CompTIA certifications for IT professionals. Part 4 of 7. CompTIA Security+



Pashkov Kuzma - Lead InfoSec, EMC trainer @ training.muk.ua/courses/security

0. Information security as an activity

I got my first significant experience in the field of information security (hereinafter infosec) in the early 2000s, in the information protection tools development laboratory of one of the largest system integrators in the North-West of Russia. The laboratory provided the full cycle of creating automated systems in protected configuration: starting with research and development, continuing with serial production of protection systems, and ending with the organization of their warranty service.

The systems were intended for use with both commercial and state secrets, so they had to pass mandatory certification / testing for compliance with a security class / level. The professional core of the laboratory staff consisted of graduates of the country's best military higher educational institutions (the Military Space Academy named after A.F. Mozhaisky and the Military Academy of Communications named after S.M. Budyonny), such as Vladimir Zima and Victor Sohen. At the same time, students in the field of "information protection", like me, were brought into the laboratory's work as trainee engineers.

The systems were built on Hewlett-Packard hardware, Microsoft software and information protection tools from NPC Informzaschita. The customer placed strict demands on the qualifications of the contractor's personnel, so the laboratory management allocated a budget for training and certification. While everything was obvious with the authorized courses and vendor certifications (HP, Microsoft, Informzaschita), there was uncertainty about the minimum set of knowledge and skills required in information security.

Applicants for engineering positions showed widely varying levels of training in information security, so the management made a firm decision to use the vendor-independent CompTIA Security+ certification as an entry requirement. The choice was obvious: there was no national equivalent of this certification, and the CompTIA A+, Network+ and Server+ statuses were already successfully used by other divisions of the integrator in recruiting and training personnel. So I began to prepare for my first certification in information security.

1. Getting acquainted with the certification

Information security sits at the junction of a number of sciences, and because of the explosive growth of risks it is also a dynamically developing scientific discipline. That is why the task of defining the minimum set of knowledge and skills in information security requires a systematic approach, with continuous analysis of the state of the information technology market and regular adjustment of this set.

For more than 13 years, the largest operator of vendor-independent certifications, the Computing Technology Industry Association (CompTIA), under the supervision of the American National Standards Institute (ANSI), has successfully solved this problem in accordance with the ISO / IEC 17024 family of open standards for training and certification.

Over the years, the Security+ certification has redefined its set of knowledge and skills on the basics of information security 4 times. The first iteration was a computer-based test with code SY0-101; I passed it as a novice design engineer at a Prometric testing center, paying $250 per attempt. In 2015, at the time of this writing, the 4th version of the test, with code SY0-401, is current; I passed it too, out of professional interest, as the instructor of my own preparation course for this certification.

Exam SY0-401 consists of 100 questions in English, lasts 90 minutes (plus 30 minutes for non-native speakers), and tests both theoretical knowledge and practical skills in 6 domains (topics):

1) network security
2) compliance and security operations
3) threats and vulnerabilities
4) application, data and host security
5) access control and identity management
6) cryptography

The extensive list of requirements for exam candidates can be summarized as follows:

- knowledge of the fundamental principles of developing and implementing a set of measures to manage information security risks;

- knowledge of reference information about well-established policies / standards / procedures for information security, the features of safe use of modern information technologies, vulnerabilities and a general understanding of the associated attacks;

- practical skills in using publicly available information security tools that implement the discretionary (in Windows / Linux operating systems) and role-based (in business applications) access control models.

2. Method of preparation

For those who did not study in my specialty and have no experience in information security, but do specialize in information technology, I strongly advise obtaining, or at least preparing for (without necessarily taking the exams), the CompTIA A+, Network+ and Server+ certifications; they are listed among the prerequisites for Security+ candidates.

As for me, studying at a higher education institution in the specialty "Information Security" gave me an understanding of the fundamental principles of ensuring information security, and working in a team of design engineers who put protection systems into serial production made it possible to apply this understanding in practice to solve applied problems. Therefore, I will try to describe the most obvious principles for each domain:

1) network security: the concept of network perimeter and the implementation of control functions at its points; control of access to the organization’s data transmission medium and data protection in the course of transmission over communication channels;

2) compliance and operational security: laws and regulators as the main sources of protection system requirements; organizational, administrative, design / operational documentation;

3) threats and vulnerabilities: sources of threats and their features; quantitative and qualitative risk assessment;

4) security of applications, data and hosts: options for decomposing an automated system and implementing control functions over its results;

5) access control and identity management: the essence of control; the access attribute lifecycle and privilege management;

6) cryptography: the problems of using symmetric / asymmetric cryptography and methods for solving them; public key infrastructure.

