IT Security Education

I taught IPSec to my freshman platform class today. I love teaching this particular section of the book, because I usually expand it beyond the borders of what the chapter covers into a broader discussion of security. This time, as well as the last I assigned the McCumber cube paper (annex?) as a read and respond to lead up to it. It helps the discussion if the students have at least seen the source material. I opened today’s discussion by asking what the students thought of the paper. I had one student tell me that in researching his response, he talked to the industry professionals that he knows and they had never heard of McCumber or his ideas. Further, when asked, the same professionals could not articulate how they would plan for security of a system.  The student wanted to know why this was case, given that I said McCumber provided the model for good security practices. 

Though I never really gave much thought to the issue, the problem is endemic in the IT field. Certainly I see it in my daily dealings with my “service provider”.  The solution however is glaringly clear, and came to me right away: Most likely they had never been taught it. In fact digging deeper, I would suggest that the way the IT security is taught is inherently flawed. 

While I admit I have not done exhaustive research, my experience tells me that Security is generally given second billing or ignored in classes not directly dealing with the topic. It’s certainly true that the Platform technologies class I teach would be this way, were I to go directly from the book. (It basically says using IPSec will help you be more secure).  When security is taught, more often than not, we teach the tools (the technology facet of the cube) and ignore policy and education. Even then, we don’t necessarily teach appropriate use of the tools, leaving IT professionals ill-equipped to deal with the realities of securing systems.

This holds true in every niche in the industry, from coders to database admins to network engineers, creating potentially dangerous knowledge deficiencies which increase risk exponentially. While specially trained IT security personnel can sometimes help to mitigate some of the danger, real world example after example shows that it’s usually not enough. 

The solution is simple, though it will take a shift in the collective pedagogy of the field, and will move with the speed of academia. We need to teach security and security principles as core competencies across the IT discipline. Curricula should include the fundamentals of security as an integral part of technology rather than an overlay. At a minimum, all IT students, regardless of focus should have a dedicated security class early on in their academic careers. Education is one facet of the McCumber Cube. It should be applied to Information Technology professionals as much as any end-user, in fact more so. Early and often. 

Look ma, I Blogged two weeks in a row!

That's right, two weeks in a row. It's a new record for me. It's now one week after what turned out to be the worst flood the Region remembers. I finally started cleaning our basement. It's not too bad, and from what I can tell we haven't lost anything of value, but we were way over do for a cleaning. During this whole flooding mess Purdue Calumet opened a day, and in some cases two days before other institutions in the area. Why? Was it to maintain normalcy for the students' benefit? If that's the reason, it failed miserably. Regardless of what the ultimate goal is, a large majority of PUC students still commute to school. With most of the major roads in the area under water, this was no easy task. Add to this the flooded basements and in some cases whole houses that they had to deal with, and school being open was just one more hassle everyone had to deal with. I know as an instructor that it's hard when you fall unexpectedly behind in the curriculum. I understand that days of the school closing mean salaried employees who are paid not to work. But (This may shock some people) sometimes money's not the most important driver. Maybe there was a good reason for doing what he did, but if I were the Chancellor, I would have waited at least until 80/94 opened. It would have been easier on the students faculty and staff. 

In other flood related news, my friend who owns Critical Effect, the local game store, is feeling the secondary effects of disaster. a small but vital bridge, or the roadway in front of the bridge, suffered severe damage in the flood. The store sits very near though is thankfully a few feet higher than the bridge and they received no damage. However, the city is worried about the gas and electric lines that ran across the bridge and under the road. Until they give the all clear, he has been ordered to remain closed. Does insurance cover revenue loss when there is no direct damage?

I bring this up because I feel bad for my friend and his wife. Though this is not their only source of income, they have worked hard to be fairly successful, and a week or more of lost revenue can't be good for anyone in small business. But I also have a more selfish reason. I realized today that gaming has become an important part of what makes me who I am. (Those who didn't already know this can feel free to make their geek jokes now, I'm not bothered by them anyway.) The few hours a week I spend gaming provides me with an escape from the weekly stresses I deal with. Painting my miniature armies gives me a creative outlet, though I'm not all that good at it. It's also kind of nice to do something that's not IT related all the time, and to talk to people whose lives don't revolve around IT and in most cases don't know much about IT. Maybe that's a techie sin, I don't know. I have (or had,) other hobbies too (also non-computer related in most cases), but life has gotten in the way of a lot of them. It's hard for me in my current situation to leave work at work, and school has become ingrained in some way in most of my life, so it's nice to still have an outlet from both. 

BTW, Chris, if you read this, get in touch with me in a more direct method. We haven't talked in too long, and I don't have any good contact information on you. 

So-called weekly Blog

OK, so this is what? my fourth post in four months? So much for posting weekly, I guess. I will try to be better about keeping up that schedule, now that the beginning of the semester fires are burning themselves out, and I'm starting to get used to the fact that free-time doesn't exist when you are a student, and you work full time, and have a wife and a house and responsibilities, and oh, by the way, technically hold down a part time job on the side. I had a plan to manage my time today. I had a list of things I needed to do, and I was going to get up when Criss left for the kids' band competition (early) and perform a series of mundane house associated tasks and then grade papers, followed by homework. 

Instead I woke to a flood of near biblical proportions. That's an obvious exaggeration, but it was the worst it's been since we've been here. The street was flooded up to the door step, and our back yard had obvious standing water. My poor beat-up Neon is now waterlogged on top of everything else. 

Crissy still intended to go to work, and went into the basement to get her pants out of the dryer. The only problem was, the entire basement was under a little more than a foot of water. 

I went and bought a pump. It's the best $100 I've spent in a long time, once I got the floor drain cleared, it and the pump got most of the water cleared up in about 20 minutes. 

So, I was only about two or three hours behind at this point and could have jumped into action with the housework... instead I went back to bed and slept.

In other news, we had an SOT meeting yesterday. I'm not going to into many details because I don't want to say anything that may jeopardize my employment. I will say though that it put me in mind of my last posts here, so let's take another look at higher education. 

Last time I wrote, I came up with the following definition: An institution of higher learning with teaching and research facilities, made up of colleges and professional schools, which grants both graduate and undergraduate degrees, and is governed by the state and not a private body. 

That's all fine, but it still doesn't answer the question. So, in order to measure anything we need a valid metric. I mentioned before that the metrics currently in use were not appropriate, so let's look at our definition to try to find something valid. The pieces I see as being important to the mission of a university are " with teaching and research facilities" and "grants both graduate and undergraduate degrees". If we take just "with teaching and research facilities" we end up measuring the facilities and not the mission. So instead we focus on he granting of degrees. If we just count number of degrees awarded, or number of different types of degrees awarded, however, we end up back where we started, counting throughput rather than quality. 

Something is still missing. but if we go back and look again at the context under which our public universities are founded, we may find the key. While I said before that not all public universities were founded for the same reason, most have in common the fact that the original purpose was for the training of the population (usually at the state level) in various professional pursuits. Taking those things together, I'm going to make a leap here, and propose a metric. I say that quality should be measured by the number of degree recipients from a given university (who so desire)  that are actively employed in the field for which they were educated. 

I could be wrong, but I think it's a valid metric, and one that is only marginally tracked. Why? I have my thoughts. Maybe I'll talk more about it in a later post.