The State of Information Security Education
Interview with Prof. Eugene Spafford of Purdue UniversityIn this exclusive interview, Spafford discusses:
- The state of information security education today;
- The communication cap between businesses who need security professionals and schools that educate them;
- Trends in information security education.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Professor Eugene Spafford of Purdue University. And to quote from his own biography, Gene Spafford, or "Spaff" as he is often called, is one of the most senior and recognized leaders in the field of computing. He has an ongoing record of accomplishment as a senior advisor and consultant on issues of security and intelligence, education, cyber crime and computing policy to a number of major companies, law enforcement organizations, academic and government agencies, including Microsoft, Intel, Unisys, the U.S. Air Force, the National Security Agency, the Government Accounting Office, the Federal Bureau of Investigation, the National Science Foundation, the Department of Justice, Department of Energy, and two Presidents of the United States. What is your biggest information security concern?
EUGENE SPAFFORD: I would say that right now my biggest concern is the problem of knowing what you are running and where your information is. That many of the attacks we are seeing are fitting in Trojans, managing to infiltrate various software artifacts, possibly through the supply chain that compromise your software stack and that are used to leak information or alter the integrity of files on systems and this is a very pervasive problem that is going on, much more complex than many in the field believe it to be and there are primarily focused at spot solutions.
TOM FIELD: Now certainly we see those things in the financial institutions as well in a lot of the threats that we see in the landscape today. Now, we are here to talk about information security education and I want to ask, from where you sit at Purdue, what is the state of information security information today?
EUGENE SPAFFORD: It is not well developed in many ways. The field is actually quite broad and there are a number of things that can fit under that rubric of computer security, information security education. We as field don't necessarily agree as to what the fundamental aspects of that are. The call for our graduates is across a very broad spectrum, and that makes it more difficult, and the teaching materials -- well, we don't' have a lot of materials that we might use. Many of the people teaching at school don't have any experience in the area, and so it is a mine--rather immature, and we are probably not providing the level of response that we need to be making for the current demand for our graduates.
FIELD: And there is a demand there certainly. Gene, in terms of the information security professionals that we are turning out, what are the--how can we be assessing the quality of their training and their education?
SPAFFORD: Well a lot of that depends on really that difference between the training and the education and the role that we want them to fill when they graduate. So, the difference between education and training is really education is more related to the fundamentals and interrelationships of the concepts and allows the students to deal with new problems that they haven't seen before, new situations, comfortably.
Training is more oriented towards using existing solutions and managing existing environments, and we have a need for both, and we provide both here at Purdue. Some schools are oriented more towards one than another. The training aspect is particularly critical if you are looking for people to come in as auditors, forensic investigators, system administrators, individuals who are filling those kind of roles that are really hands-on with a particular platform in a particular environment. Some are getting really excellent training, but a common problem across the academic landscape right now is few places are able to afford the hardware and software to train our students on what is currently in the marketplace because vendors are not inclined to donate any of their products to institutions, and there simply are no funds to buy them. They are very expensive security products that are out there.
So from a training standpoint, academia is not able to really train up in every area students to the level that really are probably demanded by industry. And some areas we are able to do some of that -- we have a very good forensics investigation program for instance, that actually does have cooperation from a number of vendors. But how many schools have a relationship with vendors and a program like that?
On the education side, that requires a little bit broader base of expertise of faculty and resources to train people in fundamental issues that go beyond simply the computing system, beyond current firewalls, Windows, Linux, whatever systems are currently being run, and actually look at some of the history and theory and fundamentals of information security. There we are somewhat limited. We don't have as wide a variety of teaching materials, textbooks, labs, that we might, and a very small number of faculty who actually have some experience in the area to be able to teach to the breadth that we would really like to have.
FIELD: So it sounds like the common themes here are the inconsistencies of programs and the lack of available resources, whether it be training equipment or personnel themselves.
SPAFFORD: That's pretty much the case. We have no problems placing our graduates. There is a huge demand for them, much more than we can fill, and that is part of the problem is that many of the places responding to that demand are doing so without even knowing that they don't have the appropriate resources to do it well. And many of the consumers on the other side also don't know what they are looking for, and so that exacerbates the problem. We've seen that actually going on for over a decade where there has been this mistaken belief that people who are somehow able to find flaws in software or break into systems because of misconfigurations are some how expert in security, which is not the case. But because of a lack of sufficient depth of knowledge by all the parties involved, that is the closest people can get.
FIELD: So it sounds like what a lot of people are getting is on the job training after they leave school. They are getting a whole lot more education when they start this professional career.
SPAFFORD: Again, it depends on the career path, but for those who are in an operational environment, that is usually the case. The threats that come at them are new, the hardware and software they have to learn is relatively new and is changing all the time, and so working as part of a group and staying active in professional associations and continuing education is really a way for those personnel to go.
We are finding that some of the people we are producing for major software companies as architects, as law enforcement investigators, as policy people who are involved in setting security policy issues, and many who work in defense and intelligence fields, the education they are getting through our program -- here in particular is the one I know about best -- is pretty solid. And yes, there is always going to be some growth on the job, but they are not coming in really unprepared.
FIELD: Now based on your knowledge of industry and industry needs -- you've certainly got good connections within industry -- what should be the focus of information education, information security education programs today?
SPAFFORD: Well the information security problem as a whole in industry is not so much that we don't have the personnel available to fix things. The problem is that decisions are being made to continue to buy and deploy system in manners that are difficult, if not impossible to secure well. And therefore, what is really missing is the bridge between the security expertise and the management and purchasing decisions that are being made, or the security and risk assessment knowledge and the CIO level in many organizations.
