Computer Security Training for Professional Specialists and Other Personnel Associated with Preventing and Responding to Computer Attacks
Anatoly A. Malyuk,* Nikolai S. Pogozhin, and Aleksey I. Tolstoy
Moscow Engineering Physics Institute
INTRODUCTION
The level of knowledge and skills required in the area of information security is among the basic factors determining the effectiveness of efforts to counter computer attacks on real targets. Therefore, the training of specialists in this field may be considered one of the most important organizational-technical means of ensuring information security. As noted in the Doctrine for Information Security in the Russian Federation, “the development of a system for training personnel involved in ensuring information security” is among the top-priority measures to be taken in implementing state policy for ensuring Russia’s information security. The training system for information security personnel, for which the foundations have already been created, is one of the most important elements of information security as a whole. This report reviews the characteristics of the information security personnel training system in Russia, defines the basic areas of educational activity, and highlights the most promising of them, which are associated with continuing education. The report also discusses the basic problems that need to be resolved in order to ensure that the necessary level of training is provided for specialists and other personnel at facilities where information technologies could be subject to computer attacks.
THE TRAINING SYSTEM FOR INFORMATION SECURITY PERSONNEL IN RUSSIA
Russia has laid the foundations for a state system for training personnel in information security. This system is composed of the following elements:
Training Providers
- higher educational institutions (more than 80) licensed to educate students in one of the seven specialties included in the state classified listing of specialties and areas of training for degreed specialists
- regional training and scientific centers (22), based at leading higher educational institutions in the various regions of Russia and intended to address the problem of training specialists for a specific region
- continuing education training centers (as a rule, not state run; established in almost all regions of Russia, so their number is difficult to determine), created by organizations actively operating in the information protection services market and licensed to conduct training by the local governmental authorities responsible for education
Participants
- university students and other course participants being trained at higher educational institutions, regional training and scientific centers, and continuing education training centers
- instructors at the various educational institutions and centers
- administrative personnel organizing and facilitating the training process
Educational and Methodological Resource Support
- state educational standards for higher professional education in the seven specialties included in the information security classification
- educational plans for training specialists in the specific specialties
- educational programs for specific training courses in the seven specialties
- educational programs for continuing education or retraining courses aimed at allowing participants to obtain additional qualifications
- textbooks, educational and methodological handbooks, and practical laboratory training exercises
- informational materials supporting the training process
Management Subsystem
- Russian Federation Ministry of Education, which issues licenses for educational activities conducted by higher educational institutions
- executive-branch entities at the regional level responsible for education and for licensing educational activities associated with continuing education
- educational methodology associations: public organizations composed of representatives of educational institutions that train specialists in the information security field, as well as of the organizations and departments that employ such specialists (These associations monitor the educational activities of the various institutions and centers to ensure that students receive training at a level meeting the requirements established by the State Educational Standards.)
The two basic types of educational activities being carried out within the system for training information security personnel are as follows:
- training of degreed specialists: specialist (seven specialties; title: mathematician or information protection specialist; training duration: five or five and a half years); bachelor's degree (four years); master's degree (six years)
- continuing education: qualification improvement (72 or more training hours); additional qualification (up to 500 training hours); complete retraining (more than 500 training hours)
An evaluation of the need for information security specialists to deal with the problems of countering computer attacks indicates that the first type of training is not meeting all objectives for the following reasons:
- the long duration of training for specialists (up to six years to complete training). The training system that has been created is only just getting under way in Russia; it will show its full capabilities once the first six-year training cycle is complete.
- the insufficient number of specialists being graduated. Given the number of higher educational institutions that graduate information security specialists (about 80) and the average number of specialists graduating from each such institution per year (about 20), the total number of specialists graduating each year is estimated at about 1,600. According to several estimates, state institutions alone need to hire about 1,500 such specialists per year, and this does not take into account the needs of the large number of private enterprises and organizations.
- the inertia of the educational process, associated with the long-term stability of educational programs and plans (lasting about one training cycle). During this time the subject matter requirements could change significantly.
- problems of professional orientation for incoming students, owing to the difficulty of instituting strict principles for the selection of personnel to be trained in information security specialties. The existing educational system is oriented toward the training of young people, beginning from the first year in university (age 17–18). Even if a strict system of selection were to be put in place not only on the basis of knowledge but also taking into account psycho-physiological characteristics (and this is very doubtful), effective selection would not be ensured, as during the training period (up to six years) the given parameters could change substantially. Furthermore, young people's life goals are also subject to significant changes. As a result, specialists graduating from these higher educational institutions could either not work in their area of specialization or could carry out functions antithetical to the goals of information security protection.
- difficulty of organizing targeted training for specialists to meet the needs of specific enterprises. Unfortunately, at present it is difficult for any enterprise to define the skills and knowledge that information security specialists will need when they graduate four to six years from now.
