Practical challenges to worthwhile intentions for training more security professionals

While it’s hard to see the current emphasis on information security training as anything other than a positive trend, the popularity of security programs at many higher education institutions may not produce the next generation of appropriately skilled and qualified infosec professionals without some consideration of how the training is structured. Undergraduate and graduate degree programs in information security (or information assurance, or cyber security, or any of the trendier labels for such programs) are often marketed to individuals based on the anticipated need for workers trained in security, with little regard for the prior educational background or work experience of the prospective students. Most of the institutions offering these programs also try to get their curricula approved by the Committee on National Security Systems (CNSS) or other government bodies, since the Department of Defense and other government agencies use such approvals to judge the validity of the training that information security job seekers have had (along with attainment of the certifications designated in DoD Directive 8570). CNSS produces training standards for information assurance professionals, which in general specify the set of topics and functional responsibilities that people working in various security-related positions should master.

Institutions and their faculty members face the challenge of taking students from introductory information assurance basics through to a level of knowledge sufficient to establish them as qualified to take on specific infosec responsibilities. This task is made harder in some topic areas by the fact that few technically focused information security textbooks are produced, and the ones that are tend to cover broad ranges of security topics without the level of detail or rigor necessary to develop a thorough understanding of any one of them. The materials that are available for this purpose include narrowly focused product- or task-specific reference books and manuals, so supporting a typical graduate course curriculum with such materials may mean drawing content from a large number of sources. There’s nothing inherently wrong with this situation, and in fact it reflects business as usual for much of the practice of information security, but both instructors and students often prefer having just one or two comprehensive references to cover a topic, and finding such references often proves an elusive goal.

To use intrusion detection as an example, consider the content coverage necessary for a course that seeks to address all of the major aspects of the topic: network-based and host-based intrusion detection and prevention; signature-based and anomaly-based detection methods; protection against external and internal threats; the technical underpinnings of intrusion analysis, the related threats and vulnerabilities, and the use of detection mechanisms to mitigate them; and the positioning of intrusion detection in relation to related disciplines such as network security monitoring, incident response, forensic analysis, event correlation, and defense in depth. There are excellent technical references available for each of these topics, but no comprehensive coverage of all of them in a single source, in a format that could be used effectively as a course text. In the graduate Information Assurance program at University of Maryland University College (UMUC), the course on intrusion detection and prevention for many years used Paul Proctor’s Practical Intrusion Detection Handbook as one of its core texts, in large part because Proctor tried to address, in a single volume, network-based and host-based IDS, deployment alternatives, behavioral analysis, operational models for intrusion detection activities, and the factors organizations typically consider when evaluating vendors and tools in the IDS market. The value of Proctor’s book, like that of most security references, has diminished significantly in the years since its publication in 2000, and large portions of it are now so out of date that they are inaccurate as well as irrelevant. Due largely to its age, UMUC replaced Proctor’s book with a more recent work in the same general topic area, Ryan Trost’s Practical Intrusion Analysis, which aside from being current also illustrates the two prevalent types of IDS technology through descriptions of Snort and Bro.

Trost’s book has some shortcomings as anything other than a reference for specific subsets of intrusion detection topics, particularly because it was assembled from a separately produced group of chapters by different authors, and it has not been favorably regarded by some expert security practitioners. As a course text on intrusion detection, Trost’s book matches the approach of quite a few others in focusing exclusively on network-based intrusion detection, which limits the applicability of its material in terms of the threats and organizational security objectives it addresses. Practical Intrusion Analysis also reflects a trend seen in many recent books of covering only new or unique topics, on the assumption that the reader already has other references available describing the basic material on which the book builds. This assumption may be valid for security professionals, but it is rarely true for students.

In theory, the best way to approach a course purporting to cover, at least at some level, all the major topics related to intrusion detection and prevention would be to integrate smaller content contributions from a potentially large number of reference sources. This would result in a custom curriculum that might be difficult to replicate from program to program, given the added effort (and often complexity) of obtaining the appropriate permissions to reproduce chapters or excerpts from multiple publications. Another alternative would be to assemble the relevant content in a single volume specifically intended to serve as a textbook (which might nevertheless prove valuable as a general security reference), although this approach runs the risk of producing an aggregation of content that isn’t well integrated or lacks the logical flow needed for its target audience to understand it. The key advantage of assembling relevant content from ostensibly authoritative sources is that changes to the content can be accommodated more easily when multiple authors are responsible for specific pieces, particularly if the material is made available electronically and not only in bound and printed editions. From a purely pedagogical standpoint, it might be preferable to have a single author responsible for the content, but with respect to intrusion detection it seems likely that any author or instructor attempting to produce a textbook that fully covers the topic would depend on input from multiple other parties.