Educating Cyber Professionals:

Transcription

1 SECURITY TRAINING AND EDUCATION Educating Cyber Professionals: A View from Academia, the Private Sector, and Government Mischel Kwon Mischel Kwon and Associates Michael J. Jacobs Cybersecurity Consultant David Cullinane Ebay Christopher G. Ipsen State of Nevada James Foley Georgia Tech How do we solve the workforce problem? Guest editor Mischel Kwon brought together a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals. How should we break up our fundamental security needs into learning areas for example, into information assurance, policy work, technical security operations, technical security administration, and even executive management taking into account the resources involved, both human and financial? Michael J. Jacobs: What you ve identified, generally speaking, follows the developed [information assurance] curriculum, which is at the core of the [National Security Agency] Center of Excellence program and evaluation process. In terms of certificate or degree programs, these are the general topics covered by that curriculum, and schools participating in such a program need to, at a minimum, cover them. But from my perspective, the single greatest gap that exists today in educational programs is the topic of policy how to develop it, how to enforce it, and making certain that system operators and owners and executive managers are prepared to do the policy enforcement and development. In looking at systems over the past 48 years, this is always the missing ingredient. We have great ideas. We ve got a lot of technical capability working on the problem. But we don t do what s really necessary, and that is to develop a cogent set of policies and then ensure either through technical or auditing means that they are enforced. Without that enforcement, don t bother writing the policy. Frankly, without writing the policy and without enforcing it, don t bother putting all these technical things in place because you re going fail. Christopher G. Ipsen: In terms of the types of training, one of the things that frustrates me is getting to the 80 percent level. Several organizations put out different training modules, and I think there should be more of a systematic approach. We should be able to leverage the economies of scale more effectively, and I m not seeing that happening. We need basic training obviously, it won t cover all challenges, but the goal would be to standardize on the first 80 percent. After that first 80 percent, focus in on those tiers of training necessary on the back end. Right now, one area with a deficit is quantifiable technical capabilities from a security perspective, and one of its missing components is validation testing in terms of skill sets. We need a way of validating the skills of the individuals being trained so that not only do they receive a certification but we also know their specific quantifiable skills, from the technical to the analytical. 50 March/April 2012 Copublished by the IEEE Computer and Reliability Societies /12/$ IEEE

2 We have an NSA Center of Academic Excellence in Las Vegas that we re hoping to keep. Its funding is coming under some scrutiny, and one of my primary goals is to keep it and then to build on it. How do we expand the base training that an NSA Center of Academic Excellence can do out to conferences Black Hat, DEF- CON, and other trade conferences that come through Las Vegas and capture those individuals through, say, a world-class datacenter like Switch Communications? What can we do to pull all of those pieces together into a cohesive training program that can maybe address the second 20 percent, so that we can be innovative, so that we can use individuals who are at the bleeding edge of security threats and create an environment that capitalizes on and maximizes their unique understanding of these problems around either very specific exploits or around the challenges associated with big data? I think Nevada has an interesting opportunity. What is it that we re not doing in academia to prepare our CS graduates for the workforce? What do we need to do to assure the workforce that our graduates are qualified? Can we take something from other areas of academia? For example, are companies satisfied with the level they get when an electrical engineer graduates a master s program? We have great ideas. But we don t do what s really necessary, and that is to develop a cogent set of policies Michael J. Jacobs James Foley: In both engineering and CS, there s an emphasis on problem-solving and learning by doing, and to the extent that our information security courses emphasize labs and actually setting up networks to be secure and figuring out how to detect attacks, the more hands-on experience the better. Ipsen: In addition to leveraging the traditional CS approach to cyber education, I believe that there is also value to be derived from other academic disciplines like psychology and the arts. In Wired a couple of issues ago, an article talked about feedback loops and those types of disciplines that build resilient change in terms of people s behavior. I think there are some valid observations we can pull from that discussion. One of the examples given was the concept of people speeding. They don t always necessarily want to speed, and they have a speedometer in front of them that can validate their speed, but when you put an external stimulus out there that says, Oh, by the way, here s your real speed as you re driving down the road, not only do people slow down, they actually drive a little bit slower for the rest of their trip. This outcome-based training capability has nothing to do with the speedometer and nothing to do with the physics of the car or the brakes or anything else. So how do we build feedback loops for people doing the correct behavior associated with information security? Is there a way for us to say, You clicked on a link, and you know that s bad behavior. Please don t do that anymore? It s nonjudgmental in the way that it presents the information, but it encourages people to do the right thing, which I think most people genuinely want to do. They just don t know what that is, or they ve forgotten. We can use it in structured technical fields to reinforce how people learn their cyber security dos and don ts. Jacobs: That makes perfect sense, and it fits right in with the idea of usable security and making things obvious in terms of what s going on and what you should and shouldn t do. Foley: It does, but it also goes back to the point about policy. You can t keep smart people from doing the wrong thing if there isn t a policy base that s deployed into the environment so that they understand what they should and shouldn t do. A perfect example was signing into WebEx for this discussion. One of the policy engines on my laptop is Norton, and there are some subroutines running on WebEx that Norton didn t recognize. I got three different banners at the bottom of my screen, saying, We think it s safe, but we don t know very much about it. Some people wed to Norton might ve just dropped out because Norton couldn t tell them anything. So, I think there s a technical aspect to helping people understand what they should and shouldn t do as well as a policy aspect that long list of things that, through trial and error, we know are the wrong things to do and they both have to be deployed into the environment. Jacobs: There are technical solutions out there. You can deploy policy enforcement engines into your enterprise, both agent based and agentless, to look at your IP address to see what kind of behavior you re manifesting. They can report it to you or to the audit function. But one of the things I ve found, particularly with some large commercial enterprises, is an aversion to strict policy. I recall a conversation I had with a 51

