FISSEA - March 10, 2004
Cyber Security Education: Issues & Approaches
John Baker, Director, Undergraduate Technology Programs
Johns Hopkins University
School of Professional Studies in Business and Education
What is Cyber Security?
• Preventing a problem from occurring in your system
• Protecting people, data, software, hardware & facilities
• Requires a wide range of preparation
  – Awareness, planning, policies, procedures, tools, technologies, training, education, dedication, ‘soft skills’ & common sense
• Preparation ranges from Security to Cyber Forensics
Preparation Spectrum
Time line: Security → Security Event → Cyber Forensics
• Security: Preparation, Prevention, Detection, Minimize Problem
• Cyber Forensics: Investigation, Analysis, Recovery, Improved preparation
Cyber Security Changes
[Figure: Cyber Security Changes. Source: Dr. Peter Saflund, NWCET]
Early 2000’s Cyber Security
• Problems seen as event driven
  – Wait for a problem to occur
• Attack simulation not usually performed
• Network admin proud of hacker’s lack of success (hero after the fact)
• Posture primarily
  – Reactive, not proactive
• Security more of an add-on, not integrated
Pre 9/11…
• Major vulnerabilities were laptops
  – Theft, loss of data
• Desktop workstations vulnerable to viruses
  – Installing virus protection software
  – Constantly upgrading
• Defenses primarily
  – Access control software
  – Front door to applications
  – Emphasis on authorized users
Attacks Rising
[Figure: Attacks Rising. Source: Dr. Peter Saflund, NWCET]
Increasing Economic Costs
[Chart: cost in $Billions (axis 0–14) of Melissa, Code Red, Love Bug and W32 Worm, 1999–2001. Source: Dr. Peter Saflund, NWCET]
Labor Demand Picture—Cyber Security
• 89% of businesses expect a large-scale cyber attack within 2 years
• About 60% feel they are unprepared to defend themselves
• 4 in 5 feel the US generally is unprepared to defend
• Many large-scale attacks are unreported (confidence issues)
• Better mousetraps make better mice
Workforce composition by year (chart; source: Bureau of Labor Statistics)
              1950   1991   2000
Professional  20%    20%    20%
Skilled       20%    45%    65%
Unskilled     60%    35%    15%
On the Demand side: Over the past 50 years, the need for “skilled” workers has grown from 20% to 65% of the available workforce.
Educational attainment, adults > 25 years (chart)
• No HS Diploma: 19%
• High School: 35%
• Some College: 17%
• Associate: 7%
• Bachelors +: 22%
But, we are not preparing enough skilled workers.
The Field of Cyber Security
• Security skills will be a part of all technical jobs
• 2-year grads will not have sole responsibility for security audits, policies, strategies
• Current workers need/desire upgrading/certification
• There will be “Demand Pull” for Cyber Security
The Field of Cyber Security
• “Ideal” worker has…
  – 4-year(+) degree
  – 1–2 years technical education
  – Several years of experience
• Employers prize “soft” skills as much as or more than technical skills
  – Communications, information literacy, team work, interpersonal skills, self-motivation, problem-solving
Security Professional Background (How do they get there?)
Paths shown in the diagram: 4-year degree, certification, 2-year degree, work experience, some college, job promotion, on-the-job training, individual courses, 4+ years college, self-teaching
Protection Needs
• To protect:
  – People, data, systems, networks, facilities
• From:
  – Viruses, hackers, attacks, physical damage, spyware, personnel problems (intentional & unintentional)
• Involves:
  – Technical skills, management, financial resources, research
• Each requires different:
  – Knowledge, skills & abilities (KSAs)
• Many interact with each other or overlap
Protection needs matrix (rows: Research, Financial, Managerial, Technical; columns: People, Data, Systems, Networks, Facilities). Cell contents, listed without their row/column placement:
• Investigation policies; Right-to-know policies
• Business structure
• Training; Awareness; Support
• Personnel budgets; Investigation $; Publicity containment $
• Business structure; Policies/procedures; People actions & reactions
• Storage technology; Encryption; Data recovery methods
• Encryption software; Backup & recovery
• Access methods; Anti-virus; Anti-spyware
• Recovery funding
• Cryptography; Intrusion detection; Anti-hacking
• Hardware & software budgets
• Hardware, software & transmission budgets
• Retention issues; Data protection needs
• Access policies
• User-id/password; Anti-virus; Anti-spyware
• Network management; Network design
• Network monitoring; Network implementation & operations
• Biometrics; Physical access control
• Disaster prevention
• Facility costs (purchase or lease)
• Operational costs
• Facilities design; Facilities management
• Access security; Biometrics; Disaster recovery
Standards
• What are they?
