Careers, Concepts, Security Education, Security Management

Why Aim for the Ground? Teaching our kids the right computer skills

We’re in a national crisis. Many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources to teach technology to teenagers. In a talk at DerbyCon 2014, Professor Phil Fitzpatrick explains why our kids need to learn fundamental computer skills in a fun and ethical way; through education and competitions like CyberPatriot. It’s a discussion of why high school students should learn more than just simple computer applications and what security professionals can do to help.

Below are the problems as we see them:

–  The general public understands that most jobs out of high school are based on knowing and having IT skills. Yet most parents hand off their kids starting in 6th grade, assuming all areas of education are covered, especially technology.
–  High schools are trying to answer the call for more IT workers by adding technology classes to their curriculum. However, they don’t have a lot of room for a variety of courses because of school year length, teaching expertise and availability, and the nature of the school environment.
–  Kids only need to take one technology course to graduate, and they look for the easy “A” rather than what will help them with their careers.
–  Schools are challenged with keeping the curriculum and technology up to date to meet current needs.
–  High schools are more concerned with getting students ready for college or work by teaching necessary life skills.

There are solutions available:

–  Establish technology academies in schools that teach a variety of cyber skills, not just what’s on the computer science AP test.
–  Provide courses in application development, systems and network administration, database management, and cybersecurity.
–  Encourage teachers to build their knowledge base on the different computer skills needed by industry.
–  Use grants to ensure technology is up to date.
–  Promote competitions and clinics like US CyberPatriot (http://www.uscyberpatriot.org/).
–  If you’re an IT or Cybersecurity Professional, become a mentor. These kids need someone with experience to help guide them in the journey. They’re not looking for an expert, just someone who cares. AND it’s very rewarding for the mentor.

Lastly, educate yourself. Here are some links to get you started:

–  Cybersecurity’s hiring crisis: A troubling trajectory – http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
–  Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf
–  DoE: Science, Technology, Engineering, and Math: Education for Global Leadership – http://www.ed.gov/stem
–  Cyber-Security, IAS and the Cyber Warrior – http://www.cisse.info/archives/category/29-papers?download=297:p11-2012
–  High School 12-Week Cybersecurity eLearning Pilot – http://www.cisse.info/archives/category/29-papers?download=295:p09-2012
–  Secure Coding Education: Are We Making Progress? – http://nob.cs.ucdavis.edu/~bishop/papers/2012-cisse/seccode.pdf
–  Where are the STEM Students? – http://www.stemconnector.org/sites/default/files/store/STEM-Students-STEM-Jobs-Executive-Summary.pdf
–  ACM: Toward Curricular Guidelines for Cybersecurity – http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf

Also see the previous post, “Hacker High – Why we *need* to teach hacking in school.”

Please help be part of the solution by promoting cyber education in your community.

Security Education

Before You Hit Your Head Against a Wall

As both an educator and a security professional, I often see people who get frustrated. It could be with a school or work assignment. To help reduce frustration, here are some words of advice:

  • DON’T PANIC. This is my first rule of incident response. Getting all worked up never solves the problem. Take a deep breath or a time-out if needed and then proceed.
  • Understand “Who Owns the Headache?”  So often, we get frustrated with things outside of our realm of control. Basically, we try to fix things that we can’t because we don’t have control or “Own the Headache.”  Acknowledge what you can control and what you can’t.  Only focus on the things you can.
  • Research it. Ask yourself: Is this information available from an Internet source (IOW, Google it)? One thing hammered into me when I was in ROTC was “use your resources.” You don’t need to know everything. You just need to know how to find the information and then use it intelligently.
  • Look at the problem from a different perspective. Is there another way to solve the problem? In computers, there are usually at least two, if not many more, ways to solve any problem. That’s why I don’t usually have a set answer in mind. You may think of something I haven’t that works just as well.
  • Take a time out. Step away from the problem for a little while. Sometimes problems resolve themselves, as in the case with bellevue.edu being down. Sometimes it will give you a chance to think about it and think it through. This also gives your subconscious some time to process and develop a solution. (Have you ever had a “duh, I should’ve thought of that” moment?)
  • Ask someone. A person is also a resource (see “use your resources” above). First try a fellow classmate or colleague. I love it when students work together and help each other to solve problems. The students who collaborate get bonus points in my book. It’s truly a win-win for everyone. This is also part of my personal mantra, “By helping each other, we’re all smarter/stronger/better.”
  • Ask good questions. If no one else has the answer (about an assignment), then ask your professor or your boss. If something’s not clear, then ask for clarification. In today’s world, it’s not the answers you have, but the questions you ask. Come up with good questions, then be bold and ask them.

The idea is to prevent frustration, which inhibits learning and growth.