3 SECURITY TRAINING AND EDUCATION CFO of a major corporation when we were going in to do what we characterized as a comprehensive review, evaluation, and then configuration to optimize the enterprise s security profile. When the subject of policy came up, he asked what I meant. When I discussed some examples such as use restrictions and peer to peer, he balked at the notion that we would be restricting employee access to the things they wanted, none of which were related to the business of the enterprise and would continue to present security weakness in the system. David Cullinane: There s another distinction between education and training. I need to educate my executives on the threat that s out there, how real it is, the risk of that threat, and what we need to do about it, and be able to demonstrate to them that I m spending their money appropriately. I need to train my developers to write better code so that they re not only more productive, but they also don t build problems into our products, our environment, and things of that nature. For things like clouds, we need to educate people about the security issues associated with cloud computing so they understand those issues, and then, also train them on how to deal with the security issues of the cloud. What are the protections they ll have to have to put in place? What are their options? There s a balance there, and I think education s sort of the higher-level explanation of why this is important and what is needed, and it s needed for a certain audience. It s probably needed for all the people who will get trained, too, but the training should be customized to the audience that s going to use it. So, if your development team is doing your website, it gets trained on website security issues and how to avoid cross-site scripting and things of that nature. If your team is doing database administration, it needs to be trained on database security issues and what things to watch for and that sort of thing. There s a distinction there that applies when you re trying to teach anyone about security, whether it s one of your employees or the students in a classroom. The situation is complex because we re talking about a lot of different kinds of education and training, with qualifications and certifications. What do we need to do to ensure that our professionals are qualified? Cullinane: Certifications have a value to me as an employer in the sense that they let me know that at least this person went through a test and successfully passed it. But determining how creative and good people are at that type of thing is something that you can only really learn when you see them in practice and start to identify the really sharp people. The Cloud Security Alliance is trying to do certification in the body of knowledge that the CSA has determined is fundamental to dealing effectively with cloud security. This offers some value as an employer: Here s an emerging technology that I think I want to use. I know I need somebody that knows what they re talking about in this space, so at least I have some validation that this person has proven or demonstrated some level of knowledge and understanding. I also think it s good when I send an employee to something like that and he or she comes back with a certification if I ve done my job as the boss and made sure that the training is good and the quality is there and the content that I m going to need my employee to understand is there, then I know that the employee learned what he or she needed to learn. Putting it into practice is something I ll need to manage as a manager. So, I see some big value there, but bridging that with, How do I ensure that new college graduate Mary Jones has enough knowledge to be able to step in and do what I need her to do right now? is a much more complex question. At least in the private sector, it also varies widely by type of environment and business. Ebay s almost entirely based on Web applications, so that s the skill set I need. How do I measure that as a primary criterion and do it effectively? CISSP [Certified Information Systems Security Professional] tells me that Mary knows the fundamentals of security, so she s got a basic level of knowledge and has demonstrated it to someone. How do I go beyond that and see what skill level she has, and even more important, figure out what skill levels she s going to need and find that training? I ve participated in various and sundry groups for more than five years that have tried to get developer training at the college level to include much more on security, and it s still not happening. That s part of what we also need to do impact the curricula, so that people who are doing jobs that aren t necessarily purely security are coming out with at least basic security knowledge. Are there effective government programs that we can expand to include the private sector, to address these problems? Ipsen: I saw a really interesting approach yesterday, and at first, I wasn t sure that it was the right way to go, but as I thought through it, it really resonated with me. At UNLV [University of Nevada, Las Vegas], the NSA Center of Academic Excellence is in the School of Informatics, and it s working on the concept of 52 IEEE Security & Privacy March/April 2012

