
Page 1: FISSEA - March 10, 2004, slide 1. Cyber Security Education: Issues & Approaches. John Baker, Director, Undergraduate Technology Programs, Johns Hopkins University

FISSEA - March 10, 2004 1

Cyber Security Education: Issues & Approaches

John Baker, Director, Undergraduate Technology Programs

Johns Hopkins University

School of Professional Studies in Business and Education

([email protected])

Page 2

What is Cyber Security?

• Preventing a problem from occurring in your system

• Protecting people, data, software, hardware & facilities

• Requires a wide range of preparation
– Awareness, planning, policies, procedures, tools, technologies, training, education, dedication, ‘soft skills’ & common sense

• Preparation ranges from Security to Cyber Forensics

Page 3

Preparation Spectrum (time line)

Security: preparation, prevention, detection, minimize problem

Security Event

Cyber Forensics: investigation, analysis, recovery, improved preparation

Page 4

Cyber Security Changes

Source: Dr. Peter Saflund, NWCET

Page 5

Early 2000’s Cyber Security

• Problems seen as event driven
– Wait for a problem to occur

• Attack simulation not usually performed

• Network admin proud of hacker’s lack of success (hero after the fact)

• Posture primarily
– Reactive, not proactive

• Security more of an add-on, not integrated

Page 6

Pre 9/11…

• Major vulnerabilities were laptops
– Theft, loss of data

• Desktop workstations vulnerable to viruses
– Installing virus protection software
– Constantly upgrading

• Defenses primarily
– Access control software
– Front door to applications
– Emphasis on authorized users

Page 7

Attacks Rising

Source: Dr. Peter Saflund, NWCET

Page 8

Increasing Economic Costs (chart: cost in $Billions of Melissa, Code Red, Love Bug and the W32 worm, 1999 to 2001)

Source: Dr. Peter Saflund, NWCET

Page 9

Labor Demand Picture—Cyber Security

• 89% of businesses expect large scale cyber attack within 2 years

• @60% feel they are unprepared to defend themselves

• 4/5 feel the US generally is unprepared to defend

• Many large scale attacks are unreported (confidence issues)

• Better mousetraps make better mice

Page 10

Workforce composition in 1950, 1991 and 2000: Professional, Unskilled and Skilled shares (chart; Source: Bureau of Labor Statistics)

On the Demand side: Over the past 50 years, the need for “skilled” workers has grown from 20% to 65% of the available workforce.

Page 11

Educational attainment, adults > 25 years (chart):

– No HS diploma: 19%
– High school: 35%
– Some college: 17%
– Associate: 7%
– Bachelors +: 22%

But, we are not preparing enough skilled workers.

Page 12

The Field of Cyber Security

• Security skills will be a part of all technical jobs

• 2-year grads will not have sole responsibility for security audits, policies, strategies

• Current workers need/desire upgrading/certification

• There will be “Demand Pull” for Cyber Security

Page 13

The Field of Cyber Security

• “Ideal” worker has…
– 4-year(+) degree
– 1 – 2 years technical education
– Several years of experience

• Employers prize “soft” skills as much or more than technical skills
– Communications, information literacy, team work, interpersonal skills, self-motivation, problem-solving

Page 14

Security Professional Background (How do they get there?)

Paths shown in the diagram:

– 4-year degree
– Certification
– 2-year degree
– Work experience
– Some college
– Job promotion
– On the job training
– Individual courses
– 4+ years college
– Self teaching

Page 15

Protection Needs

• To protect:
– People, data, systems, networks, facilities

• From:
– Viruses, hackers, attacks, physical damage, spyware, personnel problems (intentional & unintentional)

• Involves:
– Technical skills, management, financial resources, research

• Each requires different:
– Knowledge, skills & abilities (KSA’s)

• Many interact with each other or overlap

Page 16

Matrix (figure): the protection areas People, Data, Networks, Systems and Facilities against the resource types Research, Financial, Managerial and Technical. Cell entries from the figure:

• Investigation policies; Right-to-know policies
• Business structure
• Training; Awareness; Support
• Personnel budgets; Investigation $; Publicity containment $
• Business structure; Policies/procedures; People actions & reactions
• Storage technology; Encryption; Data recovery methods
• Encryption software; Backup & recovery
• Access methods; Anti-virus; Anti-spyware
• Recovery funding
• Cryptography; Intrusion detection; Anti-hacking
• Hardware & software budgets
• Hardware, software & transmission budgets
• Retention issues; Data protection needs
• Access policies
• User-id/password; Anti-virus; Anti-spyware
• Network management; Network design
• Network monitoring; Net. implementation & operations
• Biometrics; Physical access control
• Disaster prevention
• Facility costs (purchase or lease)
• Operational costs
• Facilities design; Facilities management
• Access security; Biometrics; Disaster recovery

