The Failure of Cybersecurity Education

Several years ago, I was interviewing for an assistant professor position at the college I had been teaching at as an adjunct. Part of the process involved sitting with the provost and having a face-to-face interview. During this portion, he asked me what I would change about the current program. My response, which likely cost me the position, was simply that we needed to provide more classes before we gave our stamp of approval on graduates. As I saw him recoil in horror at the thought, I realized that was the wrong answer.

Since that time, I’ve had a lot of opportunity to think about this concept: first as that same adjunct teaching undergrads, and then after moving back into the private sector, leading teams of techs and engineers in various consulting roles and in C-level positions at startups. The one thing I’ve found almost universally is that no one truly does this critical function well.

I will interject here to say that this piece came about from a discussion I was having with my daughter, who is an information security manager in a mid-sized company. We were both lamenting the quality of graduates and how many basic concepts they still needed to be taught once they reached the “real world”. This eventually led to my dusting off some notes and engaging in this thought experiment on how a cybersecurity program should be conducted.

The Issue

Security is as much art as it is science. A person cannot approach a security function by rote memorization of a process. There has to be a certain level of creativity involved. A good security engineer knows how to keep data safe from ALL threats. A great security engineer has a certain feel for their system and knows where to look for not only vulnerabilities but also how to quickly and accurately determine if that vulnerability has been exploited.

In this regard, our schools tend to graduate adequate security personnel. This works for the schools because they get a huge chunk of change to churn out graduates. Students, on the other hand, go in with dreams and aspirations both for ability and a lucrative career potential. However, the undereducated don’t have the insight to realize their standing, therefore they enter the world and wonder why nothing works like they expected. This system relies on employers and on-the-job training to develop these students. Eventually, some become great in the field, but most burn out or move on to something else before they reach that point. As such, we owe it to not only the students but also their future employers to increase the level of proficiency and understanding before they leave the hallowed halls of academia.

Problems

One of the big problems I identified in both teaching and talking with my peers is that there is a dearth of qualified personnel actually teaching. Certainly, there is no shortage of PhDs and well-certified professors prowling the front of classrooms everywhere, but practical experience is in very short supply. As a result, students are exposed to a very narrow view of the threats they face, along with a theoretical treatment of practical problems that is not reflective of the state of the art.

Technology moves fast. In the past decade alone, we have seen a mass migration from on-premise solutions and a random assemblage of disparate online services to consolidated cloud infrastructure. Few current instructors can spell Kubernetes, fewer still have looked at it with more than a passing glance, and almost none have actually faced its implications in a security context. And this is a technology that drives the backbone of so many cloud deployments. That is but one minor example.

This cuts to the bone of the major issue with most cybersecurity programs. At best, they are viewed as somehow an extension of Computer Science. At worst, they are considered a trade program. Both views sell the discipline short.

From a Computer Science perspective, security is looked upon as an outgrowth of software engineering. Courses are heavily laden with Intro to Programming, Database management, Secure system design, and networking. Sometimes, for good measure, courses with such lofty topics as Computer Forensics or Information Security are thrown in. In 50 credit hours, students are turned loose on the world to do what students do.

As trade programs, students are usually provided with more hands-on experience. Sometimes they will mirror some entry level certifications such as A+, Network+, Security+, or whatever else CompTIA has that was hastily turned into a textbook and pushed by the publishers to sell to harried instructors looking for something “current”.

This is no way to educate students entering a demanding and critically important field. It’s a good thing accounting hasn’t changed that much, or we’d be faced with economic collapse under a similar scenario.

Where does that leave us?

As I’ve said previously, we need to improve the depth of our courses. Here is what I propose.

Students need a firm foundation and one that reflects current technology in all its forms. The challenge is bringing students to a common level of knowledge and experience. This is no different than requiring a certain proficiency with reading, writing, and mathematics upon entry. However, the SAT or ACT does not test for this, so it is best to assume no basis in knowledge to begin. The first year would need to be an exercise in catching up.

1. Introduction to computers: This course would cover basic computer architecture and the concepts involved in making digital logic work. It would provide a thorough dissection of binary counting, binary math, electronic theory, processors, RAM, firmware, and computer construction.

2. Introduction to Networks: How do computers talk to each other? Build upon the lessons from Intro to Computers to discuss how signals travel along wires and how they work wirelessly. Cover both 802.11 and cellular communications. Delve into protocols such as IP, TCP, and UDP, and finish with application-specific protocols such as HTTP, SMTP, and SSH.

3. Introduction to Operating Systems: Most students today are functional with Windows, OS X, and Android or iOS. Build upon that to go into how operating systems are constructed. Introduce students to server operating systems from Microsoft, Linux, and Unix.

4. Introduction to Security: This course would tie together the other courses in the freshman year and introduce students to the CIA (confidentiality, integrity, and availability) triangle. Students would learn about threats, threat vectors, and vulnerabilities. Students would get introduced to risk and how to properly evaluate it along with mitigation strategies.

In a liberal arts world, all this would be in conjunction with academic core classes and electives commonly taken in the first year. The second year begins to ramp up quite a bit. Again, as most undergrads are still in the midst of finishing requirements, this would also have four classes, though most of these would be supplemented with labs.

1. Operating Systems: This course would pick up where the introduction left off. The key objective would be to provide a level of proficiency with whatever operating system was thrown at a student. Windows and Linux would be covered in depth along with the most current versions of macOS, Android, and iOS. The key focus would be from a security perspective. Particular attention would be paid to evidentiary important aspects of operating systems such as logs, data storage, configuration files, and manipulation.

2. Network Defense: Up until now, the courses have focused on concepts and theory, but this would be the first practical application course. This would focus on common devices used in network defense such as firewalls, proxy servers, intrusion detection and prevention, infrastructure configuration using segmentation, and monitoring. The key here would be in giving students an understanding of the function rather than the specific application of a specific device.

3. Network Architecture: Even the simplest systems are comprised of multiple computers networked together in a unified manner. Students have to be provided with a frame of reference for how computers work together both in a functional state as well as an ideal, security-focused one. This course would cover topologies and common configurations but also delve into the proper arrangement of network resources for both function and protection. During this time, students will gain an understanding of critical network information and directory services at a much deeper level.

4. System Monitoring and Analysis: Much like in the freshman year, this course would begin to wrap everything together from the previous courses. The aim of this lecture and lab would be to introduce students to logging in all its formats from individual machines to centralized systems along with various network devices. The challenge would be to bring all of these disparate pieces of data into a cohesive whole and begin the challenge of finding useful information through the noise.

Here begins the transition from neophyte students into upperclassmen. The classes also get more challenging and dive deeper into the practice of security both from an engineering perspective but also as a manager of security. The Junior year starts out running:

1. Introduction to System Programming: Unlike typical Comp-Sci focused coursework, this class and lab would provide a student with the fundamentals of programming in a scripting language. The core objective would be to provide students with a command of programming structures (conditionals, loops, arrays, functions, objects, etc.) while also reinforcing good practices (input checking, variable manipulation, type enforcement, etc.). The aim is not to create programmers but to provide a basis for continuation.

2. System Analysis II: This course would continue where the previous year’s system analysis course left off. Using the lessons and concepts learned in System Programming, students would refine the collection of logs and begin to leverage programmatic methods to analyze the data at a larger scale and faster pace. Automated tools would be introduced along with visualizations. The key concept outside the technical skills developed is to provide an understanding of the need for effective data management via the challenges of not having it, which sets up for the next course.

3. Introduction to Databases: It is hard to think of a more important or critical point of failure than the venerable database. This course would provide students with an understanding of both relational and non-relational database systems and explore the means of accessing data both manually and programmatically from each. A key component of this course would be examining database abstraction as used in system design and the means of transferring raw data to application servers (i.e., JSON, GQL, etc.).

4. Databases II: Continuing on from the previous course, this class would focus on the security and monitoring of databases. The time spent would additionally cover alternate forms of data storage (raw buckets, CSV, SQLite, and other less common systems such as KDB and the like).

5. Risk: This course would continue the discussion begun in Information Security and delve into risk assessment, validation, verification, and evaluation. An introduction to risk models and frameworks would cover common processes such as PCI, NIST, and ISO. Evaluations of risk are central to business decisions that drive initiatives, set budgets, and quantify impacts. This course sets the student on a path of asking the critical questions beyond “can we do it,” into “should we do it,” and “what is the impact of doing it?”

6. Junior Capstone: This course would serve as a wrap-up on basic security concepts and practice. The students would be tasked with performing a risk assessment on a lab-based network using a control set from one of the frameworks and constructing a report detailing potential risks, identified deficiencies, and milestones for remediation. Students should be proficient in setting up a network and defending it in a local context using good techniques, technologies, and practices.
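As an added illustration (not from the article) of the kind of lab exercise System Programming and System Analysis II would set, here is a Python example that takes log lines from three different sources, normalizes them into one schema, enforces types on the timestamp and address fields, rejects malformed lines rather than guessing at them, and then counts authentication failures per source address so the interesting signal stands out from the noise. The log formats, sample lines, field names and the failure threshold are all constructed assumptions for this example.

```python
"""Normalize heterogeneous log lines into one schema and surface repeated auth failures.
Added example: the formats and sample lines below are constructed, not real logs."""
import csv
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, Optional

# Constructed sample input: sshd syslog lines, a firewall CSV line, a Windows-style
# event line, one line that matches no format, and one with an invalid address.
SAMPLE_LOGS = [
    "2024-01-15T10:01:02Z host1 sshd[1234]: Failed password for root from 203.0.113.7 port 5522 ssh2",
    "2024-01-15T10:01:05Z host1 sshd[1234]: Failed password for admin from 203.0.113.7 port 5523 ssh2",
    "2024-01-15T10:01:09Z host1 sshd[1234]: Accepted password for alice from 198.51.100.20 port 40100 ssh2",
    "2024-01-15T10:02:00Z,fw1,DENY,203.0.113.7,10.0.0.5,443",
    "2024-01-15T10:02:30Z host2 EventID=4625 User=bob SrcIP=203.0.113.7 Status=FAILED",
    "this line is garbage and should be rejected",
    "2024-01-15T10:03:00Z host1 sshd[1234]: Failed password for root from not-an-ip port 1 ssh2",
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto."""
    ts: datetime
    host: str
    source: str          # which parser produced it: sshd, windows, firewall
    outcome: str         # success, failure, allow, deny
    src_ip: str          # validated IP address as a string
    user: Optional[str]  # None where the source carries no user


SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) "
    r"SrcIP=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def _ts(raw: str) -> datetime:
    # Type enforcement: only ISO-8601 UTC timestamps are accepted; anything else raises.
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def _ip(raw: str) -> str:
    # Type enforcement: the field must parse as an IPv4 or IPv6 address; otherwise raises.
    return str(ipaddress.ip_address(raw))


def parse_sshd(line: str) -> Optional[Event]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return Event(_ts(m["ts"]), m["host"], "sshd", outcome, _ip(m["ip"]), m["user"])


def parse_windows(line: str) -> Optional[Event]:
    m = WIN_RE.match(line)
    if not m:
        return None
    # Constructed mapping: 4625 is treated as a failed logon, 4624 as a successful one.
    outcome = {"4625": "failure", "4624": "success"}.get(m["eid"], m["status"].lower())
    return Event(_ts(m["ts"]), m["host"], "windows", outcome, _ip(m["ip"]), m["user"])


def parse_firewall(line: str) -> Optional[Event]:
    fields = next(csv.reader([line]))
    if len(fields) != 6 or not fields[5].isdigit():
        return None
    ts, host, action, src, _dst, _port = fields
    outcome = "deny" if action.upper() == "DENY" else "allow"
    return Event(_ts(ts), host, "firewall", outcome, _ip(src), None)


PARSERS: tuple[Callable[[str], Optional[Event]], ...] = (parse_sshd, parse_windows, parse_firewall)


def parse_line(line: str) -> Optional[Event]:
    """Try each format in turn; a line whose fields fail validation is rejected, not guessed at."""
    for parser in PARSERS:
        try:
            event = parser(line)
        except ValueError:
            return None
        if event is not None:
            return event
    return None


def normalize(lines: Iterable[str]) -> tuple[list[Event], int]:
    """Return the parsed events and the number of lines that were rejected."""
    events, rejected = [], 0
    for line in lines:
        event = parse_line(line.strip())
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return events, rejected


def failed_auth_sources(events: Iterable[Event], threshold: int = 3) -> dict[str, int]:
    """Source addresses with at least `threshold` failures or denies across all sources."""
    counts = Counter(e.src_ip for e in events if e.outcome in ("failure", "deny"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed, dropped = normalize(SAMPLE_LOGS)
    print(f"{len(parsed)} events normalized, {dropped} lines rejected")
    for ip, n in failed_auth_sources(parsed).items():
        print(f"{ip}: {n} failures across sources")
```

The point of the exercise is that the same address shows up under three unrelated formats, and only once the lines share a schema does the pattern become visible; the rejected lines are counted rather than silently dropped so the analyst knows how much of the input the parsers did not understand.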

By this time in the program, a student would be well above most graduating peers as they currently arrive in the workforce, but the senior year would push them farther and set them apart.

1. Introduction to Cloud Infrastructure: This course would introduce students to cloud infrastructure as a model of distributed computing. Key topics would be infrastructure in code, continuous integration, system configuration, and common components. All of this would be introduced from a security perspective as opposed to a typical system engineer perspective as it is usually covered. Particular attention would be paid to drawing parallels from earlier local system-based paradigms to the cloud infrastructure.

2. Network Mapping and Scanning: This course would demonstrate methods of information gathering on networks and cover common tools used both in the enterprise as well as by potential attackers.

3. Incident Response: “Something bad happened and it needs to be dealt with.” This course puts students at the helm of heading off an attacker from numerous vectors, prioritizing critical systems, assessing potential loss, and documenting their actions. Further coursework would entail developing mitigation strategies to ensure there would not be a repeat.

4. Legal Aspects of Data Protection: This course would provide students with a familiarity with operating within a regulated industry such as finance, health care, banking, or any number of areas where security oversight is mandated by a regulator. Topics covered would entail compliance, reporting, audits, and notifications, and would dovetail with the Risk class. Security is so much more than simple technology, and requests from regulators, auditors, law enforcement, or even litigators are not uncommon. Students will not be experts, but will at least understand the requests and their implications.

5. Red Team: As the penultimate class and lab, students would take the sum of what they learned throughout the program and marry that to newly introduced tools and techniques for breaching protected systems. In the previous courses, students learned to be good administrators and watchers, but this class would explore turning that around and using what they have learned as attackers.

6. Senior Capstone: This final course would have a student design and implement a system from the ground up that adheres to one of the typical frameworks and then defend it successfully against various attacks for a period of time. Students would document their process, outline assumptions and reasons, report on incidents, and provide a final summation to “management” for review and further action.

Moving beyond the core program, several areas of study could be built to focus on key skills for development as part of a sequence of electives, concentrations, or even a minor sequence. Among them would be:

— Security Programming, which would provide students with both the technical capability and body of knowledge to assume a position as a hands-on code reviewer on a security review control group or manage a secure development life cycle process effectively.

— Forensics and Investigation, which would dive deeper into operating systems and networks to not only thwart an attacker and provide incident response but also analyze collected evidence to determine the extent of damage and quantify the facts of an incident.

— Security Analysis, which would go deeper into the data mining of security information and develop systems and processes to handle it more accurately and with better direct resolution.

— Security Management, which would entail a better understanding of the business impact of security events from both an operational and financial perspective.

The realm of security has been described in reference to one of the major certifications in the field as being a mile wide and a mile deep. Within that space, there are almost limitless subdivisions upon subdivisions of topics that could be fully explored to a high resolution. The potential for practical concentrations and electives — even at a high level — are plentiful and only limited by the specific skills and experience of the instructors. However, the important perspective that cannot be lost is to reinforce the foundation of the programs and address actual topics and concepts for the real world.

Conclusion

Every day we hear about security incidents in business, government, or non-profits. In almost all the reports we find they could have been prevented. Most of these incidents come down to carelessness, negligence, or just incompetence. The need is clear that we have to do better. The only way we get better is to provide a pool of qualified entry-level candidates to carry the water and we only do that by ensuring we train intelligent people who not only know the high-level concepts and the newest technology but also understand how to put all the pieces together into a logical view and can then take action appropriately. We have to change how we’re churning out these graduates or we’re doing a disservice to our information systems and especially those graduates who are paying big money to get a degree.

I am a technical strategist and thinker who enjoys writing on the finer aspects of technology, business, compliance, and finance.
