
Security Matters
Education for First Defenders: The CERT Survivability and Information Assurance Curriculum [2006 | 7]
Lawrence R. Rogers

Editor’s Note

In this installment of the Security Matters column, guest columnist Larry Rogers introduces news@sei readers to the CERT Survivability and Information Assurance (SIA) Curriculum. Rogers is a senior member of the technical staff at the SEI CERT Program and the chief architect and designer of the curriculum.

The SIA Curriculum (at http://www.cert.org/sia) is available to any interested college student, graduate student, faculty member, business, or network or systems administrator. Free to the Internet community, both student and instructor materials are available for download. (Instructors must register and accept the terms of the license agreement.)

Since the launch of the Web site in January 2006, the SIA Curriculum has achieved a number of successes. Nearly 100 faculty members from 88 institutions in 29 U.S. states have requested and received access privileges to the faculty download area. More than 900 general downloads by users in 87 countries have been recorded. Users represent a mix of businesses, individuals, and educational and governmental organizations.

You can read Larry Rogers’ complete article about the SIA Curriculum at http://www.cert.org/sia/SIA_Curriculum.pdf.

Richard Lynch
Editor

Introduction

In today’s world of computer and network security, much emphasis is placed on personnel referred to as first responders. While responding to computer and network intrusions is important, comparable attention should also be placed on first defenders, that is, the system and network administrators whose job it is to install and configure, manage, and maintain computer systems and network infrastructure components.

First defenders can be more effective in securing computer systems and network-infrastructure components if they are properly educated and trained. They need a way to think about security issues and a set of skills to help them integrate security policy, practices, and technologies into their operational infrastructure. Success in this area makes the job easier for first responders.

The Survivability and Information Assurance (SIA) Curriculum (http://www.cert.org/sia) is designed to teach experienced first defenders about survivability[1] and information assurance[2] as well as a means to integrate these concepts into their routine tasks, in order to produce a more secure and stable operational state.

The concepts described in the SIA Curriculum are old in some ways and new in others. For example, tasks performed by first defenders now have names and a defined order using methods such as Security Knowledge in Practice (SKiP).[3] While the tasks are old, the order is new. Similarly, many first defenders have been aware of policies and procedures—the old way—but using these policies and procedures as constraints that govern actions represents a new way of thinking. Lastly, there is a direct connection between hardware and software technology and the mission of the enterprise, and this too is an example of new thinking.

The SIA Curriculum lays the educational foundation that we believe first defenders need as the basis for the technical training necessary to manage the enterprise network. Education and training are complementary and both are needed for long-term success. Often training addresses only short-term needs and must be repeated as technology changes. Because of its educational focus, the SIA Curriculum is much less sensitive to technology changes, which in turn means that it should be able to lay a firm foundation for the foreseeable future.

Target Students and Audience

The SIA Curriculum is a 3-course, 13-semester-credit hour (162.5 total hours) educational product. The curriculum is intended to be used by community colleges, four-year colleges and universities, and graduate schools.

While the intended audience is the experienced first defender, industry professionals who manage first responder teams can benefit as well. The recommended amount of administration experience is two years. In the absence of this experience, a student should have a solid computer science or information technology educational foundation, including networking. Managers may benefit by learning the SIA principles so they can better understand and manage the first defenders who work for them.

Courses

This curriculum teaches a new method for performing traditional systems-administration tasks, and it integrates the concepts of survivability and information assurance into these tasks. Each course is discussed in the next sections.

Course 1 – Principles of Survivability and Information Assurance

This course presents the 10 principles of survivability and information assurance.[4] These 10 principles are the basis for the entire SIA Curriculum. Much as a highway is only as sound as the roadbed on which it is built, the enterprise network is only as sound—from a survivability and information assurance perspective—as the roadbed of principles used to build it. The principles of survivability and information assurance provide a firm, modern, and realistic roadbed for today’s and tomorrow’s enterprise computer networks.