Page 17

Standards

• What are they?
– Definitions of KSA’s for various professional (and non-professional) levels

• How are they developing?
– Government definition: NSA, NIST, Homeland Sec.
– Private groups: CFWEG
– Independent organizations: (ISC)2, CompTIA
– Colleges & Universities
– Sometimes a collection of all at once

Page 18

Standards

• Why are they needed?
– A way to ensure quality & consistency
– Process for understanding KSA’s at different levels

• How do they translate into education/training?
– Independent courses
– Certifications
– Sequence of courses for a specific topic
– Program in part of a degree
– 2-year, 4-year, advanced degrees

Page 19

Standards – Federal Gov’t

• NCISSE
– National Colloquium for Information Systems Security Education
– Academia, Industry & Government – James Madison University
– Foster curriculum development based on best practices

Page 20

Standards – Federal Gov’t

• CNSS
– Committee on National Security Systems
– Formerly NSTISSC - National Security Telecommunications and Information Systems Security Committee
– 21 US government depts. & agencies
– 4011 - minimum training standards for I.S. security professionals
– 4012 - Government Designated Approval Authority
– 4013 - System Administrator in IS security
– 4014 - IS Security Officers
– 4015 - System Certifiers

Page 21

Standards – Federal Gov’t

• NSA-NIETP
– National Security Agency – National INFOSEC Education and Training Program
– Centers of Academic Excellence (CAE)
– Courseware evaluation of CAE’s based on CNSS (NSTISSC) standards

Page 22

Standards – Federal Gov’t

• NIST – CSD/CSRC
– National Institute of Standards and Technology
– Computer Security Division/Computer Security Resource Center
– 800-16 – IT Security Training Requirements: training standards, needs and course development targeted to job functions (not positions)
– 800-50 – Building an IT Security Awareness and Training Program

Page 23

Standards – Private

• University (standards and / or research)
– Dartmouth – Institute for Security Technology Studies
– George Mason – Center for Secure Information Systems
– Johns Hopkins – JHU Information Security Institute
– Purdue – CERIAS (Center for Education & Research in Information Assurance Security)

• NWCET (National Workforce Center for Emerging Technologies)
– Bellevue Community College
– Research – tech. workforce needs, skill standards, education

Page 24

Standards – Private

• ISC(2)
– International Information Systems Security – 10 domain areas (CBK), standards research

• CompTIA
– Computer Technology Industry Association, business consortium
– Standards & research in security and technology

• ISACA
– Information Systems Audit & Control Association
– Standards for IT auditors - security policy auditing

Page 25

Cyber Security Content Areas (Examples at all training / education levels)

• Systems maintenance, patches, upgrades

• Content security

• Data assurance

• Physical security

• User education

• Detection (hacks, probes, etc.)

• Deterrence (fire walls, honey pots, etc.)

• Forensics (evidence gathering, preservation)

• Policy development

• Forward planning and professional development

• Preparation for certification

• Security budgeting & public communications

• Research – all areas

Page 26

Program Components

• Technology
– Technology specific items
– Skills development (hands-on)
– Theory and research

• Critical Thinking
– Analysis and decision making

• Problem solving
– Finding unique solutions

• Information Literacy
– Not just technology literacy
– Research process

• Interpersonal skills
– Team work

• Communications capabilities
– Writing, presentations

Page 27

How We Approach It: Training

• Teaches specific aspects of security
– Often focuses on tools / techniques
  • Using product X
  • Upgrading software, software patches
– Network operations, virus protection

• Usually skills based (intense ‘hands-on’ experiences)

• May have some ‘educational’ components

• Range from single course to certificate

Page 28

Training (Examples)

• Colleges & universities
– Sometimes vendor specific

• ITAA
– Information Technology Association of America
– Information Security Awareness Certification
– Focuses on employee awareness and accountability
– Audience is staff and knowledge workers

Page 29

Training

• ISC(2)
– CISSP – Certified Information Systems Security Professional
  • ISSAP - architecture
  • ISSMP - management
– SSCP – System Security Certified Practitioner

• SANS
– Wide variety of training, lots of hands-on
– GIAC – Global Information Assurance Certification
– 11 individual certifications

Page 30

Training

• CompTIA
– A+, Network+, Security+
– Many more in I.T.

