F-22 Raptor stealth fighters tore across the tranquil, picturesque desert sky of Hill Air Force Base in northern Utah as Patrick Lane, senior manager of product management at CompTIA, prepared to discuss high-level IT security with a conference room full of information assurance workers. He took in the sights, awed by the planes’ high-tech acrobatics; they flew at what seemed like impossibly slow speeds, then impossibly fast ones, banked and turned on a dime over the mountain-ringed valley abutting the Great Salt Lake. It was breathtaking, all the more so because of the danger involved. Hill Air Force Base is one of the few live-fire Air Force training ranges in the country.
But what brought Lane to Hill Air Force Base was a facet of national security more intangible than such impressive machines. Invited to speak on behalf of the Armed Forces Communications and Electronics Association, he was there to present on unauthorized network entry, newly evolving malware threats and the tools an advanced IT pro can use to fight both.
Lane’s visit to Hill Air Force Base is but one of the steps he’s taken to increase the nation’s level of cybersecurity preparedness, a critical goal given disconcerting news about both the increasing sophistication of malware and its increasingly invasive uses. For Lane, there is only one solution to the growing problem – the CompTIA Advanced Security Practitioner (CASP) certification.
Lane said, “If [someone has] a CASP certification, they can be hired by a state – hopefully by the U.S. – to fight the fight that’s going on all around us.”
So what, exactly, is that fight? While there has been no out-and-out declaration of cyber-war by one state against another, there has nevertheless been a proliferation of hacking cases targeting both state and corporate enterprises suspected to have been executed by nation-state actors. The spate of point-of-sale malware attacks that plagued U.S. retail enterprises over the past few years seems to have, according to Lane, given way to espionage malware focused on gaining access to and harvesting intellectual property and state secrets.
Recent headlines reflect this. The hack of Sony’s email servers, which led to the theft and public release of private emails between Sony employees, celebrities and others, was eventually attributed to North Korea – though North Korea denies involvement. More recently, some have pointed the finger at China regarding a breach at the U.S. Office of Personnel Management (OPM) that resulted in the personal data of at least four million current, prospective and former federal employees – possibly up to 18 million people – being compromised. The attack appears to have been under way for a protracted period of time and the fallout from it remains to be seen.
The obvious similarity between these two attacks is the alleged involvement of state actors. But both attacks also used a specific type of technology. The espionage malware used in both represents a newer, more sophisticated form of cyber-attack known as an advanced persistent threat (APT). APTs are adept at infiltrating networks and then residing on them undetected. They can embed themselves in the core APIs of a system, quietly sending information back to a command-and-control server.
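The quiet, regular call-home behaviour described above is also what gives a defender something to look for: malware that reports to a command-and-control server tends to do so on a near-fixed schedule, which stands out against the irregular timing of human-driven traffic. The script below is an added example, not code from the article, CompTIA or any product it mentions. It parses a constructed outbound-connection log (the `<timestamp> <host> -> <ip>:<port>` format, host name and IP addresses are all made up for the demo) and flags host-to-destination pairs whose inter-connection gaps have very low jitter.

```python
"""Beacon-interval detection over constructed outbound-connection log lines.

Added example, not part of the article: it shows one way a defender can
surface a host that quietly and regularly contacts a command-and-control
server. The log format, host name and addresses are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_host> -> <dst_ip>:<port>"
# ws-17 contacts 198.51.100.23 roughly every ten minutes amid other traffic.
SAMPLE_LOG = """\
2015-06-01T08:00:00 ws-17 -> 198.51.100.23:443
2015-06-01T08:00:05 ws-17 -> 203.0.113.10:443
2015-06-01T08:10:02 ws-17 -> 198.51.100.23:443
2015-06-01T08:13:40 ws-17 -> 203.0.113.77:80
2015-06-01T08:20:01 ws-17 -> 198.51.100.23:443
2015-06-01T08:29:58 ws-17 -> 198.51.100.23:443
2015-06-01T08:40:03 ws-17 -> 198.51.100.23:443
2015-06-01T08:41:11 ws-17 -> 203.0.113.10:443
2015-06-01T08:50:00 ws-17 -> 198.51.100.23:443
2015-06-01T09:05:00 ws-17 -> 203.0.113.10:443
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_seconds, jitter_ratio) for a list of connection times.

    jitter_ratio is the population std-dev of the gaps divided by their mean;
    a value near zero means the host is calling out on a near-fixed schedule.
    Returns None when there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return m, float("inf")
    return m, pstdev(gaps) / m


def find_beacons(text, min_connections=5, max_jitter=0.05):
    """Flag (src, dst) pairs seen at least min_connections times whose
    inter-connection jitter ratio is at or below max_jitter."""
    suspects = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is not None and score[1] <= max_jitter:
            suspects.append({
                "src": src,
                "dst": dst,
                "connections": len(times),
                "mean_interval_s": round(score[0], 1),
                "jitter": round(score[1], 3),
            })
    return suspects


if __name__ == "__main__":
    for suspect in find_beacons(SAMPLE_LOG):
        print(suspect)
```

On the sample log only the pair `ws-17 -> 198.51.100.23:443` is flagged (six connections, mean gap 600 seconds, jitter ratio around 0.005). Legitimate software such as update checkers and monitoring agents also beacons on a schedule, so a hit from this kind of check is a triage lead to be compared against known-good destinations, not a verdict on its own.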
“Whereas it used to be [hackers would] walk up, break the window, walk in and leave, now it’s almost as if someone broke into your house and is waiting in the cabinet,” Lane said.
Lane sees hope, though, for the government wrapping its mind around this malware model. That’s where CASP comes in.
Unlike some other certifications, CASP is meant to assess – in addition to the knowledge of specific tools – experience. It tests the sort of deductions an IT professional with 10 years of overall IT experience or five years of security experience should be able to make.
“[CASP] is unique because we’re focusing on the people [who] are actually going to have to sit there and figure out the problem and try to fix it,” Lane said. “Our certification is built to assess workers [who] have a chance of defeating these attacks or at least scattering them.”
Lane is similarly confident that cyberattacks on government infrastructure, like what occurred with OPM, could be limited with widespread CASP certification.
“What you’re trying to defend against is the hacker’s ability to extract targeted information,” Lane said. “In theory, if you had a bunch of CASP guys there [in the case of OPM], they would have been using CASP ideas. They would have understood that users are the biggest problem as far as launching malware into networks. So you would hope that the attack would have been detected and stopped before the breach took place.”
The U.S. military sees the importance of having a certification that assesses an IT professional’s ability to identify and combat advanced persistent threats. CASP was developed at the request of the U.S. Navy and since then it has been adopted by the broader Department of Defense for Directive 8570.01-M.
The CompTIA advisory committee for CASP, which is constantly revising the requirements for the certification to make sure its skills assessment remains on the cutting edge, features some of the biggest names in technology, business and government. Target, RICOH, the U.S. Navy Center for Information Dominance and the U.S. Department of Veterans Affairs are only a few of the names on the list. These organizations contribute their hands-on cybersecurity expertise to the CASP exam.
And so, despite cyberattacks growing in target size and technical sophistication, according to Lane, it’s possible to stay ahead of these threats. If these attacks can be understood as acts of quiet aggression in a pervasive, decentralized cyber war, Lane believes that CASP will play a big role in making sure it’s a war we can win.
“To tell you the truth, the stuff that they’re doing isn’t difficult to stop, necessarily,” Lane said. “You just have to figure out what they’re doing.”
Matthew Stern is a freelance writer based in Chicago who covers information technology, retail and various other topics and industries.