This type of educational activity represents only one segment of the training requirements. Information security specialists are commonly employed in the development and creation of complex information protection systems requiring a broad range of knowledge and skills.
In contrast to the training of degreed specialists, continuing education has a number of substantial advantages. These include
- short duration of training (72–500 hours)
- flexibility and the possibility of changing educational programs
- ease of implementing targeted training geared to the interests of specific enterprises
- the possibility of meeting quantitative needs for trained specialists
Therefore, we might expect that this form of educational activity will find broader application in the training of professional specialists and other personnel involved in combating computer attacks. This activity is oriented toward the utilization of specific information technologies and information protection systems. It would be useful to review the particular features of continuing education in greater detail.
Continuing Education in Information Security
When we account for the problems that arise during the educational process, it is possible to define the special characteristics of continuing education in information security by answering the following questions: “Who should be trained, what should be taught, and how and where should training take place?” “How should the training be managed?” “How should learning be evaluated?” We shall now attempt to answer these questions.
The answer to the question “Who should be trained?” is associated with the selection of the contingent of students. It is appropriate to follow the principle of a differentiated approach aimed at determining the categories of students working at specific enterprises. These categories could include the following:
- information technology specialists working in units responsible for the operation of hardware and software
- specialists who use information technologies in units involved in carrying out an enterprise's primary mission
- information protection specialists working in information security units
- information security administrators responsible for monitoring the level of information protection
- physical security specialists. Modern physical protection systems are complex automated control systems consisting of devices (microprocessors, video equipment, other special hardware, computers, communications channels and systems) and software (systems software and applications) operated by security service personnel. An automated system of this sort processes "sensitive" information, the loss or distortion of which could reduce the operational effectiveness of the entire physical protection system and, as a result, could help terrorists accomplish their objectives.
- unit managers
- senior management
It should be noted that training managers at all levels is a requisite component of personnel training. Knowledge of the basic objectives involved in countering cyberterrorism and of ways of accomplishing these objectives is a mandatory condition for effective decision making both at the stage of creating an information security system and at the stage of responding to a critical situation.
Another point is that the functional responsibilities involved in managing information technologies and those involved in managing information security subsystems must be separated and assigned to different specialists (a separation of duties). Because of this requirement, those receiving training should likewise be divided into different groups.
The question “What should be taught?” may be answered through the selection of training programs. The special nature of the professional knowledge and skills of information security specialists combined with the possibility of using such dual-use knowledge and skills for contrary purposes allows us to formulate the following principles that should provide guidance in the selection of training programs:
- Offer a differentiated approach to training, that is, different training programs for different categories of students.
- A specialist should have only the knowledge and skills his role requires. Extra knowledge and skills could lead the specialist to develop ambitions that result in his carrying out unauthorized operations, on his own initiative or under the influence of an outsider, and the consequences could be catastrophic. Consequently, extra knowledge and skills among information security specialists can be harmful, and this must be kept in mind in designing training programs. Representatives of the enterprises whose employees are being sent for training must therefore play an important role in the program design process. This also helps to ensure that the continuing education programs are targeted to the specific needs of the enterprises.
- Establish authorized access to the educational content. Given the nature of the knowledge and skills possessed by information security specialists, such knowledge should be conveyed only to those who need it. Students are selected solely by the enterprises sending personnel for training. This, too, helps to ensure the targeted nature of continuing education programs.
- Ensure the information security of the training system. This principle follows from the preceding one. The training system must ensure the availability, confidentiality, and integrity of the information needed for the educational process (primarily the material covered in training).
Answering the question “How should training take place?” makes it possible to define the technological requirements involved in implementing continuing education programs. Most training centers in Russia generally use traditional educational technologies (lectures, seminars, practical exercises), which require that students take time off from work to participate. The development of the system for training information security personnel is oriented toward the use of modern information and educational technologies. This makes it important for the educational system to introduce distance-learning technologies such as virtual training courses, electronic textbooks, and remote testing. This should increase efficiency and reduce training costs because of a reduction in the amount of time required for training (trainees spend less time away from their worksites).
The answer to the question “Where should training take place?” is already determined in the given case. At present, it can be stated that the necessary facilities for the information security training system have already been established, as described above. The further development of these facilities entails the resolution of such problems as how to improve methods for their management, how to ensure the information security of the training process, and how to develop their material and financial infrastructure.
