
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Building a Better Information Assurance Degree and Promoting Cybersecurity Education


20 – ISSA Journal | May 2013

Abstract

For thirteen years, colleges and universities have offered degree programs and concentrations with a focus on cybersecurity. Much of the initial impetus in the development of these programs can be attributed to the creation of National Centers of Academic Excellence (CAE) by the US National Security Agency to encourage universities and students to enter the information security profession. As many of these “early adopter” programs reach their initial maturity stage and are joined by a bevy of new academic degrees, it becomes vital to assure that these programs are positioned to offer sufficiently diverse educational offerings to fill the needs of this dynamic field. Colleges and universities offering information assurance education need to engage their alumni in life-long relationships that offer continuing acquisition of knowledge, collaboration, and connectivity with current and past students.

For thirteen years colleges and universities have offered degree programs and concentrations with a focus on cybersecurity. As many of these programs reach their initial maturity stage, it becomes vital to assure they are positioned to offer sufficiently diverse educational offerings to fill the needs of this dynamic field.

By Kerry A. Anderson – ISSA member, New England, USA Chapter

First came certification, then degree programs

Almost thirteen years ago, the US National Security Agency created the National Centers of Academic Excellence to encourage universities and students to enter the information security profession. The creation initiative occurred amidst increasing cyberattacks, including mass-mailer viruses, blended threats, and distributed denial of service (DDoS) attacks that generated chaos on networks and crippled websites. At the same time, as if designed to produce the “perfect storm,”1 businesses saw the emergence of e-commerce as a transformative technology that would revolutionize the way we do business and conduct our personal lives. Information security practitioners during this nascent era of cybersecurity had limited tools to assist their efforts to hold their ground against cyberattackers. The arsenal of defensive weapons appeared inadequate when faced with innovative hacker exploits, such as blended threats. In addition, insecure software, flawed default configurations, and embryonic discovery mechanisms constrained organizations’ ability to prevent and detect attacks until significant infiltration occurred.

Many “early adopters”2 of an information security career did not necessarily come from a security background, but rather came from IT, audit, and other technology areas.3 In some worst-case scenarios, individuals assigned to information security positions had limited or no background in security or technology areas. In one company, a running joke was that the way to become an Information Security Officer (ISO) was not to attend a meeting where the topic was under discussion. Understandably, early practitioners were hungry to acquire knowledge to assist in managing their newly assigned domains.

Many practitioners turned to certification as the first milestone in their career development. The certifications du jour were most often the Certified Information System Auditor (CISA) or Certified Information System Security Professional (CISSP). The Information Systems Audit and Control Association (ISACA) first offered the CISA in 1978 to address the challenge of increased automation of business systems for auditors. The International Information Systems Security Certification Consortium (ISC)² launched the CISSP credential in 1994 in response to a need for a standardized certification to prove competence in security related knowledge areas.4 The number of certification holders for both credentials grew exponentially from the late 1990s to present. These certifications launched an entire training industry aimed at preparing for these exams and a plethora of textbooks. Both ISACA and (ISC)² have since launched a variety of certifications representing different specializations within information security.

After pursuing certification, many practitioners looked for other potential avenues for professional development and career advancement. The early 2000s saw the introduction of academic options for information security practitioners, mainly at the graduate-degree level. A number of these programs offered online matriculation.

Prior to the 1990s, few colleges or universities offered specific courses in computer security. When a computer security course was offered, it was as an elective for an auditing degree. The number of colleges and universities offering information assurance (the academic terminology used for information security) programs grew rapidly as academic institutions discovered this popular program option. The annual Colloquium for Information Systems Security Education5 began holding an annual conference that offered supporters of information assurance programs a forum for discussion and information sharing about creation of programs.

1 “Perfect storm” describes an event where a rare combination of circumstances will aggravate a situation drastically. http://en.wikipedia.org/wiki/Perfect_storm.

2 An early adopter is a minority group that is first to try new ideas, processes, goods and services. Early adopters generally rely on their own intuition and vision, choose carefully, and have above-average education level. http://www.businessdictionary.com/definition/early-adopters.html.

