Firewalls and the difficulty of teaching Information Technology

The hardest thing about teaching IT (and Cyber Security) is keeping up with the speed at which technology changes. When long-held beliefs are only held for 5 to 10 years (or less), it’s hard to determine what should be taught. This was brought to my attention last week in an article from Dark Reading, Why the firewall is becoming irrelevant.  The author, Asaf Cidon, makes two good points regarding the possible irrelevance of firewalls:

  1. Data resides on company servers and unsecured employee devices. The BYOD revolution, and the use of cloud-based software such as Dropbox to store data, has made it easy for employees to do work from the office by syncing company data to their mobile devices.  The problem, of course, is that a firewall can’t protect data once it’s left the secured company server.
  2. Consequently, as he points out, that data ends up everywhere – with employees, suppliers, partners, clients, etc., and it’s likely that none of them are securing your data.  How can a firewall protect that data?

From an academic point of view, this is rather disturbing. Our second Cyber Security course at Armstrong is entitled Network Security: Firewalls and VPNs. Is it reasonable to be teaching our students firewall concepts and practices if they’re “irrelevant?”

I would like to think that’s not the case – companies still place their data on corporate servers that must be protected.  And, in a “point-counterpoint” kind of article, Firewalls sustain foundation of sound security,  author Jody Brazil makes the point that firewalls are still a valuable tool in securing the enterprise.  As he states:

While paradigms including mobility, virtualization and the cloud have created a new set of challenges (along with opportunities) to invoke additional security controls, the resulting distribution and hyper-segmentation of networks has in fact only made effective firewall management more important than ever before.

His defense of firewalls stands on three points:

  1. Firewall dependencies are expanding, not contracting. 95% of 700+ respondents to the 2014 FireMon State of the Firewall Report indicated that the use of effective firewalls is more important to their security management.
  2. Firewalls provide an effective and important means of securing virtualized network environments.
  3. “Firewalls are one of the few security technologies with a positive whitelist security model – allowing only necessary network traffic while denying the rest – the best defense against evolving threats.”

I read Dark Reading daily, and when I read the first article, my initial thought was “oh no, we’ve devised and implemented a curriculum that’s already obsolete.” Then I read the second, and felt somewhat vindicated. We still need to teach our students the basic components of an effective, layered defense of systems and networks. What we have to do going forward is recognize that IT is always changing, and that while we continue to teach the basics, we embrace the future, and ensure that our students understand how change is affecting the way we defend our information systems.

Appalling Violations of Basic Principles

Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated. Some of these were:

  • Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
  • Failure to require secure passwords, and to change those passwords regularly, according to a schedule
  • Failure to install the necessary security & update patches
  • No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
  • Failure to encrypt data
  • Failure to monitor the network (again, IDPSs would be one component of doing this)

All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security.  It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.

Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.

It’s impossible to stop the hackers, or is it?

Because people know that I’m a professor of IT who teaches Cyber Security, one of the questions I am repeatedly asked (usually, it’s more of a statement than a question) is: “it’s just impossible to stop ‘them’ (substitute criminals, China, N Korea, etc. for “them”) from hacking.” Those who ask this (or perhaps, state it to me) just throw up their arms as if it’s a foregone conclusion. But I posit that it’s NOT. To quote the cartoon character Pogo (paraphrased from US Navy Commodore Oliver Hazard Perry in the War of 1812), “we have met the enemy, and he is us.” That’s right, you just cannot remove people from the system. And consequently, you just cannot remove the lunk-headed, misguided, or just plain ignorant (accidental) things that people do from a computer system. When people click on links in spear-phishing e-mails, they’re compromising their entire network, because that link may drop malware onto their networked desktop.

In the opinion section of today’s CNN, in the article “Why the Cyberattacks Keep Coming,” Associate Professor Arun Vishwanath of the State University of New York at Buffalo makes that very claim – that we are the insiders who unintentionally, and accidentally, hand over the keys of the network to the bad guys.  He gives two good reasons why insiders (employees) accidentally give over the keys to the kingdom to hackers.  The second is something that I teach my students here at ASU over and over again, and I’ve made mention of this in several presentations and TV interviews:

The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought of its consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.

I often teach that users need to “mouse over” a link in an e-mail to see where it’s actually going before clicking on it. Once you see that the link points somewhere other than where you expected (or that the e-mail came from some source other than where you thought it was coming from), you’ll know enough not to click on that link, and to delete the e-mail. He makes that point – that we need to train users how to spot a fraudulent e-mail. I use the Sonicwall e-mail test in my classes (and presentations) to show people how to spot one.

We’ve all just become so used to technology that we expect anti-virus software, firewalls, etc., to do the job for us, when, in fact, we need to become more tech-savvy and do the job for ourselves.  Since so many attacks are caused by hackers looking for information that we have provided them, we all need to be trained to reject their advances and ensure that we don’t make their job easier by falling prey to their lures.