Slashdot Mirror
U.S. Cybersecurity Report Available
Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."
Definitely something worth investigating, just wondering what a few billion in research dollars is going to reveal - hopefully more than "it's a problem that's difficult to fix" report.
Video Phone Blogs send video messages straight to the web.
That is very true. Many colleges simply have a few security courses, and that is it.
But there are some colleges with offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security managment, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.
I was suprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
That just cut off Orlando from "homeland defense funds" for 2005, even though they get 44 million visitors a year (disneyland, etc).
The local news is sure pissed off about that. Kinda makes you wonder what their priorities are. Oh wait, Bush got re-elected, I guess the hype is over.
Yeah, I currently attend Dakota State University http://www.dsu.edu and we have a Computer Security Major & Minor, as well as a Masters in Information Assurance. It was created after 9/11 because the NSA said there was a shortage in computer security professionals. We're recognized by the NSA and both the DoHHS, it's pretty cool, but the courses from the degrees are awesome.
Actually, as I mentioned in another post, the students in these programs must basically double-up duty. They must learn the fundamentals as well as the security aspects.
The expiration date is true of most majors. I received my bachelors degree in Electrical Engineering and had three years of Mechanical Engineering, and beyond the basics, most of the specializations which students take on during their masters study, given technology trends, will carry an expiration date. That is why most college graduates should consider continuing education. In our program, the students learn the same fundamentals as a "regular" CS student, but then must learn in courses such as:
Some courses offered:
--Computer Security
--Secure Electronic Commerce
--Enterprise Security Management
--Secure System Administration and Certification
--Network Security
--Computer and Network Forensics
--Information System Assurance
--Advanced Computer Security
and I know there is also an Operational Security course being discussed, among others.
They also earn certificates in:
Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)
They must also carry out special side research projects as well.
Yes, burn out is initially high until the students become accustomed to having a lot asked of them, but the students make it through it and come out as highly competitive professionals (and highly paid), and the agencies they go into often pay to send them to school to keep up with technology trends. In five years, they can expect to be right back in the classroom (while working), but they will be paid for this. They are also paid to go to conferences. I would say that, after they emerge from the fire, most of them actually have a better understanding of the fundamentals because they get to apply them in a specific area, and also concentrate beyond the narrow focus of getting something to work, but to get it to work securely. They still go through the basic programming, operating systems, networking, and other courses as the other students do.
Also, because of their constant presenting and paper-writing in addition to their regular studies, they come out of the program as personable professionals who can write and speak in a public forum, basics that are often neglected in other programs.
The students in this specialization don't get out of the fundamentals. Call it fundamentals+.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Can we please shorten this report to two simple words?
Common Sense
My career in computing security; which consisted mainly of securing sites for small companies; taught me that much of what is going on is lack of clear policy and common sense.
Much of what I see missing can be traced back to the lack of a clear, well thought security policy.
This one document (often not more than a simple statement) is the root of all security related activities within an company or organization.
It have collaped and wet my pants while laughing at what I have seen for 'security' at some organizations.
An example: A company with some of the greatest tools and equipment; firewalls, VPN, the whole works. But with no clear documentation on how to configure what. Everything kept between the ears of the lead sysadmins. If they quit or get laid off (which happens); all this information gets lost.
Firewall set nice and tight (nothing in at all except VPN and port 80 to a machine on a security island). However, the VPN was configured with shared passphrase that was 'secret' and with no restrictions on what IP can initiate a connection.
Or VPN's that have proper certificates but with no revocation lists. Road Warrier VPN clients with the passphrase hard coded on the box and not having to be keyed in: Stolen laptop - direct acces to company VPN to inside network.
Or, nice tight firewall and VPN; but with open wireless ports inside (easily reachable from the parking lot or common building lobby or better still, the public cafe on the ground floor).
What realy keels me over laughing is how vendors are allowed free access to the company network. And how that access it not properly terminated upon conclusion of the contract.
Couple this with no clearly written and fully agreed upon (throughout the entire enterprise) security policy. Easy path to desire.
Luv you all
Cleara
Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the goverment, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in our security infrastructure read about that scenario is close to zero.