
Cyber Security Education: Issues & Approaches



  1. Cyber Security Education: Issues & Approaches. John Baker, Director, Undergraduate Technology Programs, Johns Hopkins University School of Professional Studies in Business and Education (jb@jhu.edu). FISSEA, March 10, 2004

  2. What is Cyber Security? • Preventing a problem from occurring in your system • Protecting people, data, software, hardware & facilities • Requires a wide range of preparation • Awareness, planning, policies, procedures, tools, technologies, training, education, dedication, ‘soft skills’ & common sense • Preparation ranges from security to cyber forensics

  3. Preparation Spectrum (security event timeline) • Before the event, Security: preparation, prevention, detection, minimizing the problem • After the event, Cyber Forensics: investigation, analysis, recovery, improved preparation (what the investigation finds feeds back into the next round of preparation)

  4. Cyber Security Changes (chart; source: Dr. Peter Saflund, NWCET)

  5. Early 2000s • Cyber security problems seen as event-driven: wait for a problem to occur • Attack simulation not usually performed • Network admin proud of the hacker’s lack of success (hero after the fact) • Posture primarily reactive, not proactive • Security more of an add-on, not integrated

  6. Pre-9/11 • Major vulnerabilities were laptops: theft, loss of data • Desktop workstations vulnerable to viruses: installing virus protection software, constantly upgrading • Defenses primarily access control software: the front door to applications, with emphasis on authorized users

  7. Attacks Rising (chart; source: Dr. Peter Saflund, NWCET)

  8. Increasing Economic Costs (chart of annual cost in $ billions for 1999, 2000 and 2001; source: Dr. Peter Saflund, NWCET)

  9. Labor Demand Picture: Cyber Security • 89% of businesses expect a large-scale cyber attack within 2 years • About 60% feel they are unprepared to defend themselves • 4 in 5 feel the US generally is unprepared to defend • Many large-scale attacks are unreported (confidence issues) • Better mousetraps make better mice

  10. On the demand side: over the past 50 years, the need for “skilled” workers has grown from 20% to 65% of the available workforce. (Chart: professional, skilled and unskilled shares of the workforce in 1950, 1991 and 2000; source: Bureau of Labor Statistics)

  11. But we are not preparing enough skilled workers. (Chart: adults over 25 years)

  12. The Field of Cyber Security • Security skills will be a part of all technical jobs • 2-year grads will not have sole responsibility for security audits, policies, strategies • Current workers need/desire upgrading/certification • There will be “demand pull” for cyber security

  13. The Field of Cyber Security • “Ideal” worker has: • 4-year(+) degree • 1–2 years technical education • Several years of experience • Employers prize “soft” skills as much as or more than technical skills • Communications, information literacy, team work, interpersonal skills, self-motivation, problem-solving

  14. Security Professional Background (how do they get there?) • 4+ years college • Job promotion • 4-year degree • 2-year degree • Work experience • Some college • Self-teaching • Certification • Individual courses • On-the-job training

  15. Protection Needs • To protect: people, data, systems, networks, facilities • From: viruses, hackers, attacks, physical damage, spyware, personnel problems (intentional & unintentional) • Involves: technical skills, management, financial resources, research • Each requires different knowledge, skills & abilities (KSAs) • Many interact with each other or overlap

  16. Protection needs matrix: Technical, Financial, Managerial and Research needs for each of People, Data, Systems, Networks and Facilities. The cells list: • Business structure • Policies/procedures • People actions & reactions • Storage technology • Encryption • Data recovery methods • Access methods • Anti-virus • Anti-spyware • Cryptography • Intrusion detection • Anti-hacking • Biometrics • Physical access control • Disaster prevention • Recovery funding • Hardware & software budgets • Facility costs (purchase or lease) • Operational costs • Hardware, software & transmission budgets • Personnel budgets • Investigation $ • Publicity containment $ • Investigation policies • Right-to-know policies • Business structure • Retention issues • Data protection needs • Access policies • Network management • Network design • Facilities design • Facilities management • Network monitoring • Network implementation & operations • Access security • Biometrics • Disaster recovery • User-id/password • Anti-virus • Anti-spyware • Training • Awareness • Support • Encryption software • Backup & recovery