The principles of survivability and information assurance are presented in a technology-independent way. It is important for first defenders to grasp the fundamental issues of these principles, independent of the corresponding technology. The reason for this approach is that all too often first defenders view the set of problems they face and the solutions to those problems in terms of the technologies they know. This technology-constrained perspective limits the range of problems and issues that a first defender can see and their available solutions.

It is a change in mindset for today’s first defenders to dig down deeply in search of the root issues and then step back to apply technology. It may also be a change in mindset for their managers to allow first defenders to approach problem understanding and solutions in this manner. This approach is less satisfying in the short term because results (completion of tasks) happen more slowly but is more satisfying in the medium to long term because problems are more thoroughly understood. Instructors will likely face some resistance from students and managers who expect every problem to be solved quickly.

The lab component for this course familiarizes the students with the specifics of the technology used in the curriculum implementation, specifically Red Hat LINUX Version 9. It helps first defenders better understand the guided tours and demonstrations.

Course 2 – Information Assurance Networking Fundamentals

This course applies the 10 principles described and explained in Course 1 to the concepts and an implementation of TCP/IP[5] networking. It takes a critical view of the TCP/IP protocols so that the students are well informed when they are challenged to make network-related decisions in the workplace.

Students learn and reinforce their knowledge of networking specifics through out-of-class readings using W. Richard Stevens’ TCP/IP Illustrated, Volume 1 – The Protocols.[6] The bulk of the lectures in the class consist of more detailed, critical, and thought-provoking discussions of the TCP/IP protocols. Challenging protocol assumptions and gauging the risks to the enterprise when using these protocols are important parts of these discussions.

Course 3 – Sustaining, Improving, and Building Survivable Functional Units (SFUs)

In this course, students inherit an existing enterprise network, and their objective is to manage it according to the principles learned in Course 1. Course 2 provides the basis for understanding the protocols underlying the existing network they have inherited. This course is designed to provide a framework for managing existing functional units (FUs) using SKiP, assessing the critical information asset risks with the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method, and adding a new survivable functional unit (SFU)[7] to the existing infrastructure.

This is a laboratory-based course where students work mostly in teams. Each team sustains and improves a functional unit in a lab-based enterprise network. Improvement, in this case, refers to improving the level of survivability of the functional units, thereby making them survivable functional units. The instructor then demonstrates how to add a new SFU to the network, which is the “building” part in the title of "Sustaining, Improving, and Building Survivable Functional Units (SFUs)". Time permitting, students design and build this SFU and integrate it into the enterprise network in the lab.

Summary

The SIA Curriculum’s goal is to educate experienced first defenders about the principles of survivability and information assurance. Because technology is dynamic but skills training is not, combining education and training is an important part of creating successful first defenders. First defenders who grasp the fundamental issues facing them can continue to be successful even as workplace technology changes. By balancing the enterprise mission and the technology that enables it, first defenders who are able to change their ways of thinking can increase their value to the enterprise and make the enterprise network better able to survive in today’s and tomorrow’s globally connected world.

The SIA Curriculum creates a firm educational foundation on which skills training can be layered. It goes beyond the walls of educational institutions because it contains something for all first defenders concerned with survivability and information assurance.

For more information, contact—

Larry Rogers
email: lrr@cert.org

[1] Survivability is the capability of a system to fulfill its mission in a timely manner in the presence of attacks, failures, or accidents.

[2] Information assurance comprises the information operations (IO) that protect and defend information and information systems (IS) by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

[3] See http://www.stsc.hill.af.mil/crosstalk/2002/11/rogers.html for more information. This is SIA Principle 7, titled “Security Knowledge in Practice (SKiP) provides a structured approach.”

[4] See http://www.cert.org for more information.

[5] TCP/IP, short for the Transmission Control Protocol/Internet Protocol, is the suite of communications protocols used to connect hosts on the Internet.

[6] See http://www.kohala.com/start/tcpipiv1.html for more information.

[7] See http://www.cert.org/archive/pdf/04tn004.pdf for more information.

About the Author

Lawrence R. Rogers is a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and of software tools and techniques for creating new systems to be deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX System V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.

The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.

Copyright © 2008 Carnegie Mellon University