190 likes | 203 Views
Explore the need for information systems security education and the demand for security professionals. Learn about built-in versus strapped-on security techniques.
E N D
Effective and Efficient Techniques for IT Security Education LTC John M. D. Hill LTC Curtis A. Carver, Jr. LTC Daniel J. Ragsdale
Security Education in Computer Science Programs LTC John M. D. Hill Presentedto the 13th Annual Federal Information Systems Security Educators’ Association (FISSEA) Conference
Agenda • Introduction • Need for IS in CS programs • Difficulties • Some things that can be done • Conclusion Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Statement of Concern • Prevalence of information systems in business, government, utilities, and control systems • Information systems are a key component of most of the critical national infrastructure • Executive Order 13010 established the President’s Commission on Critical Infrastructure Protection • Identified “cyber threats” as electronic, radio-frequency, or computer-based attacks on the information or communications components that control critical infrastructures. • One of the critical requirements for addressing cyber threats was the need for more information systems security education • Identified the need to review undergraduate and graduate education in information systems security and identify necessary changes and required resources • The goal of these changes would be to meet the national demand for professionals in the field Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Demand for Information Security (IS) Professionals • The demand for professionals stems from two very serious issues related to information systems security education • The first issue is the large numbers of existing vulnerabilities in information systems • The second issue is that for future information systems to be secure, their designers and implementers must be knowledgeable about information security Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
“Built-in” versus “Strapped-On” • There is a familiar discussion that security is either strapped-on to an information system, or it is built-in during the initial development. • Many existing systems have strapped-on security to address security vulnerabilities not considered in design and implementation. • Simmel (Carnegie-Mellon) notes that the demand for security-knowledgeable management and technical personnel to fix flaws will rise and that there is an insufficient supply. He advocates focusing efforts on designing systems with security from their inception. • Chin (Syracuse) presented a security education initiative in which he described a “culture of engineering” where the goal is to “engineer secure systems ab initio with assurance rather than to discover that what we have built is inadequate.” He believes that competence in security policy design, testing, and assessment must be part of the education of system implementers. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Need for IS Education • Spafford (Purdue) testimony before Congress: • “To ensure safe computing, the security (and other desirable properties) must be designed in from the start. To do that, we need to be sure all of our students understand the many concerns of security, privacy, integrity, and reliability.” • “Our students and soon-to-be students will be designing our information technologies of the future. We are endangering them and ourselves because the majority of them will receive no training in information security.” • According to Spafford, the lack of visibility, training, and coordinated research efforts has led to a significant shortage of practitioners trained in practical computing security. • There is an associated issue of a critical shortage of academic faculty prepared to offer advanced instruction in this area. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Shortage of Academic Faculty • Limited number of graduate students receiving degrees for security-related research. • Spafford: • “Of particular note are the small numbers of Ph.D. graduates going into academia. It is clear that we are falling short in building an educational infrastructure to support the increased need for training in security.” (Reminiscent of Denning’s “Seed-Corn” article). • Graduates are more interested in joining a commercial enterprise where their efforts have more immediate results. Also, there are many opportunities in industry, with better pay. • Advancement is more difficult in academia in this field, and the lectures and laboratory exercises require substantially more effort than in other fields. • Substantial resources are required, but institutions have difficulty in sustaining them. The struggle for acquisition of resources discourages students and encourages faculty to consider leaving academia. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
IS Education Approaches and Outcomes • Irvine (Naval Postgraduate School) related the idea of “built-in” versus “strapped-on” to security education and noted two different approaches to information security education were emerging • The first education approach treated security in information systems as “an ad hoc set of functions which are modified as vulnerabilities are identified.” • The second educational approach treated security as something that “can be built into our systems ab initio using an engineering-oriented approach based on fundamental principles.” • Chin, et al., identify two criteria for selecting education outcomes for IS: • “must address security needs consistent with the security challenges encountered by the graduates in their professional roles” • “must be consistent with the educational context and larger outcomes of the specific program Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Need for IS Foundation in Computer Science Programs • Bishop (UC-Davis) argues that “to improve computer security education, we must increase the average computer programmer’s understanding of the issues of computer security.” Often, students work to produce a solution, but are not required to thoroughly debug and test the code – a methodology that contributes to security problems. • Chin says that “Security concepts are fundamental ones which apply to all levels of system design and application. As such, technically meaningful ways must be sought to integrate security into the engineering and computer science curricula charged with the education of the majority of system designers and implementers.” • Salter, et al., note that before being able to design systems with built-in security, “designers must thoroughly understand the means, motives, and opportunities of adversaries.” Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