Centers for Academic Excellence

The US National Security Agency (NSA) established the Centers for Academic Excellence6 (CAE) program in 1999. The two primary goals of the CAE program were to assist in reducing vulnerabilities in our national information infrastructure by promoting higher education in information security and increasing the number of professionals with expertise in information security. The number of CAE institutions grew from the original seven to 166 as of last year. Despite the NSA’s original intent to develop academic programs using a uniform set of criteria for certified programs, there exists a great deal of diversity among programs.7

3 From the author’s experience in working in information technology from 1996 to present.

4 History of (ISC)² – https://www.isc2.org/isc2-history.aspx.

5 Colloquium for Information Systems Security Education – http://www.nsa.gov/ia/academic_outreach/nat_cae/colloquium.shtml.

6 National Centers of Academic Excellence – http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml.

One reason for this diversity is that CAE criteria are applicable to two-year, four-year, and graduate programs. Programs at each level target specific student populations, each with different objectives in regards to outcome. For instance, a two-year college may concentrate on offering training geared toward entry-level technicians, while a graduate-level program may have its focus in creating senior-level security architects or cybersecurity managers. The program now divides the certification among three different programs under the CAE umbrella:

1. CAE in Information Assurance Education (CAE/IAE)
2. CAE in Information Assurance Research (CAE/R) Program
3. CAE in Information Assurance 2-Year Education (CAE/2Y)

In 2012, NSA launched a fourth program, the CAE for Cyber Operations.8 This program supports the president’s National Initiative for Cybersecurity Education (NICE): “Building a digital nation” to further the goal to broaden the skilled work force capable of supporting a cybersecure nation. The Cyber Operations program will focus on technical and inter-disciplinary areas with opportunities for hands-on experience.

These CAE designations differentiate each program’s specific objectives. However, it may still be confusing to both prospective students as well as employers desiring to recruit program graduates.

7 “University Information Assurance Programs Lack Consistency” Information Security Magazine February 2013 – http://searchsecurity.techtarget.com/ezine/Information-Security-magazine/The-China-Syndrome-Security-factors-to-consider-before-buying-Chinese-IT.

8 National Centers of Academic Excellence: Cyber Operations – http://www.nsa.gov/academia/nat_cae_cyber_ops/index.shtml.

One-size-fits-most or custom-fit approach

In light of the current cybersecurity challenges, it might be an opportune time to innovate cybersecurity education, especially at the college/university level.

The cyberthreat landscape continues to evolve to create an increased need for cybersecurity practitioners. New specializations are needed to manage the diverse and complex threat landscape, for example, ethical hackers/penetration testing, awareness/education, secure development, computer forensics, security governance, and compliance. This mirrors a trend in security certification over the last decade, which has focused on specialization and concentrations within existing certifications.

While many practitioners wish they were the cybersecurity equivalent of the all-knowing, omniscient, and powerful Wizard of Oz, the reality is that this domain and its associated challenges continue to expand, making it infeasible for one practitioner to be equally skilled at all of them. It is reasonable to assume that academic information assurance (IA) degree programs will become increasingly specialized for technical knowledge realms; program offerings with IA generalists and management will continue to flourish. The one-size-fits-all approach to IA education may not be sufficient for prospective students or employers.

While the NSA’s CAE program will continue to be the implementation preference for many academic institutions as well as students, other education options might provide a custom alternative to the traditional educational channels.

In addition to CAE-certified programs, some programs have made the decision not to certify or delay certification until later for a number of reasons, including the following:

1. Faster time to market
2. More flexibility in program design or specializations offered
3. Did not feel that undertaking the certification would add significant value to the program

Some programs are offering technically oriented students hybrid education alternatives, such as flexible certificate programs with core courses and a number of electives that allow participants to customize their programs to suit their specific needs. Other IA degrees, both CAE and non-CAE, combine professional certification with traditional academic programs by giving certification holders advanced placement, enabling them to skip courses or substitute core courses with additional electives.

Serving new markets in IA education

Information assurance educational programs are reaching a point where they have matured past the initiation, contagion, and control stages9 and are transitioning into the mid-point of the maturity continuum. This transitional period is marked by increased competition among both CAE and non-CAE programs, need for program differentiation, development of marketing strategy for target populations, enhanced service delivery models, integration with emerging technology trends such as use of social media and mobile devices, and building relationships with potential employers. Programs might also work to establish collaborative relationships with other programs, both internal and external to the institution, as well as leading certification organizations. Programs, both new and established, might seek to attract “non-traditional” prospective students to bring new insights and diversity to the information security profession.

