Opinion: How infosec training is changing to stay ahead

Dr. Lynne Williams of Kaplan University shares her view on how infosec education is changing to keep pace with evolving attacks.

Information security professionals have a tough time of it. Consider what they have to cope with in today's IT environment. You have big data colliding with BYOD, a combination that's as good as an invitation to cyber-espionage. The traditional method for protecting corporate networks was to create a hardened outer shell that restricted access to internal data, the so-called M&M network that's hard on the outside but soft in the middle. That external shell is tough to crack, but attackers have found creative ways to get to the soft network core, by using lost or stolen devices, for instance, or by employing social networks to glean usernames and passwords.

Meanwhile, attacks on individual and corporate digital assets are on the rise, and the black hats get more ingenious every day. Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Institutions of higher learning and professional certification programs are continually adapting to the hazardous real-world terrain, developing critical new strategies to make instruction in the science of information security as insightful, pertinent and broad-reaching as possible.

Because the threats are constantly evolving, the education plan must evolve as well. Today, the most comprehensive security curriculum increasingly includes a significant focus on understanding and using a forensics approach, such as that afforded by e-fense Inc.'s Helix and open source forensics tools such as The Sleuth Kit (TSK) and Scalpel, to reverse engineer a variety of attacks. By teaching the science of ethical hacking, professional educators are unveiling existing and potential threats in new ways, exploring penetration testing, footprinting and social engineering, scanning, enumeration and operating system weaknesses. Hands-on projects represent the ideal application of classroom teaching. Today's students are best tested when given assignments that include hacking Web servers and wireless networks so they can discover for themselves what an attack looks like from the black hat hacker's perspective.

Going forward, IT security gurus will need to think analytically -- understanding not just how to set up security, but also how to craft security solutions so that they support the business focus while at the same time protecting the business's digital assets.

Focused procedures, such as penetration testing and ethical hacking, can be effective at hunting out specific vulnerabilities, but a holistic approach to network security that blankets the perimeter and protects against a broad range of attacks is better able to adapt to the constant evolution of assaults of this type. Here again, educators are attempting to make this approach understood to the future IT workforce, demonstrating how security components and business functions work in tandem. In top IT classes, students are examining topics such as asset identification, human factors and compliance with regulations, personnel security, risk assessment and ethical considerations. While specific computer and network security tools and methods are explored, coursework today is more likely than ever to investigate the impact of information security on the business process.

Massive attacks, such as the theft of the login credentials of dozens of New York Times employees in late 2012 and 2013, are typically perpetrated by leveraging a variety of vulnerabilities. The New York Times hackers used trusted routes through several university-owned networks to get past the usual perimeter security measures, then installed a mix of malware, including several backdoor applications that were able to evade detection by the Symantec security suite in use by the Times. This example points the way to effective modern infosec education; above all, students must learn to be extremely flexible in their approach.

Today, an infosec student (or professional) can assume nothing, but must examine everything to do with a scenario as a possible vulnerability. To illustrate, one of the first things that a current infosec practitioner checks is the use of an up-to-date antimalware suite. In the case of the Times, despite having a well-respected security suite in place, this pillar of infosec was bypassed by the hackers, and even leveraged to provide a false sense of security.

An effective infosec curriculum must teach students to conduct a thorough security audit that does not assume that any of the organization's security measures have been effective at preventing an incursion. Even with a security suite in place, the student has to assume that there is malware present and be prepared to hunt out and exterminate that malware.

Discussing and researching this growing need for flexibility in approach is certainly a crucial part of IT security education, but students also require a considerable amount of hands-on application in order to thoroughly understand the concept. In the past, most infosec professionals acquired their skills through on-the-job experience, generally starting out as system administrators, then getting into infosec through rough necessity as their network was attacked. Of course, there's nothing like experience for teaching effective practice, but experience can also be something of a hit-or-miss operation because the practitioner may only see a limited number of scenarios in his or her particular workplace. As noted, these days an infosec pro or student can assume nothing and must, at a minimum, be aware of as many potential scenarios as possible. This is where a well-designed curriculum can provide the experience that may be missing.

An effective educational program is one that recognizes the need for security with flexibility, as part of the entire curriculum -- from entry-level to advanced -- and in all classes, whether they are focused on some aspect of technology or on developing leadership skills.

Similarly, an effective curriculum is one that helps students think like professional hackers while guiding them to develop a risk-based approach to security -- which ensures that appropriate measures are applied to protect key data. The National Security Agency is promoting this new approach to cybersecurity education with its hacking competitions, a hands-on way to showcase potential threats and countermeasures. For their part, universities are moving toward hands-on virtual labs and introducing areas ranging from ethics to social psychology. Just as vital, though, is the need for cybersecurity education for all students, not just those studying information technologies. In the end, every user has a role in creating a dynamic mobile environment that offers flexibility while remaining secure.

About the author:
Lynne Y. Williams is a faculty member in the MSIT program at Kaplan University who has been working with computers and networks since the days of VAX mini-mainframes.
The views expressed in this article are solely those of the author and do not represent the views of Kaplan University.
