4/11/2011
Information Security and Risk Management in Context
The Context
Dr. Barbara Endicott-Popovsky
Center for Information Assurance and Cybersecurity (NSA/DHS CAE-R)
CIAC
The Center for Information Assurance and Cybersecurity
at the University of Washington
• Promotes multi-disciplined, regional collaboration
• Produces innovative research
• Provides CNSS-accredited educational programs
• Develops well-prepared information assurance professionals
http://ciac.ischool.washington.edu/
Barbara Endicott-Popovsky, Director, Center for Information Assurance and Cybersecurity
Faculty, Information School and CS, UW Institute of Technology Tacoma
Email: [email protected]  Office: Suite 400 RCB  Phone: 206-284-6123  Website: http://faculty.washington.edu/endicott
Barbara Endicott-Popovsky (Pittsburgh, Pennsylvania) is the Director of the Center for Information Assurance and Cybersecurity at the University of Washington, Seattle, WA, USA, with a joint faculty appointment in the Information School and the Computer Science Department at the UW Institute of Technology Tacoma. She previously held executive positions with The Boeing Company, Seattle, WA. Her current research, under the theme of the Unintended Consequences of the Information Age, includes the impact of technology on the legal structure, the calibration of low-layer network devices, network forensic readiness methodologies, and security vulnerabilities in critical infrastructure.
She earned her Ph.D. in computer science at the University of Idaho, Moscow, ID, USA (2007); an MS in information systems engineering from Seattle Pacific University, Seattle, WA, USA (1987); an MBA from the University of Washington, Seattle, WA, USA (1985); and a BA in Liberal Arts from the University of Pittsburgh, Pittsburgh, PA, USA (1967).
Dr. Endicott-Popovsky is a member of the IEEE, a founding member of the NW Regional Computer Forensics Cooperative, Principal Investigator on numerous grants, and producer of the televised Unintended Consequences of the Information Age lecture series. She has served on organizing committees for the Information Security Compliance and Risk Management Institute, the International Workshop on Systematic Approaches to Digital Forensic Engineering and the Recent Advances in Intrusion Detection (RAID) conference, and is on the editorial board of a Special Edition of the Journal on Educational Resources in Computing.
NSA/DHS NIETP Program:
“Growing” information security professionals in our universities
UW/West Coast opportunity
Center for Information Assurance and Cybersecurity
Figure: the Center's organizational model. Community and Sponsors surround three activity areas:
– Outreach: PRCCDC, IRMSCI Institute, Unintended Consequences Lecture Series
– Research: Projects, Grants, Publications, IP, Consulting, Directed Research
– Academics: Classes, Workshops, UW Certificates
The Agora practitioner community links Research back to the wider Community.
Center for Information Assurance and Cybersecurity (NSA CAE-R)
Multi-Disciplined IA Approach
Figure: the IA lifecycle runs from the Goal of System through Policy, Security Awareness Training, Procedures & Practices and Mechanisms to a Secure System, with IA Audit Feedback closing the loop. Contributing UW units: Business School (IT), iSchool, Evans School (Internet Center), Law School (Shidler Center), Tech Comm-Eng, Computer Science, Electrical Engineering.
Academics
As an NSA-designated Center, the CIAC offers certificates, courses and workshops in Information Assurance:
– UW Certificates
• Information Assurance & Cybersecurity http://www.extension.washington.edu/ext/certificates/inf/inf_gen.asp
• IT Security http://www.extension.washington.edu/ext/certificates/iss/iss_gen.asp
• Network Engineering http://www.extension.washington.edu/ext/certificates/dac/dac_crs.asp
– Classes
• Information Ethics, Security, and Privacy
– Workshops
• ISCRMI
• IP3 Seminars
• CISSP Bootcamps
Research
The CIAC partners with industry and government:
• Theory, Conceptual Models
– Adding the 4th R
– Theoretical Framework for Organizational Network Forensic Readiness
• Projects and Grants
– PNNL: Next Generation Honeypots
– China/Microsoft: IA Compliance Framework
• Publications
– Deception Taxonomy (for honeypots)
– Drive-by Downloads
• Directed research, IP, Consulting
– WSDOT
– Compliance-Ready Networks
Center for Information Assurance and Cybersecurity
Pacific Northwest National Laboratory: As the Center's research partner, PNNL expands the capacity and capabilities of the University of Washington to do classified and sensitive research and provides a foundation for a regional research center in information assurance.
• Deborah Frincke, Initiative Lead for the Information and Infrastructure Integrity Initiative (I4), and Chief Scientist (Cyber Security capability), Computational & Statistical Analytics Division, National Security Directorate
• Troy Thompson, Research Engineer
• Frank Greitzer, Chief Scientist (Cognitive Informatics R&D Area), Computational and Information Sciences Directorate
• Glenn Fink, Senior Research Scientist, Information and Infrastructure Integrity Initiative (I4), Computational & Statistical Analytics Division, National Security Directorate
Center Contributors
• Mike Simon: CTO, Creation Logic; Assoc. Dir. Applied Research, CIAC; Pres., InfraGard Seattle Chapter
• Kirk Bailey: UW CISO, CISSP, Agora leader, Security 7 Award
• John Christiansen: Christiansen IT Law; HIPAA, legal and regulatory compliance
• David Dittrich: Sr. Security Engineer/Researcher, Applied Physics Laboratory; research on Distributed Denial of Service attack tools
• Ernie Hayden: CISSP, CEH; pioneered CISO positions, previously with the Port of Seattle
• Seth Shapiro: CPCU, ARM, AIS, ARe; enterprise risk management and information security management
• Joe Simpson: IA consultant; systems engineering and the application of systems engineering to IA
• Merike Kaeo: Double Shot Security; Internet governance and protocol expertise
Academic Researchers and Practitioner Researchers
Electrical Engineering
• Radha Poovendran, Assoc. Dir. Research, CIAC; Assoc. Prof., Communications & Networking; Dir., UW Network Security Lab
• Ming-Ting Sun, Prof., EE; machine learning, video processing
Information School
• Barbara Endicott-Popovsky, Dir., Center for IA & Cybersecurity; Research Assoc. Prof.; digital forensics, secure code, enterprise IA
Computer Science and Engineering
• Henry M. Levy, Wissner-Slivka Chair; spyware/security, OS
• Steve Gribble, Torode Family Endowed Career Development Prof., CS; spyware/security projects, OS
• Tadayoshi Kohno, Asst. Prof., CSE; security in pervasive computing, electronic voting, wireless security and privacy
UW Institute of Technology Tacoma
• Sam Chung, Assoc. Prof.; secure code
Mathematics
• Neal Koblitz, Prof. of Mathematics; cryptography, number theory, security issues in genus-2 hyperelliptic cryptography, co-inventor of elliptic curve cryptography
Law
• Jane Winn, Charles I. Stone Prof. of Law; electronic commerce law developments in the US, EU and China
Current Center Activities
Funded Projects and White Papers
• Next Generation Honeypots: An assessment of using virtualization for network instrumentation, deception and measurement will be incorporated into recommendations for next-generation honeypot design.
• Secure Coding Project: Recognizing the need for college-level secure coding curriculum, the CIAC is piloting a program that will train Puget Sound faculty for two years, reaching over 1200 students. Success will be determined by internal and external evaluation. Once externally evaluated, curriculum modules will be disseminated inside and outside the region.
• IA Compliance Framework: A lack of regulatory controls and subsequent enforcement in China has focused outsourcing discussions on this growing challenge. An IA governance framework, adapted from industry, is proposed as a mitigating control.
• Cyber Warrior: Defining recruiting profiles, mentoring and management strategies for cyber defenders.
• Virtual World Security: Defining and developing the unique aspects of Virtual World security.
• Systems Engineering in IA: Developing implementation models for allocating systems engineering goals throughout an organization.
• IPSEC Interoperability: Defining IPSEC terminology, reconciling IETF RFCs, implementing IPSEC procedures, recommending best practices.
• Trust along the Supply Chain: Defining the role of trust and IA in building supply chain relationships.
Cyber Warrior: Effectively Defending Cyberspace
• Motivation
– Dearth of cyber defenders
– New MOSs (military occupational specialties) under development
– Industry-expressed frustrations: identification and recruiting challenges; training out-of-the-box thinking; stress and burnout in incident response
• Need for “cockpit” studies
• Preliminary work begun
Welcome to Cybersecurity Island
http://www.youtube.com/watch?v=fvYOaf-9n-o
Asset Protection Model
Figure: the model is built from four cubes.
– The Asset Cube: Value Protection (Integrity, Confidentiality, Availability) against Configuration (Storage, Processing, Transmission), with the control dimension Technology / Policy, Practices / Human Factors.
– The System Cube, The Threat Cube and The Target Cube [CMISS]; labels recovered from the diagram: System, Threat, Target, Exposure, Action, Effect, Type, Specification, Program.
System Concepts (SM)
• Incorporates threat and systems perspective with target [CMISS]
• Establishes standard organizational basis for learning and analysis
• Provides cognitive support as well as a static and dynamic view of the model information
IPSec Interoperability for Boeing-led Working Group
Project Overview: Testing interoperability issues during IPSec VPN configuration on different vendors' products.
– Begun last year by closely analyzing products of different vendors (Sonicwall, Fortigate, StoneSoft).
– Identified and compared the parameters each vendor uses for hashing, encryption and authentication during IPSec VPN configuration.
– Reviewed the unique approach for configuring IPSec VPN proposed by ICSA Labs.
– Compared this approach with the default method available in each vendor's product for configuring IPSec.
Research divided into two phases:
• Homogeneous Environment:
– Configured and tested IPSec between two same-vendor devices (e.g., a Sonicwall device at both ends of the IPsec tunnel).
– Used the common method of configuring IPSec VPN developed by ICSA Labs.
– Verified that one unique method doesn't work for all vendors.
• Heterogeneous Environment:
– Proposing to configure and test the IPSec VPN tunnel between different vendors' products (e.g., Sonicwall at one end and Fortigate at the other).
– Matrix of options developed, together with a method to configure the IPSec VPN tunnel.
– Will begin testing shortly.
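The parameter comparison above is at bottom an intersection problem: a tunnel only comes up when both endpoints offer at least one identical transform set, and the comparison is harder than it looks because vendors label the same algorithm differently. The Python below is an added example, not code from the project or from any vendor: it normalizes vendor labels to canonical names, runs an IKEv1-style proposal selection, and, when negotiation fails, reports which attribute has no overlap. The alias table, the two vendor default proposal lists and the "common method" proposal are constructed for illustration and are not the real defaults of Sonicwall, Fortigate, StoneSoft or the ICSA Labs method.

```python
"""Added example: can two IPsec endpoints agree on a proposal?

The alias table, the vendor default proposal lists and the "common method"
proposal are constructed for illustration; they are not the real defaults
of any product named in the project description.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Vendors spell the same algorithm differently ("Group2", "dh2", "modp1024").
# Every accepted spelling maps onto one canonical name.
ALIASES: Dict[str, str] = {
    "3des": "3des-cbc", "des3": "3des-cbc", "3des-cbc": "3des-cbc",
    "aes128": "aes128-cbc", "aes-128": "aes128-cbc", "aes128-cbc": "aes128-cbc",
    "aes256": "aes256-cbc", "aes-256": "aes256-cbc", "aes256-cbc": "aes256-cbc",
    "md5": "hmac-md5", "hmac-md5": "hmac-md5",
    "sha": "hmac-sha1", "sha1": "hmac-sha1", "sha-1": "hmac-sha1", "hmac-sha1": "hmac-sha1",
    "sha256": "hmac-sha256", "sha-256": "hmac-sha256", "hmac-sha256": "hmac-sha256",
    "group2": "modp1024", "dh2": "modp1024", "modp1024": "modp1024",
    "group5": "modp1536", "dh5": "modp1536", "modp1536": "modp1536",
    "group14": "modp2048", "dh14": "modp2048", "modp2048": "modp2048",
    "psk": "psk", "preshared": "psk", "pre-shared": "psk",
    "rsa": "rsa-sig", "rsa-sig": "rsa-sig", "certificate": "rsa-sig",
}


def canon(label: str) -> str:
    """Canonical algorithm name for a vendor label. Unknown labels raise rather
    than pass through, so a typo in a config cannot masquerade as a mismatch."""
    key = label.strip().lower()
    if key not in ALIASES:
        raise ValueError(f"unknown algorithm label: {label!r}")
    return ALIASES[key]


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: str
    auth: str
    lifetime_s: int

    @classmethod
    def parse(cls, enc: str, integ: str, dh: str, auth: str, lifetime_s: int) -> "Proposal":
        return cls(canon(enc), canon(integ), canon(dh), canon(auth), int(lifetime_s))

    def transform_set(self) -> Tuple[str, str, str, str]:
        # Lifetime is deliberately excluded: it is negotiated, not matched.
        return (self.encryption, self.integrity, self.dh_group, self.auth)


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Tuple[Proposal, int]]:
    """IKEv1-style selection: the responder accepts the first proposal in the
    initiator's list whose transform set it also offers. Returns that proposal
    and the agreed lifetime (the shorter of the two sides'), or None.
    Caveat: some implementations reject a lifetime mismatch instead of taking
    the minimum; that is exactly the kind of vendor difference the matrix records."""
    offered = {p.transform_set(): p for p in responder}
    for p in initiator:
        match = offered.get(p.transform_set())
        if match is not None:
            return p, min(p.lifetime_s, match.lifetime_s)
    return None


def diagnose(initiator: List[Proposal], responder: List[Proposal]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For each attribute with no overlap at all between the sides, report what
    each side offers. An empty result does not guarantee success: the overlapping
    values may sit in different proposals, which only negotiate() detects."""
    problems: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for attr in ("encryption", "integrity", "dh_group", "auth"):
        a = {getattr(p, attr) for p in initiator}
        b = {getattr(p, attr) for p in responder}
        if not a & b:
            problems[attr] = (a, b)
    return problems


# Constructed defaults for two hypothetical vendors, A and B, plus the single
# "common method" proposal a working group might push to every device.
VENDOR_A_DEFAULT = [Proposal.parse("3DES", "SHA1", "Group2", "PSK", 28800)]
VENDOR_B_DEFAULT = [Proposal.parse("aes-128", "sha-1", "dh5", "preshared", 86400)]
COMMON_METHOD = [Proposal.parse("AES256", "SHA256", "Group14", "PSK", 28800)]


def run_matrix() -> Dict[str, Optional[Tuple[Proposal, int]]]:
    """Two rows of the interoperability matrix: vendor defaults alone, then
    each vendor with the common method added to its proposal list."""
    return {
        "A-default -> B-default": negotiate(VENDOR_A_DEFAULT, VENDOR_B_DEFAULT),
        "A+common -> B+common": negotiate(VENDOR_A_DEFAULT + COMMON_METHOD,
                                          COMMON_METHOD + VENDOR_B_DEFAULT),
    }


if __name__ == "__main__":
    for pairing, result in run_matrix().items():
        print(pairing, "->", "no agreement" if result is None else result)
    print("why the defaults fail:", diagnose(VENDOR_A_DEFAULT, VENDOR_B_DEFAULT))
```

With the constructed defaults the first pairing fails on both encryption and DH group even though hash and authentication overlap; adding the common proposal to both sides makes the tunnel negotiable, which is the effect the homogeneous-phase tests were checking for. Proposal order matters: the responder here takes the first match in the initiator's list, so placing the common proposal first on the initiator side gives a predictable outcome across vendors.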
Trust along Supply Chain
• Application: drug trial outsourcing to China
• Microsoft / UW governance model developed
• Collaborations: interdisciplinary (Law / Medical School); cross-cultural (UW / China); industry partner (Microsoft)
APEA 2010
Securing the Future
Innovative Integration
Key Collaborations
Diverse Disciplines
Emerging Technologies
Organizational & Technical Management
Technical Approaches
Information Assurance Processes
Outreach
The CIAC sponsors community lectures and workshops.
– The Unintended Consequences of the Information Age Lecture Series http://www.uwtv.org/programs/displayseries.aspx?fid=2121
– Pacific Rim Collegiate Cyber Defense Contest (PRCCDC) http://ciac.ischool.washington.edu/?page_id=234
– The Annual Information Security Compliance and Risk Management Institute http://www.engr.washington.edu/epp/infosec/index.html
– NWSec, Tacoma http://students.washington.edu/greyhat/NWSec_at_UWT_Website_v1.5/FEB_15-16_2007_NWSec_at_UWT_Website_v1.5/nwsecPresenters.html
Unintended Consequences of the Information Age
A lecture series exploring controversial issues emerging in our "point and click” world
• Privacy: Reconciling Reality
• Privacy vs. Free Speech
• Our Infrastructure: Online and Vulnerable?
http://www.uwtv.org/programs/displayseries.aspx?fid=2121
Pacific Rim Collegiate Cyber Defense Contest (PRCCDC)
Information Security Compliance and Risk Management Institute:
Where Information Technology, Law and Risk Management Converge
September 16-17, 2009
University of Washington, UW Tower Auditorium, Seattle, Washington
http://www.engr.washington.edu/epp/infosec/index.php
CONTEXT: UNINTENDED CONSEQUENCES OF THE INFORMATION AGE
The transition from the Industrial Age to the Information Age is creating massive, upending, unintended consequences in spite of our best efforts to think through change. As we contemplate the ICANN transition from management by the US Department of Commerce to independence, we should consider this context.
Context Evolution

Attribute               Agricultural Age   Industrial Age      Information Age
Wealth                  Land               Capital             Knowledge
Advancement             Conquest           Invention           Paradigm Shifts
Time                    Sun/Seasons        Factory Whistle     Time Zones
Workplace               Farm               Capital equipment   Networks
Organization Structure  Family             Corporation         Collaborations
Tools                   Plow               Machines            Computers
Problem-solving         Self               Delegation          Integration
Knowledge               Generalized        Specialized         Interdisciplinary
Learning                Self-taught        Classroom           Online
Cartoon: Smashing Industrial Age Infrastructure!
Caption: And just whom do you think is going to clean up this mess, Noah?
THE PROBLEM: Can't get enough technology
Our Love Affair with the Internet (headline collage):
• Shoppers embrace the online model (posted 0727 GMT (1527 HKT), December 20, 2006)
• Embracing Internet Technologies
• Baby Boomers Embracing Mobile Technology
• US Internet Users Embrace Digital Imaging
• Docs Embracing Internet
WORLD INTERNET USAGE AND POPULATION STATISTICS

Region                    Users, Dec. 31, 2000   Users, latest data (2010)   Penetration (% population)   Growth 2000-2010   Users, % of table
Africa                    4,514,400              110,931,700                 10.9 %                       2,357.3 %          5.6 %
Asia                      114,304,000            825,094,396                 21.5 %                       621.8 %            42.0 %
Europe                    105,096,093            475,069,448                 58.4 %                       352.0 %            24.2 %
Middle East               3,284,800              63,240,946                  29.8 %                       1,825.3 %          3.2 %
North America             108,096,800            266,224,500                 77.4 %                       146.3 %            13.5 %
Latin America/Caribbean   18,068,919             204,689,836                 34.5 %                       1,032.8 %          10.4 %
Oceania/Australia         7,620,480              21,263,990                  61.3 %                       179.0 %            1.1 %
World total               360,985,492            1,966,514,816               28.7 %                       444.8 %            100.0 %
RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
Species 8472
Courtesy: K. Bailey/E. Hayden, CISOs
Duality in Cyberspace
Benign: New Opportunities, Efficiencies, Convenience
Malignant: New Crimes, Privacy Loss, Threat, Intrusion
http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/
Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now by Tim Stevens posted Apr 28th 2009 at 7:23AM
Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost €51 million to develop (about $66 million) in favor of good 'ol paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million in taxpayer money.
July 31, 2009, 12:34 pm
Student Fined $675,000 in Downloading Case
By Dave Itzkoff
Bizuayehu Tesfaye/Associated Press Joel Tenenbaum was found liable for copyright violations in a trial in Boston.
Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay $675,000 to four record labels for illegally downloading and sharing music, The Associated Press reported.
A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from the Internet between 1999 and 2007, did so in violation of copyright laws and is liable for damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or siblings may have downloaded the songs to his computer. The record labels involved in the case have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much as $150,000 per track if it found the infringements were willful. In arguments on Friday, The A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to “send a message” to the music industry by awarding only minimal damages.
http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/
Majority think outsourcing threatens network security
Angela Moscaritolo, September 29, 2009
A majority of IT security professionals believe that outsourcing technology jobs to offshore locations has a negative impact on network security, according to a survey released Tuesday. In the survey of 350 IT managers and network administrators concerned with computer and network security at their organizations, 69 percent of respondents said they believe outsourcing negatively impacts network security, nine percent said it had a positive impact and 22 percent said it had no impact.
The survey, conducted this month by Amplitude Research and commissioned by VanDyke Software, a provider of secure file transfer solutions, found that 29 percent of respondents' employers outsource technology jobs to India, China and other locations.
Of those respondents whose companies outsource technology jobs, half said that they believe doing so has had a negative impact on network security.
Sixty-one percent of respondents whose companies outsource technology jobs also said their organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose company does not outsource did. However, the survey noted that organizations that do outsource were “significantly” more likely than those that do not to report intrusions.
“We're not going to say we have any proven cause and effect,” Steve Birnkrant, CEO of Amplitude Research, told SCMagazineUS.com on Tuesday. “Correlation doesn't prove causation, but it's definitely intriguing that the companies that outsource jobs offshore are more likely to report unauthorized intrusions.”
In a separate survey released last December from Lumension Security and the Ponemon Institute, IT security professionals said that outsourcing would be the biggest cybersecurity threat of 2009.
In light of the recession, companies are outsourcing to reduce costs, but the practice opens organizations up to the threat of sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files, the survey concluded.
In contrast to their overall views about the impact that outsourcing has on network security, Amplitude/VanDyke Software survey respondents were largely positive about the impact of outside security audits. Seventy-two percent of respondents whose companies paid for outside audits said they were worthwhile investments and 54 percent said they resulted in the discovery of significant security problems.
http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/
Connecticut drops felony charges against Julie Amero, four years after her arrest By Rick Green on November 21, 2008 5:16 PM |
The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.
Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.
"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."
In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."
But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."
New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.
"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.
"For some reason this case caught the media's attention,'' Regan said.
The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.
The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.
Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.
http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
Growing Threat Spectrum
“If the Internet were a street, I wouldn’t walk it in daytime…”
• 75% of traffic is malicious
• Unprotected computer infected in < 2 minutes
• Organized crime makes more money on the Internet than through drugs
• The ‘take’ from the Internet almost doubled e-commerce
Courtesy: FBI, LE
Interdependence of Critical Infrastructure
We’re overwhelmed!
Society is not keeping up!
A Metaphor…..
The Unintended
Consequences
Security and Trust in VWs
Trouble in Paradise?
Evolution of Internet Threats
Griefers, Phishing, Hackers, oh my!
Set Your “Evil Bit”* to 1: Would you have thought of these attacks?
• Facebook “get rich quick” scams: only $1 down, how can you lose?
• Drive-by downloads: would you like bots with that?
*See RFC 3514, The Security Flag in the IPv4 Header
What is at risk?
• Time
• Effort: repair damage, deal with consequences, prevent re-occurrence
• In-game resources
• Computing resources: bandwidth, CPU, storage
• Real-world resources: money, sensitive data, identity
Do you trust me? Why?
Security and Trust in Virtual Worlds
• Some ways to attempt to maintain trust: eBay ratings, Craigslist community flagging, Second Life abuse reports
• How to manage identity in virtual worlds: user agreement, side channels, security zones, verifying avatars
User Agreements
• VW End User License Agreements (EULAs): degrees of protection, alternatives to the EULA scheme, general EULA awareness
• Issues: Who reads them? What are they?
Side Channels: Processes Outside of VW
• Provide “trusted path” to exchange info
• Help achieve authentication goals
• Two main types: prior to Virtual World interaction, and during Virtual World interaction
Security Zones
• Segregated areas within the VW: training/education, corporate clients, highly valued services
• Issues
– Cost: Second Life Private Regions (2009): $1,000 purchase, $295/mo maintenance
– Restricted or open
VW Authentication
• SSL-like authentication for the avatar
• Accreditation handled by a 3rd party
• Issues: How does the VW display the accreditation flag? Potential pitfalls?
Don’t trust anyone!
What starts off in VW can have consequences in real world.
http://oddorama.com/2008/02/11/scamming-the-scammers-5-brilliant-419-reverse-scams/
What else?….
Questions?
Where are the cybersecurity professionals?
50,000 Health IT Jobs Expected
October 28, 2009 - 5:53pm
If government predictions are right, health IT will create 50,000 new jobs in the future. The new jobs will be needed at all levels, from engineers to IT workers. People who have experience in the computer science and informatics fields will be especially attractive to potential employers, but the federal government will put some money toward training employees. Nurses could have the hardest time transitioning from paper to digital, but the training will help to close the informatics gap.
U.S. Faces Cyber Security Gap Without Training, EducationMarch 24, 2010 By Kenneth Corbin
WASHINGTON -- As discussions about the federal approach to cyber security continue to percolate across the highest levels of government, one of the most important steps policymakers can take is to nourish the education and training of a new crop of security experts, a senior administration official said here at the FOSE government IT show. Working in concert with the government, the private sector has made significant strides in improving software security and ferreting out vulnerabilities in the supply chain, but the flow of cyber security experts graduating from the nation's universities with advanced degrees remains anemic, according to Richard Marshall, the director of global cyber security management at the Department of Homeland Security.
Homeland Security to hire 1,000 cybersecurity experts
By Michael Cooney, October 1, 2009 01:42 PM ET
Network World - The Department of Homeland Security wants to hire 1,000 cybersecurity professionals in the next three years, according to agency Secretary Janet Napolitano. The department has the authority to recruit and hire cybersecurity professionals across DHS over the next three years in order to help fulfill its mission to protect the nation's cyber infrastructure, systems and networks, she said.
• “OJT”: primary source
• Certifications: emergent source; growing numbers, but which ones?
• Education: little to nothing; lack of trained faculty, little research funding, few university programs
The Options …
Not scalable!
How do we accelerate preparation of professionals?
THE SOLUTION: Growing Information Security Professionals: Pedagogical Institute Model
Figure (Pedagogical Institute Model): environmental inputs are Global Competition, Technologies & Policies, Professional & Social Trends, Experts & Community/Business Leaders, Political Environment, Economy, and Ideology/Culture. Potential: Students, Researchers, Educators. Outcomes: Professionals, New Knowledge, New Technology, Ed. Products.
Emerging Job Market
• Certified Information Systems Security Professional (CISSP), (ISC)²
• Certified Information Systems Auditor (CISA), ISACA
• Certified Intrusion Analyst, SANS/GIAC
• Certified Firewall Analyst, SANS/GIAC
• Certified Unix Security Admin, SANS/GIAC
• Certified Windows Security Admin, SANS/GIAC
• Certified Incident Handler, SANS/GIAC
• Certified Network Auditor, SANS/GIAC
• Certified Security Essentials, SANS/GIAC
Job Titles
– Director, Security
– Manager, Security
– Sr. Security Analyst
– Security Administrator
– Web Security Manager
– Data Warehouse Security Manager
– Network Administrator
Source: Foote Partners http://www.footepartners.com/SSCP.htm
Goals
• ISRM Certificate
• Efficient preparation for the job market
• From literacy to problem solving
• Communication skills
• Academic and training credentials
• Course 1: Information Security and Risk Management in Context
• Course 2: Building a Risk Management Toolkit
• Course 3: Designing and Executing Information Security Strategies
Content: Modules 1 through 5
• No BOK (body of knowledge) for IA/IS
• CISO : ISRM as CEO : MBA
• Framework
Teachers
• Academic:
– Barbara Endicott-Popovsky, PhD, Information School faculty member and Director, UW Center for Information Assurance & Cybersecurity
• Practitioners:
– Mike Simon, CTO, Creation Logic, and UW Information School affiliate faculty member
– Seth Shapiro, Senior VP & Risk Strategist, Kibble & Prentice
– Ilanko Subramanian, GRM, Trustworthy Computing, Microsoft
• John Stephens, Director, UW Professional & Continuing Education
Teachers (Cont'd.)
Guest Lecturers
• Kirk Bailey, CISO UW, Agora
• John Christiansen, Principal Legal Counsel, Christiansen IT Law
• Aaron Weller, Managing Director, The Concise Group
• Bob Clark, ISSA
• Dennis Opacki, Senior Security Consultant, Covestic
• Ernie Hayden, Smart Grid Security, Verizon Business
• Todd Plesco, CISO, Chapman University
• Michael Ness, CEO, Ness Group
• Brian Haller, CISSP, Associate/FSO, Booz Allen Hamilton
• Jim Poland, FSO, University of Washington
• Christian Seifert, Honeynet Alliance and Microsoft Corp.
• Ivan Orton, King County Senior Deputy Prosecutor
• Joe Simpson, Systems Engineer, Systems Concepts
• Ryan Heffernan, Security Analyst, Trustworthy Computing, Microsoft Corp.
• Neal Koblitz, Professor of Mathematics, University of Washington
• Mike Howard, Security PM, Microsoft Corporation
• George Graves, IA Advisory, KPMG
• Peter Gregory, CISA, CISSP, Senior Security Analyst, Concur Technologies
• Randy Hinrichs, CEO, 2b3d
• Ming-Yuh Huang, Technical Fellow, The Boeing Company
• Ashish Malviya, MSIM intern, PNNL
NOTE: These are your network
RESULTS: Well placed graduates
Sample success stories
• Asst. Dep. Secy., DHS: Mike Roskind
• CISO: Todd Plesco
• FSO, BAH: Brian Haller
• Tech Dir, NSA: Darren King
• IA Entrepreneur: Aaron Weller
• IA audit, system and risk analysts
• Research scientists
Unintended Consequences of Embracing the Internet…..