Are Security Certifications Worth Renewing?

Almost weekly I see someone post a question on social media asking: “Is renewing my security certification worth it?” This is a valid question since security certifications are often expensive, time consuming and hard won. Maintaining your security certification may be required to land a new job, but not required to continue in the role. At the end of the day the question people are really asking is: “Is the continued expense of this certification worth it after I’ve landed the role I’m after or achieved my career objectives?” In this post I’ll explore the pros and cons of renewing a security certification and wrap up with my specific recommendation for those of you looking for guidance.

Getting Certifications

There are a number of popular security certifications that can demonstrate general or specific expertise. Some of the most popular are:

  • CISSP
  • CISM
  • CEH
  • Security+
  • CISA
  • CCSP

Along with the variety of certifications there are different ways to earn a certification. The least expensive and most time-consuming is to purchase the course material, self-study and then sit for the exam. The most expensive and least time-consuming is to attend a boot camp and then test for the exam on the last day. If you are lucky your employer will pay for or reimburse the expense of the certification. No matter which way you go, there is a material cost in terms of dollars and time. This cost can make people reluctant to let certifications expire because the certifications have a high barrier to entry, but a (relatively) low maintenance cost.

Pros To Renewing

One of the main reasons to continue to maintain your certification is because they are required by some job roles in order to be hired and perform the role. One example of this is in the U.S. Government Department of Defense (DoD) 8570 Approved Baseline Certifications. The 8570 specifies “Personnel performing IA functions must obtain one of the certifications required for their position, category/specialty and level to fulfill the IA baseline certification requirement.” So if you want the job, and want to keep the job, then you need the certification.

In addition to job requirements, maintaining an active certification gives the impression of having expertise in a particular area. Demonstrating expertise is useful when speaking, consulting, providing legal testimony or simply cementing your position as an expert in the field of security. Expertise is useful when trying to land a new role or get a promotion. This can also be useful to limit personal liability if you can demonstrate you followed the best practices indicated by the certification. Maintaining a certification and this expertise is arguably a low cost, low effort activity with a lot of upside and not a lot of downside. Even though there is a dollar cost for renewal, this is a minor amount compared to the overall expense or time invested in getting the certification in the first place.

One final reason to maintain your security certifications is because it demonstrates you have a baseline level of knowledge as indicated by the certification. When you were studying and testing for the certification you were learning new concepts and confirming mastery of other concepts. This can be useful to validate your expertise, but also to demonstrate to others that you have mastered these concepts and can operate at the same level as other individuals that have the certification. This goes beyond demonstrating expertise in that it establishes a baseline of knowledge for security practitioners in the field, and this is why employers often list specific certifications on job descriptions.

Cons To Renewing

Even though there are a number of benefits to maintaining a certification, there are also a lot of cons.

First, there is the obvious annual cost for renewing the certification. Not only is there a dollar cost, but there is also usually a time cost in the form of continuing education credits that have to be earned and submitted throughout the year. The idea is to drive engagement in the security community by requiring these continuing education credits, but in my opinion this has had mixed results. For anyone on the fence about renewing a certification the time and dollar cost can be the breaking point where it no longer makes sense to continue to invest in something that isn’t demonstrating continued value.

Speaking of continued value, what are you really getting by spending time on continuing education and paying the renewal fee? You get the privilege to list the certification on your resume, but you’ve already gained the knowledge and passed the test. Renewing doesn’t typically require another test so is there really continued value (assuming you aren’t required to maintain it for your job)? The value is questionable if it isn’t required and so it can be difficult to justify maintaining.

Another downside to maintaining the certification is the continuing education credits. There are a number of low cost or free ways to earn credits, but it can be difficult or almost impossible to get to the required number without spending money. This is a con in my opinion because renewing the certification is perpetuating additional expenses such as more certifications, attending more conferences or other expenses just to earn enough credits. This means even though there is a low renewal cost, there can be a really high dollar or time cost to earn enough continuing education credits to maintain the certification.

In the pros section I listed the DoD 8570, which requires certain certifications to obtain and perform certain roles. However, requiring certifications for a job can also have a downside by eroding the exclusivity of the certification. This happened to the MCSE in the late 90s and early 2000s when everyone wanted an MCSE because it paid really well. However, soon everyone had it even if they weren’t doing the job and the MCSE became useless. It was no longer a good barometer for demonstrating expertise because so many non-experts had it. Some security certifications are the same way and the DoD 8570 (or other employers) can contribute to this erosion of exclusivity if the people earning the certification are simply getting it to fill the role instead of becoming experts in the field.

One last con for renewing certifications is you may no longer be doing the type of job that requires the certification. In the past I held the GCIH, GREM and GPEN certifications, but I no longer do those hands-on activities so it doesn’t make sense for me to maintain those certifications. If your career has taken you on a different path, then you no longer need to maintain the cert. Also, I will argue your job title can be more useful to demonstrate expertise than a certification. This isn’t always the case and this can sometimes be difficult to tease out with discretionary titles, but generally if you have carried the CISO or CSO title in some capacity do you really need to maintain an active certification? I’ve seen several individuals list their expired certifications on their resume, which continues to demonstrate the expertise, but without the added expense.

My Recommendation

If you are on the fence about whether or not to renew your security certification here is a simplistic flow chart for helping you with the decision. Feel free to recreate and add your own additional criteria as necessary.

My particular recommendation is as follows: if you want to maintain the credibility, demonstrate expertise, are still doing the job and can afford the renewal cost (both time and dollar), then renewing is typically not too expensive and worth it. I am also seeing a lot of job descriptions require active certifications, so if you are about to job hunt or at risk of getting laid off then maintaining your certifications is a good idea. If you are no longer doing the job, don’t need the credibility or expertise and the certification isn’t required by your job, then I suggest no longer renewing and focusing on other areas. In my case, I have dropped most of the specialist certifications, while maintaining the generalist certifications in line with my role.

Navigating Hardware Supply Chain Security

Lately, I’ve been thinking a lot about hardware supply chain security and how the risks and controls differ from software supply chain security. As a CSO, one of your responsibilities is to ensure your supply chain is secure, yet the distributed nature of our global supply chain makes this a challenging endeavor. In this post I’ll explore how a CSO should think about the risks of hardware supply chain security, how they should think about governing this problem and some techniques for implementing security assurance within your hardware supply chain.

What Is Hardware Supply Chain?

Hardware supply chain relates to the manufacturing, assembly, distribution and logistics of physical systems. This includes the physical components and the underlying software that comes together to make a functioning system. A real-world example could be something as complex as an entire server or something as simple as a USB drive. Your company can be at the start of the supply chain by sourcing and producing raw materials like copper and silicon, at the middle of the supply chain producing individual components like microchips, or at the end of the supply chain assembling and integrating components into an end product for customers.

What Are The Risks?

There are a lot of risks when it comes to the security of hardware supply chains. Hardware typically has longer lead times and longer shelf life than software. This means compromises can be harder to detect (due to all the stops along the way) and can persist for a long time (e.g. decades in cases like industrial control systems). It can be extremely difficult or impossible to mitigate a compromise in hardware without replacing the entire system (or requiring downtime), which is costly to a business or deadly to a mission critical system.

The risk of physical or logical compromise can happen in two ways – interdiction and seeding. Both involve physically tampering with a hardware device, but occur at different points in the supply chain. Seeding occurs during the physical manufacture of components and involves someone inserting something malicious (like a backdoor) into a design or component. Insertion early in the process means the compromise can persist for a long period of time if it is not detected before final assembly.

Interdiction happens later in the supply chain when the finished product is being shipped from the manufacturer to the end customer. During interdiction the product is intercepted en route, opened, altered and then sent to the end customer in an altered or compromised state. The hope is the recipient won’t detect the slight shipping delay or the compromised product, which will allow anything from GPS location data to full remote access.

Governance

CSOs should take a comprehensive approach to manage the risks associated with hardware supply chain security that includes policies, processes, contractual language and technology.

Policies

CSOs should establish and maintain policies specifying the security requirements at every step of the hardware supply chain. This starts at the requirements gathering phase and includes design, sourcing, manufacturing, assembly and shipping. These policies should align to the objectives and risks of the overall business with careful consideration for how to control risk at each step. An example policy could be that your business requires independent validation and verification of your hardware design specification to make sure it doesn’t include malicious components or logic. Another example policy could require that all personnel who physically manufacture components in your supply chain receive periodic background checks.

Processes

Designing and implementing secure processes can help manage the risks in your supply chain, and CSOs should be involved in designing and reviewing these processes. Processes can help detect compromises in your supply chain and can create or reduce friction where needed (depending on risk). For example, if your company is involved in national security programs you may establish processes that perform verification and validation of components prior to assembly. You also may want to establish robust processes and security controls related to intellectual property (IP) and research and development (R&D). Controlling access to and dissemination of IP and R&D can make it more difficult to seed or interdict hardware components later on.

Contractual Language

An avenue CSOs should regularly review with their legal department is the contractual language your company uses with the companies and suppliers in your supply chain. Contractual language can extend your security requirements to these third parties and even allow your security team to audit and review their manufacturing processes to make sure they are secure.

Technology

The last piece of governance CSOs should invest in is technology. These are the specific technology controls to ensure physical and logical security of the manufacturing and assembly facilities that your company operates. Technology can include badging systems, cameras, RFID tracking, GPS tracking, anti-tamper controls and even technology to help assess the security assurance of components and products. The technologies a CSO selects should complement and augment their entire security program in addition to normal security controls like physical security, network security, insider threat, RBAC, etc.

Detecting Compromises

One aspect of hardware supply chain that is arguably more challenging than software supply chain is detection of compromise. With the proliferation of open source software and technologies like sandboxing, it is possible to review and understand how a software program behaves. Yet, it is much more difficult to do this at the hardware layer. There are some techniques that I have discovered while thinking about and researching this problem and they all relate back to how to detect if a hardware component has been compromised or is not performing as expected.

Basic Techniques

One of the simpler techniques for detecting whether hardware has been modified is imaging. After the design and prototype are complete you can image the finished product and then compare all products produced against this image. This can tell you if the product has had any unauthorized components added or removed, but it won’t tell you if the internal logic has been compromised.

Another technique for detecting compromised components is similar to unit testing in software and is known as functional verification. In functional verification, individual components have their logic and sub-logic tested against known inputs and outputs to verify they are functioning properly. This may be impractical to do with every component if they are manufactured at scale, so statistical sampling may be needed to probabilistically ensure all of the components in a batch are good. The assumption here is that if all of your components pass functional verification or statistical sampling then the overall system has the appropriate level of integrity.
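The following is an added example (not code from the original post) that puts both halves of the paragraph above into practice: exhaustive functional verification of a component against golden input/output vectors, and the sample size a zero-acceptance sampling plan needs to catch a batch in which some fraction of units is bad. The 4-bit adder, the altered-logic model and the batch numbers are all constructed for illustration. One caveat the example makes visible: a logic alteration that only triggers on a rare input passes every test vector except that one, which is why exhaustive vectors (or well-chosen ones) matter more than the sample size.

```python
"""Functional verification against golden vectors, plus the sample size a
zero-acceptance sampling plan needs to detect a bad batch.

Added example; the adder model, the altered-logic model and the batch sizes
are constructed for illustration, not taken from the original post.
"""
import math
import random

# Constructed golden truth table for a hypothetical 4-bit adder component:
# input (a, b) -> expected (sum, carry_out).
GOLDEN_VECTORS = {
    (a, b): ((a + b) & 0xF, (a + b) >> 4)
    for a in range(16) for b in range(16)
}


def good_adder(a, b):
    """Reference behaviour of a correctly manufactured component."""
    return ((a + b) & 0xF, (a + b) >> 4)


def altered_adder(a, b):
    """Constructed model of a component whose logic was changed: it is
    correct on every input except one rarely exercised pair."""
    if (a, b) == (0xA, 0x5):
        return (0x0, 0)          # wrong result on a single trigger input
    return good_adder(a, b)


def functional_verify(component, vectors=GOLDEN_VECTORS):
    """Exercise the component against every golden vector.
    Returns a list of (input, expected, observed) mismatches; empty means pass."""
    mismatches = []
    for inp, expected in vectors.items():
        observed = component(*inp)
        if observed != expected:
            mismatches.append((inp, expected, observed))
    return mismatches


def sample_size_for_detection(defect_fraction, confidence):
    """Smallest n such that, if at least defect_fraction of a large batch is
    bad, a random sample of n units contains at least one bad unit with the
    given probability, i.e. 1 - (1 - p)^n >= confidence."""
    if not 0 < defect_fraction < 1 or not 0 < confidence < 1:
        raise ValueError("fractions must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - defect_fraction))


def batch_passes(batch, sample_n, rng=None):
    """Zero-acceptance sampling: verify sample_n randomly chosen units and
    pass the batch only if every sampled unit passes functional verification."""
    rng = rng or random.Random(0)
    sample = rng.sample(batch, min(sample_n, len(batch)))
    return all(not functional_verify(unit) for unit in sample)


if __name__ == "__main__":
    print(functional_verify(good_adder))      # []
    print(functional_verify(altered_adder))   # [((10, 5), (15, 0), (0, 0))]
    n = sample_size_for_detection(0.01, 0.95)  # 299 units to catch a 1% bad batch
    print(n)
    batch = [good_adder] * 990 + [altered_adder] * 10   # constructed 1% bad batch
    print(batch_passes(batch, n))
```

The sample-size formula assumes sampling with replacement from a large batch, which is conservative (slightly over-estimates n) for sampling without replacement from a finite one; for small batches the hypergeometric distribution gives the exact figure.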

To detect interdiction or other logistics compromises, companies can implement logistics tracking controls such as:

  • unique serial numbers, down to the component level
  • tamper-evident seals
  • anti-tamper technology that renders the system inoperable if tampered with, or makes it difficult to tamper with something without destroying it
  • shipping thresholds that detect abnormal shipping delays
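As an added example (not from the original post), the check below triages shipment records for the interdiction indicators just listed: a serial number that is not on the dispatch manifest, a tamper-evident seal that is missing or does not match the one recorded at dispatch, and a transit time that exceeds the lane's expected duration by more than a threshold. The shipment records, lane, seal identifiers and thresholds are all constructed for illustration.

```python
"""Triage shipment records for interdiction indicators: manifest mismatches,
tamper-seal mismatches and transit-time overruns.

Added example; every record, seal id and threshold below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Shipment:
    serial: str               # unit serial number
    seal_id_shipped: str      # tamper-evident seal id recorded at dispatch
    seal_id_received: str     # seal id read on receipt ("" if missing/broken)
    shipped_at: datetime
    received_at: datetime


# Constructed expected transit time per shipping lane and the allowed slack.
EXPECTED_TRANSIT = {"factory->dc": timedelta(days=3)}
DELAY_THRESHOLD = timedelta(days=1)


def check_shipment(s, manifest, lane="factory->dc"):
    """Return the list of indicators for one shipment (empty = nothing found)."""
    findings = []
    if s.serial not in manifest:
        findings.append("serial not on dispatch manifest")
    if not s.seal_id_received or s.seal_id_received != s.seal_id_shipped:
        findings.append("tamper seal missing or mismatched")
    transit = s.received_at - s.shipped_at
    if transit > EXPECTED_TRANSIT[lane] + DELAY_THRESHOLD:
        findings.append(f"transit of {transit.days}d exceeds threshold")
    return findings


def triage(shipments, manifest):
    """Map serial -> findings for every shipment with at least one indicator."""
    flagged = {}
    for s in shipments:
        findings = check_shipment(s, manifest)
        if findings:
            flagged[s.serial] = findings
    return flagged


# Constructed dispatch manifest and shipment records.
MANIFEST = {"SN-1001", "SN-1002", "SN-1003"}
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_SHIPMENTS = [
    Shipment("SN-1001", "SEAL-A1", "SEAL-A1", T0, T0 + timedelta(days=3)),            # clean
    Shipment("SN-1002", "SEAL-B2", "SEAL-B9", T0, T0 + timedelta(days=6)),            # resealed + late
    Shipment("SN-1003", "SEAL-C3", "", T0, T0 + timedelta(days=3, hours=2)),          # seal missing
    Shipment("SN-9999", "SEAL-Z0", "SEAL-Z0", T0, T0 + timedelta(days=2)),            # not on manifest
]

if __name__ == "__main__":
    for serial, findings in triage(SAMPLE_SHIPMENTS, MANIFEST).items():
        print(serial, findings)
```

In practice the manifest and seal ids should come from a system the shipper cannot alter after dispatch (for example, a signed manifest sent to the receiver over a separate channel), otherwise a party that intercepts the package can update the records to match.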

Advanced Techniques

More advanced techniques for detecting compromise can include destructive testing. Similar to statistical sampling, destructive testing involves physically breaking apart a sampled component to make sure nothing malicious has been inserted. Destructive testing makes sure the component was physically manufactured and assembled properly.

In addition to destructive testing, companies can create hardware signatures that include expected patterns of behavior for how a system should physically behave. This is a more advanced method of functional testing where multiple components or even finished products are analyzed together for known patterns of behavior to make sure they are functioning as designed and not compromised. Some hardware components that can assist with this validation are technologies like Trusted Platform Modules (TPM).

Continuing with functional operation, a more advanced method of security assurance for hardware components is function masking and isolation. Function masking attempts to mask a function so it is more difficult to reverse engineer the component. Isolation limits how components can behave with other components and usually has to be done at the design level, which effectively begins to sandbox components at the hardware level. Isolation could rely on TPM to limit functionality of components until the integrity of the system can be verified, or it could just limit functionality of one component with another.

Lastly, one of the most advanced techniques for detecting compromise is called 2nd order analysis and validation. 2nd order analysis looks at the byproduct of the component when it is operating by looking at things like power consumption, thermal signatures, electromagnetic emissions, acoustic properties and photonic (light) emissions. These 2nd order emissions can be analyzed to see if they are within expected limits and if not it could indicate the component is compromised.
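The following is an added example (not from the original post) of the 2nd order analysis described above, using power consumption as the byproduct. It builds a per-sample baseline (mean and standard deviation) from the traces of known-good units, then scores a unit under test by how many standard deviations its worst sample departs from that baseline. All traces are synthetic, constructed from a made-up power profile with Gaussian noise; the suspect unit has extra draw injected over a few samples to stand in for a component that is doing more work than it should.

```python
"""Second-order baseline check: compare a unit's power-draw trace against a
baseline built from known-good units and flag departures.

Added example; all traces are constructed synthetic data, not measurements.
"""
import math
import random


def build_baseline(golden_traces):
    """Per-sample mean and sample standard deviation across known-good traces.
    All traces must be the same length (same operation, same sample rate)."""
    n = len(golden_traces)
    length = len(golden_traces[0])
    if n < 2 or any(len(t) != length for t in golden_traces):
        raise ValueError("need at least two equal-length golden traces")
    means, stds = [], []
    for i in range(length):
        col = [t[i] for t in golden_traces]
        m = sum(col) / n
        var = sum((x - m) ** 2 for x in col) / (n - 1)
        means.append(m)
        stds.append(math.sqrt(var))
    return means, stds


def score_trace(trace, means, stds, floor=0.01):
    """Return (max_abs_z, index) for the sample that departs most from the
    baseline. `floor` stops a near-zero baseline std from turning ordinary
    measurement noise into a false alarm."""
    worst = (0.0, -1)
    for i, x in enumerate(trace):
        z = abs(x - means[i]) / max(stds[i], floor)
        if z > worst[0]:
            worst = (z, i)
    return worst


def is_suspect(trace, means, stds, z_limit=4.0):
    """A unit is suspect if any sample lies more than z_limit std devs out."""
    return score_trace(trace, means, stds)[0] > z_limit


# Constructed 16-sample power profile (mW) of one operation.
BASE_PROFILE = [40 + 10 * math.sin(i / 2) for i in range(16)]


def make_trace(seed, extra_mw=0.0, extra_at=()):
    """Constructed trace: base profile plus 0.5 mW Gaussian measurement noise,
    optionally with extra draw injected at the given sample indices."""
    rng = random.Random(seed)
    trace = [v + rng.gauss(0, 0.5) for v in BASE_PROFILE]
    for i in extra_at:
        trace[i] += extra_mw
    return trace


GOLDEN = [make_trace(seed) for seed in range(12)]          # 12 known-good units
MEANS, STDS = build_baseline(GOLDEN)
SUSPECT = make_trace(99, extra_mw=10.0, extra_at=range(8, 12))  # extra draw mid-operation

if __name__ == "__main__":
    for name, trace in (("golden[0]", GOLDEN[0]), ("suspect", SUSPECT)):
        z, idx = score_trace(trace, MEANS, STDS)
        print(f"{name}: max |z| = {z:.1f} at sample {idx}, suspect = {is_suspect(trace, MEANS, STDS)}")
```

The z-score threshold is the "expected limits" the paragraph refers to; choosing it is a trade-off between false alarms on benign manufacturing variance and missed detections, and a real deployment would set it from the spread observed across many golden units rather than the 4.0 used here. The same structure applies unchanged to thermal, electromagnetic or acoustic traces, since only the data source differs.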

Wrapping Up

Hardware supply chain security is a complex space given the distributed nature of hardware supply chains and the variety of attack vectors spanning physical and logical realms. A comprehensive security program needs to weigh the risks of supply chain compromise against the risks and objectives of the business. For companies that operate in highly secure environments, investing in advanced techniques ranging from individual component testing to logistics security is absolutely critical and can help ensure your security program is effectively managing the risks to your supply chain.
