New Cyber Security Certifications from NBISE Will Set High Bar for IT Security Pros

[1]A new non-profit group is developing certifications for information technology security professionals that will set a high bar for IT security practitioners in areas like penetration testing, code auditing and control systems operation.

The National Board of Information Security Examiners (NBISE) [2] is a new, not-for-profit corporation headed by former NERC (North American Electric Reliability Corporation) CSO Mike Assante and overseen by a board of luminaries in the world of information security and critical infrastructure.  The group will be designing certification exams to test the knowledge, practical skill and professionalism of IT security practitioners, with an eye to weeding out the information technology world’s equivalent of quacks and hucksters.

The new tests are designed to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests test knowledge, rather than hands-on skills required of practitioners.

“This is about a higher level of testing,” said NBISE Director and SANS Institute Director of Research Alan Paller. “Its about having confidence that the person you hired doesn’t just know the answer, but can do the job.”

NBISE Chief Operating Officer Kelly Ziegler likens the exams to those required by the National Board of Medical Examiners for aspiring physicians.

Paller said that the group is working with top practitioners in a variety of disciplines to design exams that test practical knowledge, not just book knowledge. Scenario testing – akin to the now famous “Capture the Flag” tournaments at DEFCON and other hacking conferences -- will be an important component of the NBISE exams, he said.

“If you look at (penetration) testing, you can have multiple choice questions about the correct approach when pen testing, but that’s very different than having an actual set of systems and having to find a flag, rather than just answer questions about how to find it,” Paller said.

NBISE plans to release its first exam in the next 30 days. That test will be an adaptation of the UK’s Council of Registered Ethical Security Testers (CREST) [3] exam for penetration testing. The group is working with the UK government’s CESG – the British equivalent of the U.S.’s National Security Agency – to adapt that exam for use in North America, according to Ziegler.

In other areas, such as the operation of control systems and secure coding, computer forensics and incident response and handling, NBISE is forming national boards of experts to get to work developing exams. The group is also being advised by the National Board of Medical Examiners on ways to devise certification exams that test practical knowledge.

Paller said the new emphasis on certification is a response to an aching skills gap in the IT security space [4]. That gap has been underscored by a series of studies and reports that have pointed to the need to develop IT security expertise within the public and private sectors. Most recently, in June, the Center for Strategic and International Studies issued a report warning of a “human capital crisis” in cyber security.

Paller said that the profusion of different certifications has allowed legions of poorly trained IT professionals to falsely claim expertise in cyber security. Often, their lack of training only becomes evident once they’ve been hired.  

NBISE will also provide more focused instruction than initiatives like the U.S. Departments of Defense’s Directive 8570 (DOD 8570), which provides training and certification guidance for government employees who work in Information Assurance, but give employees a menu of different certifications to choose from in fulfilling the directive, say NBISE organizers.

The NBISE exams, once instituted, will serve as a threshold exam for work in areas like government and financial services, separating those with technical knowledge of a subject from those with both knowledge and hands on experience to perform a job. Paller said that the exams, once adopted, could take business away from certification organizations like The SANS Institute, but that those organizations might merely shift to fulfill a role similar to that of medical schools today: teaching students a body of material and hands on skills necessary to pass the NBISE certification exam.

Links:
[1] http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510
[2] http://www.nbise.org/
[3] http://www.crest-approved.org/
[4] http://threatpost.com/en_us/blogs/new-cybersecurity-czar-faces-tough-road-060209
[5] http://www.twitter.com/home?status=New Certifications Will Set High Bar for IT Security Pros http://threatpost.com/en_us/c4B

DOWNLOAD ISSUE 27 HERE (September 2010)

Issue 27 has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
____________________________________________________

(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.
http://www.sourceconference.com

Brucon 2010
Brussels, Belgium. 24-25 September 2010.
http://www.brucon.org

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.
http://www.infosecurityrussia.ru

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.
http://bit.ly/rsa2010eu

__________________________________________________

Visit the (IN)SECURE Magazine web site at:
http://www.insecuremag.com

Subscribe to our RSS feed at:
http://feeds2.feedburner.com/insecuremagazine

Daily security news RSS feed:
http://feeds2.feedburner.com/HelpNetSecurity

Help Net Security on Twitter:
http://twitter.com/helpnetsecurity

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

GOA is a magical place with amazing beaches in the North.  You have miles and miles of beaches to yourself.  Not to mention that GOA is a hub for tourism and it is very inexpensive.   A great place at great price,  do entend your stay a bit to visit the area.  February is one of the best month of the year to visit as well.

nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference

nullcon is an initiative by null - The open security community.