So, we need to do a better job there of not only building those bridges so that the security people understand how to talk to some of the C level executives about security issues, but also we need to inject some basic security awareness into the programs and educational backgrounds of those individuals at the C level who are making those decisions. If they continue to buy software and hardware based on purchase price or compatibility with previous generations of word processing software rather than looking at the risks and the issues of making the systems secure against the threats facing the corporate environment, there is not a lot that we can do in the education side to make that better. Applying patches after the fact isn't going to fix things.
FIELD: Sure. Gene, how well are today's students trained within the schools for the real world threats that they are going to face as soon as they get out there in the business world? And as we all know those threats change on a daily basis.
SPAFFORD: It is variable again. In some programs the students drill and study very carefully specific threats, and they know how to deal with them, but you may not therefore have the grounding to deal well with the evolution of those threats. In others it is a generic background, and they haven't seen specific incidences, and that is going to come from experience.
As I mentioned earlier, in a lot of programs the students don't actually have access to current hardware and software that is used in corporate environments, so they are unprepared in that regard to walk in and immediately start handling that equipment. It is a complex set of issues, and I would say probably the biggest failing that we have with our students going off is many of them do not realize the constraints under which they will be required to operate, financial for instance or regulatory in some environments. It is very difficult to teach all environments, so for instance going in to maintain in the banking industry there are regulations that we normally don't reach our students about because it is only a small segment of the population. But they also don't understand just how devious and mercenary some of their opposition may be, and that is a hard thing to get one's head around, I think, particularly for younger people when they have to go out and craft defenses or respond to things. They just don't really have a sense that there are people who are like that.
FIELD: Sure. You could almost give a graduate degree in phishing these days.
SPAFFORD: Sadly, yes.
FIELD: Gene, as you know there has always been a level of miscommunication between industry and academia. You know the schools are always saying 'tell us what it is you need and we will train people for that,' and the businesses are always saying, 'well, give us what we need and we will take your students.' What do you see as the biggest gaps between business and education today?
SPAFFORD: Well I think you touched on it actually in some of your questions. Businesses want people who can immediately hit the ground running. You plug people in positions and have the expertise to suddenly start managing some aspect of the program. We don't' have the capability to teach students to that level for each environment, or even to keep them current with the current technology.
What we do best is actually in providing the students with a grounding that allows them to quickly learn new technologies, new threats, new environments, and to apply their general knowledge to the specific problem and take over. If we move to far in the direction where industry pressure us, we have people who may be very adept for the next three years and then become stale, and it's not a service to anyone because they are no longer able to work as well unless they invest a very large amount of their time in retraining. What I have pointed out to people with the number of individuals who went through community colleges for instance and got training in COBOL are now struggling to deal with Web 2.0 environments. We try to make sure that our graduates have the tools that they are able to adapt and continue along as they go. Of course, if we go too far in that direction and we don't teach specifics, then it takes too long for them to spin up in a position and be able to take on responsibility.
So we, the philosophy that we've taken here at Purdue is to actually get companies involved in the center in the program that we have and provide materials and personnel and internships to help make sure that our students have domain-specific knowledge when they get out, and those of us on the faculty ensure that they have a good general foundations as well.
FIELD: That's good. So the business has got an investment but also a vested interest.
SPAFFORD: Right, and additionally their support. Not only can we address their specific problems, but also they are helping us expand the program to provide more people.
FIELD: Gene, in terms of information security education, what trends are you seeing right now? What do you think we will be talking about two to three years from now?
SPAFFORD: Well, I find it interesting to look at the broad sweep of security history, which is a luxury I have here in academia, not many others necessarily do. But we have had cycles of threats and defenses, very broadly stated and where we are in now is in problems with authentication and isolation of faulty software as major problems. And so the trends that we are moving towards are stronger authentication and attribution, so we are worried about more with cryptographic signing, log in id's, single sign ons, DNS signing, email signing for spam prevention. All of these are generally under the area of better authentication and attribution and that is going to become a bigger problem over the next few years, particularly with issues like phishing and similar threats.
And then a second hot topic that is growing in interest is the whole area of virtual environments and containment; virtual environments, virtual operating system hypervisors is the current work. Not a new concept and there have been two cycles of that previously that we have seen in the industry, primarily for the same reasons to help isolate failures. Every time we've gone back to re-examining host operating systems, and I think maybe about four or five years form now we will probably see some efforts there. But for the moment, containment issues and I think authenticity are going to be the two big buzzwords.
FIELD: Now as you know Gene, we cater to people on our career site that are just starting their careers ,and we cater as well to people that want to make a career move, maybe mid-career and get into information security. If you had a single piece of advice for people looking to move into information security now, what would that be?
SPAFFORD: Well I'm not sure I can come up with one single thing. There may be, I will give you two that I think are important. The first is it is helpful to understand how security fails to learn how to make it better, but the two are not equivalent. I see many people who get led down the path of saying, well if only I can find buffer overflows or holes in somebody's firewall, then that will give me security expertise and I will be able to establish myself. And really that is not the case because much of what we are using now is prove to failure, isn't designed well for security, and finding those flaws isn't really that difficult and doesn't require the deep understanding that is equivalent to designing systems securely. So although I think there is value to be gained there by individuals who look for those problems, that is not really understanding security, that is understanding penetration and there is a difference.
And that leads to the second part of this point, which is, if someone is interested in moving into the area, identify the part of the area that they are interested in moving into. Try to find a good program, either as a continuing education, self-study, or maybe even going back to school, to study fundamentals, architecture, language design, network protocols and the history of security. Understand the big picture - physical security, personnel security and how all those fit together to be addressed comprehensively, not by a particular product, but by a whole mindset and design.
FIELD: Very good. Gene I appreciate your time and your insights today. Thank you so much. For Information Security Media Group, I'm Tom Field. Thank you very much.