All network administrators should have some security basics in their toolkit, but there is also growing need for dedicated Windows 2000 security admins.
Windows 2000 network security administrator
Network security analyst, security specialist
The security administrator's job is twofold: to proactively prevent network security breaches, including intrusions, viruses and compromises to corporate data, and to detect and react to security incidents. Beyond securing the machines themselves, the security admin must also be concerned with processes surrounding data protection and access.
Security administrators should have prior network or systems administration experience. In the Windows 2000 network environment, they must have a solid command of Active Directory and proficiency in deploying bug fixes and security patches, says Stephen Northcutt, director of the Global Incident Analysis Center (GIAC) at the SANS Institute in Baltimore.
They should also have a good grounding in server software running on top of the OS, such as Microsoft Internet Information Server, Microsoft Exchange, Lotus Notes/Domino, etc., as well as any operating systems that may co-exist in the Windows 2000 environment, such as Windows NT, Sun's Solaris or Linux. Previous software testing experience is useful as are other technical skills, such
Troubleshooting, problem-solving, logical thinking and communication skills are also essential, adds Jeffrey Carpenter, technical manager at the CERT Coordination Center, in Pittsburgh, a security incident response center. "Usually you have a set of symptoms or conditions and you have to diagnose a cause," Carpenter explains. "In some logical, thoughtful way you have to assess, 'What are probable causes that could result in this?'"
For example, with the recent Anna Kournikova virus, security admins had to arrive at an understanding of what the virus actually does and what the effect of it was. "You have to do that through observation and collaboration with others; you have to come up with theories and figure out which is probably right and which is not," he says.
Certification is highly recommended for security administrators -- and the MCSE isn't enough. A number of vendor-specific programs are available, but an independent, vendor-neutral certification will ensure the most thorough training. Options include (in alphabetical order):
- Brainbench Inc.'s Internet Security and Network Security Exams
- Information Systems Audit and Control Association's Certified Information Systems Auditor (CISA) Program
- International Information Systems Security Certifications Consortium Inc's (ISC2) Certified Information Systems Security Professional (CISSP) Program and Certified Systems Security Practioner (CSSP) Program (information is available from ISC2 in hard copy only; a FAQ is available here.
- Learning Tree International's System and Network Security Certified Professional Program
- ProSoftTraining.com's Master Certified Internet Webmaster (CIW) Administrator/Security Professional Series
- SANS' GIAC (Global Incident Analysis Center) Training and Certification Program
Typical day on the job:
In proactive mode, on a day when there are no incidents, security administrators read the daily security alerts, (Northcutt recommends the SANS Alert www.sans.org, the CERT newsletter www.cert.org and Bugtraq www.securityfocus.com.), download and test preventative patches, establish incident recovery procedures, and run through intrusion detection processes.
When an incident is detected, they must go through an established incident handling process for clarifying the problem and its cause, fixing it, and restoring the system. Northcutt recommends following established best practices for incident handling, such as those used by GIAC or CERT.
Career path options:
Security experts are in such high demand that consulting is a definite option. Staying within the corporate fold, options include moving up the management ranks in security and network infrastructure, shifting focus from physical network security to customer/data privacy, or applying security expertise in other network, infrastructure or operations roles, such as network architect or director of operations.
As corporate networks extend across the Internet, there is no debating that demand for security administrators will grow. What is up for debate is whether the security role should be separate from the network administrator's role.
Many IT organizations assign the security function to network administrators. But, the number of new security incidents is growing at such a rapid rate that it is difficult for network admins to keep up with all the new information and still perform their regular duties, Northcutt says.
For example, in February GIAC detected a new Windows NT exploit that enables intruders to store illegal software -- such as pirated software or child pornography -- on NT servers and effectively hide it from the NT administrator. Northcutt says security experts are still researching how intruders exploit the NT OS, but have found that once an intruder is in, a technique called "rootkitting" grabs space on the server. "Dealing with these (exploits) requires fairly specialized skills. The best solution is to have one or two dedicated security administrators who are part of your network administration group."
Security administrators earned an average of $63,598 in 2000, according to a survey of 7,038 network and systems administrators by the SANS Institute. Security consultants earned the highest pay, averaging $79,395, while security auditors' salaries averaged $71,404.
Best types of companies to work for:
Many smaller companies are outsourcing network security, so ISPs and ASPs are prime spots for security administrators. In terms of salaries, the biotech and pharmaceuticals, aerospace, computer and software, network services and banking industries are the leading contenders, according to the SANS Institute salary survey.
This was first published in March 2001