Career opportunity: Domino security expert

By Leslie Goff

If you've ever wondered about the value of becoming a Domino security expert, your time has come.

The demonstration in July of security vulnerabilities in Domino and Notes applications by consultants from Security Design International (SDI) Group and The Trust Factory at the annual DefCon meeting in Las Vegas brought attention to the fact that just following Domino's built-in security procedures may not be enough to protect your applications and databases from corporate intruders.

"There's been a shared assumption that if you had a tight Domino server, you were pretty safe. But now, beyond just Domino security, an overall understanding of Internet security is clearly a benefit," says Paul Della-Nebbia, a principal of The Learning Continuum, Boca Raton, Fla., a Notes distance learning provider. "When you have a strong understanding of security issues, it sets you apart from other Domino professionals."

Too many Domino administrators lack even rudimentary Domino security expertise, says Chris Goggans, director of operations at the SDI Group, Annandale, Va., who was one of the DefCon presenters. In his last 20 vulnerability assessments for corporate clients, he says, he found basic security flaws in Notes deployments. In one company, for example, the Domino servers were accessible via the 'Net, and critical system databases, like names.nsf, were available to anonymous browsing.

"There seems to be a shortage of people who have even the basic Notes/Domino security features down pat," Goggans says. "Beefing up your security expertise is definitely a good way to move your career forward."

In the Domino environment, at least 90% of the security burden lies with administrators rather than developers, notes Jeff Allen, a programmer at Computerworks, an Albany, N.Y.-based Lotus ISV. "As a development platform, Domino has some inherent security features built into it and developers are forced to work within those guidelines," he explains.

Domino administrators are well advised to come up to speed on at least the access control list and execution control list. "That's just a given, a bare minimum," Goggans says. Ultimately, administrators should take a more holistic approach, going the extra mile to master the security features of the operating systems on which Domino runs, including Windows, Unix and AS/400.

"Domino administrators get too wrapped up in the specific applications rather than looking at big picture security issues," Goggans says. "In our assessments, we've been able to compromise Domino applications because of vulnerabilities in the operating system they were installed on. If the administrators were more [OS] savvy and knew how to tighten down [the OS], they wouldn't have been so vulnerable."

Not only will your company benefit from the extra effort, your career will benefit as well. Goggans points out that combining Domino administration experience with OS security expertise "makes you more well rounded and opens up a lot of doors."

And according to the 1999 salary survey of 11,064 systems administrators by the SANS Institute, administrators who managed three or more platforms earned higher salaries than those responsible for only one or two. Security administrators, security auditors and security consultants earned more than database administrators, systems administrators or network administrators.

RESOURCES
Domino security links
Lotus Security Zone
http://www.lotus.com/home.nsf/welcome/securityzone

Lotus Notes and Domino R5.0 Security Infrastructure Revealed
http://www.redbooks.ibm.com/abstracts/sg245341.html

Securing Your Application: A Notes.net Learning Byte
http://www.notes.net/lbytes.nsf/308c971706adfdef8525640500696fa8/bade62a338429f13852565cb0071c4a3?OpenDocument

Lotus Notes Vulnerability Details from the SDI Group-Trust Factory DefCon Presentation
http://www.sdi-group.com/lotus-notes-detail.htm

Security News, Alerts and Response Information
Computer Emergency Response Team
http://www.cert.org

The SANS Institute
http://www.sans.org

Security Focus
http://www.securityfocus.com

SecurityPortal
http://www.securityportal.com

Security primers for beginners
Security 101 (at SecurityPortal)
http://www.securityportal.com/research/research.sec101.html

Tech Tips (at CERT.org)
http://www.cert.org/tech_tips

How to Eliminate the 10 Most Critical Internet Security Threats (at SANS.org)
http://www.sans.org/topten.htm

Mistakes That End-Users, Executives and IT Professionals Make That Lead to Security Breaches (at SANS.org)
http://www.sans.org/mistakes.htm

Information Security Reading Room (at SANS.org)
http://www.sans.org/infosecFAQ/index.htm

Security education and training links
GIAC Training and Certification Program (developed by SANS and the Global Incident Analysis Center)
http://www.sans.org/giactc.htm

CERT Training and Education (in conjunction with the Software Engineering Institute at Carnegie Mellon University)
http://www.cert.org/nav/training.html

Capitol SANS
http://www.sans.org/capsans.htm

This was first published in September 2000
