Training and Certification

Rubel Khan's Blog

Archive for the ‘Security’ Category

MCSA Recertification Meets Growing Requirements for Security Specialization

Posted by Rubel Khan on December 20, 2009

Stay current with exam 70-699: Windows Server 2003, Microsoft Certified Systems Administrator (MCSA) Security Specialization Skills Update. MCSA Security Specialization plus recertification demonstrates current status on the latest security-related functions and tasks on Windows Server 2003 and Windows Vista or Windows 7. In 2010, the Department of Defense, among other organizations, will require employees to meet credential requirements accredited by the American National Standards Institute (ANSI) or an equivalent authorization body.

Posted in MCSA, Security, Windows Server

New Course 6407B: First Look: Getting Started with Security and Policy Control in Windows Server 2008 Hands on Lab

Posted by Rubel Khan on November 12, 2009

This one and one-half hour lab provides hands-on experience with the following security and policy enforcement functionality in Windows Server 2008: Security Enhancements in Windows Server 2008 and Network Access Protection in Windows Server 2008.

Posted in Security

Security Learning Path: Planning Security into Your Cloud Strategy

Posted by Rubel Khan on October 19, 2009

Security in the cloud must marry the capabilities of the outward-looking Web (reach, customer interaction) with the inward-looking requirements (data retention, security, employee productivity) of an organization. Use this learning path to find out how to flexibly deploy an application on-premises or in the cloud, or both, and learn what you can do to help the business attain its goals of flexibility, usability, and security.

Learning Path http://technet.microsoft.com/en-us/security/ee519613.aspx

Posted in Security

Windows Azure Platform Training Kit

Posted by Rubel Khan on October 19, 2009

The Azure Services Training Kit includes a comprehensive set of technical content including hands-on labs, presentations, and demos that are designed to help you learn how to use the Windows Azure platform including: Windows Azure, SQL Azure and .NET Services. The October release includes new videos and labs in addition to VB code snippets and updated content for SQL Azure October CTP.

This training kit contains the following content:

Presentations

  • Azure Platform Overview
  • What is Windows Azure?
  • Windows Azure Storage Overview
  • Introduction to Windows Azure
  • Building Services using Windows Azure
  • Introduction to SQL Azure
  • Building Applications using SQL Azure
  • Scaling Out with SQL Azure
  • Introduction to .NET Services
  • Building Applications Using the .NET Service Bus

Demos

  • Deploying Windows Azure Services
  • Hello Windows Azure
  • Windows Azure Guestbook Demo
  • Windows Azure Logging and Configuration Demo
  • Windows Azure using Blobs Demo
  • Windows Azure Worker Role Demo
  • Windows Azure Using Queues Demo
  • Windows Azure Using Tables Demo
  • Preparing your SQL Azure Account
  • Connecting to SQL Azure
  • Managing Logins and Security in SQL Azure
  • Creating Objects in SQL Azure
  • Migrating a Database Schema to SQL Azure
  • Moving Data Into and Out Of SQL Azure using SSIS
  • Building a Simple SQL Azure App
  • Scaling Out SQL Azure with Database Sharding
  • .NET Services Service Bus Direct Connection Demo
  • .NET Services Service Bus webHttpRelayBinding
  • .NET Services Service Bus Publish and Subscribe
  • .NET Services Service Registry
  • .NET Services Service Bus NetOneWayRelayBinding

Hands On Labs

  • Building Windows Azure Services
  • Windows Azure Native Code
  • Windows Azure and PHP
  • Getting Started with Windows Azure Storage
  • Using Windows Azure Tables
  • Building ASP.NET MVC Applications with Windows Azure
  • Building ASP.NET Web Form Applications with Windows Azure
  • Migrating Applications to Windows Azure
  • Introduction to SQL Azure
  • Migrating Databases to SQL Azure
  • Building Your First SQL Azure App
  • Introduction to the .NET Service Bus
  • Building Hybrid Applications

Samples and Tools

  • Windows Azure MMC
  • PhluffyFotos
  • Bid Now
  • Contoso Cycles

Download from: http://www.microsoft.com/downloads/details.aspx?FamilyID=413E88F8-5966-4A83-B309-53B7B77EDF78&displaylang=en

Posted in Security, Windows

Free Anti-Virus Software from Microsoft (Security Essentials)

Posted by Rubel Khan on September 30, 2009

http://www.microsoft.com/security_essentials/ 

About Microsoft Security Essentials

Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.

Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

Posted in Essentials, Security

School is in: 7 computer security tips for students

Posted by Rubel Khan on August 20, 2009

These tips can help protect the computers you use for school from viruses, hackers, spyware, and other attacks.

1. Perform basic computer safety maintenance

Before you surf the Web, you should perform three key maintenance steps to help improve the computer’s security. Visit Protect your computer in 4 steps and follow the steps online to:

Use an Internet firewall.
Update your computer.
Use up-to-date antivirus software.
Use up-to-date antispyware software.

2. Don’t open files from strangers

E-mail and instant messaging (IM) can spread viruses and worms if you aren’t careful. (Most e-mail viruses are spread by people who are tricked into opening an infected file.)

You should never open a file attached to an e-mail or an instant message unless you recognize the sender and you are expecting the file.

For more information on helping to avoid viruses, visit Help avoid viruses that spread through e-mail attachments, and Instant messaging safety and privacy tips.

3. Help fight spam and online scams

You can use technology to help keep junk e-mail from deluging your screen. To see how, read Help keep spam out of your inbox.

Phishing is another threat to your privacy that could lead to the theft of your credit card numbers, passwords, account information, or other personal data. To learn more, read Recognize phishing scams and fraudulent e-mails.

4. Learn how to protect yourself from spyware

If your Web browser has been taken over by pop-up ads, or there are toolbars on your computer that you didn’t download intentionally, your computer might be running spyware.

Spyware is software that collects personal information from you without first letting you know what it’s doing, and without asking for your permission.

You might get spyware if you download music or file-sharing programs, free games from sites you don’t trust, or other software programs from a suspicious Web site.

If your computer is running Windows Vista you have spyware protection built-in. Learn more by reading What is spyware?

5. Take precautions when you go wireless

Many high school and college campuses have wireless networks, so you can surf the Web in the library, cafeteria, or a classroom.

These networks are convenient, but they do come with a security risk. If you set up your own wireless network at home or in your dorm room, read Windows Vista Features Explained: Wireless Networking or Improve the security of your wireless home network with Windows XP and pay special attention to the section on wireless network security. Also read Use public wireless networks more safely to get more tips on WiFi security.

6. Password protect your computer—and lock it

Passwords are the first line of defense in protecting your computer from criminals, pranksters, or a careless roommate. If you don’t use a password to log on to your computer, anyone can access your computer and unlock it.

Use our tips for building stronger passwords now, and be sure to lock your computer when you’re not using it.

(To “lock” your Windows computer, hold down “Windows logo key + L.” Follow the instructions on the screen to unlock your computer when you’re ready to use it again.)

7. Back up your work

The image of students losing their term papers because they forgot to back up their work has almost become a cliché. Still, many of us don’t have the time to back up.

If you use Windows Vista read Windows Vista Features Explained: Complete PC Backup. If you use Windows XP, you can let the Backup Utility do the work for you. To find out how, read Windows XP Backup Made Easy.

Posted in Security

Learning Path: Security

Posted by Rubel Khan on August 15, 2009

Use this learning path to find out about new tools and security features in SQL Server 2008 to help keep your databases more secure. For example, learn how to create a policy that defines the desired surface area settings, enforce the Windows password policy on your SQL Server accounts, and activate Web Service endpoint authentication.
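Two of the controls named above (password policy enforcement on SQL logins and surface area configuration) can be applied and audited directly in T-SQL. The following is an added example written for this archive, not code from the learning path or from Microsoft; the login name app_reader and the password value are placeholders, and the script assumes SQL Server 2008 on a Windows host, since the password policy that CHECK_POLICY enforces is the host's Windows policy.

```sql
-- Added example (not from the learning path or the blog): T-SQL that applies
-- two of the SQL Server 2008 security controls named above.
-- Assumptions: the login app_reader is hypothetical; the password is a placeholder.

-- 1. Enforce the Windows password policy (complexity, lockout, expiration) on a SQL login.
--    Logins created with CHECK_POLICY = OFF, or migrated from older instances,
--    bypass the policy entirely.
CREATE LOGIN app_reader
    WITH PASSWORD = '<placeholder-strong-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- Bring an existing login under the policy (CHECK_EXPIRATION requires CHECK_POLICY).
ALTER LOGIN app_reader WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Audit: list SQL logins that still bypass the Windows password policy.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 2. Surface area: confirm that risky features are off. These are the same
--    settings a Policy-Based Management surface area policy evaluates.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'remote access', 'Ad Hoc Distributed Queries');

-- Disable one if the audit shows it enabled; advanced options must be visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Run the two SELECT statements on a schedule: a login reappearing with is_policy_checked = 0, or xp_cmdshell flipping back to 1, is the kind of configuration drift a surface area policy is meant to catch.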
 
Use the resources in this learning path to better understand how to approach security issues like dissolving network perimeters, disrupted security models from new technologies like virtualization, and the evolving Web platform.
 
Find out more about the new process template for Microsoft Visual Studio Team System, which is intended to ease adoption of the Microsoft Security Development Lifecycle (SDL), in this Channel 9 interview with Microsoft SDL Program Manager Jeremy Dallman.

Posted in Security

What is Microsoft Security Essentials? What’s happening to OneCare?

Posted by Rubel Khan on July 13, 2009

Today Microsoft unveiled Microsoft Security Essentials, a no-cost beta version of a new kind of hassle-free security software designed for people who don’t want to spend too much time thinking about computer security.

Download the beta.

Sales of Microsoft’s current antivirus software, Windows Live OneCare, will stop in September 2009. If you have a OneCare subscription, rest assured that you will be supported until that subscription runs out. For more information, see Facts about OneCare.

Microsoft Security Essentials is a standalone download for the Windows XP, Windows Vista, and Windows 7 operating systems.

“Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously,” said Amy Barzdukas, senior director of product management for the Online Services and Windows Division at Microsoft.

“This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware.”

Posted in Essentials, Microsoft, Security

Mandatory cyber certification: What good is it?

Posted by Rubel Khan on June 29, 2009

Will mandatory cybersecurity training or licensing make government systems more secure?

Few people would advocate putting cops on the street or soldiers into battle without first giving them proper training. Yet there is no standard governmentwide preparation program required for those who protect the government’s information systems and computer-controlled infrastructure from bad guys intent on mischief or harm.

Whether an obligatory return to the classroom will make a difference in countering those threats is at the heart of a debate spurred by a proposal to license cybersecurity professionals that work for or contract with the government. The mandate is part of an ambitious cybersecurity measure the Senate initiated, and it would affect tens of thousands of information technology workers.

Proponents see the measure as money well spent to improve information security through a more professional, better-trained cybersecurity workforce. But opponents believe mandatory licensing will tie up the industry in red tape and hinder its ability to keep training up-to-date with rapidly changing technology.

The measure, sponsored by Sens. John “Jay” Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would direct the Commerce Department to develop or coordinate and integrate a national licensing, certification and periodic recertification program for cybersecurity professionals.

It would then become unlawful for a person lacking the proper license and certification to provide cybersecurity services to an agency or for an information system or network designated as critical infrastructure.

Opinions about the proposal’s potential impact vary, but the different camps agree on one point: There are still many unanswered questions. For example, people wonder how “cybersecurity services” would be defined. They also speculate on which skills would need certification or licensing and whether using company-based certifications would be the right approach.

There are also questions about enforcement, legal liability, the value of certification versus licensing, and how federal requirements would impact states’ rights and their traditional role in licensing various professions.

The Senate measure would apply to all federal IT systems and any others the president deems critical infrastructure, which could include privately owned assets such as the electric grid.

It wouldn’t be the federal government’s first attempt at demanding proof of training for cybersecurity professionals. The Defense Department has had a mandatory certification — but not licensing — requirement for its information assurance workforce since 2004. The program has certified only one-third of the department’s information assurance workforce so far, and though officials have yet to complete an extensive assessment of the program’s performance, they see signs that it is having a positive impact.

Licenses vs. certifications

The new proposal would affect the entire federal IT industry — from contractors to government employees and the many companies that provide information assurance certification and training.

The use of certification as a tool for hiring, placing and promoting employees is certainly nothing new. However, a mandatory licensing program would be unprecedented, and that proposal has proven particularly contentious.

“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC)² and a former federal information security program manager. (ISC)² is one of numerous organizations that constitute an expansive training and certification industry.

McNulty said he’s not hearing a lot of complaints about the certification requirement, but many people have a problem with the licensing requirement.

During a roundtable discussion on certifications (ISC)² hosted in early June, several participants said the licensing requirement would represent a departure from the state-based approach to validating the qualifications of professionals such as doctors and lawyers.

Federal licensing of cybersecurity professionals “would fly against that principle, and it just doesn’t make a lot of good sense in my opinion,” said John Lainhart, public-sector service area leader for security, privacy, wireless and IT governance at IBM’s Global Business Services. He participated in the (ISC)² roundtable discussion as a representative of the Information Systems Audit and Control Association, which provides cybersecurity training and certifications.

Critics say another problem with licensure and its added layers of federal oversight is that the government’s training and testing programs would not evolve as quickly as industry-driven certification programs.

That would be a significant slowdown for an industry that changes as rapidly as IT does, and could dampen rather than boost the growth of a newly trained cybersecurity workforce, said Dan Liutikas, another roundtable participant and senior vice president, chief legal officer and corporate secretary at CompTIA, an IT industry and training association.

Yet another issue with licensing is what form the testing should take. Alan Paller, director of research at the SANS Institute, a cybersecurity training, certification and research organization, supports the idea of evaluating security professionals’ skills in operational situations, as airplane pilots are tested.

He added that if the government establishes a licensing program for IT security professionals, it shouldn’t belong to the commercial world. “It should be owned by a completely independent organization that isn’t trying to sell something already, and they should not be able to do any training at all — none,” Paller said.

The current state of play

Establishing certification or licensing requirements would force the government to define skill sets and career paths for cybersecurity professionals. Such tracks are common for other government jobs but nonexistent for IT security.

“Everything always points back to the fact that we are calling things apples and oranges and grapes,” said Brenda Oldfield, director of cyber education and workforce development in the Homeland Security Department’s National Cybersecurity Division. “We do not have common terminology across the mission areas. Everything that we attempt to do in developing any plans for training and education of the civilian workforce or of the federal workforce depends upon this common lexicon.”

On that issue, the legislation might be getting ahead of itself, said Patricia Titus, former chief information security officer at the Transportation Security Administration and currently CISO at Unisys Federal Systems.

The Office of Personnel Management still hasn’t designated a job series for IT security professionals, she said. Right now, such workers are categorized as IT specialists, managers or program analysts.

“I think OPM needs to develop an IT security job series, and part of that series then would be the requirements of what the individuals have to do,” Titus said. Those might include certification, appropriate training and relevant job responsibilities, she added.

Oldfield has been working for years to establish a common set of skills for information security professionals in the government. Most recently, that effort has been folded into the education component of the Comprehensive National Cybersecurity Initiative, the multiyear, multibillion-dollar program launched by the Bush administration. Oldfield co-leads the education initiative for DHS in cooperation with DOD.

“We have to be able to validate that cyber professionals have the skills needed, but we have to identify what those skills are uniformly,” she said.

Officials have identified numerous federal documents that specify different IT security competencies that workers should possess. The challenge is to bring them all together. That’s the job of an interagency work group being established to identify critical roles and unify agencies’ training efforts. Such consolidation will also likely produce cost savings by eliminating duplicative efforts.

“Many times there are high-end training classes and laboratory experiences conducted that have empty seats, and they could offer those seats to other agencies if we were comparing apples to apples,” Oldfield said.

DOD’s experience

As experts weigh the potential value of a governmentwide cybersecurity certification or licensing requirement, they are turning to DOD for lessons about how its program has fared.

DOD’s certification requirements cover a spectrum of management and technical information assurance roles for some 90,000 military, civilian and contract employees. Officials created the program in 2004 in response to departmental Directive 8570, released a manual of instructions in 2005 and updated that manual in 2008. Under the program, they identified commercially available, accredited certifications that information assurance employees and contractors need to have to work on DOD systems.

“The idea of a common lexicon that’s provided by these certifications is something that was lacking before,” said George Bieber, director of DOD’s Information Assurance Workforce Improvement Program.

At the launch of the program, Pentagon officials created a working group with representatives from the military services to define the functions or skills the certifications would cover. Then they examined which existing certifications aligned most closely with the desired skills.

DOD’s legal representative originally said they needed to use certifications rather than licensure because the latter is not a federal or DOD function, Bieber said. Officials also decided to take advantage of existing commercial certifications rather than develop custom programs so that employees would have skills they could use in the private sector or at other agencies.

DOD’s program hasn’t moved as quickly as officials had hoped. Their goal was to have about 40 percent of targeted workers certified by now, but only about 30 percent have been. Bieber blamed the shortfall on an aggressive schedule, funding constraints, changing culture and the extra work needed to make changes in supporting systems, such as personnel databases. However, DOD officials still hope to have all 90,000 certifications done by 2011.

Studies conducted by a couple of DOD offices have shown that security seems to improve as more employees are certified. DOD officials are in the process of collecting data to assess the program more broadly.

Bieber said he has heard that certifications help increase a cybersecurity staff’s problem-solving abilities by providing them with a common lexicon when addressing incidents.

“It’s really enabled the security issues to be handled at a lower level, whereas before it was going up,” he said.

The DOD model expanded?

It’s uncertain whether the requirements outlined in the Rockefeller-Snowe bill would expand the DOD model of using commercial certifications or prompt the development of new standards. And experts disagree on which approach is best.

Paller said the way DOD developed its program by surveying commercial certifications was a huge error. He believes a certification program should measure specific skills that people use in specific jobs — something he said DOD’s approach doesn’t do. Rather, it found a lowest common denominator, he said.

“My sense is if we care about this enough to make it a national law, we ought to make it much more technical and much more sophisticated,” Paller said.

However, others see expanding DOD’s approach as the way to go.

Lainhart said DOD’s program, which is based on U.S. and internationally recognized certifications, is preferable.

“Let’s not reinvent the wheel,” Lainhart said. “We’ll achieve a global standard that way by using the certifications that are out there, and I think that’s again consistent with [President Barack Obama’s] cybersecurity policy review.”

Indeed, what will follow from the administration’s recently completed 60-day review of cybersecurity policy could be a big factor in determining the new proposal’s fate.

The reviewers’ report recommends that the federal government initiate a national public awareness and education campaign. It adds that shared training and rotational assignments across agencies — and potentially with the private sector — would be efficient and beneficial. However, the administration hasn’t said whether it favors mandatory certifications and licenses for cybersecurity professionals.

Even with all the unanswered questions, some experts are happy just to be having the conversation. Bieber said he thinks all the focus on cybersecurity will turn more attention on training and certification efforts.

“One of the things I love about the Rockefeller-Snowe bill is it’s provocative, and it’s creating these discussions,” said Mason Brown, director of the SANS Institute and a participant in the (ISC)² roundtable discussion. “If we expect something in draft format and out of committee or out of the gates to be perfect, we’re a little bit nutty.”

Posted in Certification, Security