  17. Standards • What are they? • Definitions of KSAs for various professional (and non-professional) levels • How are they developing? • Government definition: NSA, NIST, Homeland Security • Private groups: CFWEG • Independent organizations: (ISC)², CompTIA • Colleges & universities • Sometimes a collection of all at once

  18. Standards • Why are they needed? • A way to ensure quality & consistency • Process for understanding KSAs at different levels • How do they translate into education/training? • Independent courses • Certifications • Sequence of courses for a specific topic • Program as part of a degree • 2-year, 4-year, advanced degrees

  19. Standards – Federal Gov’t • NCISSE • National Colloquium for Information Systems Security Education • Academia, industry & government – James Madison University • Foster curriculum development based on best practices

  20. Standards – Federal Gov’t • CNSS • Committee on National Security Systems • Formerly NSTISSC – National Security Telecommunications and Information Systems Security Committee • 21 US government depts. & agencies • 4011 – minimum training standards for I.S. security professionals • 4012 – Designated Approving Authority • 4013 – System Administrator in IS security • 4014 – IS Security Officers • 4015 – System Certifiers

  21. Standards – Federal Gov’t • NSA-NIETP • National Security Agency – National INFOSEC Education and Training Program • Centers of Academic Excellence (CAE) • Courseware evaluation of CAEs based on CNSS (NSTISSC) standards

  22. Standards – Federal Gov’t • NIST – CSD/CSRC • National Institute of Standards and Technology – Computer Security Division/Computer Security Resource Center • SP 800-16 – IT Security Training Requirements: training standards, needs and course development targeted to job functions (not positions) • SP 800-50 – Building an IT Security Awareness and Training Program

  23. Standards – Private • University (standards and/or research) • Dartmouth – Institute for Security Technology Studies • George Mason – Center for Secure Information Systems • Johns Hopkins – JHU Information Security Institute • Purdue – CERIAS (Center for Education and Research in Information Assurance and Security) • NWCET (National Workforce Center for Emerging Technologies), Bellevue Community College • Research – tech. workforce needs, skill standards, education

  24. Standards – Private • (ISC)² • International Information Systems Security Certification Consortium • 10 domain areas (the CBK, Common Body of Knowledge), standards research • CompTIA • Computing Technology Industry Association, business consortium • Standards & research in security and technology • ISACA • Information Systems Audit & Control Association • Standards for IT auditors – security policy auditing

  25. Cyber Security Content Areas (examples at all training/education levels) • Systems maintenance, patches, upgrades • Content security • Data assurance • Physical security • User education • Detection (hacks, probes, etc.) • Deterrence (firewalls, honeypots, etc.) • Forensics (evidence gathering, preservation) • Policy development • Forward planning and professional development • Preparation for certification • Security budgeting & public communications • Research – all areas

  26. Program Components • Technology: technology-specific items, skills development (hands-on), theory and research • Critical thinking: analysis and decision making, problem solving, finding unique solutions • Information literacy, not just technology literacy: research process • Interpersonal skills: team work, communications capabilities (writing, presentations)

  27. How We Approach It: Training • Teaches specific aspects of security • Often focuses on tools/techniques • Using product X • Upgrading software, software patches • Network operations, virus protection • Usually skills based (intense ‘hands-on’ experiences) • May have some ‘educational’ components • Ranges from single course to certificate

  28. Training (examples) • Colleges & universities • Sometimes vendor specific • ITAA • Information Technology Association of America • Information Security Awareness Certification • Focuses on employee awareness and accountability • Audience is staff and knowledge workers

  29. Training • (ISC)² • CISSP – Certified Information Systems Security Professional • ISSAP – architecture concentration • ISSMP – management concentration • SSCP – Systems Security Certified Practitioner • SANS • Wide variety of training, lots of hands-on • GIAC – Global Information Assurance Certification • 11 individual certifications