Website:  http://nullcon.net

Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the community as paper submissions for nullcon.  So, sip your coffee, dust your debuggers, fire your tools, challenge your grey cells and shoot us an email.

Tracks:
---------------
- Bakkar:         1 Hr Talks
- Tez:              5-30 min Talks
- Karyashala:    2-4 Hrs Workshop
- Desi Jugaad    (Local Hack): 1 Hr

Submition Topics:
------------------------------
1. One of the topics of interest to us is "Desi Jugaad"(Local Hack) and has a separate track of it's own. Submissions can be any kind of local hacks that you have worked on (hints: electronic/mechanical meters, automobile hacking,  Hardware, mobile phones, lock-picking, bypassing procedures and processes, etc, Be creative  :-D)

2. The topics pertaining to security and Hacking in the following domains(but not limited to)
- Hardware (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices, Electronic Devices)
- Tools (open source)
- Programming/Software Development
- Networks
- Information Warfare
- Botnets, Malware
- Web
- New attack vectors
- Mobile, VOIP and Telecom
- VM
- Cloud
- Critical Infrastructure
- Satellite
- Wireless
- Forensics
- Cyber Laws

Submission Format:
------------------------------
Email the cfp to: cfp(_at_)nullcon.net
Subject should be: CFP Dwitiya
Email Body:
- Name
- Handle
- Track & Time required
- Paper Title
- Country of residence
- Organization
- Contact no.
- Have you presented/submitted this talk at any other conference(s)?
- Why do you think your paper is different/innovative?
- Brief Profile ( <= 500 Words)
- Paper Abstract ( <= 3000 Words)

NOTE: The Abstract should clearly mention the techniques and hacks in
detail and merely mentioning that it works will not help in
understanding the research to it's full extent.


Important Dates:
------------------------------
CFP End Date:         30th November 2010
Speakers List Online: 10th December 2010
Conference Dates:     25th - 26th February 2011


Venue:
----------------
Goa, India
(Exact Venue TBD)


Speaker Benefits:
------------------------------

hhttp://promo.pearsonitcertification.com/pages/start/plp-webcast-home/index.html?Campaign_Id=262&Activity_Id=212

Kevin Wallace, expert trainer and best-selling author of the CCNP TSHOOT 642-832 Official Certification Guide and Network Troubleshooting Video Mentor, takes you on a tour of a troubleshooting scenario that is typical of what you might see on the CCNP TSHOOT exam. Kevin walks you through an HSRP trouble ticket. You will review the theory of HSRP followed by a live troubleshooting demonstration and concluding with a Q&A session.

Join us for this Free Pearson IT Certification / Cisco Press Webcast to gain unique insight into what you can expect on the CCNP TSHOOT exam!  Register Now. Hope you can attend!

~Jamie

Jamie Adams, Senior Publicist

Representing technical brands of Pearson in networking technologies (IP Com, network security, storage), and all certifications including Cisco®, Microsoft and CompTIA.

Office: 317-428-3012

Twitter: @ciscopress, @pearsonitcert, and @jamieadams76

Facebook: facebook.com/ciscopress and other Pearson brands at informit.com/socialconnect.

LinkedIn: www.linkedin.com/in/msjamieadams.

To Security Professionals – Important Request:

In case you did not know, I am a Founding Member of the CompTIA Security+ Cornerstone Committee.  I am writing this blog to ask if you would complete an important survey because of your expertise in information security. CompTIA is developing a new advanced security certification exam to follow CompTIA Security+ (or equivalent experience) and we are seeking your input on the exam objectives. We hope you’ll appreciate how important your input is to the development of this certification, and ultimately to those who follow you in their security careers.  Personally, I am excited by the cutting-edge objective set of the intended certification:  It is up-to-date and pragmatic.  It includes (speak of the devil) objectives related to:

• Security and Social Media
• Virtualized Desktops (VDI)
• Insider Threat
• 802.1x
• Fuzzing
• And a plethora of deep, technical, scary stuff!

To begin this approximately ten-minute survey, please go here:  https://s-xut5m-345723.sgizmo.com
In appreciation for your time and participation, CompTIA is giving away a CompTIA T-shirt to every 10th person who completes the survey.

CompTIA values your privacy. Results are completely anonymous and the data will only be viewed in the aggregate. Please complete by September 8, 2010.
Thank you very much for your participation.

Please contact research_at_comptia.org if you experience any technical difficulties with the survey.

Go ahead:  support the community and get a free T-Shirt!

Barry Kaufman, CISSP, CEH, MCSE, ITILv3