Whether it’s the Hollywood hacking of the Pentagon’s war machine or the very real breach of credit-card information on file with a national retailer, stories of compromised computer security have become commonplace.
Quickly reacting to that threat, Pennsylvania College of Technology in Fall 2008 began offering a four-year degree (information technology: information technology security specialist concentration [no longer available, we now offer Information Technology: Information Assurance and Security Concentration]) focusing on protection of an organization’s data from hostile and accidental intrusions. Students in the college’s School of Business and Computer Technologies can enhance their marketability by acquiring a set of skills demanded by the 21st-century workplace.
The U.S. Department of Homeland Security has collaborated with a number of organizations to set security standards for government-used computer systems, including curriculum guidelines disseminated by the National Security Agency. Jacob R. Miller, associate professor of computer science, and Sandra Gorka, assistant professor of computer science, said the new bachelor’s degree implements two of those standards – a core curriculum and a risk-analyst specialization – with a number of other specialties to be added as the major grows.
NSA already has certified the curriculum through its Information Assurance Courseware Evaluation program, which ultimately could allow the college to be designated as a National Center for Academic Excellence in the field. The credential, valid through June 2013, confirms for employers that Penn College students have completed a course of study compliant with NSA’s published standards.
“For government agencies, this core curriculum is becoming a necessity of employment,” Miller said. “Having the background prior to being hired gives our students a competitive edge over those who would otherwise have to be sent to training.”
The college officially was certified during the 12th Colloquium for Information Systems Security Education, held in early June in Dallas.
The relative speed of that curricular review speaks both to the need for qualified graduates and the quality of the college’s existing IT curriculum. When he and his colleagues sat down to realign the security majors with what the market demands, Miller said, “We weren’t that far off” from NSA expectations.
The curriculum also has the blessing of the school’s corporate advisers, many of whom – health-care providers and financial institutions, for instance – worry daily about the data disaster that could result from a vulnerable information system.
Miller and Gorka explained that Penn College’s new major even transcends NSA requirements in adding a component that will give graduates the edge in the job market. Not only can students learn to create and implement comprehensive security plans, they will be introduced to the process of investigating a computer incident using forensic techniques.“We all strongly believe that we should be able to demonstrate that the curriculum delivers what the student is paying for. The first step in that direction was the NSA evaluation,” Miller said. “As the curriculum rolls out, we will be assessing students to identify what knowledge they are obtaining from the curriculum. This enables us to plan for eventual changes in delivery and content that will ensure that the curriculum remains current and delivers as promised.”
With each day’s news bringing more examples of cybercrimes large and small, a variety of government and private-sector security positions is likely to await graduates in the new major. The coursework is not for everyone – faculty members stress the need for strong math skills, including calculus – but successful graduates can find employment ranging from IT engineer to network administrator to operations analyst.
About 20 students have transferred into the major, and it is anticipated that hundreds more will follow. Because the jobs are there, so is the interest among information technology students: A preliminary Ethical Hacking and Penetration Testing course, teaching students how to prepare against computer attacks, was filled soon after it was opened to scheduling.
Faculty members are equally invested: Four of them signed on to train for and teach the main security curriculum, and others provide supportive classes in their respective areas.
“Trainings range from basic information security to specialized work in cryptography, biometrics, steganography, forensics, penetration testing and risk analysis,” Miller said. “In most cases, we have at least two faculty trained in a given area and where that is not the case, we are planning trainings to ensure we have at least two experts in each area the curriculum covers.”
The school worked with Information Technology Services (the department overseeing the college’s computer infrastructure) to equip a dedicated lab for students to simulate and correct security weaknesses.
In a “fireproof” setting far removed from the campus’s real-life network – with appropriate penalties for crossing stringent educational boundaries – students can put themselves into the minds of computer hackers. Or, as they did over spring break, they can remove the makeshift network’s protection in order to attract the instructive interest of the mischievous and the malicious alike.
“It’s an anonymous lab, so hackers don’t know it’s affiliated with a college,” Miller said. “And, trust me, a machine without a firewall is like a lightning rod, a honey pot” for people who wish to exploit a network’s flaws and shortcomings.
While some new machines were purchased for the lab, the school used a substantial number of computers recycled from other areas of campus. One reason for that, Miller explained, is that the software used for forensics tends to work better on older machines.
“ITS purchased forensic-specific hardware for us, as well,” Miller said. “The students get an opportunity to use write blockers in the forensic class. These devices allow the connection of a suspect’s hard drive to the investigation system while blocking any write activity to the hard drive. This ensures that the data on the evidence drive cannot be altered while the drive is copied or imaged.”
That is very important in the event the data becomes evidence in a criminal or civil trial. The concept and devices are simple, Miller noted, but it takes some effort to handle the setup and teardown correctly to ensure the integrity of the evidence. Students also seem to take more away from the physical demonstration than just a discussion, he added.
“ITS also purchased software to help familiarize students with the tools law enforcement uses to conduct an investigation,” he said. “Since our graduates may be involved with assisting such an investigation, it is helpful if they not only know the process, but also have some familiarity with the tools so they can understand what they are being told by law enforcement about an investigation. Knowing the capabilities of the tools also helps them determine what to ask for when requesting an investigation.”
Hardware and software are neither trivial nor cheap (although some free programs can be used to help students understand how systems are compromised), and Miller said the school is grateful for ITS assistance – especially since many curricular requirements could not be identified until after faculty had its formal training.
The course is a textbook example of Penn College’s degrees that work: hands-on education, a mix of classroom instruction and practical application. Gorka added that coursework throughout the school’s IT security emphases will be supplemented by valuable visits from employers. Susquehanna Health and Omega Bank, for instance, were among those who shared their workplace experiences with students at a campuswide observance of cybersecurity awareness. ■