Cyber Security Education: Issues

1
Cyber Security EducationIssues Approaches

• John Baker
• Director, Undergraduate Technology Programs
• Johns Hopkins University
• School of Professional Studies
• In Business and Education
• (jb_at_jhu.edu)

2
What is Cyber Security?

• Preventing a problem from occurring in your
  system
• Protecting people, data, software, hardware
  facilities
• Requires a wide-range of preparation
• Awareness, planning, policies, procedures, tools,
  technologies, training, education, dedication,
  soft-skills common sense
• Preparation ranges from Security to Cyber
  Forensics

3
Preparation Spectrum
Security Event
Time line

• Cyber Forensics
• Investigation
• Analysis
• Recovery
• Improved preparation

• Security
• Preparation
• Prevention
• Detection
• Minimize Problem

4
Cyber Security Changes
Source Dr. Peter Saflund, NWCET
5
Early 2000s Cyber Security

• Problems seen as event driven
• Wait for a problem to occur
• Attack simulation not usually performed
• Network admin proud of hackers lack of success
  (hero after the fact).
• Posture primarily
• Reactive, not proactive
• Security more of an add-on, not integrated

6
Pre 9/11.

• Major vulnerabilities were laptops
• Theft, loss of data
• Desktop workstations vulnerable to viruses
• Installing virus protection software
• Constantly upgrading
• Defenses primarily
• Access control software
• Front door to applications
• Emphasis on authorized users

7
Attacks Rising
Source Dr. Peter Saflund, NWCET
8
Increasing Economic Costs
Billions
1999
2000
2001
Source Dr. Peter Saflund, NWCET
9
Labor Demand PictureCyber Security

• 89 of businesses expect large scale cyber attack
  within 2 years
• _at_60 feel they are unprepared to defend
  themselves
• 4/5 feel the US generally is unprepared to defend
• Many large scale attacks are unreported
  (confidence issues)
• Better mousetraps make better mice

10
On the Demand sideOver the past 50 years, the
need for skilled workers has grown from 20 to
65 of the available workforce.
1950
1991
2000
Source Bureau of Labor Statistics
11
But, we are not preparing enough skilled workers.
Adults gt 25 years
12
The Field of Cyber Security

• Security skills will be a part of all technical
  jobs
• 2-year grads will not have sole responsibility
  for security audits, policies, strategies
• Current workers need/desire upgrading/certificatio
  n
• There will be Demand Pull for Cyber Security

13
The Field of Cyber Security

• Ideal worker has
• 4-year() degree
• 1 2 years technical education
• Several years of experience
• Employers prize soft skills as much or more
  than technical skills
• Communications, information literacy, team work,
  interpersonal skills, self-motivation,
  problem-solving

14
Security Professional Background(How do they get
there?)
4 years college
Job Promotion
4-year degree
2-year degree
Work Experience
Some College
Self teaching
Certification
Individual courses
On the job training
15
Protection Needs

• To protect
• People, data, systems, networks, facilities
• From
• Viruses, hackers, attacks, physical damage,
  spyware, personnel problems (intentional
  unintentional)
• Involves
• Technical skills, management, financial
  resources, research
• Each requires different
• knowledge, skills abilities (KSAs)
• Many interact with each other or overlap

16

• Business structure
• Policies/procedures
• People actions reactions

• Storage technology
• Encryption
• Data Recovery methods

Research

• Access methods
• Anti-virus
• Anti-spyware

• Cryptography
• Intrusion detection
• Anti-hacking

• Biometrics
• Physical access control
• Disaster prevention

• Recovery funding

• Hardware software budgets

Financial

• Hardware, software transmission budgets

• Facility costs (purchase or lease)
• Operational costs

• Personnel budgets
• Investigation
• Publicity containment

Managerial

• Investigation policies
• Right-to-know policies
• Business structure

• Retention issues
• Data protection needs

• Access policies

• Network management
• Network design

• Facilities design
• Facilities management

• Network monitoring
• Net. Implementation operations

• Access security
• Biometrics
• Disaster recovery

• User-id/password
• Anti-virus
• Anti-spyware

• Training
• Awareness
• Support

• Encryption software
• Backup Recovery

Technical
People
Data
Facilities
Networks
Systems
17
Standards

• What are they?
• Definitions of KSAs for various professional
  (and non-professional) levels
• How are they developing?
• Government definition NSA ,NIST, Homeland Sec.
• Private groups CFWEG
• Independent organizations (ISC)2, CompTIA
• Colleges Universities
• Sometimes a collection of all at once

18
Standards

• Why are they needed?
• A way to ensure quality consistency
• Process for understanding KSAs at different
  levels
• How do they translate into education/training?
• Independent courses
• Certifications
• Sequence of courses for a specific topic
• Program in part of a degree
• 2-year, 4-year, advanced degrees

19
Standards Federal Govt

• NCISSE
• National Colloquium for Information Systems
  Security Education
• Academia, Industry Government James Madison
  University
• Foster curriculum development based on best
  practices

20
Standards Federal Govt

• CNSS
• Committee on National Security Systems
• Formerly NSTISSC - National Security
  Telecommunications and Information Systems
  Security Committee
• 21 US government depts. agencies
• 4011-minimum training standards for I.S. security
  professionals
• 4012-Government Designated Approval Authority
• 4013-System Administrator in IS security
• 4014-IS Security Officers
• 4015-System Certifiers

21
Standards Federal Govt

• NSA-NIETP
• National Security Agency National INFOSEC
  Education and Training Program
• Centers of Academic Excellence (CAE)
• Courseware evaluation of CAEs based on CNSS
  (NSTISSC) standards

22
Standards Federal Govt

• NIST CSD/CSRC
• National Institute of Standards and Technology
  Computer Security Division/Computer Security
  Resource Center
• 800-16 IT Security Training Requirements,
  training standards, needs and course development
  targeted to job functions (not positions)
• 800-50 Building an IT Security Awareness and
  Training Program

23
Standards Private

• University (standards and / or research)
• Dartmouth Institute for Security Technology
  Studies
• George Mason Center for Secure Information
  Systems
• Johns Hopkins JHU Information Security
  Institute
• Purdue CERIAS
• Center for Education Research in Information
  Assurance Security
• NWCET (National Workforce Center for Emerging
  Technologies)
• Bellevue Community College
• Research tech. workforce needs, skill
  standards, education

24
Standards Private

• ISC(2)
• International Information Systems Security
• 10 domain areas (CBK), standards research
• CompTIA
• Computer Technology Industry Association,
  business consortium
• Standards research in security and technology
• ISACA
• Information Systems Audit Control Association
• Standards for IT auditors - security policy
  auditing

25
Cyber Security Content Areas(Examples at all
training / education levels)

• Systems maintenance, patches, upgrades
• Content security
• Data assurance
• Physical security
• User education
• Detection (hacks, probes, etc.)
• Deterrence (fire walls, honey pots, etc.)
• Forensics (evidence gathering, preservation)
• Policy development
• Forward planning and professional development
• Preparation for certification
• Security budgeting public communications
• Research all areas

26
Program Components

• Technology
• Technology specific items
• Skills development (hands-on)
• Theory and research
• Critical Thinking
• Analysis and decision making
• Problem solving
• Finding unique solutions

• Information Literacy
• not just technology literacy
• Research process
• Interpersonal skills
• Team work
• Communications capabilities
• Writing, presentations

27
How We Approach ItTraining

• Teaches specific aspects of security
• Often focuses on tools / techniques
• Using product X
• Upgrading software, software patches
• Network operations, virus protection
• Usually skills based (intense hands-on
  experiences)
• May have some educational components
• Range from single course to certificate

28
Training(Examples)

• Colleges universities
• Sometimes vendor specific
• ITAA
• Information Technology Association of America
• Information Security Awareness Certification
• Focuses on Employee awareness and accountability
• Audience is staff and knowledge worker

29
Training

• ISC(2)
• CISSP Certified Information Systems Security
  Professional
• ISSAP -architecture
• ISSMP - management
• SSCP System Security Certified Practitioner
• SANS
• Wide variety of training, lots of hands-on
• GIAC Global Information Assurance Certification
• 11 individual certifications

30
Training

• CompTIA
• A, Network, Security
• Many more in I.T.
• Vendor specific
• Cisco
• CCIE Cisco Certified Internetworking Expert,
  security track
• CCSP Cisco Certified Security Professional
• Microsoft
• 9 different certificates, several with security
  tracks
• Oracle
• 7 different certifications