  30. Training • CompTIA • A+, Network+, Security+ • Many more in I.T. • Vendor specific • Cisco • CCIE – Cisco Certified Internetwork Expert, security track • CCSP – Cisco Certified Security Professional • Microsoft • 9 different certificates, several with security tracks • Oracle • 7 different certifications

  31. How We Approach It: Education • Heavy doses of theory & fundamental principles • Softer skills: writing, communications, problem solving, critical thinking, team work • Some levels include lots of hands-on • Different approaches depending on level • Intro level – typically more skills based (also a mixed set of students and student backgrounds) • Intermediate – some hands-on but includes ‘softer’ skills (theory, critical thinking, problem solving, communications, team work) • Advanced – managerial or research

  32. Education • Community colleges are the current school of choice; average age of CC student = 28 yrs • Educational degrees: 2-year (AA, AAS), 4-year (BS, BA), 4+ years (MS, MA), doctoral (PhD, EdD, DSc/ScD) • Elements of both training and education are needed

  33. Student Preparation (look for / help prep with…) • Basic technology skills – using equipment • Technology background education – theory of operation & design • Information literacy capability – data gathering/problem solving • Need to understand levels of training & education, and what comes with each • Soft skills: problem solving, writing, communications, team work, interpersonal skills

  34. Student Expectations • ‘Mind set’ preparation • Understanding what the professional does • Detailed analysis • Constant monitoring • Responsibility issues • Want it immediately • Expecting hands-on work in most programs • Employment expectations • High-paying jobs • In some areas a security clearance is an issue

  35. Faculty Preparation • Full-time vs. part-time/professional faculty • Backgrounds vary • Technically adept but don’t teach well • Good teachers but don’t know technology • Teaching ability: preparation & in the classroom • Keeping up with the changing technology • New theories, problems, tools, techniques • Developing specialization areas (may go ‘out-of-date’) • Balancing: hands-on, theory, KSAs, ‘softer skills’ • Up to date on technology, law, business needs, costs/benefits

  36. Education Organization Preparation • Costs • Program development • Space development • Technology (hardware/software) acquisition, support & maintenance • Technology decisions • What technology do I need? • How up-to-date does it need to be?

  37. Education Organization Preparation • Control over the facilities (locked-down/secured) • Student background checks • Student agreements • Ethical use of knowledge • Appropriate behavior (in and out of classroom) • Publicity – for unexpected outcomes

  38. Business Expectations • Minimize cost (security is not an income producer, not sexy) • Like insurance – no measurable/direct benefit • Imbalance between HR and technology/security manager needs • HR – measurable items (# years with X) • Tech. manager – problem solver, thinker, independent worker, etc. • Detailed technical knowledge & problem solving & teamwork & interpersonal skills & writing & communications & …

  39. Business Expectations • Fully functional security expert upon training/education completion • Lack of standards / lack of accepted standards in the profession • What certifications are acceptable? • Changing technology / changing nature of security needs • Increasing complexity • Insufficient up-to-date expertise • What training/education do I need for my business?

  40. Regional Cyber Security Approach • Study of participating CCs & 4-year institutions in the DC area, in conjunction with PGCC • Range: no curriculum – graduate degrees • Separate courses of study to full degrees • Stand-alone – integrated into other curricula (Business, Criminal Justice, I.T.) • Articulation agreements: CCs & 4-year institutions • Joint program agreements • Graduate and undergraduate programs (JHU model)

  41. Sample Programs • Virginia Community Colleges – 7 courses • Capitol College • M.S. Network Security • Security Management (graduate certificate) • Network Protection (graduate certificate) • B.S. Network Security • University of Virginia • Information Security Management (graduate certificate)

  42. Sample Programs • University of Maryland, University College • IFSM major (electives) • IFSM Security Certificate (required) • IFSM Information Assurance track • Johns Hopkins University • Master of Science in Security Informatics • Information Security (INFOSEC graduate certificate) • M.S. in Information & Telecommunication Systems (Information Security concentration) • B.S. Information Systems (Security concentration)

  43. Questions? John Baker, Director, Undergraduate Technology Programs, Johns Hopkins University School of Professional Studies in Business and Education (jb@jhu.edu)
