As I prepare to dive into this week's Federal Friday post I can't help but notice that it's that time of the year again. The days are longer, the mercury rising, a sweet smell of B.B.Q filling the air, and students around the country are heading out of the classroom and into their summer vacation. They leave their respective schools and previous grades behind, and for the next few months they will embark on numerous adventures, filling their heads with all types of stories that they'll be bursting at the seams to share with their classmates when they return to school in the fall. While their experiences throughout the summer will be unique to each of them, one constant theme remains – the dreaded summer reading list…
That brings me into my topic for this week: how the ability to adapt and address persistent threats in cyber security defenses is inherently tied to education.
My interest in this topic was piqued by a blog I was reading in the Harvard Business Review, “Cyber Security Depends on Education” by Marisa Viveros. In her post, Ms. Viveros, a VP at IBM, clearly outlines the current short-falls in talent available to address the rapidly increasing threat landscape that security teams of every vertical and sector face every day. The shift in spotlight for most organizations from an IT-run infrastructure to a heavier focus on cyber security has these teams seeking highly specialized personnel. This trend has created multi-layered issues stemming from the fact that many IT teams were not previously focused on security - other than deploying an AV program – and are unprepared to tackle aggressive attacks that take place every day. Bottom line: organizations are under-resourced when it comes to experienced security professionals. While Ms. Viveros speaks directly regarding the challenges facing her larger organization, the same issues are taking shape in everything from small start-ups through the enterprise level and federal targets. Even “Main St.” is facing issues in regards to PCI, with the increasing threat that they will be seen by attackers as the backdoor to larger vendors that they do business with. For more on the HBR blog you can check it out here: http://blogs.hbr.org/cs/2013/06/cyber_security_depends_on_educ.html
That's great John, but you called this Federal Friday so where is the federal angle?
Great question John, the federal tie-in came as I read on.
The full report Ms. Viveros was blogging about - “Cybersecurity education for the next generation” - was developed at the IBM Center for Applied Insights and hammers down on the point that none of us will be able to reduce risk without collaboration, beginning and ending with education. This education begins at the university level by increasing the emphasis on security in the computer sciences curriculum. This is more in depth than simply adding a few courses; it's a change in mindset, both in curriculum and also in practice. It involves the creation of labs, student-driven hacking groups (like many that are out there for professionals), and collaboration with other edu institutions, as well as commercial and government organizations. Ultimately the goal is to plant the seed that will instill in the younger generations the desire to constantly be learning and adapting in this ever changing cyber landscape. Even after graduation. If you would like to view the full report you can get he PDF here: http://public.dhe.ibm.com/common/ssi/ecm/en/ede12345usen/EDE12345USEN.PDF
The interesting point out of that was the emphasis placed on three major institutions coming together; universities, commercial and government institutions.
For the government's part, the NSA's Information Security Panel started a discussion regarding the science of cyber security in 2008. Robert Meushaw discussed this in his article “NSA initiatives in cybersecurity science.” The agency was looking to determine if we could look at this topic as a science and develop a methodology around cyber in order to address the coming storm. Being able to define cyber security as a science was the first step to creating an atmosphere of collaboration. The creation of a new set of “scientists” who are focused on cyber security will be able to enhance the capabilities of many of the organizations that have been defending information for decades. DARPA, IARPA, NSF, AFRL, ARO, DC3, NSA and more recently DHS and NIST have all been charged with researching, establishing and creating some of the most valuable tools and standards we use to defend our nation and our national secrets. Being able to add highly specialized personnel, who have been trained extensively will only enhance the effectiveness of these organizations to develop new techniques and standards. However, this can only be practical with the help of, and cross-functional collaboration with, the education and private sectors.
This has already begun to take shape. The NSA had initially funded three “lablets” at three separate universities; Carnegie Mellon, University of Illinois and NC State. These lablets are using federal funding to establish footholds at accredited institutions for the pursuit of furthering the understanding of the science of cyber security. NSA, in a partnership with DHS, have sponsored the National Centers of Academic Excellence which has 165 current locations. The goal here is to help patch the current holes in our national cyber infrastructure by creating a concerted focus on higher education, research and effectively trained security professionals who are ready, willing and able to apply their knowledge through numerous disciplines. To read Mr. Meushaw's article you can download the PDF here: http://www.nsa.gov/research/tnw/tnw194/articles/pdfs/TNW194_article4.pdf
There is also a heavy focus at the DoD to enhance their capabilities as well. The old adage that defense wins the game still holds true, but in order to actually win you need to score some points. The Defense Cyber Crime Center, DC3, a division of the Air Force Office of Special Investigations, is able to fill multiple roles for the DoD, from training and research to targeted analytics in critical mission areas, as well as counterintelligence and counterterrorism. DC3, like many of the cyber teams located around the country, uses a mixed personnel group consisting of military, civilian and defense contractors. However DC3 also has 23 liaisons/detailees from many other agencies as well. These include DHS, OUSD, DAMO, NSA, FBI, DCIO, Military Intelligence, and CYBERCOM.
Teams such as this, and the Air Force's 92nd IOS, are able to draw from the unique backgrounds of their members. Rather than coming from the same school of thought, these mixed teams are able to use their unique knowledge, skills and abilities to focus their energy on one goal, enhancing the security of the nation with the ability to adapt to a wide variety of ever-evolving attacks.
Rapid7 does its part in participating with educational institutions, public, private and federal. By being able to grant, free of charge, licenses for our products, we are able to put practical, real-world tools into the hands of professors and students. Getting training in both classroom and lab environments will enable a future generation of cyber security professionals for professional security roles. Additionally we have a wide range of information available on SecurityStreet (hey, you're here now!), which draws from a variety of topics, with contributions from our technical staff, as well as our users, contributors and the community at large.
For those of us no longer ready to embark on another college experience, there are options out there. A wide range of training is available through a variety of resources and institution such as SANS. These courses can provide the necessary enhancements to the existing knowledge base within security teams. These training programs generally draw from the recommendations of NIST and DHS protocol providing the peace of mind that the information you are learning is up to date and recognized, if not established by these organizations in collaboration with multiple institutions. This needs to be an ongoing effort and many courses require recertification due to the consistent atmosphere of change that is inherent in the global threat landscape. The training available ranges from vendor- and sector-specific to vendor-agnostic and general security training. Here is a good place to start researching available certifications: http://searchsecurity.techtarget.com/tip/SearchSecuritycom-guide-to-information- security-certifications
Cyber security education doesn't simply stop with security personnel, it is imperative to have a highly educated and aware work force. News of high profile attacks, launched using a variety of evolving tactics, seem to come to light almost daily. 73% of these attacks are the result of an employee's error, according to Ms. Viveros research. Which means many of these attacks could be prevented by a better educated and wary work force. Security education needs to be organization wide and encompass a variety of fronts. Utilizing programs such as Security Mentor, help you teach your users about risks through simple and highly consumable, but important security lessons. Tools such as the social engineering campaigns in Metasploit Pro help you identify high-risk users that need further educational efforts. These processes need to be a constant and consistent presence within your organization, and your tactics for training need to be changing all the time. This is no small task, but the better prepared you are, the better prepared your organization can be.