CM's Note: The following post is by guest blogger and Rapid7 customer Jim Furstenberg, IT Security Analyst, Ferris State University. Fight that good fight, Jim!
A couple of months ago, I was invited by Rapid 7 to be a test candidate for a pilot program called the Nexpose Certified Administrator (NXA, for short). This new industry certification would seek to educate and help the Information Security workforce convey to the public a certain level of proficiency and prowess in vulnerability assessment/management using Nexpose. I was more than happy to help.
I have been an avid Nexpose user for many years now and felt fairly confident in my understanding of the Nexpose environment. Daily, I rely very heavily on Nexpose to perform vulnerability management and configuration management all throughout the environment. I was fairly confident in my Nexpose knowledge and was curious to see what a certification test would have to offer and what I could learn from it.
Armed with this confidence (or, in hindsight, arrogance); I felt the best way to prepare for this certification test would be to do… nothing. I had faith in my abilities and I wanted to use this test as a tool to gauge my current knowledge of Nexpose. I wanted to get a good baseline of where I was at (I guess establishing baselines just comes naturally for us InfoSec folks).
Needless to say, I failed. Not by a lot, but a fail is a fail.
I learned my lesson. As an old adage states, “simplicity is complex”. In other words, creating anything that is simple to use is a complex endeavor. This was my realization after I failed the Nexpose test. I forgot about all the complexities that Nexpose has to offer and was lulled into complacency. I had taken for granted that Nexpose makes the complex task of vulnerability management very simple, almost deceptively so. All the “under the hood” complexities and configurability of Nexpose can get easily overlooked because it is so easy to create and conduct vulnerability scans. The moral of the story: Nexpose can be as simple as you want… and it can be as sophisticated as you need… the choice is yours. However, as I learned, the key to passing the exam and fully leveraging what the tool has to offer is to refresh oneself and review what is going on under the hood of this very powerful tool.
One of the many challenges that face an InfoSec Analyst is to operationalize vulnerability management into the organization. Our ability to integrate vulnerability management into the daily behaviors, workflows, processes and actions of those directly responsible for the technological infrastructure is one place where we can and must add value to an organization. Using tools like Nexpose helps me to add value …and us InfoSec folks need all the value-adding help we can get. In these days of shrinking or cut IT budgets and shortfalls, I need to provide every bit of value that I can give and get every bit of value out of every tool that I have; Nexpose offers me the ability to do just that. I can keep things very simple or I can get as complex as I want.
With a humbled ego, I studied for the next test and passed. I found the testing to be challenging and educational, as it forced me to reacquaint and reeducate myself with Nexpose. It caused me to think about things I had long forgotten or had just simply taken for granted in my daily vulnerability management activities. It provided me a great excuse to look at things in my scan environment and vulnerability management program and it forced me to get under the hood again and review all the features, functions and value offerings of Nexpose. I consider myself very fortunate to have been offered this opportunity to take the certification test, if only for the reeducation it provided and for reminding me of the fact, that humility is always lurking… just around the corner, ready to provide you with a free “checkup from the neck up “ at any time! ☺ . Keep fighting the good fight!
Jim Furstenberg | CISSP, C|EH, C)PTE, NXA, CLFE