Coach Ron
“Every man…should periodically be compelled to listen to opinions which are infuriating to him. To hear nothing but what is pleasing to one is to make a pillow of the mind.” St. John Ervine

Security Education, Security Management

Hacker High – Why we *need* to teach hacking in school

This rant is in response to Quinn Norton’s opinion piece from May 20, 2014, “Everything is Broken.”  (Link: https://medium.com/message/81e5f33a24e1)

<rant>

I have a simple solution that’s hard to implement: TEACH HACKING IN HIGH SCHOOL*! Yes, you heard it right. We need to teach our kids all about technology. Including how to break it and how to fix it. It’s incredible how little they really know. To them it’s PFM (Pure Frickin’ Magic). We won’t solve this problem with our adults. That’s why we need to get the kids involved. The problem is that they think they understand technology, but it’s only how to use it. Many (most) are clueless about systems & network administration as well as security. “Dad, the computer’s broken again…” I don’t think this is just my teenage kids.

The curriculum development is easy; adoption is hard. This is for three reasons:

1.  Cyber isn’t included in the common core curriculum, so they don’t have time to teach it as a primary subject. They try to teach it on the side with limited effect. The problem is also with our government officials who don’t see cyber as important. A fun study would be to see how many government leaders are proficient in technology. My hypothesis is that it’s less than 10%.

2.  We don’t have teachers qualified to cover it and the good computer folks don’t want to take the huge pay cut. [At my daughter’s middle school, cybersecurity is taught by history and English teachers… I’ve volunteered many times to come into their classrooms and hear crickets…] It’s often that the teachers don’t know what they don’t know and are afraid to look ignorant if they ask for help. [NOTE: There are some fantastic teachers out there doing great work. This doesn’t apply to them. The problem is that they are the minority. They are also limited by what they can do and what they can teach.]

3.  There’s no standard curriculum for Information Technology or cybersecurity. It’s up to the teacher to develop his/her own, which is therefore based on his/her knowledge. (See #2.) Local school boards are responsible for deciding what’s included in their schools’ curriculum, but they don’t seem to understand cyber. Another fun study would be to see how many school board members are proficient in technology. My hypothesis is that it’s less than 20%. We need a standard cyber curriculum for the teachers to work from. It should be broad enough to allow flexibility for the teachers, yet cover the primary topics of how the technology works.

We need to find a way to teach IT and cybersecurity to our kids starting in elementary school and then throughout middle and high school. The problem is that we’re blocked by adults who don’t understand the necessity. The solution is out there, people. For example, see staysafeonline.org and stopthinkconnect.org. We just need to use it.

Help spread the word that we need to TEACH HACKING IN SCHOOLS. Talk to your local school board and elected officials.

*NOTE: I use the broad definition of hacking, meaning developing a curiosity on how things work. It’s not the malicious kind. When teaching hacking, ethics must be included. The intent is to keep the kids out of the orange jumpsuits (even if it’s the new black).

</rant>

[This rant reflects my opinion and not necessarily the views of my employer. ]

Concepts, Security Education, Security Management

My Security Bookshelf

I was recently asked, “What books, articles, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity.  The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
–  Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014.  You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional.  If you have one you think is missing, please provide a reply or email me.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

The RSA 2014 Conference took place in San Francisco February 24-28. It’s the top gathering of information security and risk professionals in the world, with over 25,000 attendees. I had the privilege to attend (and lead a CISO panel). While I was there, I used Twitter (@ronw123) to record my thoughts on the sessions and events. Below is a snapshot with commentary:

Security awareness and education was a common theme throughout the conference. The industry is finally realizing it’s about the humans, and people will always be the weakest security link.

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about “Social Engineering: When the Phone is More Dangerous than Malware.”

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled “Ending Risk Management Groundhog Day.” He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010). Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_). So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage #infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a Twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least, is my frustration during the opening keynote with attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?” Infosec continues to be a hot career field with many job opportunities. Therefore, we continue seeing people who are interested but don’t know the steps it takes to gain employment in information security. This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question about how I got started in security. It all started as a computer science major at Michigan State University. I was also in Air Force ROTC. This combination allowed me to start developing my security mindset. As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator, where I learned how to apply technical controls to protect the systems and their data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry-level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years. The career path still requires education, training, experience, and persistence.

As an extra added bonus, here’s a 3 ½ minute TED talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (watch for his explanation of CRAP). It’s great, general information on how to succeed in any career.

Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Passwords suck. They always have; they always will. But we’re stuck with them. They are the cheapest and easiest means of user authentication.

With passwords come the ubiquitous password policies. This post addresses two of them seen at most organizations*:
1. Thou shalt not share thy password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies. I’m using it for effect.

There are many problems with these rules. First, they are almost impossible to enforce, unless it’s a really small organization or you have a large police force. Second, they are often violated by the top echelon in the company. How many CEOs share their account with their admin? Are you going to tell the CEO that he’s violating the company policy? That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are there to protect the organization, not the employee. They cannot be enforced, except when something bad happens. Then the enforcer can point to the policy and report the violation. I call this a “speed limit” policy: it’s good to follow, but it isn’t continually or consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account. The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.” This puts the onus on the user. If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable. They are guilty until they can prove themselves innocent. If someone (like the CEO) wants to share their account, they can, as long as they realize that it’s them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down. Telling people not to just isn’t realistic. Some use a password vault application. Others use a piece of paper. Both are fine as long as the list is rigorously protected. It’s fine for people to write down their passwords as long as they store the list in a very safe location. My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment. I’m fine with it, since I may need it one day as her power of attorney. Her apartment is in a secure facility, so the risk is minimal. There’s a much bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing Accountability. What are the risks associated with the actions? Who’s responsible? Answer those and you make a conscious decision that’s both realistic and enforceable.