4 developing programs in conjunction with other cohorts, so bringing business, security, and other facets together in a degree program makes a lot of sense. What I mean specifically by that is the type of individual that we re looking to train in the future we need highly specialized people, but we also need generalists who can access information from those highly trained individuals. We also need generalized training for those people who are neither managers nor highly trained specialists. In this three-tiered system, one tier is the generalist, the next is the hybrid middle manager who needs to reinforce the concept of security, and the last is those people who develop policies and discrete security practices moving forward. We have to understand what it is that we need to train to, and we need to look at existing programs that can help us achieve those outcomes. But coming back to the earlier discussion, there s also tremendous value, particularly in the business community, in saying, Not only does this person have a certification, but we ve validated it through performance-based testing. That always seems to resonate. We need to develop ongoing tests of people s capabilities, both against their peers and emerging threats. If we can demonstrate skills, we bring together all the concepts of the training paradigm to validate that testing is outcome based rather than theoretical based. We also need generalized training for those people who are neither managers nor highly trained specialists. Christopher G. Ipsen It s hard to get funding for training on real systems, and it s expensive to put together a training lab that s new enough to be relevant to today s problems. How do we deal with that issue? Foley: That s a real challenge. Part of it requires equipment vendors, who have been very good to some schools, to broaden in terms of donations and reach out further. There are certainly things to be done with virtual labs and computer simulations, but beyond labs, we need to look at education. I was just reviewing Georgia Tech s distance learning masters in information security, which offers a lot of these courses online. One of the things I d like to see happen is for more schools to become receptive to using other schools learning material as part of a course. We could take, for instance, an undergraduate introduction to information security course that has good video lecturers and make that available to schools that don t have their own information security expert, packaged in a way for a faculty member with general computing knowledge to facilitate the course. It s going to be a long time before every computer science program has a faculty member who s a specialist in information security. What about reduced resources? For example, as you look across US universities, you actually see a drop in the number of Centers of Academic Excellence and a significant drop in schools that offer even basic computer science programs. Foley: I don t see a drop in the number of schools offering CS degrees. There was an enrollment drop, but the good news is that it has leveled off and in some schools is increasing, and hiring has also picked up in the computing segment. Those are some good signs, but there is a continuing concern the computer science degree is perceived by some as being isolating and not about real-world problems. Neither perception is factual. Clearly, the training and education we make available for computer scientists won t work for everyday users protecting themselves and their data. We need to figure out who the various audiences are, what they need to function securely, and how and how often we can provide them with knowledge and feedback. What is clear from this discussion is that the need is great, and that addressing it requires flexible, diverse approaches. Mischel Kwon is president of Mischel Kwon and Associates, a cybersecurity consultancy in Fairfax, Virginia. Contact her at mischel@mkwonassoc.com. Michael J. Jacobs is a cybersecurity consultant and former director of information assurance at the US National Security Agency. David Cullinane is the CISO for Ebay, where he s responsible for global fraud, risk, and security strategy. Christopher G. Ipsen is CIO for the State of Nevada. James Foley is a professor in the School of Interactive Computing at Georgia Tech. Selected CS articles and columns are also available for free at

5 This article was featured in For access to more content from the IEEE Computer Society, see computingnow.computer.org. Top articles, podcasts, and more. computingnow.computer.org