Career opportunity: Domino security expert
By Leslie Goff
If you've ever wondered about the value of becoming a Domino security expert, your time has come.
The demonstration in July of security vulnerabilities in Domino and Notes applications by consultants from Security Design International (SDI) Group and The Trust Factory at the annual DefCon meeting in Las Vegas brought attention to the fact that just following Domino's built-in security procedures may not be enough to protect your applications and databases from corporate intruders.
"There's been a shared assumption that if you had a tight Domino server, you were pretty safe. But now, beyond just Domino security, an overall understanding of Internet security is clearly a benefit," says Paul Della-Nebbia, a principal of The Learning Continuum, Boca Raton, Fla., a Notes distance learning provider. "When you have a strong understanding of security issues, it sets you apart from other Domino professionals."
Too many Domino administrators lack even rudimentary Domino security expertise, says Chris Goggans, director of operations at the SDI Group, Annandale, Va., who was one of the DefCon presenters. In his last 20 vulnerability assessments for corporate clients, he says, he found basic security flaws in Notes deployments. In one company, for example, the Domino servers were accessible via the 'Net and critical system databases, like names.nsf, were available to anonymous browsing.
"There seems to be a shortage of people who have even the basic Notes/Domino security features down pat," Goggans says. "Beefing up your security expertise is definitely a good way to move your career forward."
In the Domino environment, at least 90% of the security burden lies with administrators rather than developers, notes Jeff Allen, a programmer at Computerworks, an Albany, N.Y.-based Lotus ISV. "As a development platform, Domino has some inherent security features built into it and developers are forced to work within those guidelines," he explains.
Domino administrators are well advised to come up to speed on at least the access control list and execution control list. "That's just a given, a bare minimum," Goggans says. Ultimately administrators should take a more holistic approach, going the extra mile to master the security features of the operating systems on which Domino runs, including Windows, Unix and AS/400.
"Domino administrators get too wrapped up in the specific applications rather than looking at big picture security issues," Goggans says. "In our assessments, we've been able to compromise Domino applications because of vulnerabilities in the operating system they were installed on. If the administrators were more [OS] savvy and knew how to tighten down [the OS], they wouldn't have been so vulnerable."
Not only will your company benefit from the extra effort, your career will benefit as well. Goggans points out that combining Domino administration experience with OS security expertise "makes you more well rounded and opens up a lot of doors."
And according to the 1999 salary survey of 11,064 systems administrators by the SANS Institute, administrators who managed three or more platforms earned higher salaries than those responsible for only one or two. Security administrators, security auditors and security consultants earned more than database administrators, systems administrators or network administrators.
Domino security links
Lotus Security Zone
Lotus Notes and Domino R5.0 Security Infrastructure
Securing Your Application: A Notes.net Learning Byte
Lotus Notes Vulnerability Details from the SDI Group-Trust Factory DefCon Presentation
Security News, Alerts and Response Information
Computer Emergency Response Team
The SANS Institute
Security primers for beginners
Security 101 (at SecurityPortal)
Tech Tips (at CERT.org)
How to Eliminate the 10 Most Critical Internet Security Threats (at SANS.org)
Mistakes That End-Users, Executives and IT Professionals Make That Lead to Security Breaches (at SANS.org)
Information Security Reading Room (at SANS.org)
Security education and training links
GIAC Training and Certification Program (developed by SANS and the Global Incident Analysis Center)
CERT Training and Education (in conjunction with the Software Engineering Institute at Carnegie Mellon)
This was first published in September 2000