A Security Skills Test

FRAMINGHAM (07/17/2000) - My wife doesn't let me do any electrical work around the house. Smart woman. Despite my engineering degrees from Cornell and MIT and my professional engineer's license, I don't have the requisite knowledge to be a competent electrician. I've never been trained to do that type of work; I don't know the accepted practices or where hidden dangers lie. If I were to claim such expertise and take responsibility for electrical systems, I could hurt or kill people.

Unskilled computer security people also do harm. They hurt their organizations by allowing others to steal credit-card information and other important data or to put the computer-based parts of their organization out of business for short or long periods of time. And they can damage other organizations.

The recent distributed denial-of-service attacks on sites such as eBay Inc. and Yahoo Inc. were directly enabled by security mistakes almost certainly made by unskilled systems administrators at the University of California at Santa Barbara and other universities and institutions.

Similarly, unskilled information security officers are taking responsibility for managing the security of major systems. Because they don't know how to secure them, they create policies that no systems administrator can implement and then blame the administrators when security is breached.

Neither systems and network administrators nor information security officers have been asked to prove that they know how to secure their Internet-connected systems. And they haven't been given the time to train for their jobs. Without the confidence that builds with adequate training, they're uncomfortable demanding the resources needed to keep systems safe. They go along day to day telling management that everything looks OK, all the while holding their breath.

It's time to stop the charade.

The first person to publicly describe the damage being done by untrained security people was Stephen Northcutt, who headed information warfare at the U.S. Ballistic Missile Defense Organization and now heads the SANS Institute's Global Incident Analysis Center. For the past year, Northcutt and a team of global security leaders have collaborated to identify the minimum necessary skills - what they call "security essentials." One of his team leaders provided a set of sample questions that organizations can ask their information security officers and systems administrators to determine whether they have the essential skills necessary to be considered minimally qualified for the most basic sysadmin and security jobs:

1. Which of the 10 most critical Internet security vulnerabilities as published by the FBI and SANS (see are present on each of your Internet-connected computers? Why is each one dangerous? The answers will help determine whether the person knows what the biggest security threats are and whether those threats affect his organization.

2. What specific events are and are not being audited on each system? What tool is monitoring and analyzing the audit logs? What has it found in the last 24 hours? This helps determine whether you have an ongoing security monitoring activity.

3. When was the last time you checked the system backups to be certain they restored files accurately? How frequently is each system backed up? If you were called in during a security emergency, would you be able to do a backup to retain the data for later analysis? This verifies that the person knows and acts on the knowledge that the greatest damage from security incidents is often a loss of information that could have been avoided had backups been current and uncorrupted.

4. What protocols and ports are being blocked by the firewall for both incoming and outgoing traffic? Is that sufficient? This verifies that the person has an understanding of basic perimeter protection.
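One way to turn question 3 into a repeatable check, as an added example that is not from the column or from the SANS team: back the directory up, restore the archive into a scratch directory, and compare a SHA-256 manifest of the original tree against the restored one. The sample files, the archive names and the deliberate truncation of one archive are all constructed for the demonstration; the script assumes POSIX sh with GNU-style tar and sha256sum.

```shell
#!/bin/sh
# Added example (not from the column): a restore test for a backup.
# A backup that has never been restored is an untested backup. This script
# backs up SRC to ARCHIVE, restores ARCHIVE into a scratch directory, and
# compares SHA-256 manifests of the two trees. Only a byte-identical restore
# passes; a truncated or corrupt archive, or a file that changed since the
# backup was taken, fails.

set -u

# make_backup SRC ARCHIVE : gzip'd tar of SRC, paths relative to SRC's parent
make_backup() {
    src=$1; archive=$2
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
}

# manifest DIR : "hash  ./relative/path" for every regular file under DIR, sorted
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# verify_backup SRC ARCHIVE : restore ARCHIVE and compare it with SRC.
# Returns 0 on an identical restore, 1 on any mismatch or unreadable archive.
verify_backup() {
    src=$1; archive=$2
    scratch=$(mktemp -d) || return 2
    # A corrupt or truncated archive fails here, before any comparison.
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        rm -rf "$scratch"; return 1
    fi
    restored="$scratch/$(basename "$src")"
    if [ "$(manifest "$src")" = "$(manifest "$restored")" ]; then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# demo : constructed sample tree, one good backup and one deliberately
# truncated backup (simulating a bad tape or a half-written file).
# Returns 0 if the good backup verifies and the bad one is rejected.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/data/etc"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$work/data/etc/passwd"      # constructed
    printf 'ListenAddress 0.0.0.0\n' > "$work/data/etc/sshd_config"     # constructed
    make_backup "$work/data" "$work/good.tgz"
    if verify_backup "$work/data" "$work/good.tgz"; then good=0; else good=1; fi
    # keep only the first 40 bytes of the archive: an unreadable backup
    dd if="$work/good.tgz" of="$work/bad.tgz" bs=1 count=40 2>/dev/null
    if verify_backup "$work/data" "$work/bad.tgz"; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

if demo; then
    echo "restore test passed: good backup verified, corrupt backup rejected"
else
    echo "restore test FAILED" >&2
fi
```

Run it from cron against a real backup set and alert on a non-zero exit; the date of the last successful run is then the answer to "when did you last check that the backups restore accurately".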

These aren't the only questions that will determine the knowledge and skills of sysadmins and security professionals, but they can serve as an early-warning system to identify dangerous skills shortages. Though IT managers may not be able to secure systems themselves, they can be held responsible for ensuring that the people they hire are minimally qualified.

Paller is research director at the SANS Institute in Bethesda, Md. Contact him at