A good model for marketing to “non-traditional” students exists in many academic institutions’ continuing education programs. Many of these programs were introduced in the late 1960s and 1970s in response to a growing number of working adults looking to further their education and become more competitive in the job market that was increasingly looking for technology and knowledge workers. These programs targeted adult and other “non-traditional” student populations by offering the opportunity to build an educational program that worked with their current lives and responsibilities by offering flexible educational options such as night classes. Prior to the inception of these continuing education programs, “non-traditional” students, such as working adults and parents, had limited opportunities to acquire college degrees. Online degree programs were the natural extension of this concept. IA programs will need to continue to address the needs of both traditional and “non-traditional” populations.

A potential “non-traditional” student segment for IA programs will be a trend toward individuals seeking to transition from another professional domain into information security roles. Most “transitioners”10 have a number of years of experience from another professional domain with strong competencies that could be harnessed to create powerful synergies with information security roles. However, “transitioners” may lack technical background and require some acquisition of baseline knowledge of information technology (IT) and security principles to let them “hit the ground running” and compete with classmates coming from technology backgrounds.

Another “non-traditional” IA student sector is women. Women are under-represented in the cybersecurity profession. According to a 2006 IDC survey,11 women are only 13 percent of US cybersecurity professionals. While women make up 55-60% of students on US campuses,12 they still constitute a small minority of IA students. Few female mentors and faculty exist in many cybersecurity programs.13 Other professions, such as accounting, have made significant inroads in increasing women’s participation in their work forces14 by recruiting women into academic degrees and professional positions.

9 Maturity stages used in the Nolan stages theory from “Managing the Crises in Data Processing,” Harvard Business Review, March 1979. http://www.comp.dit.ie/rfitzpatrick/Business%20Perspectives%20slides/Conceptual%20Business%20Models/Managing%20the%20crises%20in%20data%20processing%20-%20Nolan.pdf.

10 This may actually not be a “real word” but was coined by the author to describe members of this group.

11 This is one of the few and newer studies/surveys that attempted to quantify percentage of women in cybersecurity roles. www.isc2.org/uploadedFiles/Industry_Resources/wfs_gov.pdf.

12 S. Blum, “Women Dominate Higher Education,” Huffingtonpost.com – http://www.huffingtonpost.com/susan-d-blum/women-dominate-higher-edu_b_1961683.html.

13 From both the author’s own personal experience and a sampling of IA program faculty listings.

14 Number of Female Accountants Increasing – http://www.accountingweb.com/topic/education-careers/number-female-accountants-increasing.

Continuing challenges for IA educators

Information assurance educators still face significant challenges despite a positive outlook for enrollments in IA academic programs and employment opportunities. One issue is around establishment of a baseline of knowledge required for IA programs. A one-size-fits-most approach used by many programs ignores the reality that some students lack technical background, which puts them at a significant disadvantage among many of their more technically astute peers and may create frustrations both for the student and instructor. While the word pre-requisites may strike terror in the hearts of prospective students, it may make the difference between a student who thrives and one that struggles to a point of abandoning the degree program. It is also not unprecedented in other academic programs, such as MBA programs, which require students to have courses or experience in several disciplines, for example, accounting, economics, and management. Foundational courses could be provided either through classroom instructor-led courses or through using online learning technology.

Textbooks and course materials

An area of frustration for many IA instructors is finding current, engaging, and relevant textbooks for students. Many instructors feel that their choices are limited. Some good books are too dated. Some current books focus too heavily on theory. Few books provide coverage of emerging technologies. Increasing globalization and the requirement to provide information assurance to support international enterprises is another challenge to development of effective textbooks and learning materials.

One strategy is to select one book to provide basic background information and heavily supplement with information gleaned from a wide variety of sources. This can be time-consuming for instructors, leads to lack of consistency among instructors teaching the same course, and may create a perception to the students that the textbook has limited value. Another option is to utilize multiple textbooks for a course, which can be expensive for the student. An explanation for this may be the comparative “youth” of information assurance/cybersecurity as an academic discipline. IA programs are twenty years old or less, in contrast to other degree programs that have been established for 150 years or more.15 In reality, IA degree programs did not get a strong foothold until about a decade ago, so the publishing industry is still just getting started in terms of creating a portfolio of suitable textbooks. Many of the current textbooks are heavy on theory and lacking the “real world” examples that many students desire.

