Penn State Online
Bachelor of Science in Security and Risk Analysis – Information and Cyber Security Option
“In the not too distant future, we anticipate that the cyber threat will pose the greatest threat to our country.”
—Robert Mueller, Director of the FBI*
Information and Cyber Security
Malware, data breaches, denial of service, phishing, and other cyber attacks are proliferating. Highly publicized attacks on major corporations, governments, infrastructure, and financial organizations are in the news almost daily, underscoring the need for professionals who are trained to recognize and deal with cyber threats.
Cyber attacks can come in a variety of forms, but often the intent is malicious — an attempt to bring down a computer system, or an intrusion seeking to access and steal intellectual or proprietary data and information. At risk are such things as trade or industry secrets, corporate reputation, customer data including credit card information, and even physical damage to equipment. In fact, a recent report by the Office of the National Counterintelligence Executive highlighted the ease with which foreign collectors of economic information are able to operate in cyberspace with relatively little risk of detection by their private sector targets.
As governments and private entities become increasingly dependent on computer technology to transmit and store sensitive data, intellectual property, and financial transactions, the need for information security and risk analysis professionals will increase.
Why Security and Risk Analysis at Penn State?
Former National Security Agency Director Mike McConnell recently warned that the U.S. government is not equipped to detect and deflect a catastrophic [cyber] attack.
Penn State’s security and risk analysis degree focuses on the technologies, education, and policies to protect people, information, and other assets. Students are introduced to the tools and skills needed to determine the required confidentiality, integrity, and availability of an asset (i.e. a person, structure, facility, information, material, or process that has value).
The degree looks at how to design secure systems, evaluate and measure risk, and ensure that proper levels of privacy are maintained for individual technology users, businesses, government, and other organizations. Courses specific to information and cyber security are embedded within the degree program. These courses can provide you with an understanding of the theories, skills, and technologies associated with network security, cyber threat defense, information warfare, and critical infrastructure protection across multiple industries.
Penn State is recognized by the National Security Agency and Department of Homeland Security as a Center of Academic Excellence (CAE) in Information Assurance and Cyber Defense. The Penn State College of Information Sciences and Technology is a leader among information schools, and the faculty are a diverse group of thought leaders from numerous fields, including computer science, engineering, psychology, chemistry, artificial intelligence, and more.
Who Should Apply?
The SRA major is designed to provide a unique, interdisciplinary curriculum that integrates areas of study in information assurance (both digital and physical security), intelligence analysis, and cyber forensics. If you work in or aspire to work in areas of information and data security, system security, network security, cyber security, intelligence, cyber-intelligence, intel analytics, or cyber crime prevention, this could be an excellent program for you.
Career Opportunities for Graduates
As people and organizations continue to shift more of their business and personal interactions to the Internet, the need is growing for professionals who can keep information and data secure. You can find such careers in business and industry, government and intelligence, and protective services and criminology, among others.
With the BS in SRA, you can prepare for positions such as:
- applications security specialist
- network security specialist
- computer forensics specialist
- computer system auditor
- intelligence analyst and specialist
- cyber-intelligence analyst
- business intelligence analyst
- business process analyst
- counterintelligence and counterterrorism threat analyst
- economic crime analyst
- information security analyst
- international crime officer
- policy analyst
- program and management analyst
Online Education at Penn State
Penn State has a history of 100+ years of distance education and more than a decade of experience in online learning. We create an online learning environment that offers you the same quality education our residential students experience in a face-to-face setting. Learn more about Penn State World Campus.
When you have successfully completed this program, you will receive the same Penn State diploma that all of our graduates receive. You will become part of a worldwide network of alumni and can choose to join the largest dues-paying alumni association in the world with more than 170,000 members.
*RSAC US 2012 Keynote — Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies
Why you shouldn’t train employees for security awareness
If there’s one myth in the information security field that just won’t die, it’s that an organization’s security posture can be substantially improved by regularly training employees in how not to infect the company. [Editor’s note: See Joe Ferrara’s recent article, 10 commandments for effective security training.]
You can see the reasoning behind it, of course. RSA was breached in 2011 through a spreadsheet carrying a zero-day Flash exploit, delivered by a phishing email to a handful of employees. A few days later the entire company’s SecurID franchise was at risk of being irrelevant once the attackers had gone off with the token seed records that underpinned the system.
But do phishing attacks like the one on RSA prove that employee training is a must, or just the opposite? If employees or executives at RSA, Google, eBay, Adobe, Facebook, Oak Ridge National Laboratory and other technologically sophisticated organizations can be phished, doesn’t that suggest that even knowledgeable and trained people still fall victim to attacks?
One of the best examples ever of the limitations of training is West Point’s 2004 phishing experiment called “Carronade.” Cadets were sent phishing emails to test their security. Even after undergoing four hours of computer security training, 90 percent of cadets still clicked on the embedded link.
Fundamentally, what IT professionals are saying when they ask for a training program for their users is, “It’s not our fault.” But this is false: a user has no responsibility over the network, and no more ability to recognize or protect against modern information security threats than a teller has to protect a bank. After all, is an employee really any match for an Operation Shady RAT, Operation Aurora or Night Dragon? Blaming a high infection rate on users is misguided, particularly given the advanced level of many attacks.
I’ll admit, it’s hard to find broad statistical evidence that supports this point-of-view—not surprisingly, security firms don’t typically share data on how successful or unsuccessful training is to an organizational body, the way West Point did. But I can share a few anecdotes from my company’s own consulting work that should shed some light on this problem.
The clients we typically consult with are large enterprises in financial services or manufacturing. All of them have sophisticated employee awareness and security training programs in place—and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.
We also frequently conduct social engineering attacks against help desks and other corporate phone banks for customers. While each of the personnel in these security-sensitive roles has extensive training and is warned against social engineering attacks, the only thing that stops our testers is technical measures. In other words, if a help desk employee can technically change your password without getting a valid answer from you about your mother’s maiden name, then a company like Immunity will find a way to convince them to do so.
We’ve also found glaring flaws—like SQL injection, cross-site scripting, authentication, etc.—in the training software used by many clients. This is more humorous than dangerous, but it adds irony to the otherwise large waste of time these applications represent.
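The two flaw classes named above, SQL injection and cross-site scripting, shown in an added example (Python; not code from the article or from Immunity): a toy “training portal” login with a string-built query beside its parameterised form, and a greeting page with and without HTML escaping. The table, the single account and the attack payloads are constructed here for illustration.

```python
# Added example (not from the article or from Immunity): the two web flaws named
# above, SQL injection and cross-site scripting, in a toy "training portal" login.
# The database, the single account and the attack payloads are constructed here.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account.

    Passwords are stored in the clear only so the injection point stays visible;
    a real application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String-concatenated query: whatever the user types becomes SQL syntax."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so a quote
    or comment marker in the input is compared as data and can never close the
    string literal or add a clause."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def greeting_vulnerable(username: str) -> str:
    """Reflects the name straight into the page: a <script> tag in the name runs."""
    return "<p>Welcome, " + username + "</p>"


def greeting_hardened(username: str) -> str:
    """Escapes &, <, >, " and ' so the browser renders the name as text."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


# Constructed payloads: a tautology that makes the WHERE clause true for any
# account, and a reflected-XSS probe.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    conn = make_db()
    # With the tautology as the password the concatenated query becomes
    #   ... WHERE username = 'alice' AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so the row count is 1 and the check passes.
    print("vulnerable login, no password:", login_vulnerable(conn, "alice", SQLI_PAYLOAD))
    print("hardened login, same input:   ", login_hardened(conn, "alice", SQLI_PAYLOAD))
    print("hardened login, real password:", login_hardened(conn, "alice", "correct horse"))
    print(greeting_vulnerable(XSS_PAYLOAD))
    print(greeting_hardened(XSS_PAYLOAD))
```

The parameterised form is the whole fix for the query: no input filtering is involved, the driver simply never lets the value be parsed as SQL. For the output side, escaping at the point where text is written into HTML is what makes the difference; the same name stored in the database is harmless until it is rendered unescaped.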
Instead of spending time, money and human resources on trying to teach employees to be secure, companies should focus on securing the environment and segmenting the network. A much better corporate IT philosophy is that employees should be able to click on any link and open any attachment without risk of harming the organization. They are going to do so anyway, so you might as well plan for it. It is the job of the CSO, CISO or IT security manager to make sure that threats are stopped before reaching an employee and, if those measures fail, that the network is properly segmented to limit the infection’s spread.
Here’s what organizations should do instead of wasting time on employee training:
- Audit Your Periphery — Websites, back-end databases, servers and networks should be thoroughly audited on a regular basis for vulnerabilities, both by internal security personnel and external pen-testers. They should be rigorously tested against current and most likely attacks. Had Citigroup’s website been tested for basic web application flaws, it could have avoided the June 2011 attack that compromised 200,000 customer accounts. This is both cheap and easy to take off the table.
- Perimeter Defense/Monitoring — Robust perimeter defenses should be in place, and regularly tested. These should be protecting the network from both intrusions and data exfiltration. Data exfiltration monitoring should also be ongoing.
- Isolate and Protect Critical Data — What valuable information does your business store in online databases? Classifying business data should be near the top of the CSO/CISO’s to-do list. He or she should thoroughly examine the information stored online and move critical data offline or behind strict network segmentation.
- Segment the Network — Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Had RSA done this, it might have prevented the theft of its SecurID seed records. If one employee’s PC is infected, it should not be able to spread through the entire system.
- Access Creep — What level of access does each employee have to the network and critical data? How well is this monitored? Limiting unnecessary access is another key element of an effective security posture.
- Incident Response — Proactively examine important boxes for rootkits. You’ll be amazed at what you find. And finding is the first step to actually building a defense against “Advanced Persistent Threats .”
- Strong Security Leadership — For a company to have a CSO/CISO isn’t enough. The chief security executive should have meaningful authority too. He or she should have “kill switch” authority over projects that fail to properly account for security, and real say over security’s percentage of the budget. A strong security program should have at least the same budget as the marketing department.
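The segmentation point above, that one infected PC must not be able to reach everything, can be checked rather than asserted. The added example below (Python; not code from the article or from Immunity) computes the blast radius of a compromised workstation under two policies, a flat network and a segmented one, and lists which crown-jewel segments remain reachable and by what hop chain. The segment names, the allowed flows and the crown-jewel list are constructed here; in practice the flow table would be exported from firewall rules or cloud security groups.

```python
# Added example (not from the article or from Immunity): measuring the blast
# radius of one compromised workstation under a segmentation policy. The
# segments, the allowed flows and the crown-jewel list are constructed here;
# real input would come from firewall rules or cloud security-group exports.
from collections import deque

SEGMENTS = ["workstations", "jump-hosts", "app-servers", "db-servers",
            "backup-servers", "guest-wifi"]
# The data the CSO/CISO most needs to keep out of reach.
CROWN_JEWELS = {"db-servers", "backup-servers"}

# Flat network: every segment may initiate connections to every other one.
FLAT_POLICY = {src: set(SEGMENTS) - {src} for src in SEGMENTS}

# Segmented network: only the listed src -> dst flows are allowed; anything
# not listed is denied. The backup tier *pulls* from the database tier, so no
# segment can initiate a connection into it.
SEGMENTED_POLICY = {
    "workstations":   {"app-servers", "jump-hosts"},
    "jump-hosts":     {"app-servers", "db-servers"},
    "app-servers":    {"db-servers"},
    "db-servers":     set(),
    "backup-servers": {"db-servers"},
    "guest-wifi":     set(),
}


def shortest_paths(policy, start):
    """Breadth-first search over allowed flows. An attacker who controls hosts in
    a segment can use them as a pivot, so reachability is transitive; the result
    maps each reachable segment to the hop chain from start."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in sorted(policy.get(seg, ())):
            if nxt not in parent:
                parent[nxt] = seg
                queue.append(nxt)
    paths = {}
    for seg in parent:
        chain, cur = [], seg
        while cur is not None:
            chain.append(cur)
            cur = parent[cur]
        paths[seg] = chain[::-1]
    return paths


def blast_radius(policy, start):
    """Segments other than start that a compromise in start can spread to."""
    return set(shortest_paths(policy, start)) - {start}


def exposed_jewels(policy, start, jewels=CROWN_JEWELS):
    """Crown-jewel segments reachable from start, with the path that gets there.
    Each path names the flow rule to tighten if that exposure is unacceptable."""
    paths = shortest_paths(policy, start)
    return {seg: paths[seg] for seg in sorted(jewels) if seg in paths}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        radius = sorted(blast_radius(policy, "workstations"))
        print(f"{name}: infected workstation reaches {radius}")
        for jewel, path in exposed_jewels(policy, "workstations").items():
            print(f"  {jewel} exposed via {' -> '.join(path)}")
```

In the flat policy every segment, including both crown jewels, is one hop from an infected workstation. In the segmented policy the database tier is still reachable, but only through the application tier, which is where the remaining controls (authentication, query whitelisting, monitoring) have to live; the backup tier is unreachable from the user side because it only ever pulls, which is exactly the property that keeps ransomware on a workstation away from the backups.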
There’s a lot of money and good feeling in running employee training programs, but organizations will be much better off if the CSO/CISO focuses instead on preventing network threats and limiting their potential range. Employees can’t be expected to keep the company safe; in fact it is just the opposite. Security training will lead to confusion more than anything else.
By following an offensive security program, companies can keep their networks, and employees, protected.
Dave Aitel, CEO of Immunity Inc., is a former computer scientist for the National Security Agency. His firm specializes in offensive security and consults for large financial institutions and Fortune/Global 500s. www.immunityinc.com
UAE leads the way in cyber security
DUBAI // The UAE is weeks away from establishing the first national authority for cyber security in the region, to combat online threats to military and critical installations.
Speaking at the Gulf International Cyber Security Symposium, Maj Gen Mohammed Al Essa of the Ministry of Defence, said that the three services of the armed forces were working closely on enhancing the security of digital communications systems to sustain a high readiness to face any threat to national or regional stability.
“The UAE introduced the necessary legislation and regulations which culminated in a special federal decree issued by the President to establish a national authority for cyber security,” Gen Al Essa said.
The new authority, National Electronic Security Authority (Nesa), is in the final stages of establishing itself, with matters of operational procedures and manpower being laid out, sources have said.
Federal Decree No 3 for 2012, establishing Nesa, states that it will be affiliated with the Supreme National Security Council.
It will be financially and administratively independent, with full legal competence and executive and control powers as needed to practise its work.
Nesa will have its headquarters in the city of Abu Dhabi and branches and offices may be established inside and outside the UAE.
According to retired Maj Gen Khaled Al Buainnain, former commander of the UAE Air Force and president of the Institute of Near East and Gulf Military Analysis, the authority is essential to enhancing cyber security.
“The UAE is the most advanced nation in the [Arabian] Gulf and the Arab world with regards to its cyber-technology infrastructure, however, having the most advanced infrastructure makes you the most vulnerable because of the rapidly changing and developing advances in cyber warfare,” Gen Al Buainnain said.
Nesa will not only monitor the front line of the UAE’s war against cyber attacks, but also protect the country’s communications networks and continue to develop, modify and use devices required in the field of electronic security.
The authority also aims to enhance the efficiency of the exchange of information across the country.
“The UAE Armed Forces and security agencies have come a long way in the past decades and have seen considerable progress on all fronts, especially in enhancing defensive capabilities in the area of cyber space,” Gen Al Essa said, adding that regional and international cooperation is the key to achieving cyber security.
“The UAE firmly believes that cyber security can be achieved only through cooperation with the peace-loving countries.”
Nesa will also be responsible for proposing and implementing the UAE’s national policy on electronic security, and for developing a national plan to confront any risks, threats or attacks. It will coordinate with the authorities concerned and will spearhead operations to combat cyber crimes in the country.
During yesterday�s summit, military experts underlined the importance of cyber defences.
Former US military central command chief, Gen John Abizaid, described cyber warfare as the newest and fifth realm of war.
“When man first existed there was land warfare as the first realm of war, then he created ships and there was sea warfare, around the time of World War One, the third realm of air warfare was created and, during the Cold War, space warfare became the fourth,” Gen Abizaid said.
“Now we face a new threat and a fifth realm, one that is rapidly developing and growing, cyber warfare.”
Lord John Reid, a former British defence minister, told the audience that governments the world over faced challenges in cyber warfare due to the compartmentalising of various departments that should be working together.
Government’s Cyber Security Strategy
The 2015 Cyber Security Strategy signals the government’s commitment to ensuring New Zealand is secure, resilient and prosperous online.
New Zealand’s Cyber Security Strategy and Action Plan (2015) recognises that the threat to New Zealanders and the New Zealand economy from cyber intrusions is real and growing. The National Plan to Address Cybercrime outlines the Government’s response to cybercrime. The Strategy is also available in a condensed two-page Summary document.
The Cyber Security Strategy has four intersecting goals
The Strategy is underpinned by four principles:
- Partnerships are essential
- Economic growth is enabled
- National security is upheld
- Human rights are protected online
The Cyber Security Strategy is accompanied by a living Action Plan. This Plan will evolve to keep pace with technology developments and the emergence of new threats. New actions may be added, and existing actions amended.
Improving cyber security is a shared responsibility. In developing the Strategy, the government sought input from a wide range of stakeholders across government, industry, non-government organisations and academia.
The National Cyber Policy Office has worked with government agencies and Connect Smart public-private partners to produce the first Annual Report on progress with the implementation of the Action Plan.
Annual Report on Cyber Security Action Plan 2016
Download a copy of the 2016 Annual Report on the Cyber Security Action Plan.
Cyber Security Awareness Training
Educate your users – they are your first and last level of defence!
Cyber threats such as phishing, malware and ransomware can go undetected for days, weeks or months. The impact can be considerable: data leakage or loss, network outages, financial loss and reputational damage.
The cyber security landscape is constantly changing; phishing and ransomware compromise organisations and people every day. These threats have to be dealt with at every level of the infrastructure, from the outside world all the way in to the users, in what we call our “outside-in and inside-out” approach to cyber security.
Employee education is vital in the defence against phishing and ransomware
Even with heavy investment in your security infrastructure, the weakest and most vulnerable level of defence in your organisation is your users. Many of the recent successful cyber-attacks that have crippled organisations, caused severe financial loss and damaged reputations have been the result of phishing.
Phishing attacks make daily headline news, ranging from data loss or leakage, where employees submit confidential information to malicious phishing websites, to organisations crippled by ransomware after an employee opened an email attachment. These attacks highlight the lack of cyber-security awareness among users, a huge risk to any organisation.
Cyber Security Awareness Training – Phishing-as-a-Service
Providing user awareness training can help your organisation protect itself against cyber threats. Our Cyber Security Awareness Training service offers a complete and tailorable package for educating your users, including:
- Simulated phishing emails – Fully customisable for different requirements and scenarios.
- Simulated phishing websites – Fully customisable to your domain, website and intranet.
- On-Demand branded education landing pages to promote staff awareness training.
- Training modules with videos (customisable), interactive quizzes and tests
- “Cyber Security 101” Classroom Training held onsite, offsite at our training centre or virtually (online), led by Cyber Security trainers for improved staff awareness, security policy compliance and employee inductions.
- Detailed reporting showing stats/graphs after each phishing campaign, illustrating the ‘risk’ to your organisation used to show improvements as more training takes place (ROI)
- Security “pay as you go” services – Endpoint vulnerability assessment, “drive-by” threats, file attachment downloads and simulated ransomware attacks to highlight the weaknesses in your internal infrastructure. Simulated USB and ‘smishing’ (SMS phishing) attacks are available as alternative ways to promote awareness of how an attacker can attempt to compromise your environment.
We have a number of training options available ranging from a single Phishing service (known as a campaign) to multiple services carried out regularly, all tailorable to meet specific customer needs. All training services are carried out and led by only experienced and trained cyber security specialists. Please download our Cyber Security Awareness Training brochure for further details on the service options available.
Why Khipu’s Cyber Security Awareness Training Service?
Khipu Networks “Phishing As A Service” is a unique offering for organisations that wish to protect their environments from the ever-changing cyber threat landscape. Our awareness training includes the following unique value-add services:
Cost Effective and Easy to Scale. A single cost regardless of how many users are “phished” instead of a “per-user” price model which can be expensive and difficult to scale.
Trainer-led: The awareness training service is carried out only by experienced and trained Cyber Security experts. The service is not an “email-only” software solution.
Unique security and training offerings including:
- Unlimited email addresses / users
- Customised awareness training video
- Trainer-led by experienced Cyber Security specialists
- Security “pay as you go” services including endpoint vulnerability assessments and simulated ransomware attacks.
- Simulated USB and ‘smishing’ (SMS phishing) attacks
- Flexible and tailorable services to meet specific customer requirements
Classroom Cyber Security Training Services. Courses, interactive sessions and tests available for improved staff awareness, security policy compliance and employee inductions. Courses are held either onsite at the customer premises, offsite at Khipu’s training centre or virtually (online).
Khipu – a Complete Networking and Cyber Security Company. We can advise on an organisation’s entire networking and cyber security strategy, as our services and products address all areas relating to cyber threats and attacks.