  – Definitions of KSAs for various professional (and non-professional) levels
• How are they developing?
  – Government definition: NSA, NIST, Homeland Sec.
  – Private groups: CFWEG
  – Independent organizations: (ISC)2, CompTIA
  – Colleges & Universities
  – Sometimes a collection of all at once
Standards
• Why are they needed?
  – A way to ensure quality & consistency
  – Process for understanding KSAs at different levels
• How do they translate into education/training?
  – Independent courses
  – Certifications
  – Sequence of courses for a specific topic
  – Program as part of a degree
  – 2-year, 4-year, advanced degrees
Standards – Federal Gov’t
• NCISSE
  – National Colloquium for Information Systems Security Education
  – Academia, Industry & Government
  – James Madison University
  – Foster curriculum development based on best practices
Standards – Federal Gov’t
• CNSS
  – Committee on National Security Systems
  – Formerly NSTISSC – National Security Telecommunications and Information Systems Security Committee
  – 21 US government depts. & agencies
  – 4011 – minimum training standards for I.S. security professionals
  – 4012 – Government Designated Approval Authority
  – 4013 – System Administrator in IS security
  – 4014 – IS Security Officers
  – 4015 – System Certifiers
Standards – Federal Gov’t
• NSA-NIETP
  – National Security Agency – National INFOSEC Education and Training Program
  – Centers of Academic Excellence (CAE)
  – Courseware evaluation of CAEs based on CNSS (NSTISSC) standards
Standards – Federal Gov’t
• NIST – CSD/CSRC
  – National Institute of Standards and Technology
  – Computer Security Division / Computer Security Resource Center
  – 800-16 – IT Security Training Requirements: training standards, needs and course development targeted to job functions (not positions)
  – 800-50 – Building an IT Security Awareness and Training Program
Standards – Private
• University (standards and/or research)
  – Dartmouth – Institute for Security Technology Studies
  – George Mason – Center for Secure Information Systems
  – Johns Hopkins – JHU Information Security Institute
  – Purdue – CERIAS (Center for Education & Research in Information Assurance Security)
• NWCET (National Workforce Center for Emerging Technologies)
  – Bellevue Community College
  – Research – tech. workforce needs, skill standards, education
Standards – Private
• (ISC)2
  – International Information Systems Security
  – 10 domain areas (CBK), standards research
• CompTIA
  – Computer Technology Industry Association, business consortium
  – Standards & research in security and technology
• ISACA
  – Information Systems Audit & Control Association
  – Standards for IT auditors – security policy auditing
Cyber Security Content Areas (Examples at all training / education levels)
• Systems maintenance, patches, upgrades
• Content security
• Data assurance
• Physical security
• User education
• Detection (hacks, probes, etc.)
• Deterrence (firewalls, honeypots, etc.)
• Forensics (evidence gathering, preservation)
• Policy development
• Forward planning and professional development
• Preparation for certification
• Security budgeting & public communications
• Research – all areas
Program Components
• Technology
  – Technology-specific items
  – Skills development (hands-on)
  – Theory and research
• Critical Thinking
  – Analysis and decision making
• Problem solving
  – Finding unique solutions
• Information Literacy
  – Not just technology literacy
  – Research process
• Interpersonal skills
  – Team work
• Communications capabilities
  – Writing, presentations
How We Approach It: Training
• Teaches specific aspects of security
  – Often focuses on tools / techniques
    • Using product X
    • Upgrading software, software patches
  – Network operations, virus protection
• Usually skills based (intense ‘hands-on’ experiences)
• May have some ‘educational’ components
• Range from single course to certificate
Training (Examples)
• Colleges & universities
  – Sometimes vendor specific
• ITAA
  – Information Technology Association of America
  – Information Security Awareness Certification
  – Focuses on employee awareness and accountability
  – Audience is staff and knowledge workers
Training
• (ISC)2
  – CISSP – Certified Information Systems Security Professional
    • ISSAP – architecture
    • ISSMP – management
  – SSCP – Systems Security Certified Practitioner
• SANS
  – Wide variety of training, lots of hands-on
  – GIAC – Global Information Assurance Certification
  – 11 individual certifications
Training
• CompTIA
  – A+, Network+, Security+
  – Many more in I.T.