The objective should be the publishing of textbooks that follow the logical progression from introducing concepts into tactical implementation, wrapping up with the strategic alignment of cybersecurity with business objectives. A good model to emulate would provide a case-based approach to learning similar to MBA programs that utilize cases to integrate concepts into realistic scenarios. Senior-level current practitioners and IA instructors could be recruited to develop both textbooks and realistic case studies. A consortium of colleges and universities might jointly develop a database of cases using a standard format and attributes that could be shared by faculty and students of the member institutions.

15 “University Information Assurance Programs Lack Consistency” Information Security Magazine February 2013 – http://searchsecurity.techtarget.com/ezine/Information-Security-magazine/The-China-Syndrome-Security-factors-to-consider-before-buying-Chinese-IT.

Establish long-term relationships between the IA program and students

The rate of technological innovation continues to accelerate and this will create even greater challenges for information security professionals charged with managing its associated risks. These new challenges will also generate opportunities and career specializations. Many technologies we use did not even exist a decade ago, such as cloud computing, smartphones, and virtualization. The regulatory environment has continued to expand, creating new compliance areas such as Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA). Practitioners will need to refresh knowledge and skills through both formal and informal education channels, including colleges and universities, throughout their careers. College attendance may rarely be a “one and done” experience, instead a series of programs, certifications, and individual courses to maintain professional competencies over the course of a career. Bounce-back learners may opt for a distance-learning option versus the traditional instructor-led classroom environment to balance multiple personal objectives. Some of this learning might involve collaboration with virtual teams using video conferencing, web meetings, mobile devices, and social media that mirror today’s work environments.

IA programs might expand by offering alumni new certificate programs, special topic forums, and add-on specializations on top of their existing core degrees. Some IA programs have already implemented this strategy by offering opportunities to earn additional degrees using completed core courses plus some additional specialized courses. These programs allow the practitioner to earn another academic degree with a specific concentration such as computer forensics, incident management, or security auditing. These are attractive to alumni because they allow them to re-use courses they have already completed (and paid for), while acquiring an additional academic degree in a specialization. It is a benefit to the institution running these programs because in addition to being another revenue channel, it allows the IA program to run a greater variety of electives that current students can choose from. Another twist on this strategy is developing add-on certificate program options in different cybersecurity domains, such as security governance or security architecture.


IA institutions need to maintain ongoing relationships with their alumni beyond solicitations for donations. This does not magically happen. All relationships require nurturing to grow and flourish. Options to engage alumni in a life-long partnership include participation in leadership councils, contributing to publications, mentoring current students, as well as developing web events featuring current students, faculty, and alumni. Since many alumni pursue certification in addition to IA degrees, institutions might consider engaging certification bodies and information security organizations such as the ISSA in ongoing partnership efforts.

Learning to run

When compared with many traditional degree programs, information assurance is still a “kid” with barely a decade of experience in offering these types of programs to significant numbers of students. However, the rapid rate of change in technology and its associated risks does not afford these programs the luxury of waiting for their natural maturation because of the critical need for an increased, well-trained cybersecurity workforce. IA programs may need to take an action that horticulturists call “forcing the bulb,” the process of stimulating bulbs to bloom out of season16 rather than their natural cycle. These bulbs need to be coaxed to grow quicker by special care and feeding. For IA programs, both the CAE and non-CAE, this means actively working to expand and differentiate programs, including multiple delivery mechanisms, new specializations and concentrations, hands-on learning labs, advanced placements for experienced practitioners and certification holders, and the innovative uses of learning technologies.

Current cybersecurity practitioners and IA faculty members can contribute to this process by developing textbooks and cases, acting as mentors for current IA students, and providing instruction that combines theory with real-world experience. Colleges and universities offering IA education need to engage their alumni in life-long relationships that offer both continuing acquisition of knowledge, collaboration, and connectivity with current and past students.

16 Forcing Bulbs for Indoor Bloom http://ccesuffolk.org/assets/Horticulture-Leaflets/Forcing-Bulbs-For-Indoor-Bloom.pdf

About the Author

Kerry A. Anderson, CISA, CISM, CRISC, CGEIT, CISSP, ISSMP, ISSAP, CSSLP, CFE, MBA, MSCIS, MSIA, is an information security and records management consultant with more than 15 years of experience in information security and IT across a variety of industries. She has worked in information security, application development, financial systems operations, network administration, IT audit, records management, business contingency planning, and graduate-program instruction. She can be reached at [email protected].
