No Security

By: Linda Tischler | Wed Dec 19, 2007 at 12:35 AM

"Are you secure? How do you know?" That's the slightly paranoid slogan of a new training academy, run by Sondra Schneider, that's devoted to keeping corporate data safe in an unsafe world. Now, if only her students would talk to us ...

It's a dreary day in Georgetown, with rain lashing at the windows of the Marriott Conference Center. Inside Salon H, a group of government employees is paying rapt attention as Sondra Schneider, a small woman with an arsenal of electronic gadgetry, charges through a presentation on the technologies that will soon make computer passwords obsolete.

The air is dense with geekspeak spiced with a dash of federalese. There's talk about encryption and nonrepudiation, digital signatures and biometrics, and more acronyms than you'll find in a bowl of alphabet soup: PKI, VPN, CHAP, TACACS. All this for the DOD and the DOJ, the FAA and the OMB!

During the break, I do what you're supposed to do at conferences: I mingle. Seeing me approach, Philip, a curly-haired guy in the back row, looks anxious. I ask him where he works. He looks at my notepad and considers bolting for the door. "I, uh, am a contractor for the INS," he says reluctantly. "Cool!" I say. "What do you do?" Panic creeps into his voice, as if an image of his credentials being shredded flashes before his eyes. "Uh, I work with biometric [censored], encrypting [censored] for [censored]," he replies. "But you can't use that."

There's a guy in a striped sweater and glasses in the front row who looks brave. I lean over. "Hi!" I say, trying not to sound like I'm grilling an Al Qaeda operative. "What are you working on?" He looks at me as if I've just asked for the PIN to his Cayman Islands bank account. "Army. Comanche helicopters. It's classified."

Welcome to the brave new world of high-tech security, where the unintelligible language of 21st-century computing fuses with the once-unimaginable threats that the country faces. Before September 11, corporate and government security experts worried primarily about online identity theft, credit-card fraud, and rogue hackers. Now they've put cyberterrorism at the top of the list of threats that keep them up at night.

That's bad news for companies, but it's a business opportunity for organizations that are looking to train security professionals to defend their systems. One of the newest and savviest organizations to stake a claim in this space is Security University, an outfit that offers advanced information-security training for executives, network professionals, and systems administrators.

The so-called dean of the university is Schneider, a diminutive cybercommando whose mission is to train an elite corps of security specialists -- much as the Army trains the Green Berets. "I didn't go to war. I didn't fight for my country. But I can make a big difference when it comes to training those people and giving them the tools they need," says Schneider, who is Security University's founder and CEO.

A fledgling operation based in Stamford, Connecticut, Security University is nearly as virtual as a digital signature: There is no campus, no classrooms, and no war room. Schneider and her team of 18 instructors travel the world, holding classes on such topics as intrusion detection, advanced firewalls, PKI (public-key infrastructure, a framework for the secure exchange of digital information), and forensics. Take eight classes and a tough test, and you could earn AIS (Advanced Information Security) Certification, a proprietary credential that the school plans to begin offering next year.

Other organizations provide similar credentials in this field, among them recognition as a Certified Information Systems Security Professional (CISSP) from (ISC)2 and a Global Information Assurance Certification (GIAC) from the SANS Institute. But Schneider maintains that the training at Security University offers more hands-on experience than the others -- a process, she says, that helps students understand how to protect the path to a network's critical assets more effectively and to evaluate new software and security devices before committing company resources to their purchase.

"Lectures are valuable for managers, but they aren't as good for practitioners," Schneider says. "We take our students through the full life cycle of a security technology and its application, including multiple corporate or government scenarios. We encourage people to play with the latest toys that we get from vendors. Most people would never have a chance to do this at work. But if they don't try them, how can they go to management and recommend buying them?"

While Security University's courses may seem esoteric to a nonprofessional, Schneider's tales of information-security lapses can curl the hair of even the most naive generalist. During one security assessment, she says, it took a team of experts just three and a half minutes to access a nuclear power plant electronically. Even a semiskilled hacker can change an IP address in under three seconds. Schneider also warns that something as simple as leaving an "out of office" message on your computer can leave you open to cybermischief.

From Issue 61 | July 2002