Video courses (computer-based training, CBT) may help you grasp these principles; they can be found in search engines by the names of their leading developers worldwide, for example Pluralsight (formerly CBT Nuggets), and also by the names of certification statuses and exam codes. Bruce Schneier's book Applied Cryptography, Security of Global Network Technologies by Vladimir Zima, and completing the authorized Microsoft course 2821, Designing, Deploying and Maintaining a Public Key Infrastructure Based on Windows Technologies, helped me very much. That course is still taught with success in the leading training centers of Moscow and Kiev.

While I had no problems understanding and applying the principles in 2003, there was a definite gap in my reference knowledge of the features of various closed and open protection technologies. Even now, with more than 10 years of experience teaching a variety of IT courses, technologies like Kerberos, RADIUS / TACACS+, etc., the specific names of policies and standards, and the characteristics of American cryptographic algorithms still require me, at a minimum, to concentrate, re-read the literature and refresh my memory before taking the exam.

Therefore, following the established tradition, one has to engage in intensive self-study with the help of self-training textbooks from the world's leading publishing houses on IT / infosec topics: Wiley, Sybex, Syngress, Microsoft Press, etc.

By searching for the name of the certification status together with phrases like "study guide", for example "CompTIA Security+ exam study guide", in search engines and subject forums such as www.certification.ru, you can easily find 2-3 books by different authors and familiarize yourself with different approaches to preparation. The textbooks are overwhelmingly in English, so be sure to brush up your technical English.

Practical skills in using publicly available information security tools are fairly easy to obtain if you have a lab environment and a set of laboratory exercises that match the exam description. The lab can be assembled on cheap hardware using free or shareware hypervisors (Oracle VirtualBox, Microsoft Hyper-V, VMware ESXi, etc.) as a set of virtual machines with various operating systems and business applications. For detailed instructions on building it, and for the laboratory workshop itself, look in the self-study guides mentioned above.

Also, do not forget that every attempt to pass the exam is paid (now around $266), so it is worth "drilling yourself" in paid testing systems (Boson, TestOut, MeasureUp, etc.) with a pool of exam-level questions that emulate what happens in the real exam. In search engines and subject forums like www.certcollection.org you can always find these testing systems by exam code.

Having achieved a consistently high percentage of correct answers (> 90%), one can hope to pass the exam on the first attempt in the actual testing system of Virtual University Enterprise (www.vue.com) or Prometric (www.prometric.com).

The first time, I spent 2 months preparing in my free time (I did not interrupt my studies at the university or my work); after 10 years of continuous work in my specialty, it took me 3 weeks. Draw your own conclusions.

3. Result

In 2003, passing this exam granted Security+ status for life; now it is granted for 3 years, and to extend it you are required to regularly confirm to the CompTIA operator that you keep your qualifications up to date under the Continuing Education program.

4. Prospects

Security+ is a convenient starting point in the career of an information security specialist and is credited both toward engineering certifications on the information security tools of leading manufacturers (Microsoft, RSA, IBM, Cisco, etc.) and toward expert vendor-independent certifications from ISACA, (ISC)², EC-Council and others.

Also, for those who have not read the other articles in the CompTIA certification series, I remind you that many American universities count CompTIA certification toward undergraduate / graduate programs as well as additional professional education, saving time and money on training.

5. The story continues

The subsequent transition to a managerial position, attempts to manage a team of engineers, the need to justify costs, and personal responsibility for the actions of subordinates and for work deadlines forced me to quickly come to grips with project management methodology. But that is the story for the next article, whose topic is the CompTIA Project+ certification.

I look forward to questions about CompTIA training and certification at PashkovK@muk.com.ua

CompTIA certifications for IT professionals. Part 1 of 7: CompTIA A+
CompTIA certifications for IT professionals. Part 7 of 7. CompTIA CTT+ (Certified Technical Trainer)

Source: https://habr.com/ru/post/253353/