Managing Network Security

Security Education in the Information Age

by Fred Cohen



Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


The Face of Education is Changing

It saddens me to think that many of today's and tomorrow's college graduates and graduate students may never get to see their professors live and in the flesh. Clearly, students learn better when multiple modes of learning are engaged - and physical presence brings a great deal more to classroom discussions - but it has become harder and harder to ignore the advantages of distance learning, and I have recently become convinced that, especially in the information security arena, distance learning is the place to be.

My wife recently decided to go back to school for her masters degree, and to my surprise, she found a lot of opportunities to learn over the Internet. She ultimately chose an accredited Internet-based masters program from a university over driving several hours to and from the closest available program every day - a wise choice in my opinion. But is wasn't just the convenience that led her to the decision. Learning over the Internet is, in many ways, a more thoughtful process than classroom learning. The written word and the fact that everything you post to the class is available to everyone in the class now and for the rest of the semester makes it a bit different than a classroom discussion. People tend to do their homework before they enter into a discussion. There is time to think and read before you jump to answer questions.


Some of the Things I have Tried

Over the last few years I have tried a variety of delivery mechanisms for educational and informational material, both to educate myself and to help others become knowledgeable. I started the effort in earnest with the all.net web site, which features a lot of articles and other useful materials. This worked reasonably well, but most audiences were unable to really use it effectively for a variety of reasons. I have since seen many other Web sites spring up, and while there is a lot of good (and poor) information out there, the truth is, none of it is effective as educational material as far as I can tell.

The next innovation I tried was the addition of automated analysis software and gaming of various sorts. The gaming was more effective than the other automation because, frankly, until you already know most of the information, the automation is a mystery. Once you understand all the issues, the automation is useful in making sure you don't forget anything and at giving you some notions of what to look at and why, but it is not education in any real sense.

Gaming turned out really well. The people who try the automated scenarios available from the all.net web site demonstrate a wide range of skill sets when they start out, and many give up fairly quickly, but some of them get interested in the game to the point where they do things like write automated password guessers to run against the password simulations. Many of the participants look up related material and come back to do better. The addition of informative pointers to game areas along with th3e instant feedback helps engage people in the learning process. The games provide feedback on performance over time, and this helps in terms of evaluating the effectiveness of learning. All good things.

More recently, I started to try to translate the things educators do in the classroom over to the educational efforts. The most recent innovation was to record live lectures and include them along with the power point slides on CD-ROMs. This has some real advantages in that it does a much better job of simulating class attendance and makes things come more to life than they otherwise might. It also has a lot of disadvantages that have to be compensated for in other ways, but I will focus on the positive for now. Others have tried to deliver voice directly over the Internet, but it has largely failed, in my opinion, because the performance of the Internet is poor compared to a CD-ROM. The CD-ROM also has the advantage that you possess it and can replay or loan it out as you like, while getting a few hundred megabytes over the Internet leaves you with storage and usage problems.

In my long-past, I had experience with a variety of educational software (the language "PIL" comes to mind... an indication of my age and the obscurity of my references I am certain). The notion was that you could build lessons and have the computer measure and act on performance. I have not tried this insecurity education yet, largely because I think that nobody has developed a logical progression through the security educational space where one thing depends on the next and we can effectively diagnose your understanding in order to fix any mistakes before going on. I also think the audience wants to move along and come back later rather than get mired in something they do not yet understand.


Some of The Uniqueness of Security Education

One of the reasons I have difficulties in automating many aspects of security education is that the field is so diverse and so populated with people of different knowledge and skill sets. There is no common skill set for security professionals, no common background, no common mathematics, and if there were, it would likely take 20 years to get a degree in the field because it is so broad and far reaching.

Another important thing about information security is that is seems to be changing at a very rapid pace these days. For example, legal briefings need to be updated at least every 6 months in order to include recent rulings. International issues in the legal aspects are so complex that nobody fully understands them and it would take a major league legal team to even start to address the issues. The changes in operating system and network security mean that a major new course is likely to be needed every year or two. Just consider that over the last few years, we have largely adopted intrusion detection, firewalls, e-commerce, various cryptographic standards, Java and other related Browser security methods, Web server security, front-end / back-end Internet security, and new classes of virus defenses into the list of items a security education needs to address. Each of these requires a substantial course in order to address even at a rudimentary level, and for hands-on education, the task is even more daunting.

Add to these factors, the enormous market pull for expertise, the lack of university programs in the field, the lack of university professors with even a little bit of expertise, the lack of widely accepted text books and curricula, and the rapid introduction of security requirements for individuals who are on the road or located around the world, and you have a situation where classical educational methods simply will not get the job done.


