"There are positions in the IA field for lots of folks," says Likarish, assistant professor and program chair for the information technology department at Regis.
The nation's critical infrastructure is vulnerable because it's based on older technology. Stuxnet, now that it's out in the open, can be deployed by the black hats and cyber terrorists. Video game systems, like Sony's PlayStation, are being targeted, and their networks aren't as secure as they should be. "There's going to be quite a set of skills that are needed," Likarish says.
People with good analytical backgrounds that understand regulatory compliance are in demand. Then, defenders of the IT systems will always be in demand. "We need the tens of thousands that can manage those ... defenders and then we need 100,000 that are out there learning the trade, that are passionate about what they do and that are willing to put in the extra hours to keep the citizens of the nation and the state secure," he says.
Universities like Regis are offering classes in information assurance, software development, mobile technology and cloud computing; now is a better time than any to get involved. "I'm encouraged because we're early in the employment cycle and the numbers are just great," Likarish says.
In an exclusive interview about information assurance education, Likarish discusses:
- Opportunities for today's students and grads;
- Trends impacting information assurance education; and
- Today's morphing threat vectors.
Opportunities abound in the public and private sectors for trained professionals. And Regis is just one example of a school stepping up to meet the educational needs of these new pros.
Likarish is responsible for the Information Assurance and Systems Engineering curriculum at Regis University. He is also the Director of the Colorado Front-Range Center on Information Assurance Studies and the principle investigator for major grants from the Colorado Institute of Technology, CISCO, Hewlett Packard, and Hitachi Data Systems. Professor Likarish's research and teaching interests include the design of Web 2.0 teaching tools, work flow for 21st-century knowledge workers, and distributed secure trusted systems.
IT Security Threat TrendsTOM FIELD: There's been so much in the news in recent months. We've seen Stuxnet. We've seen a procession of high-profile data breaches. What have we learned from some of these trends that we've seen over the past 12 months or so?
DAN LIKARISH: As we've known for quite a while within the profession, now it's becoming publicized, becoming public knowledge, our critical infrastructure is vulnerable. And it's for a good reason. And the good reason is that it's well established, it's based on older technology. The way I look at it is our grid systems, whether they're water, power, rail, communication, they're overlaying this older, physical-type technology that's a logical implementation.
Now the telecom industry is in a pretty good place because they've had to keep up with the times. But what the Stuxnet worm attack has shown is that our industrial systems are available to compromise. The dirty little secret about Stuxnet is, now that it's out in the open, it can be deployed by the black hats, the terrorists, those that are not our friends, our enemies. We and the rest of the world are very susceptible to SCADA intrusions. That's why I like to keep everyone current with today's problems, and that was just addressed at a conference that I attended this week. It was a security conference for the CAEs and that was one of the big problems that we're trying to address. We're adjusting that at Regis quite well.
And then, the other side of the spectrum not terribly far away from that are the attacks that are occurring against gaming systems. It's the PlayStation vulnerabilities, the media attacks that seem to be rolling through on a daily basis. It's difficult to separate cybercrimes and cyber terrorism. One goes to the other. Cybercrime, where you're going after account information, that's a very important area to defend. We've got to maintain people's privacy. We've got to maintain their intellectual property. We have to maintain companies' privacy, intellectual property and the employees that work there. Those are the current trends that I'm seeing that are just at the top of the list.
FIELD: As you say, you've just come back from a conference, so I know you've got some fresh perspectives. How do you see the threat vectors having evolved in recent months?
LIKARISH: The interesting result, and this is reported by university researchers, government researchers, is that the threat vectors are changing. I mentioned the Stuxnet attack against the centrifugal uranium processing equipment. That, in and by itself, is interesting. The threat vector has morphed on this very specific case of uranium processing, aggregating uranium for explosive intent. And now, Siemens has admitted that all of their controllers- and by example, that entire volume of SCADA systems - are very vulnerable. By having the Stuxnet virus available, it can be deployed against many different sectors. So that's not a good thing. That's an expansion into the SCADA system of the current threat.
The interesting thing on the PlayStation attack is that you really don't want to make German hackers mad. At a Berlin conference, the hacking community went out of its way to publish, in detail, what the PS2 security model looked like. That's a tutorial for disaster. That allowed the hacking community, the cybercrime community, to take advantage of those vulnerabilities. It was a race against time and Sony lost. They were able to obtain over 100 million - who knows how many - credit cards from that weakly defended and improperly architected system; that was published by the gray hat community.
The threat vector seems to be morphing. Cybercrime terrorists are going after credit information and going after the financial sector. That's a threat surface that's very exposed.
FIELD: What about mobility? What vulnerabilities with mobile devices and technologies concern you?
LIKARISH: It's the security model for the Android, the iPhone, pods and the tablets. They seem to be fairly well protected, but there are beginning to be published vulnerabilities on those devices. The interesting thing about the marketplace is that Apple only has 4 percent. That's 4 percent, the last published data that I saw, of market penetration. And there are reasons for that. On the other hand, the Android market is about 50 percent. That raises both devices into the area of interest for cybercrime. I guarantee in the next 18 months, we're going to start seeing security patches blowing out your phones or your devices without knowing it, because our devices are weakly defended. They are where we keep our credit card information. If you're purchasing through Amazon on your device, that means you're a target because you have credit card information.
