The Importance of Teaching Small Network Cybersecurity Techniques
Computer networks can be difficult to fully protect. There are many avenues of attack available to a hacker, which requires defenders to create a layered defensive posture that eliminates as many cracks as possible. We have taught in schools for many years about the importance of a good, layered defense, but it is often interpreted as needing every available bell and whistle for every network. This is not true.
Students need to be aware that different networks have different needs. A corporate network with 5,000 users has different needs than a small storefront with three employees. The smaller network should also have a layered defense, but students should be trained to understand how to scale the layers down to make sense for a network with different needs. Network defense can be expensive, and companies need to balance their resources to be the most effective in their markets.
Companies, even the largest ones, do not have unlimited budgets to spend on computing resources. Hardware is not cheap. Adding firewalls, routers, and intrusion detection systems can cost tens of thousands of dollars, without the additional costs of maintenance contracts. Larger organizations can absorb these costs, but what should a smaller company do?
Critical Thinking in Cybersecurity Strategies
Professors should include lessons that help students critically think about how security methodologies can be applied in these situations. It is unlikely that every cybersecurity graduate will work in a large Fortune 500 company. They should be prepared for that environment and any other environment they end up supporting.
Consider a small business that sells mostly to local clientele and outsources its web services to a third-party provider. What level of security do they need? What would be overkill? A student should be trained to understand the differences in needs and be prepared to adapt good cybersecurity techniques to a smaller footprint. Long-taught configurations like demilitarized zones and internal network segments would be overkill. Larger routers and intrusion detection systems would likely collect dust and rarely be updated in these environments.
A better methodology would be to utilize software-based security on each of the organization’s computers along with a small firewall that blocks common international locations where most large-scale hacks originate. Any owner of any company would be happy to have their employees provide a less expensive solution for their cybersecurity needs, and courses that train students in security scalability will make this possible.
Preparing Students for Diverse Cybersecurity Scenarios
Students need to be prepared for every potential scenario. To use a military analogy, special forces operators are trained in many different forms of combat, intelligence gathering, communication, and other areas necessary for potential missions. Each member of one of these teams has a specialty they are extremely proficient in, but they are also capable of taking on the role of one of their team members when needed. They are trained to adapt to any situation. They do not simply arrive on site, blow everything up, and leave. They have the ability to strategically and tactically operate in any environment. This is what makes them so effective.
Computer science is a broad field with a lot of potential specialties and, even within cybersecurity, students can become experts in specific areas. But, just like these special operators, they should also be capable of shifting in a different direction when needed.
The ability to be flexible in network defense is something that is not always recognizable in this field. Any student who applies themselves can learn the requisite technical skills and graduate from a program. But how effectively can they apply those skills? That depends on how professors have presented these topics in the classroom. Most cybersecurity textbooks provide the same information. They provide best practices that often get shaped into cookie-cutter approaches to security. This is a good place to start, but professors should then push their students to think about more creative solutions for clients who need to operate in different environments.
One great practical way to implement this in a classroom would be to provide students with network diagrams of different designs and have them develop a security posture for each one. Rubrics could focus on creating the most streamlined security for each network, netting students points for combining capabilities, using open-source applications, and reducing manpower needs. Professors using these types of tabletop exercises put the students in control of a fictitious network to see if they are ready for the challenges of the real world.
The Need for Skilled Cybersecurity Professionals
Hackers only have to be right one time to achieve a big victory. Defenders have to be right all the time. If a small company has a series of devices installed to protect its network, it will also need to have a dedicated employee to manage those devices, review the logs, run updates, and constantly analyze attack vectors. Manpower is not cheap, especially for this type of technically skilled manpower. We must consider alternative methods of security and teach students how to customize strategies for a network of any size. The best defender is going to be someone who can develop a customized layered defensive posture for any network.
Cybersecurity will always be a need. The internet has become an integral part of business operations and personal lives, and there will always be a need for cybersecurity professionals to provide quality services. We can churn out students into the field, but if we want cybersecurity to be as effective as possible, we need to make sure every student in these programs is trained to critically think through any security scenario. Hackers adapt to the field; defenders should be trained to do the same. We can make a big difference in network security postures around the world if we do a good job in the classroom.