+, CCNA, CCNP Security+:The Foundation for Solid Network and Information Security Copyright ©2007 Global Knowledge T raining LLC. All rights reserved. Page 2 W hat does this mean for the average business looking to reap the benefits of the technical revolution? Well, this can be summed up in a single word: training. If businesses are to truly reap the benefits of the new tech- nology, their employees, and I mean all employees, have to be educated and trained as to the appropriate ways of dealing with the dark side of information terror. In simple terms, all computer users have to learn the safe practices for their computers, their business networks, and the Internet. The security basics of “what to do” and “what not to do” become the front-line defense for most businesses. That being said, data and network professionals have in-depth training to recognize threats and security holes, monitor for attacks before they are executed, create security policies, use the various tools available, like IDS and firewalls, and how to repair damaged networks after a threat has been discovered. These abilities are a must for all Network Engineers and System Administrators. When we segregate security to a specific depart- ment, then we develop a scenario where other departments seem to pass the buck when an attack is waged. Everyone must become involved if we are to win this war on information terror. Technology training has many great avenues for bringing security best practices and technology to the masses, making us all better prepared to win this w ar. Cisco ® , Microsoft ® , Checkpoint ® , Red Hat ® , and CompTia ® have all created fantastic learning opportunities and ways to measure students’ knowledge through their certifica- tion paths. The best all-around certification, not only for the average user, but also for the data center professional, is CompTia’s Security+ certification. This is an entry level certification but by no means should it be treated that way . The technologies and topics introduced throughout the course are the absolute foundations for all of the other disciplines mentioned above. The beauty of this certification is clear; it is not specific to any one technol- ogy like Cisco or Microsoft. This foundation will introduce the Security+ candidate to the real world, a world of the dreaded mixed environment. This is the only certification that will arm holders with the broad foundation for recognizing and dealing with the bulk of the issues those security professionals will deal with. These issues arise from external attacks and from internally launched attacks. Other technology companies have even begun to partner with the CompTIA Security+ certification to make the certification a part of other, more extensive certification paths. For example Microsoft will waive the Microsoft Security requirement for MCSE candidates if they successfully pass the Security+ test. This partnership is just the first of many to come as Monster, the job search giant, has recently released data on the most frequently required technology certification for network engineers with 2-4 years of experience and whose job focus is on security. That certification, as you may have guessed, is Security+. This type of validation will continue to grow as more and more companies discover the v alue of the Security+ certification. A few other statistics about the certification are certainly worth mentioning here. (From the Industry for Network security and CompTIA) K ey benefits for becoming CompTIA Security+ certified: • A solid cr edential that can be utilized in any industry U.S. Deptartment of Defense and Directive 8570: US DOD employees or contractors engaged in work related to information security are required to be certified, as specified in a list of certifications included in the Directive 8570 manual; CompTIA Security+ is one of the designated certifications. Healthcar e industry and HIP AA (Health Insur ance Portability and Accountability Act): This 1996 Congressional Act requires standards be met regarding the security and privacy of data in Copyright ©2007 Global Knowledge T raining LLC. All rights reserved. Page 3 t he healthcare industry. One way that healthcare companies can demonstrate their compliance with the standards in this act is to verify certification of their network and information security staff. Financial industry and web-based attacks: The financial industry and its customers are vulnera- ble to attacks designed to gain access to personal account information. Network security providers are critical in this business, and the CompTIA Security+ certification is an assurance of baseline competency. • Validation of achievement in an industry-valued skill. All industries need trained security professionals to combat hackers and security threats. CompTIA Security+ shows employers you can maintain the integrity of their business communications, infra- structure, and operations. • Viable career path, leading to higher level positions. Seventy-four percent of IT managers say a CompTIA certification is an important factor in considering an employee for a promotion.* The Security+ certification focuses on the major areas of Information security. The following certification out- line was taken from the CompTIA test objectives and shows the focus of the exam. As you will see, all important aspects for a solid foundation of security are included. I encourage you to surf http://www.compTia.com to view the exam objectives in detail. Section 1. Gener al Security Concepts • Access controls • Authentication • System hardening • Recognize attack types • Malicious code discovery • Social engineering • Auditing and logging Section 2. Communication Security • Remote access technologies • Email security concepts • Internet security concepts • Directory security concepts • F ile transfer concepts and protocols • Wireless technologies and concepts Section 3. Infrastructure Security • Device security • Media security • Security topologies • Intrusion detection • Security baselines • Application hardening Copyright ©2007 Global Knowledge T raining LLC. All rights reserved. Page 4 S ection 4. Basics of Cryptography • Cryptographic algorithms • Understanding cryptography • Understanding PKI • Cryptographic standards and protocols • Key management and certificate lifecycles Section 5. Operational / Organizational Security • Physical security of equipment • Disaster recovery • Business continuity • Policies and procedures • Privilege management • Forensics • Risk identification • Education and training of end users • Documentation concepts Conclusion The technology revolution truly has change the world we live in. Now we must arm our employees to protect us from the “dark side.” What better way to accomplish this then with the Security+ certification taught by a certified Global Knowledge technical instructor. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge course: Essentials of Information Security (Security+) For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative . Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use . Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs. About the Author T imothy H. Euler is the Chief Information Officer for I.T. Data Solutions based in Maryland. He has 12 years of Advanced Networking experience, both in the Microsoft OS line and Cisco. He is also an Instructor for Global Knowledge, teaching in the Microsoft OS curriculum. His certifications include MCSE NT4.0, MCSE WIN2K, MCSE 2003, Sec+, Net+, Server+, CCNA, CCNP. Copyright ©2007 Global Knowledge T raining LLC. All rights reserved. Page 5 . Security+ : The Foundation for Solid Network and Information Security 1-800-COURSES www.globalknowledge.com. Introduction The focus of this white paper is to introduce the Security+ certification and the foundation for a career in Information security as well as data networking