But on the other hand, where is all that information consolidated? It's not all consolidated at the company, it's also kept out on the cloud, and that also raises issues. The cloud is well defended. We haven't seen massive intrusions on the cloud other than Amazon having a problem with that. It may have been more of an internal, infrastructure architecture problem. We know that mobile phones and devices are going to be a problem in the near future.
FIELD: I ask you these questions for a reason, because what I'm going toward is, with all of these trends, how do they impact information assurance education today?
LIKARISH: I saw this at last week's conference. What's going to happen is the Department of Homeland Security is going to start rolling out public service announcements talking about what individuals can do. They're already working with Fortune 1,000 companies to be able to try to codify and give the best advice and practices. The other thing is the K-through-collegiate curriculum is changing, both within the area of software assurance, as well as the management of cybersecurity. Our marching orders from this week have been to continue to take a look at our curriculum and make sure there's quality there. That's sort of the top-down approach that you get out of the government. But specifically, we are bringing our curriculum into concurrence with Carnegie Mellon software assurance curriculum. You'll see us respond with courses in software assurance - a huge field - as well as the current classes in information assurance, cybersecurity and management security.
FIELD: With the changes in the threat vectors in information security and trends, did this impact the type of student that you need today going into information assurance?
LIKARISH: Yes. One of the things that I want everyone to understand is there's a broad spectrum of defenders that is needed. So many times I get wrapped in the technology, but there's a need for regulatory personnel, management and audit compliance. Those are fancy words for business people. It's not only just the accounting side of the house or somebody that's experienced in systems and architecture. There's going to be quite a set of skills that are needed; people with good analytical backgrounds that understand the regulatory compliance and how they inject that into their business processes. And then, of course, there are always the 1,000 defenders that we need that are really good. We need the tens of thousands that can manage those really good defenders and then we need 100,000 that are out there learning the trade, that are passionate about what they do and that are willing to put in the extra hours to keep the citizens of the nation and the state secure.
FIELD: What are the career options that are open to information assurance professionals today? Have they changed?
LIKARISH: Yes, they've changed. The government has done a really good job of trying to enunciate the need, and it's not based on inflated numbers. We're moving into this mature Internet and mature lines on ITIS systems, Information Technology Information Systems. That's a broad field. There's awareness on the government side.
Here's what happened. The government established the regulatory climate in conjunction and in collaboration with business. That's always the way things happen. Once that gets established, it's tested over on the government side, especially with the DOD. That's been going on for several years. And now they're fully mature security models that will be made available to business. Guess what? In a few years, it's not only available, but it's arm twisting. And then in a few more years, it's, "Are you compliant? You're not compliant; you can't do business with us." And we've already started down that path. That's nothing new.
On the federal contractor side, contractors are required to have "X" number of these classified people, that are not only classified but trained people. And they're relying on the Centers for Academic Excellence at the university level to do research and to train professionals. You're going to see a movement towards standardization across the community colleges. So the CAE/CCs are out there. And the initiative for K-12 is expanding. Those of you with young families, you'll start seeing IA cybersecurity curriculum, whatever it's going to be called, in middle school through high school.
FIELD: Let's talk about Regis. What's new from Regis University since last we spoke in response to some of what we've talked about today?
LIKARISH: I'm working with Dr. Doug Hart, our software engineering program coordinator. I'm working with him to be able to bring up a good software assurance program based on the Carnegie Mellon model. It'll be adapted to our resources and our abilities at Regis. We'll have that available.
And then it's the modernization of the courses. We offer a good suite of forensic courses that are in a continual state of quality control and assurance. We have a fairly broad curriculum in terms of what we're doing within management. One of the ancillary courses we're offering is XBRL education. I haven't confirmed it, but I think we're the only university that's doing that at the moment. XBRL is the international reporting language for accounting both for federal and international. It's a very specific course, but that's the sort of thing we try to do. We're not leading edge, but we're definitely cutting edge in what our students will be trained in. Those are some of the highlights. And then there's the usual work in the trenches.
FIELD: I have a final question for you. What advice would you give to somebody that wants to start a career in information assurance today?
LIKARISH: I'll give you the same advice that the University of Texas at San Antonio fellows gave me. The men and women down there, when we were talking about if we should get involved in the regional, they said, "Look, you've just got to be in the middle of it." They've looked at our resources, at how we were able to do canvas and said we're better off than most. A lot of them just sort of had been working at it for quite a while and just got onto it. That's the same advice I would give to somebody considering either a career change or is new to the field of IA. We have so many IT people that are interested in IA because you're going to chase where the jobs are. That's a good thing.
Don't be intimidated by anyone. There are positions in the IA field for lots of folks. I'm encouraged because we're early in the employment cycle and the numbers are just great. In the next three to five years, we're going to see maturity of the business processes; the way companies and government handle this. You just have to be adaptable and you just have to learn off hours. If you need to go to a community college and get some background, that's great. If you need to pick up a book and start thumbing through it, I think what you'll find is IA is a field where once you've learned the language, you're going to find a lot of similarities in the lexicon between software programming, systems engineering, business processes and architecture. So just get involved. That's the best I can offer people.