Arrive the Internet

With all of these factors mixing together, it seems to me that security education has reached a point where the Internet offers the only cost effective - perhaps the only effective at any cost - education in information protection that can be created and sustained on a large enough scale to get the job done.

Now I don't want to give the misimpression that the Internet is a panacea for solving the problems of security education. In fact, it is a poor second in terms of quality to what you can get from a high quality program taught on site and live by knowledgeable expert professors at a major University. Unfortunately, except a few hundred students a year who live in the right places, this is simply not available today.

I also don't want to discount the short course companies. They have done a fine job in this area for many years - particularly at the MIS Training Institute and the Computer Security Institute. Unfortunately, the high cost, limited effectiveness, and rapid pace of the information provided in these venues combined with the difficulty of getting the information you want where you want it and when you want it, limits the utility relative to the scale of the job we need to get done. Indeed, the professional experiences shared in these venues has more value to me than the many talks I attend, and I value them, but they do not effectively educate the large number of people over the required time frames while allowing them to continue working in the field and serving their employers well.

I guess I am trying to say that we need to spread expertise too thin and education too widely for any of the classic technologies to fill the void. And as a customer of security education, it is also frustrating because I have to spend a lot of time and effort in order to get the limited education I get along the way. I need to be able to get the information I want quickly, confidentially, and from a real expert, and to do so without arranging trips weeks in advance and without spending days on a risk venture. I don't mind spending a few hundred dollars to get the information I need in a few days, especially if what I learn will help me for a long time to come and serve as a reference like my old university texts did for the first few years of my career.


I haven't Found it Yet

I have the great fortune of having 13 students working for me over this summer, and as a part of the deal, I tech them about issues in information protection. These class sessions combined with work experience seem to me to be one of the most effective methods for educating students on information protection. According to the most commonly accepted learning theories, they combine multiple modes of learning, which should engage the brain more effectively than can be done with fewer modes. Students whose daily work includes putting hardware and software systems together into networks, pulling up computer floors and running wiring, replacing broken boards, configuring operating systems, doing designs, taking classes, and working in a group that combines forces in related areas, the experience is very rich.

To give a sense of the value of this, consider that when I teach them about vulnerabilities in the class session and indicate that physical entry under the computer floor is often possible, they think back on whether there was under-floor entry to the facility they were just crawling under the floor of. When they return to the facility the next time, on their own, they lift up the floor again and check, and from then on they start to notice these things as a matter of course. Once they begin to think this way, their view of the world changes, and this is a fundamental issue in security education.

Getting the world view to change via the Internet without the experience of rewiring a room would seem to me to be less effective than it can ever be in person, but it can be done. For example, the class assignment for the week could include a series of experiences that the students have to have on their own. The problem is that not every student has the same availability of these experiences and trying to arrange a global network of experience locations is probably impractical. One of the ways around this is to have a week or two on-site as a part of the overall program, but of course the cost then skyrocket, and it is particularly onerous for people half a world away. An alternative to this is a set of experiences can be had almost anywhere, or large numbers of optional experiences so that some will be available to everyone and nobody will be able to complete them all. The students can then share their experiences with each other. It's not as good as being there, but it's better than not doing it.


Conclusions

Interaction with students is another important issue in education. I often change my presentation substantially in response to the audience, as I think most teachers do. In remote classrooms this just doesn't work as well. For example, in the 1980s I taught at the University of Southern California (to help pay for my doctoral program) using their interactive television network in some of the classes. This was quite a different experience than teaching a class full of live students - even though half of the students were present in the room. For one thing, the presentation was more constrained because all of the information had to go out over the television network. All of my hand motions and expressions were wasted on the television audience because having a full-up production crew is far too expensive for this venue, and as a result, the visuals are all fit on a screen in front of the professor. Now days, I do the same thing with power point slides. The ability of remote students to interrupt was really not used very much, so only questions and answers were really done interactively. Since this was a one-way-at-a-time system, except for being a bit more instantaneous, you could do it with email almost as well.

My assessment is that Internet-based security education today is rapidly approaching the level of effectiveness and interaction that televised two-way education achieved 20 years ago, and that it will likely not go far beyond this for quite some time to come. The reason is the same as the reason that televised education didn't go much further. Because 80% of the quality at 20% of the cost is about as good as you can do. While a few minor improvements will be made, today, you can get almost as good an education by the combination of CD-ROMs, email interaction, Internet-based content, strategic scenario gaming, and well thought-out homework assignments as you can in a classroom with a slightly less knowledgeable professor and a less than ideal set of laboratories.

While this is not as good as it could get, it is as good as it is likely to get for some time to come. With the large number of students requiring education in this area and the lack of adequate facilities and experts in academia, I can't see it going any other way for now.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net or visiting /

More Information