Improving and developing the personnel training system in the information security sphere requires a response to the question "How should training be managed?" Here, it is necessary to look at the prospects for the development of the training system itself, taking into account the key points involved in implementation of the Federal Targeted Program for the Development of a Unified Educational Information Environment (2001–2005), which was enacted by Resolution 630 of the Government of the Russian Federation dated August 28, 2001. This program calls for the "creation of conditions for a phased transition to a new level of education on the basis of information technologies…." Therefore, the system for personnel training in information security must be viewed as part of the unified educational sector of Russia, understood as "the totality of organizational measures, informational and methodological resources, and modern educational and information technologies that ensure the high quality of education in all regions of Russia and the effective utilization of the country's scientific and pedagogical potential." Consequently, management of the modern personnel training system for the information security sphere must take into account the following points:
- standardized educational and methodological resources
- the existing infrastructure of system facilities
- the availability of modern information and educational technologies in the system
- the existence of a three-level system for the management of education in Russia (Ministry of Education or Regional Administrative Agency; Educational Methodology Association; Educational Institution or Training Center)
- the need to protect information presented in course content
It therefore follows that the system for training information security personnel must resemble a corporate training system: one that trains specialists within defined limits (for example, those imposed by the need to ensure information security), and this must be taken into account in managing such a system.
The answer to the question “How should learning be evaluated?” carries with it additional changes in the management of the system for training information security personnel. The nature of the knowledge and skills possessed by information security specialists gives rise to the need for adherence to the following principles in evaluating the level of learning among students:
- a standardized approach to the certification of specialists completing multiyear courses at higher educational institutions
- a differentiated approach to the certification of specialists completing continuing education courses
This involves
- testing of knowledge at the end of a specific course of study completed at an educational institution or center
- certification of a given level of knowledge and skills by an independent certification center
- certification of knowledge and skills meeting current job requirements at the student's worksite (could be conducted by a unit or senior staff at the worksite in cooperation with training or certification centers)
Implementing the measures outlined above entails subsequent changes in the system for managing personnel training in the information security sector:
- improvement of the testing system
- creation of the two types of certification systems described above
The requirements of the system for training information security personnel, taking into account the field of continuing education, are based on the experience of the Moscow Engineering Physics Institute (MIFI).
TRAINING OF INFORMATION SECURITY SPECIALISTS IN THE DEPARTMENT OF INFORMATION SECURITY AT MIFI
MIFI has been involved in educational activities in the information security field since 1991. Degree programs are offered for specialists in the fields of comprehensive protection of information technologies and comprehensive information security for automated systems. Graduates of these programs are qualified as information protection specialists, and the course of study takes five and a half years to complete.
Continuing education is provided in the form of qualification enhancement courses. The educational programs differ for the various categories of students and are coordinated in advance with the organization sending students to be trained, taking into account its individual requirements. MIFI's leading partners (clients for educational services) in the realm of continuing education for information security personnel are the Central Bank of the Russian Federation and the Savings Bank of the Russian Federation. The educational technologies used are both traditional (with students taking time off work) and modern, involving elements of distance-learning technologies (with students spending only part of their training time offsite). Between February 1995 and December 2002, more than 2,500 specialists from all regions of Russia were trained.
Examples of the continuing education training programs being conducted by MIFI in 2003 are presented in Table 1.
TABLE 1 MIFI Continuing Education Programs
No.   Program                                                                                 Training duration, hours/days
Training Cycle 1: Security of Bank Information Technologies
1.1   Security of network technologies                                                        88/11
1.2   Protected corporate bank networks                                                       40/5
1.3   Information security of bank e-mail systems                                             40/5
1.4   Security of bank intranets and virtual private networks                                 40/5
1.5   Cisco Systems solutions for protecting corporate information networks                   40/5
1.6   Systems for detecting attacks on corporate bank networks                                24/3
1.7   Monitoring network security                                                             40/5
1.8   Anti-virus protection for information technologies                                      24/3
Training Cycle 2: Administration of Information Technology Security
2.1   Information technology administrators                                                   40/5
2.2   Administering corporate virtual private networks using FPSU-IP screening routers        40/5
2.3   Information security in a Microsoft Windows NT environment                              40/5
2.4   Information security in a Microsoft Windows 2000 environment                            40/5
2.5   Information security in a Sun Solaris OS environment                                    40/5
2.6   Data security mechanisms and policies in SQL                                            24/3
2.7   Data security mechanisms and policies in Oracle                                         24/3
COMMUNICATIONS ACTIVITIES
Experience and information on teaching methodologies in the information security field are shared at conferences at various levels. The following conferences are held annually under the aegis of the Ministry of Education of the Russian Federation:
- Problems of Information Security in the Higher Education System (January, Moscow, MIFI)
- Information Security (including international participants; June, Taganrog, State Radiotechnical University)
- Methods and Technical Means of Ensuring Information Security (October, St. Petersburg, State Technical University)
At the international level, efforts to develop systems for training information security personnel in various countries are coordinated by Working Group 11.8 (Information Security Education), which is part of Technical Committee 11 (Security and Protection in Information Processing Systems) of the International Federation for Information Processing. The World Conference on Information Security Education (WISE) is held every other year with the support and direct participation of this organization. The third such conference, WISE-3, will be held in the United States (Monterey, California), June 26–28, 2003, and WISE-4 is scheduled to take place at MIFI in Moscow in May 2005.