Titan Rain shows need for better training

If the Titan Rain attacks against U.S. defense networks taught the information security community anything, it's that IT administrators need to know how to articulate the dangers of cyberspace to upper management.

That's the message SANS Institute Research Director Allan Paller delivered during a press conference Monday to announce that the Bethesda, Md.-based institute is accepting applications for Master of Science degree programs in Information Security Engineering and Information Security Management.

Titan Rain first gained media attention over the summer, but Paller said it has been going on for a couple of years. In these attacks, Chinese Web sites have targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks.

Though classified information hasn't been taken, officials worry that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together.

"The American strategy in the last couple of years has been to keep it secret," Paller said. "That may make people feel good but it doesn't help you defend things. [Secrecy] benefits the attackers, not the victims."

He said the attacks come from individuals "with intense discipline," adding that "no other organization could do this if they were not a military organization." The perpetrators "were in and out with no keystroke errors and left no fingerprints, and created a backdoor in less than 30 minutes. How can this be done by anyone other than a military organization?"

Paller said hackers like those associated with Titan Rain are having an easier time pulling off their attacks because IT security administrators often aren't trained in how to stop them. Stephen Northcutt, director of training and certification for the SANS Institute, said many organizations have a Band-Aid approach to security, and the institute's new education programs are designed to make IT security managers more proactive by giving them leadership skills.

"You need to be able to communicate clearly in speech and writing, to not explain things in an overly technical way," he said, adding that two popular approaches to security management -- to take a single certification exam and be qualified for life, and buy one "all-in-one" security device -- are not enough. There must be a layered defense and managers need leadership skills to drive home the threats and needs to upper management.

As a result, the SANS programs will be writing-intensive. "We'll be pushing people to be able to write journal-level papers," Northcutt said.

Paller said the programs are for two years and 31 credit hours. The cost will be in the $25,000-to-$30,000-range. He added that the programs won't be available to everyone. "Students must have intensive experience in the field, and their companies must say they're being groomed for management," he said.

Degree candidates will have the opportunity to study with faculty "who have written many of the books that other security programs use," the institute said in a statement released before the press conference. "Many on the faculty hold PhD and Masters degrees from institutions like MIT, Carnegie Mellon, SUNY, Mary Washington, University of Texas, Harvard Business School, and other leading schools."

Over the course of the Masters program, all degree candidates will attend three six-to-seven-day residential institutes where they will study and work with other students on a full-time basis, the statement added. "The remainder of their program will involve online training -- particularly live online where the faculty and students are interacting in real time."