CERIAS Recap: Panel #3

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended.

The “E” in CERIAS stands for “Education”, so it comes as no surprise that the Symposium would have at least one event on the topic. On Thursday afternoon, a panel addressed issues in security education and training. I found this session particularly interesting because it paralleled many discussions I have had about education and training for system administrators.

Interestingly, the panel consisted entirely of academics. That’s not particularly a surprise, but it does bias the discussion toward higher education issues and not vocational-type training. This is often a contentious issue in operations education discussions. I’m not sure if such a divide exists in the infosec world. Three Purdue professors sat on the panel: Allen Gray, Professor of Agriculture; Melissa Dark, Professor of Computer & Information Technology and Associate Directory of Educational Programs at CERIAS; and Marcus Rogers, Professor of Computer & Information Technology. They were joined by Ray Davidson, Dean of Academic Affairs at the SANS Technology Institute; and Diana Burley, Associate Professor of Human and Organizational Learning at The George Washington University.

Professor Gray began the opening remarks by telling the audience he had no cyber security experience. His expertise is in distance learning, as he is the Director of a MS/MBA distance program in food and agribusiness management. The rise of MOOCs has made information more available than ever before, but Gray notes that merely providing the information is not education. The MS/MBA program offers a curriculum, not just a collection of courses, and requires interaction between students and instructors.

Dean Davidson is in charge of the master’s degree programs offered by the SANS Technology Institute. This is a new offering and they are still working on accreditation. Although it incorporates many of the SANS training courses, it goes beyond those. “The old days of protocol vulnerabilities are starting to go away, but people still need to know the basics,” he said. “Vulnerabilities are going up the stack. We’re at layers 9 and 10 now.” Students need training in legal issues and organizational dynamics in order to become truly effective practitioners.

Professor Dark joined CERIAS without any experience in providing cybersecurity education. In her opening remarks, she talked about the appropriate use of language: “We always talk about the war on defending ourselves, the war on blah. We’re not using the language right. We should reserve ‘professionalization’ for people who deal with a lot of uncertainty and a lot of complexity.” Professor Burley also discussed vocabulary. We need to consider who is the cybersecurity workforce. Most cybersecurity professionals are in hybrid roles, so it’s not appropriate to focus on the small number who have roles entirely focused on cybersecurity.

Professor Rogers drew parallels to other professions. Historically, professionals of any type have been developed through training, certification, education, apprenticeship or some combination of those. In cybersecurity, all of these methods are used. Educators need to consider what a professional in the field should know, and there’s currently no clear-cut answer. How should education respond? “Better than we currently are.” Rogers advocates abandoning the stove pipe approach. Despite talk of being multidisciplinary, programs are often still very traditional.”We need to bring back apprenticeship and mentoring.”

The opening question addressed differences between education and training. Gray reiterated that disseminating information is not necessarily education; education is about changing behavior. Universities tend to focus on theory, but professionalization is about applying that theory. As the talk drifted toward certifications, which are often the result of training, Rogers said “we’re facing the watering-down of certifications. If everybody has a certification, how valuable is it?” Dark launched a tangent when she observed that cybersecurity is in the same space as medicine: there’s so much that practitioners can’t know. This lead to a distinction being made (by Spafford, if I recall correctly) between EMTs and brain surgeons as an analogy for various cybersecurity roles. Rogers said we need both.They are different professions, Burley noted, but they both consider themselves professionals.

One member of the audience said we have a great talent pool entering the work force, but they’re all working on same problems. How many professionals do we need? Davidson said “we need to change the whole ecosystem.” When the barn is on fire, everyone’s a part of the bucket brigade; nobody has time to design a better barn or better fire fighting equipment. Burley pointed out that the NSF’s funding of scholarships in cybersecurity is shifting toward broader areas, not just computer science. This point was reinforced by Spafford’s observation that none of the panelists have their terminal degree in computer science. “If we focus on the job openings that we have right now,” Rogers said, “we’re never going to catch up with the gaps in education.” One of the panelists, in regard to NSF and other efforts, said “you can’t rely on the government to be visionary. You might be able to get the government to fund vision,” but not set it.

The final question was “how do you ensure that ethical hackers do not become unethical hackers?” Rogers said “in education, we don’t just give you knowledge, we give you context to that knowledge.” Burley drew a parallel to the Hippocratic Oath and stressed the importance of socialization and culturalization processes. Davidson said the jobs have to be there as well. “If people get hungry, things change.”

Other posts from this event:

Reading is a basic tool in the living of a good life

The title is a quote from Joseph Addison, according to the good folks at the Richmond Public Schools.  Addison was a 17th and 18th century poet, but were he around today, he might have said it is a basic tool in being a good sysadmin.  If you don’t spend a good portion of your work week reading, you’re either doing it wrong or you’re overworked.  So what should you read?  Why, a little bit of everything, of course.

Each morning, I read through my log reports.  I get a lot of important information from a LogWatch report generated by my central log server.  I can see who logged in from where, and where failed logins (read: SSH attacks) came from.  A list of packages that got updated is given, as well as miscellaneous messages that I might want to know about.  Of course, I could look at the report for each individual host, but a centralized server makes life much easier.

Keeping up on the news is important, too.  Technology news is important too, but general news of the world.  Why?  Well, because I like to know what’s going on.  I guess you could do without it, but why?  Fark.com, Slashdot, and Reddit are all good places to get both nerdy and non-nerdy information, as well as discussion by people who (sometimes!) can bring more information to the table than the article itself will provide.

Since this is a blog, I am morally required to mention that blogs are absolutely necessary for sysadmins.  There’s probably a blog or several from the vendor of your OS of choice, as well as your critical applications. Plenty of other sites have blogs, too, but what may be the most interesting are the personal blogs of your peers.  When you’re a new sysadmin, you probably don’t know much outside of your own environment.  Reading what others are doing is a quick and easy way to help expand your horizons.  I have to mention specifically Matt Simmons’ Standalone Sysadmin blog.  I found it by accident a few weeks ago, and have since become an avid reader.  Having worked in academia all of my professional life, I often don’t see things from the perspective of someone working in the private sector.

There’s another source of information that can be very helpful.  There’s probably a building in your county that your taxes fund and it’s full of dead trees.  That’s right: your public library.  I’ve been visiting the library fairly regularly to check out books for recreational reading.  Today I had a sudden revelation: the library has technical books, too!  So I’ve decided to check out a technical book when I visit.  I’d like to read at least two per month, in order to expand and deepen my knowledge.

So what’s the point of all this?  READ!