Sunday, November 11, 2012

Pros and Cons of Information Security Certifications

This week we discussed, among other things, job descriptions and certifications.  We all had our own views about available certifications.  It is apparent that these certifications are often not only desired by employers but required.  While we were discussing this, I ran across the article "Pros and Cons of Information Security Certifications" on the SearchSecurity site.

In this piece they also state that one of the questions they are most frequently asked, by both prospective and currently enrolled students, is which security certifications would be best in order to be competitive in the information security field.  The response to this question is far more complex than one would think, and therefore there is no simple response.  However, the real question students should be asking has more to do with the value that certificates provide for a security professional's career.  There is no Holy Grail of security certifications.  The most important thing for one to do is to understand what certifications represent and what they do not, as well as understanding that certifications have both pros and cons.

One of the more exciting things about information security is that the knowledge in the discipline is constantly and rapidly changing.  This is both positive and negative for the information security profession.  While we get to enjoy an ever-changing landscape, it is also the reason we have to keep our skills and knowledge updated.  Unlike other sciences where challenges are presented by nature, our challenges lie in people.  People can be our adversaries and highly motivated to cause damage.  These highly motivated people need to find only one weakness in order to exploit a system and gain access to any information they desire.  So we need to find those weaknesses and strengthen them.  This is why, when security education in practice is considered, security professionals do not have a straightforward, static reply.  The information security professional's career is dynamic.

So one wonders where certificates fit into all this.  According to this author, certificates should be viewed as a measure of mastery in one's career in the profession of information security rather than as an end.  Security professionals are less dependent on memorization and passing a certification and more dependent on the ability to learn and think independently.  The author feels that professional development in security is much more about continuing one's education and keeping one's skills and knowledge current than about certifications and all the letters they add behind one's name.

This is not to be taken as saying that certifications are not important.  Certifications have a place.  For some, a certification provides motivation to learn something new, while the eventual completion of the test gives them visual verification of what they have learned.  Certifications can also be used for measurements in employment.  In some cases, employees can earn more money by earning certifications.  In some cases, employers require certification as a condition of employment.  Many of these certifications require periodic renewals as well as continuing education in order to maintain them.

The best certification to get is the one that will help one continue to learn and stay current on what is happening in the security realm.  It is best to always keep in mind that a certification is a milestone, not the end of the road.

Reference



Jacobson, D. a. (Unknown). SearchSecurity - Pros and Cons of Information Security Certifications. Retrieved from techtarget.com: http://searchsecurity.techtarget.com/opinion/Pros-and-Cons-of-Information-Security-Certifications
 




Sunday, November 4, 2012

South Carolina's Recent State Tax Return Breach

So, this week's reading discussed firewalls and encryption.  Very ironic considering the piece seen on the MSN front page on Wednesday afternoon.  "Data Breach Targets 3.6M taxpayers" the headline screamed from the screen.  Naturally, being inquisitive as I am, and considering my current degree pursuit, I had to click on the headline and get the details.  As I read, I had to shake my head.

Apparently, citizens who have filed a South Carolina tax return anytime since 1998 are at risk of having their identity stolen.  Hackers accessed the state Department of Revenue server in August of this year and accessed 3.6 million Social Security numbers and 387,000 debit and credit cards.  Five thousand of those debit and credit cards were expired, and the Department claims that the rest were expired.

However, the 3.6 million Americans who had their Social Security numbers stolen will have to monitor their credit for many years to come.  These people include children who do not even know what a Social Security number is, yet they may end up learning the hard way because of this breach. 

Apparently hackers like to target state and local governments that are either unwilling or unable to sufficiently secure their information.  From late September through mid-October of this year, damaging hacks were reported by the City of Burlington, WA, the Centers for Medicare and Medicaid Services in Baltimore, MD, the Town Council of Chapel Hill, NC, the Robeson County Board of Elections in Lumberton, NC, the Brightline Interactive, Army Chief of Public Affairs office in Alexandria, VA, the City of Tulsa, OK, and the town of Willimantic, CT, and these are just the entities that have willingly disclosed breaches.

Only one in four state Chief Information Security Officers nationwide report that they are confident in the ability of their state to protect its data against an external cyberattack.

In the South Carolina instance, the State has negotiated a $12 deal with Experian in order to provide the affected people who sign up a free year of credit monitoring and a lifetime of fraud resolution, with personalized assistance if an account is opened in their name.  This offer also applies to children who have been affected.

Of course, the State has recommended that victims immediately begin to monitor their credit reports and their bank and credit card accounts for any suspicious activity.

I just begin to wonder, with this occurring over and over, when government entities and businesses will realize how at risk their data is.  Information security seems to be the last thought and the last place anyone wants to invest money, giving hackers the opportunity to ruin the everyday man's credit.

References



Datko, K. (2012, October 30). MSN Money. Retrieved from msn.com: http://money.msn.com/saving-money-tips/post.aspx?post=99d34310-0d33-44f2-9981-b2dc18667074