• Vendor specific
– Cisco
  • CCIE – Cisco Certified Internetworking Expert, security track
  • CCSP – Cisco Certified Security Professional
– Microsoft
  • 9 different certificates, several with security tracks
– Oracle
  • 7 different certifications

Page 31

How We Approach It: Education

• Heavy doses of theory & fundamental principles

• Softer skills: writing, communications, problem solving, critical thinking, team work

• Some levels include lots of hands-on

• Different approaches depending on level
– Intro. level – typically more skills based (also a mixed set of students and student backgrounds)
– Intermediate – some hands-on but includes ‘softer’ skills (theory, critical thinking, problem solving, communications, team work)
– Advanced – managerial or research

Page 32

Education

• Community Colleges are the current school of choice.

• Average age of CC student = 28 yrs.

• Educational degree
– 2-year (AA, AAS)
– 4-year (BS, BA)
– 4+ years (MS, MA)
– Doctoral (PhD, EdD, DSc/ScD)

• Elements of both training and education are needed

Page 33

Student Preparation (look for / help prep with…)

• Basic technology skills – using equipment

• Technology background education – theory of operation & design

• Information literacy capability – data gathering/problem solving

• Need to understand levels of training & education, and what comes with each

• Soft skills: problem solving, writing, communications, team work, interpersonal skills

Page 34

Student Expectations

• ‘Mind set’ preparation
– Understanding what the professional does
  • Detailed analysis
  • Constant monitoring
  • Responsibility issues
– Want it immediately

• Expecting hands-on work in most programs

• Employment expectations
– High-paying jobs
– In some areas a security clearance is an issue

Page 35

Faculty Preparation

• Full-time vs. part-time/professional faculty

• Backgrounds vary
– Technically adept but don’t teach well
– Good teachers but don’t know technology

• Teaching ability: preparation & in the classroom

• Keeping up with the changing technology
– New theories, problems, tools, techniques

• Developing specialization areas (may go ‘out-of-date’)

• Balancing: hands-on, theory, KSA’s, ‘softer skills’

• Up to date on technology, law, business needs, costs/benefits

Page 36

Education Organization Preparation

• Costs
– Program development
– Space development
– Technology (h/s) acquisition, support & maintenance

• Technology decisions
– What technology do I need?
– How up-to-date does it need to be?

Page 37

Education Organization Preparation

• Control over the facilities (locked-down / secured)

• Student background checks

• Student agreements
– Ethical use of knowledge
– Appropriate behavior (in and out of classroom)

• Publicity – for unexpected outcomes

Page 38

Business Expectations

• Minimize cost (security not an income producer, not sexy)

• Like insurance – no measurable/direct benefit

• Imbalance between HR and technology/security manager needs
– HR – measurable items (# years with X)
– Tech. Manager – problem solver, thinker, independent worker, etc.

• Detailed technical knowledge & problem solving & teamwork & interpersonal skills & writing & communications & …

Page 39

Business Expectations

• Fully functional security expert upon training/education completion

• Lack of standards/lack of accepted standards in profession
– What certifications are acceptable?

• Changing technology/changing nature of security needs
– Increasing complexity
– Insufficient up-to-date expertise

• What training / education do I need for my business?

Page 40

Regional Cyber Security Approach

• Study of participating CC’s & 4-year institutions in DC area, in conjunction w/PGCC

• Range: no curriculum – graduate degrees

• Separate courses of study to full degrees

• Stand-alone – integrated into other curriculum
– (Business, Criminal Justice, I.T.)

• Articulation Agreements: CC’s & 4-year inst.

• Joint program agreements
– Graduate and Undergraduate programs (JHU model)

Page 41

Sample Programs

• Virginia Community Colleges – 7 courses

• Capitol College
– M.S. Network Security
– Security Management (Graduate Certificate)
– Network Protection (Graduate Certificate)
– B.S. Network Security

• University of Virginia
– Information Security Management (Graduate Certificate)

Page 42

Sample Programs

• University of Maryland, University College
– IFSM Major (electives)
– IFSM Security Certificate (required)
– IFSM Information Assurance Track

• Johns Hopkins University
– Master of Science in Security Informatics
– Information Security (INFOSEC graduate certif.)
– M.S. in Information & Telecomm. Systems (Info. Security concentration)
– B.S. Information Systems (Security concentration)

Page 43

Questions?

John Baker, Director, Undergraduate Technology Programs

Johns Hopkins University

School of Professional Studies in Business and Education

([email protected])