CompTIA Addresses Need for Security Professionals

Posted on
Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone

CompTIA Ensures the Foundation-Level Security Knowledge of IT Workers


Surely by now you’re familiar with CompTIA’s vendor-neutral, foundation-
level certifications (A+, Network+, Server+, etc.). The newest
certification in CompTIA’s stable has been dubbed Security+. And to
catch up with demand for IT pros with foundation-level security
knowledge, CompTIA has accelerated development of the new exam.



Development of the Security+ exam is in progress. The process, Fran
Linhart, director of certifications for CompTIA, said, consists of a job
task analysis, focus groups in the Americas, Europe and the Pacific Rim,
item writing and review and beta testing. The cornerstone committee,
including members involved in the IT industry, government, training and
academia, has not finalized the exam objectives yet, but when it does,
more information will be posted on CompTIA’s Security+ Web site, at  



The Security+ beta exam is expected to be offered late in the third
quarter of 2002, which is three to six months ahead of the typical
development schedule for a CompTIA certification. The actual exam should
be available before the end of 2002.



In the meantime, CompTIA is looking for subject matter experts (SMEs)
around the world to aid in the development process. There are a number
of ways to help, including participation in the focus groups, writing
exam items and taking the beta exam. Security+ SME candidates should



* High-level knowledge of networking fundamentals.

* Three or more years of experience working in technical and
security-related job roles.

* On-the-job or formal security-related training or certifications.

* Expert-level knowledge in at least one of the following:
fundamental network defense, network countermeasures, network
auditing/vulnerability analysis, intrusion detection, incident
reporting, viruses, user authentication, smart cards, privilege
management, firewalls, remote access, operating system security,
patch installation, virtual private networks, wireless network
security, wireless device security, public key infrastructure,
digital certificates, cryptography, biometrics, forensics,
security policy and/or security law.



For more information on the new certification, or to find out more about
participating as a SME, visit


Report: Hybrid Threats and Vulnerabilities Will Continue to Threaten



Internet Security Systems (ISS), a provider of information protection
solutions, released the Internet Risk Impact Summary (IRIS) report for
the first quarter of 2002. The report illustrates cyber-attack trends
based on monitored security devices, actual attacks detected and
research on vulnerabilities.



IRIS was developed by the X-Force, ISS’s security research organization,
and includes information from more than 350 network- and server-based
intrusion detection sensors monitoring networks on four continents. Also
included in the report is data from more than 400 managed firewalls, X-
Force research and information gleaned from interaction with government,
industry and academic sources.



According to the IRIS report, the average “AlertCon” risk level for the
first quarter of 2002 was 1.5 out of 4, which means that an unprotected
network device would be compromised in less than a day after it is
connected to the Internet.



The most significant online risk comes from hybrid threats, including
Nimda and Code Red. These threats combine viral payloads with multiple,
automated attack scripts and take advantage of common computer
vulnerabilities. In the first quarter of 2002, ISS monitored more than
7.5 million hybrid-related attacks.



Other findings include:



* X-Force uncovered and documented more than 537 new vulnerabilities
in the first quarter.

* Hybrid threats and pre-attack reconnaissance together accounted
for more than 80 percent of detected attacks.

* Computer-driven attacks (attacks that use automated scripts that
execute commands according to code instructions) were operating
24×7 from January through March.



In light of some software vendors’ recent claims that they will focus
more on security (e.g., Bill Gates highly publicized e-mail making
security Microsoft’s priority), ISS expects the discovery of
vulnerabilities to decrease. But this decrease will take time, so
vulnerabilities are going to be a problem for “the foreseeable future.”



The complete IRIS report can be found at ISS’s Web site, White papers on hybrid threats and other handy
topics can be found at


Hands-On Training for Self-Studiers



As more and more certification vendors add performance-based elements to
their exams, hands-on training prior to the exam is becoming
increasingly necessary. If you’re enrolled in instructor-led training,
you’re likely to get some hands-on time in the classroom. But
instructor-led training is usually the most expensive way to learn, and
in t
Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone


Posted in Archive|