• Vendor specific
  – Cisco
    • CCIE – Cisco Certified Internetwork Expert, security track
    • CCSP – Cisco Certified Security Professional
  – Microsoft
    • 9 different certificates, several with security tracks
  – Oracle
    • 7 different certifications
How We Approach It: Education
• Heavy doses of theory & fundamental principles
• Softer skills: writing, communications, problem solving, critical thinking, team work
• Some levels include lots of hands-on
• Different approaches depending on level
  – Intro. level – typically more skills based (also a mixed set of students and student backgrounds)
  – Intermediate – some hands-on but includes ‘softer’ skills (theory, critical thinking, problem solving, communications, team work)
  – Advanced – managerial or research
Education
• Community Colleges are the current school of choice
• Average age of CC student = 28 yrs.
• Educational degree
  – 2-year (AA, AAS)
  – 4-year (BS, BA)
  – 4+ years (MS, MA)
  – Doctoral (PhD, EdD, DSc/ScD)
• Elements of both training and education are needed
Student Preparation (look for / help prep with…)
• Basic technology skills – using equipment
• Technology background education – theory of operation & design
• Information literacy capability – data gathering/problem solving
• Need to understand levels of training & education, and what comes with each
• Soft skills: problem solving, writing, communications, team work, interpersonal skills
Student Expectations
• ‘Mind set’ preparation
  – Understanding what the professional does
    • Detailed analysis
    • Constant monitoring
    • Responsibility issues
  – Want it immediately
• Expecting hands-on work in most programs
• Employment expectations
  – High-paying jobs
  – In some areas a security clearance is an issue
Faculty Preparation
• Full-time vs. part-time/professional faculty
• Backgrounds vary
  – Technically adept but don’t teach well
  – Good teachers but don’t know technology
• Teaching ability: preparation & in the classroom
• Keeping up with the changing technology
  – New theories, problems, tools, techniques
• Developing specialization areas (may go ‘out-of-date’)
• Balancing: hands-on, theory, KSAs, ‘softer skills’
• Up to date on technology, law, business needs, costs/benefits
Education Organization Preparation
• Costs
  – Program development
  – Space development
  – Technology (hardware/software) acquisition, support & maintenance
• Technology decisions
  – What technology do I need?
  – How up-to-date does it need to be?
Education Organization Preparation
• Control over the facilities (locked-down / secured)
• Student background checks
• Student agreements
  – Ethical use of knowledge
  – Appropriate behavior (in and out of classroom)
• Publicity – for unexpected outcomes
Business Expectations
• Minimize cost (security not an income producer, not sexy)
• Like insurance – no measurable/direct benefit
• Imbalance between HR and technology/security manager needs
  – HR – measurable items (# years with X)
  – Tech. Manager – problem solver, thinker, independent worker, etc.
• Detailed technical knowledge & problem solving & teamwork & interpersonal skills & writing & communications & …
Business Expectations
• Fully functional security expert upon training/education completion
• Lack of standards / lack of accepted standards in profession
  – What certifications are acceptable?
• Changing technology / changing nature of security needs
  – Increasing complexity
  – Insufficient up-to-date expertise
• What training / education do I need for my business?
Regional Cyber Security Approach
• Study of participating CCs & 4-year institutions in DC area, in conjunction with PGCC
• Range: no curriculum – graduate degrees
• Separate courses of study to full degrees
• Stand-alone – integrated into other curriculum
  – (Business, Criminal Justice, I.T.)
• Articulation agreements: CCs & 4-year inst.
• Joint program agreements
  – Graduate and undergraduate programs (JHU model)
Sample Programs
• Virginia Community Colleges – 7 courses
• Capitol College
  – M.S. Network Security
  – Security Management (Graduate Certificate)
  – Network Protection (Graduate Certificate)
  – B.S. Network Security
• University of Virginia
  – Information Security Management (Graduate Certificate)
Sample Programs
• University of Maryland, University College
  – IFSM Major (electives)
  – IFSM Security Certificate (required)
  – IFSM Information Assurance Track
• Johns Hopkins University
  – Master of Science in Security Informatics
  – Information Security (INFOSEC graduate certif.)
  – M.S. in Information & Telecomm. Systems (Info. Security concentration)
  – B.S. Information Systems (Security concentration)
Questions?
John Baker, Director, Undergraduate Technology Programs
Johns Hopkins University
School of Professional Studies in Business and Education