IS Courses in a Computer Science Curriculum • Prerequisites for a Computer Security Course (due to Bishop) • Analysis of Algorithms • Programming Languages • Computer Architecture at least, but better if Operating Systems • Software Engineering • Statistics (mostly in support of Cryptography) • Survey versus More Technical Course • Fewer prerequisites allows for broader exposure • More prerequisites allows for more in-depth work • Elective versus Required Course • Good that such a course is available • However, it means that not every computer science student will take it Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
IS Courses in a Computer Science Curriculum (cont.) • Advantages of a Dedicated Course • Bishop states that a dedicated course brings together all the related areas, teaches how integral computer security is to the discipline, and how deeply it involves mathematics and other disciplines. • Disadvantage of a Dedicated Course • Chin, et al., argue that “specialized courses in computer security and … advanced security courses complemented by research … will be attractive to only a subset of the student population.” Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Constraints in Adding IS Courses to a CS Curriculum • Crowded Curricula • White (USAFA) and Hinton (Ryerson) both identify the inherent conflict between the need for a more solid grounding in computer security and the difficulty in adding another course to the curriculum. • Time Constraint • Spillman (Pacific Lutheran), as early as 1992, identified the difficulty in covering enough IS material in only one semester. • Bishop also identifies time as a serious constraint on how deeply the relationships between computer security and the rest of the discipline (and even supporting disciplines) can be covered. • Irvine, et al., relate how presenting one course left insufficient time for all the important areas. Their solution was to create two courses, one on principles and underlying mechanisms, and the other on practical aspects of structuring and maintaining secure systems. • Quality of Students • Bishop notes that student skill levels are an important constraint. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Integrating IS into the Computer Science Curriculum • Information Security Tracks • Alves-Foss (Idaho) described undergraduate and graduate education for three career paths: system administrator, system developer, and security researcher. Students take a specified set of additional computer science courses. • Faculty Development • Irvine points out that development of faculty skills in information security fosters the insertion of IS concepts into general computer science courses. • Integration into Other Topics • White proposed weaving information security into the other computer science topics, rather than added on separately. More to the point, he notes that security can be used as a means to teach those other topics, primarily operating systems, networks and software engineering. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Computer and Network Security Laboratory • In an ideal setting, a computer science program would have a dedicated computer and network security laboratory. • This eliminates the competition with other courses for equipment to run exercises. • It also prevents interference between security exercises and departmental networks or other research efforts. • However, this usually involves a significant expenditure (money, space, effort) • Reasons to isolate the security lab from the Internet • Users must not be allowed to inadvertently release sensitive data or vulnerability information, nor be allowed to bring in malicious programs • Users within the “isonet” should be prevented from intentionally passing information to the Internet, and prevented from running an attack against an Internet host (maliciously or not) • External adversaries should not be allowed to operate within the laboratory Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Computer and Network Security Laboratory • Bishop states that an isolated network (“isonet”) laboratory must provide two additional functions • First, it must keep the “isoinfo” inaccessible to users on the Internet • Second, it must ensure that authorized users can access only the type of information they are authorized to access. • These functions are applicable whether the isolated network is used in support of coursework, strictly for research, or some combination of the two. • More information on isolated computer and network security laboratories will follow this presentation. Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Proposed Framework • Applicability • Not a “one-size-fits-all” approach • However, most academic institutions should be able to implement portions • First, put someone in charge • This can be a formal or informal assignment • It should be someone with longevity • Having a “leader” should help attract students and faculty • Foster cooperation on IS education between professors • Supports goal of expanding the knowledge base and incorporated IS into related courses • Modules • Create modules for the supporting areas, at undergraduate and graduate level • Small survey-style modules for the general CS student • More technical modules for students on an IS track Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Proposed Framework • Support for a modular approach: • Spafford: “It is unreasonable to create separate security curricula isolated from those of engineering and computer science. A reasonable approach is to integrate security concerns in technically meaningful ways into engineering and computer science curricula.” • White: “At institutions where [creation of a dedicated security course] is not immediately possible, security-related supplements can be added to each category in computer engineering and science.” • Develop an Information Security thread or a specified IS track • Consider all the areas where Information Security fits into Computer Science education • Map out how they relate • Establish thread(s) throughout courses in the CS program • Designate a specified IS track and award a designation with the degree Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Conclusion • There is a significant need for managers and technical professionals to be well-trained in Information Security. The need will only increase as information systems become for critical. • To meet this need, Computer Science programs will have to successfully integrate Information Security considerations and technical training into their programs. • Such an integration is confronted with several difficulties, all of which must be considered and managed. • There are some relatively simple things that a Computer Science program can do to focus attention and effort on Information Security. • Questions? Presented to the 13th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference