Kamilla Kuanysheva, Security Vision
Introduction
Information security is one of the key areas in the modern world, where new threats and challenges emerge every day. Students studying at universities gain valuable knowledge and skills in the field of information security, but often remain unprepared for the real challenges faced by professionals in this field.
In this paper we will examine the difference between the skills obtained after classical university training and the skills that are actually required in practice in the field of information security. The problems and contradictions faced by graduates will be discussed, and ways to improve educational programmes to better prepare professionals for work in cybersecurity will be suggested.
This topic is relevant and important because in the field of information security, decisions are made based on practical experience and up-to-date knowledge of current threats, technologies, and defence methods. Analysing the differences between education and practice in information security will help to identify the key aspects that need to be addressed when training professionals in this field.
Theoretical knowledge vs Practical skills
Firstly, we would like to highlight the most common problem, which lies in the lack of practical skills among students. It concerns not only IS programmes but many other educational programmes as well. As far as IS is concerned, at university students are usually taught the basics of cryptography, network protocols and other fundamentals. In practice, however, information security requires skills in the practical implementation of information system protection, the ability to analyse vulnerabilities, conduct security testing, respond to incidents, analyse malware, etc. Theoretical knowledge is undoubtedly important, but it is equally important to be able to apply theory in practice. Everyone would probably agree that no one has ever learnt to drive a car or swim just by reading a book. Everyone needs to learn the rules of the road, but you can't get far on theory alone.
Let's imagine the following situation: a young specialist who has just graduated from university has been hired to work in an incident investigation department. What problems do you think he will face when solving his first investigation task, with nothing but theory about the process in his store of knowledge? We can assume that there will most likely be problems with reading and analysing audit logs, system logs and network logs. To go through this phase of the investigation competently and ‘squeeze out’ the maximum of information, you need to know what an anomaly looks like and what counts as one. In universities this point is usually missed: a couple of lectures and seminars are devoted to logs, and those analyse simple situations on generalised, synthetic ‘examples’.
The second thing a novice is likely to have problems with is a lack of practical skills in working with SIEM systems, which is an important step in incident response. Most often students know only the definition of a SIEM system and that such systems exist, but, alas, have no practical experience with them. As a result, once on a live task, the specialist simply cannot determine, for example, where there was a brute-force attack and where a phishing attack.
System analysis also requires good knowledge of utilities and scripts, such as Process Explorer (to view running processes and dependencies), Wireshark (to detect suspicious traffic), Autoruns and other programs. Many students hear about these tools and may even study them superficially within academic disciplines, but, again, there is no practice in using them, even on ‘artificial’ cases.
We all realise that these problems will not only cause growing stress for the novice specialist, but will also ‘hit’ the company's business and reputation very hard. With the work dynamics described above, the investigation of the incident will be delayed and the company will not be able to respond promptly to the threat. As a result, the incident will lead to more serious consequences than it would have if the professional had the necessary practical skills.
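As an added illustration of the log-reading skill discussed above (example code written for this article, not a tool from the original text or from Security Vision), the following Python script parses a handful of constructed OpenSSH-style auth log lines and flags a source address that produces a burst of failed logins followed by a successful one, the brute-force pattern a novice investigator needs to recognise. The log format, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (not real data).
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50210 ssh2
Mar 10 09:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:12 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:15:40 host sshd[1300]: Failed password for alice from 198.51.100.22 port 41000 ssh2
Mar 10 09:15:55 host sshd[1301]: Accepted password for alice from 198.51.100.22 port 41001 ssh2
Mar 10 11:30:00 host sshd[1400]: Accepted publickey for bob from 192.0.2.5 port 39000 ssh2
"""

# Assumed line layout: syslog timestamp, host, sshd[pid], then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Turn one auth log line into a dict, or None if it is not a login event.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_seconds` window, and record whether a successful login from the
    same IP followed the failures (the case that needs urgent attention)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        hit = False
        start = 0
        # Sliding window over the sorted failure timestamps.
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hit = True
                break
        if hit:
            last_failure = failures[-1]
            success_after = any(
                e["result"] == "Accepted" and e["ts"] > last_failure for e in evs
            )
            alerts[ip] = {
                "failures": len(failures),
                "success_after_failures": success_after,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, "
              f"login succeeded afterwards: {info['success_after_failures']}")
```

The single legitimate failed login by `alice` never reaches the threshold and is not reported, while the burst from `203.0.113.7` is flagged together with the fact that a login succeeded after it; the same sliding-window logic is what a SIEM correlation rule expresses declaratively.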
There are several options to address the lack of practical experience among students:
1) Introduce CTF training and competitions.
Participation in such events will help students to develop real IS skills, including pentesting, vulnerability analysis and cryptography, and to work in a team, communicate and share their experience with other teams. Moreover, this competition format arouses great interest among ‘young minds’.
Examples of well-known Russian CTF competitions: Yauza CTF, VolgaCTF, RuCTF, Kaspersky Industrial CTF and others.
The drawback of this approach is its ‘elitism’. Few universities are ready to ‘ground’ CTF at the level of every student, to develop methodologically sound and accessible courses with a low entry barrier, and to roll them out to all graduates. ITMO University has significant experience in this sense, having built the education of entire groups of students around this approach. Thus, here we would like to see the introduction of ready-made courses, possibly coupled with the study of the basics of response in cyber exercises, because the infrastructure for CTF can be transformed into the basic infrastructure for cyber exercises and vice versa, and the skills of counting successful attacks can be transformed into the skills of searching for real indicators of compromise.
2) Implementation of practice-oriented training.
This option will allow practising skills in detecting and responding to cyberattacks under conditions that are as close to the real world as possible.
The case approach is based on analysing real situations that may arise in the professional activities of information security specialists. The main principles of this method include:
1) Realism: Cases are based on real situations, or ones as close to real as possible, allowing students to better understand the context and significance of their actions.
2) Active learning: Students are actively involved in discussing and solving cases, which enhances learning.
3) Critical thinking: Case work encourages students to analyse information, assess risks and make informed decisions.
4) Teamwork: Many cases are solved in groups, which develops co-operation and communication skills important for future professionals.
5) Interdisciplinarity: Cases often cover several areas of expertise, which helps students see the connections between different aspects of information security.
It is important to note that the case method should follow a stepwise learning approach, depending on the learner's knowledge. By gradually increasing the complexity of the material, students assimilate the knowledge more deeply. After such training, the future specialist should have all the practical skills to solve a whole problem for the enterprise, regardless of the level of complexity of the task.
The case method in information security requires especially frequent updates. A few of our recommendations for case study updates in IS:
- Quarterly updates: due to the rapid pace of change in IS, it is worthwhile to review and update cases at least once a quarter. This will enable new threats, attacks and defence techniques to be included.
- Monitor current incidents: regularly monitor the latest IS incidents and attacks through specialised sources such as reports from cyber security companies (e.g. Kaspersky, Symantec), news sites and expert blogs. Include the most relevant and instructive examples in case studies.
- Feedback from students and professionals: It is important to incorporate the experiences of students and practitioners who may be facing new types of threats in the real world. Conduct surveys and gather feedback to adapt cases to current realities.
- Analyse trends and forecasts: Use analytical reports on trends and forecasts in IS to incorporate long-term strategies and future threats.
Thus, regular updating of IS case studies is essential to keep training materials up-to-date and prepare professionals to effectively counter today's cyber threats.
Where do cases come from? For each case being designed, it is necessary to involve a company, organisation or vendor, so that the data for practical tasks can be transferred to the educational institution by prior agreement or by an agreement reached in the course of training. Another option is for the case provider itself to take an active part in the training and generate the data for the students.
In the course of case-based training, the future specialist will have the opportunity to face situations that require analysis and immediate solutions. After all, in practice it often happens that not everything we see in the system corresponds 100% to the real situation. Therefore, the student should make sure on site that the system, for example, has no unregistered assets, that every feature and every metric really works, and that every auto-deployment scenario can really ‘auto-deploy’ if needed.
Example: a backup implemented with custom-written scripts reports that the transfer of the database backup to the server has succeeded. In reality, the transfer does not take place, but the script has no branch responsible for reporting an error in this situation. The backup administrator learns of this only when the backup from this server cannot be restored in a real emergency.
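To make the failure mode in this example concrete, here is a constructed Python illustration (added for this article; not the script from the case and not Security Vision's code) that places the flawed pattern, a transfer step with no error branch, beside a corrected version that reports every failure and verifies the copy with an independent checksum. The file paths and the simulated ‘unreachable backup server’ (a destination directory that does not exist) are assumptions.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def transfer_unverified(src, dst):
    """Flawed pattern from the case: the copy is attempted, but there is no
    branch that reports a failure, so the caller always hears 'success'."""
    try:
        shutil.copy2(src, dst)
    except OSError:
        pass  # the error is swallowed and never reaches the backup administrator
    return "backup transferred successfully"


def transfer_verified(src, dst):
    """Corrected pattern: every failure mode raises, and success is confirmed
    by an independent check of the destination, not by the copy call alone."""
    if not os.path.isfile(src):
        raise RuntimeError(f"source missing: {src}")
    try:
        shutil.copy2(src, dst)
    except OSError as exc:
        raise RuntimeError(f"transfer failed: {exc}") from exc
    if not os.path.isfile(dst):
        raise RuntimeError(f"destination missing after transfer: {dst}")
    src_hash, dst_hash = sha256_of(src), sha256_of(dst)
    if src_hash != dst_hash:
        raise RuntimeError("checksum mismatch between source and destination")
    return {"status": "ok", "bytes": os.path.getsize(dst), "sha256": dst_hash}


def _outcome(func, *args):
    """Run a transfer and return its status or its error message as a string."""
    try:
        result = func(*args)
    except RuntimeError as exc:
        return f"error: {exc}"
    return result["status"] if isinstance(result, dict) else result


def demo():
    """Exercise both versions against a constructed dump file. The unreachable
    backup server is simulated by a destination directory that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "db.dump")
        with open(dump, "wb") as f:
            f.write(b"-- constructed sample database dump --\n" * 100)
        bad_dst = os.path.join(tmp, "no_such_server", "db.dump")  # assumed path
        good_dst = os.path.join(tmp, "db.copy")
        return {
            "unverified": _outcome(transfer_unverified, dump, bad_dst),
            "verified_bad_dst": _outcome(transfer_verified, dump, bad_dst),
            "verified_missing_src": _outcome(transfer_verified, os.path.join(tmp, "nope"), good_dst),
            "verified_good": _outcome(transfer_verified, dump, good_dst),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The unverified version reports success even though nothing was written, which is exactly what the administrator in the case saw; the verified version fails loudly at the point of transfer, and its checksum comparison would also catch a copy that completed but was truncated or corrupted.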
Cyber drills can also be considered to address the lack of practice. For the most effective cyber exercises, it is recommended that they be based on the same effective case method: that is, live cases are used as a basis for simulating incidents.
Let us explain what information the data collected in step 6 may contain to update the scenarios:
- Changes in regulations
- Threat forecasts
- New technologies in the field of IS
- Latest threats and vulnerabilities (0 day)
- Innovative solutions from leading IS companies
- Best practices in data protection
- Information about new real cases
Knowledge of standards and technologies vs Ability to adapt
At university, students learn about security standards, encryption methods, technologies and tools from experts. In practice, however, they are also required to adapt quickly to new technologies and threats and to develop their own defence methods. Moreover, the situation is aggravated by the outdated literature most often used to teach students at universities. As a result, a student receives information that was relevant several years ago, and on starting work as a specialist faces a discrepancy between what is in his store of knowledge and what he will actually have to work with.
To solve the problem with the ability to adapt, we can recommend at least a couple of options: organisation of internships for students; cooperation with different vendors.
Let's focus on the second one. When our company comes to partner universities and customers as part of training, it presents its vision of standards and solutions for organisations and shows in practice how to implement them. We quite often encounter the need to land methodologies, standards and best practices in customised customer infrastructures, where each customer has its own job descriptions, regulations, habits, corporate culture and specialised security stack. What have we learnt over a long period of time? That there are no generic standards or one-size-fits-all solutions, and that every organisation needs customisation that is as easy to configure as possible. To simplify the customisation of SOC procedures, we use a low-code/no-code platform. This gives us a significant advantage in implementation projects: there is no need to code anything; all cases are specified through system settings and adapted via workflows and directories.
Hence our advice: don't choose rigid hard-coded solutions; look for modern frameworks and projects with community support, whose communities have already developed many variants of libraries and functions. The more flexible the system, the easier it is to adjust to a dynamically changing external environment.
Besides, knowledge of standards without their practical application is just immersion in a boring and incomprehensible framework, studying and memorising text that is sufficient to keep as reference material. In our opinion, work with standards should reach the level of practice-oriented coursework, dissecting solutions and practical situations together with invited professionals. Ideally, each senior-year student should be accompanied by a mentor from outside the university, who notes the practical difficulties that actually arise. A good idea in this sense is cooperation between the university and integrators implementing complex solutions, inviting specialists from among the practising employees of such organisations.
We should not forget that standards are written by specific regulators. And what is included in a standard is best known to those who apply it on a regular basis. Universities can and most likely should invite representatives of the FSTEC, Ministry of Defence and Security, Roskomnadzor, NCCI to teach specific disciplines oriented to the requirements of regulators, which will reduce the gap between the knowledge of the graduate and the real requirements of the standard and regulations.
Returning to the practice-oriented approach in training, it can be noted that cases are good because the student does not have a ready-made solution or the solution may be unexpected.
Example: implementation of firewalling in an organisation led to successful network segmentation, but the digital signature service failed because it turned out that the CPU server had been moved from its own network segment to another by the IT department ‘to speed up the system’ without documentation or approval.
Cases also help students find non-template solutions and make the transition from a standard solution to a non-standard one. For example, we know how a certain process, such as asset inventory, is implemented according to a standard. When we come to a particular enterprise, there are many complexities related to network constraints or organisational problems, and this situation requires a new, optimal and correct solution for implementing inventory in that enterprise. A student facing such problems for the first time does not know how to solve them or what to do. Here the case method allows one to understand in practice how to make the transition from standard to non-standard, and after the experience of solving such practical problems, the future specialist will have no trouble with similar tasks.
A big plus, and an addition to this, will be feedback from the organisation that provides such cases. The student will thus realise how well he/she has done the task offered. Feedback, whatever it turns out to be, will certainly have a positive impact on the student's further development.
Vulnerability testing and analysis vs Prevention and response
Identifying and analysing vulnerabilities, pentesting and other security tests are important aspects that can be mastered at university. However, in practice, it is required not only to detect problems but also to take proactive measures to prevent incidents and respond to threats in real time.
Again, cyber range (‘cyber polygon’) simulations and CTF training games are worth mentioning as solutions here, as is the involvement of professionals, specialists and mentors who can guide students and share their experience and ‘bumps in the road’.
At this point I would also like to mention the positive side of case-method training with regard to incident response.
Real-life stories and cases are always more interesting to students than abstract theoretical models. They make the learning process more engaging and motivating, which contributes to better student engagement. Students see a direct link between their studies and real professional activities, which increases their interest and commitment to improve their skills. Also, studying real cases allows students to learn from others' mistakes and successes. By analysing which actions led to a successful resolution of the incident and which ones made the problem worse, students can avoid making similar mistakes in their practice. This is valuable experience that helps shape more effective incident response strategies and techniques.
Legal and ethical compliance vs Moral dilemmas and ethical standards
The university focuses on the legal aspects of information security. But in practice, professionals in the field are often faced with moral dilemmas, ethical standards and behavioural requirements that are not always covered in the curriculum. Quite often in our implementations we see a situation (especially in conservative structures, structures with a high degree of formalisation of processes and a rigid management structure) where regulations are the basis for decision-making and are followed unconditionally. At the same time, social engineering attacks that exploit this very human factor are now gaining popularity. Using deepfakes, attackers can call on behalf of a manager, imitate the voice of the shop floor manager and issue instructions that will disrupt the production process or reveal confidential information. To address this problem, security awareness practices need to be implemented across the board. Awareness raising will help us identify the fraudster by the keywords most commonly used in the perpetrators' scripts; by the absence of the jargon or manner of speech adopted by a particular team; and by the mechanics of the attacker's actions that are currently popular in social engineering attacks.
Therefore, it is important that in the course of training, students gain experience in solving problems not only of a technical nature but also those related to social engineering, given that attacks using psychological manipulation are constantly being modified and gaining momentum.
Thus, we can conclude that classical university education provides students with the fundamental knowledge and skills necessary for a successful career in information security. However, practical skills and work experience in a real-world environment also play a key role in that career. Therefore, for maximum effect, university study should be combined with practical skills gained through internships, professional development courses and participation in practical projects. As for training at the university itself, the most effective approach is the case approach, because in the course of solving real problems the student gains practical experience that will help him/her achieve high results in the future and successfully cope with emerging challenges and problems.