All network administrators should have some security basics in their
toolkit, but there is also growing need for dedicated Windows 2000
security admins.
Job Title:
Windows 2000 network security administrator
Variations:
Network security analyst, security specialist
Responsibilities:
The security administrator's job is twofold: to proactively prevent
network security breaches, including intrusions, viruses and
compromises to corporate data, and to detect and react to security
incidents. Beyond securing the machines themselves, the security admin
must also be concerned with processes surrounding data protection and
access.
Skills required:
Security administrators should have prior network or systems
administration experience. In the Windows 2000 network environment,
they must have a solid command of Active Directory and proficiency in
deploying bug fixes and security patches, says Stephen Northcutt,
director of the Global Incident Analysis Center (GIAC) at the SANS
Institute in Baltimore.
They should also have a good grounding in server software running on
top of the OS, such as Microsoft Internet Information Server, Microsoft
Exchange, Lotus Notes/Domino, etc., as well as any operating systems
that may co-exist in the Windows 2000 environment, such as Windows NT,
Sun's Solaris or Linux. Previous software testing experience is useful, as
are other technical skills, such as familiarity with data encryption
standards like PGP (Pretty Good Privacy), e-mail filters, firewalls and
other security techniques and standards.
Troubleshooting, problem-solving, logical thinking and communication
skills are also essential, adds Jeffrey Carpenter, technical manager at
the CERT Coordination Center, in Pittsburgh, a security incident
response center. "Usually you have a set of symptoms or conditions and
you have to diagnose a cause," Carpenter explains. "In some logical,
thoughtful way you have to assess, 'What are probable causes that could
result in this?'"
For example, with the recent Anna Kournikova virus, security admins had
to arrive at an understanding of what the virus actually does and what
the effect of it was. "You have to do that through observation and
collaboration with others; you have to come up with theories and figure
out which is probably right and which is not," he says.
Certification requirements:
Certification is highly recommended for security administrators -- and
the MCSE isn't enough. A number of vendor-specific programs are
available, but an independent, vendor-neutral certification will ensure
the most thorough training. Options include (in alphabetical order):
Typical day on the job:
In proactive mode, on a day when there are no incidents, security
administrators read the daily security alerts (Northcutt recommends the
SANS alerts at www.sans.org, the CERT newsletter at www.cert.org and
Bugtraq at www.securityfocus.com), download and test preventive
patches, establish incident recovery procedures, and run through
intrusion detection processes.
When an incident is detected, they must go through an established
incident handling process for clarifying the problem and its cause,
fixing it, and restoring the system. Northcutt recommends following
established best practices for incident handling, such as those used by
GIAC or CERT.
Career path options:
Security experts are in such high demand that consulting is a definite
option. Staying within the corporate fold, options include moving up
the management ranks in security and network infrastructure, shifting
focus from physical network security to customer/data privacy, or
applying security expertise in other network, infrastructure or
operations roles, such as network architect or director of operations.
Demand:
As corporate networks extend across the Internet, there is no debating
that demand for security administrators will grow. What is up for
debate is whether the security role should be separate from the network
administrator's role.
Many IT organizations assign the security function to network
administrators. But, the number of new security incidents is growing at
such a rapid rate that it is difficult for network admins to keep up
with all the new information and still perform their regular duties,
Northcutt says.
For example, in February GIAC detected a new Windows NT exploit that
enables intruders to store illegal software -- such as pirated software
or child pornography -- on NT servers and effectively hide it from the
NT administrator. Northcutt says security experts are still researching
how intruders exploit the NT OS, but have found that once an intruder
is in, a technique called "rootkitting" grabs space on the server.
"Dealing with these (exploits) requires fairly specialized skills. The
best solution is to have one or two dedicated security administrators
who are part of your network administration group."
Salary range:
Security administrators earned an average of $63,598 in 2000, according
to a survey of 7,038 network and systems administrators by the SANS
Institute. Security consultants earned the highest pay, averaging
$79,395, while security auditors' salaries averaged $71,404.
Best types of companies to work for:
Many smaller companies are outsourcing network security, so ISPs and
ASPs are prime spots for security administrators. In terms of salaries,
the biotech and pharmaceuticals, aerospace, computer and software,
network services and banking industries are the leading contenders,
according to the SANS Institute salary survey.