Careers, Security Education

Cybersecurity Degree vs. Certification

What’s best for your career – a Cybersecurity certification or a degree in Information Technology (IT) security?
[Guest Author: Laura Linhart]

A few years ago, this question would not have been as relevant as it is today. The CISSP® (Certified Information Systems Security Professional), sponsored by the International Information Systems Security Certification Consortium (ISC2) and first offered as a security certification in 1994, was the first information security certification to meet ISO standards.[1] Since then, the number and types of information or Cybersecurity certifications, and the professional organizations that offer them, have proliferated.

The growth and evolution of information or Cybersecurity as a degree unto itself has also been significant in recent years. Today, many colleges or universities offer it as a field or major unto itself, available as both undergraduate and graduate degrees. In previous years it was only available as a subset of another major such as data processing, computer networking or computer science.

From a career or professional perspective, information security appears to be a stable and growing profession.[2] As the profession continues to grow and evolve, the question of which is more relevant, a degree or certifications, is now a consideration. As with most things in life, the best answer is “it depends”. Where you are in your career, life’s journey (i.e., age) and your own ambitions are things to consider.

Degree – to expand or gain knowledge. On the positive side, a degree is forever and does not require any upkeep. It will get you in the HR screening process door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something.

Certification – to establish your credibility. Certifications require continuing care and feeding (continuing certification requirements). Most also require years of experience in the specific area of certification. It indicates that you have the subject matter expertise.

Another variable to consider is practical experience. In some situations, practical experience means the most. It indicates that you have the ability, and can apply and expand on what you know.

The bottom line is that there is no one answer that fits all.  It depends on your particular circumstances.

In reality, you will probably need both a degree and certification(s).


Security Education

What do you need? Security Education or Training

As you’re looking to improve yourself as a Cybersecurity citizen, you often need help from an outside source to increase your knowledge and/or abilities. Security is a broad topic encompassing many disciplines, and Cybersecurity is no different. There are technical, procedural, and managerial aspects to be considered to grow what you know about Cybersecurity. There are often many different ways to solve the same security problem. Knowing what to do and how to do it requires both knowledge and experience. How do you gain it, though?

The answer is Cybersecurity training and education. There’s often a question as to which you need: training or education. There is a difference between the two, which I’ll explain below. You need to be aware of your needs, wants, and goals before proceeding, or there’s a chance you won’t meet them.

Cybersecurity education provides a more general background on the philosophies and concepts behind Cybersecurity. It allows you to understand the context for security tools, techniques, and technologies. With security education, you understand why it’s important to have particular protection methodologies in place; it is at the strategic level of thinking. Cybersecurity education emphasizes principles of risk management and how security fits into an organizational culture and structure. Education is long term, taking many months, if not years, to acquire. Finally, education teaches critical thinking and allows the student to learn how to learn, which is crucial for new subjects or technologies.

In contrast, Cybersecurity training is more specific to a technology, procedure, or skill. It’s tactical or operational, rather than strategic. Training emphasizes the building of explicit skills and applying what you know to a particular situation. When you attend cyber training, you are learning about a specific technology or practice that can meet an immediate need. Lastly, training is short term and can often be accomplished in days or weeks.

In this discussion, I’m trying not to sway your thoughts as to which is better, because both are important for expanding your Cybersecurity knowledge and abilities. You need to decide for yourself the method you want to take in order to meet your goals. The important thing is that you keep growing and increasing your knowledge. Feel free to comment below on your views of education versus training. Don’t stop learning!

Security Education, Security Management

National Center of Academic Excellence in Information Assurance Education

In April 2012, the National Information Assurance Education and Training Program (NIETP) office, under the authority of the U.S. National Security Agency (NSA) and Department of Homeland Security (DHS), announced that Bellevue University is designated as a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) for the academic years 2012-2017. This is a great accomplishment for the University and demonstrates our continued dedication not only to Cybersecurity Education, but also to the security community.

The CAE-IAE application, submitted earlier this year, passed a rigorous review against stringent criteria, demonstrating the program’s competency and commitment to academic excellence in Information Assurance education and security practices. The letter received by the University with the announcement demonstrates the quality of our program: “One reviewer remarked that Bellevue’s submission, ‘demonstrated fine curriculum, expert faculty and noteworthy outreach.’ You are to be commended for submitting such an exemplary application. Your ability to meet the increasing demands of the program criteria will serve the nation well in contributing to the protection of the National Information Infrastructure.”

Mary Hawkins, the Bellevue University President, will receive the official certificate of designation, signed by the Director, NSA, the IA Director, NSA, and the Cybersecurity Assistant Secretary, DHS, at the 16th Colloquium for Information Systems Security Education (CISSE) in June.

An official press release and announcement is forthcoming.