Certification and Compliance Don’t Make You Secure

Security > Certification + Compliance

Certification and compliance can play a role in security. They may be part of security, but they do not guarantee it. Put another way, they might be necessary, at least for regulatory reasons, but they are not adequate on their own.

Passing a certification exam proves that, well, you have passed a certain multiple-choice exam.

Someone came to me with a question about vulnerability scanners.  They were studying for CASP, the CompTIA Advanced Security Practitioner exam. This certification is for people who already have the introductory CompTIA Security+ certification, and have been working for some time in the field. This person wanted a list of vulnerability scanners, something I would expect someone working in this field to know how to find. But I started to answer their question with a URL:

“H-T-T-P, colon-slash-slash, W-W-…”

“Wait, what’s that ‘slash’?  That’s a punctuation mark, right?  Is that a slash or is it a backslash?  Or is it a dash like what you use between words?”

That’s right, someone working on a second cybersecurity certification, in a position working within this field, did not know the format in which a URL is expressed. As Dave Barry often wrote, I swear that I am not making this up.

Then there was the person who asked me how, in a UNIX/Linux family operating system, one might log the event of a user attempting to change into a directory when they did not have the permission to do so. He already agreed with me that collecting and investigating that type of log information was a waste of time and storage: simply configure the system correctly to begin with, and then have something like Tripwire monitor it to ensure that ownerships and permissions remain correct. But it was a compliance issue.

He explained that he had recently been asked by an auditor to show how they were doing this, but he didn’t know if such a thing were even possible.

Yes, it is, but how did you get through that audit?

Well, as a typical system administrator he had several command prompt windows on his display. When the auditor asked, he had switched to another command prompt to check a manual page. However, the one he happened to bring up was one in which he happened to be in the middle of paging through a long, cryptic, and entirely irrelevant network configuration file.

The auditor nodded and said “Mmmm, yes, very good. Now, my next question is …”

That’s right, the auditor had no idea what he was seeing, but it looked adequately complicated. So, the checklist item was satisfied and compliance achieved. I still am not making this up.
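What the administrator in that story was actually asked to show, as an added example that is not from the post: a Linux auditd rule that records permission-denied chdir() calls, and a small report over the resulting audit.log records. The rule syntax is auditd's own; the log excerpt is constructed for the example, and the report function is mine.

```shell
# Audit rule: record every chdir() that fails with EACCES (permission denied).
# Put it in /etc/audit/rules.d/chdir.rules and load with: augenrules --load
# (or apply live with: auditctl $AUDIT_RULE). Then: ausearch -k chdir_denied
AUDIT_RULE='-a always,exit -F arch=b64 -S chdir -F exit=-EACCES -k chdir_denied'

# Constructed audit.log excerpt (not a real capture): on x86_64, syscall=80 is
# chdir and exit=-13 is EACCES. Events 301/302: uid 1001 denied entering /root;
# event 303: uid 1002 denied entering /var/lib/secret; event 304 succeeded and
# event 305 carries a different key, so both must be ignored by the report.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=80 success=no exit=-13 pid=901 auid=1001 uid=1001 gid=1001 comm="bash" exe="/usr/bin/bash" key="chdir_denied"
type=CWD msg=audit(1700000000.101:301): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:301): item=0 name="/root" mode=040700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.150:302): arch=c000003e syscall=80 success=no exit=-13 pid=901 auid=1001 uid=1001 gid=1001 comm="bash" exe="/usr/bin/bash" key="chdir_denied"
type=CWD msg=audit(1700000000.150:302): cwd="/home/alice"
type=PATH msg=audit(1700000000.150:302): item=0 name="/root" mode=040700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.200:303): arch=c000003e syscall=80 success=no exit=-13 pid=955 auid=1002 uid=1002 gid=1002 comm="bash" exe="/usr/bin/bash" key="chdir_denied"
type=CWD msg=audit(1700000000.200:303): cwd="/home/bob"
type=PATH msg=audit(1700000000.200:303): item=0 name="/var/lib/secret" mode=040700 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.250:304): arch=c000003e syscall=80 success=yes exit=0 pid=901 auid=1001 uid=1001 gid=1001 comm="bash" exe="/usr/bin/bash" key="chdir_denied"
type=PATH msg=audit(1700000000.250:304): item=0 name="/tmp" mode=041777 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.300:305): arch=c000003e syscall=257 success=no exit=-13 pid=901 auid=1001 uid=1001 gid=1001 comm="cat" exe="/usr/bin/cat" key="other"
type=PATH msg=audit(1700000000.300:305): item=0 name="/etc/shadow" mode=0100640 ouid=0 ogid=42'

# Summarise denied chdir() attempts from audit.log on stdin as "uid path count".
# Joins each SYSCALL record with its PATH record via the shared event id (the
# number after the colon inside msg=audit(...)).
denied_chdir_report() {                # usage: denied_chdir_report KEY < audit.log
  awk -v key="$1" '
    { match($2, /:[0-9]+\)/); id = substr($2, RSTART + 1, RLENGTH - 2) }
    $1 == "type=SYSCALL" && /success=no/ && index($0, "key=\"" key "\"") {
      for (i = 3; i <= NF; i++) if ($i ~ /^uid=/) uid[id] = substr($i, 5)
    }
    $1 == "type=PATH" && (id in uid) {
      for (i = 3; i <= NF; i++) if ($i ~ /^name=/)
        n[uid[id] " " substr($i, 7, length($i) - 7)]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | denied_chdir_report chdir_denied
# 1001 /root 2
# 1002 /var/lib/secret 1
```

On a live system, `ausearch -k chdir_denied` produces the same record types, so the report can be fed from `ausearch -k chdir_denied --raw` instead of the constructed excerpt.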

International auditing standards do not guarantee anything. CA reported a survey in which IT managers claimed ISO 27001 compliance but simultaneously admitted to bad practices, such as sharing administrator accounts between users and granting broader privileges than needed. They keep moving the URL, so search Google for:
pdf privileged user management it's time to take control

Real security requires administrators with the needed knowledge and skill, and full awareness of and adherence to best practices (which means documentation thereof). You can get some knowledge in a three to five day course, but true skill takes time and experience on your own keyboard.

Think of it this way — the rules of tennis are simple enough that you could learn them in an afternoon.  But that doesn’t make you a championship player.

Learning Tree’s Linux server administration course shows you how to set up that file system auditing, and the Cloud Security Essentials course discusses regulatory compliance. Getting to the U.S. Open and learning vi are up to you.

Bob Cromwell