31
How We Approach ItEducation

• Heavy doses of theory fundamental principles
• Softer skills writing, communications, problem
  solving, critical thinking, team work
• Some levels include lots of hands-on
• Different approaches depending on level
• Intro. level typically more skills based (also
  a mixed set of students and student backgrounds)
• Intermediate some hands-on but includes
  softer skills (theory, critical thinking,
  problem solving, communications, team work)
• Advanced managerial or research

32
Education

• Community Colleges are the current school of
  choice.
• Average age of CC student 28 yrs.
• Educational degree
• 2-year (AA, AAS)
• 4-year (BS, BA)
• 4 years (MS, MA)
• Doctoral (PhD, EdD, DSc/ScD)
• Elements of both training and education are needed

33
Student Preparation(look for / help prep with)

• Basic technology skills using equipment
• Technology background education theory of
  operation design
• Information literacy capability data
  gathering/problem solving
• Need to understand levels of training
  education, and what comes with each
• Soft-skills problem solving, writing,
  communications, team work, interpersonal skills

34
Student Expectations

• Mind set preparation
• Understanding what the professional does
• Detailed analysis
• Constant monitoring
• Responsibility issues
• Want it immediately
• Expecting hands-on work in most programs
• Employment expectations
• High-paying jobs
• In some areas a security clearance is an issue

35
Faculty Preparation

• Full-time vs. part-time/professional faculty
• Backgrounds vary
• Technically adept but dont teach well
• Good teachers but dont know technology
• Teaching ability preparation in the classroom
• Keeping up with the changing technology
• New theories, problems, tools, techniques
• Developing specialization areas (may go
  out-of-date)
• Balancing hands-on, theory, KSA's, softer
  skills
• Up to date on technology, law, business needs,
  costs/benefits

36
Education Organization Preparation

• Costs
• Program development
• Space development
• Technology (h/s) acquisition, support
  maintenance
• Technology decisions
• What technology do I need?
• How up-to-date does it need to be?

37
Education Organization Preparation

• Control over the facilities (locked-down /
  secured)
• Student background checks
• Student agreements
• Ethical use of knowledge
• Appropriate behavior (in and out of classroom)
• Publicity for unexpected outcomes

38
Business Expectations

• Minimize cost (security not an income producer,
  not sexy)
• Like insurance no measurable/direct benefit
• Imbalance between HR and technology/security
  manager needs
• HR measurable items ( years with X)
• Tech. Manager problem solver, thinker,
  independent worker, etc.
• Detailed technical knowledge problem solving
  teamwork interpersonal skills writing
  communications .

39
Business Expectations

• Fully functional security expert upon
  training/education completion
• Lack of standards/lack of accepted standards in
  profession
• What certifications are acceptable?
• Changing technology/changing nature of security
  needs
• Increasing complexity
• Insufficient up-to-date expertise
• What training / education do I need for my
  business?

40
Regional Cyber Security Approach

• Study of participating CCs 4-year institutions
  in DC area, in conjunction w/PGCC
• Range no curriculum graduate degrees
• Separate courses of study to full degrees
• Stand-alone integrated into other curriculum
• (Business, Criminal Justice, I.T.)
• Articulation Agreements CCs 4-year inst.
• Joint program agreements
• Graduate and Undergraduate programs (JHU model)

41
Sample Programs

• Virginia Community Colleges 7 courses
• Capitol College
• M.S. Network Security
• Security Management (Graduate Certificate)
• Network Protection (Graduate Certificate)
• B. S. Network Security
• University of Virginia
• Information Security Management (Graduate
  Certificate)

42
Sample Programs

• University of Maryland, University College
• IFSM Major (electives)
• IFSM Security Certificate (required)
• IFSM Information Assurance Track
• Johns Hopkins University
• Master of Science in Security Informatics
• Information Security (INFOSEC graduate certif.)
• M.S. in Information Telecomm. Systems (Info.
  Security concentration)
• B.S. Information Systems (Security concentration)

43
Questions ?

• John Baker
• Director, Undergraduate Technology Programs
• Johns Hopkins University
• School of Professional Studies
• In Business and Education
• (jb_at_jhu.edu)