forked from joras/ITCollege-LaTeX
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathintroduction.tex
More file actions
102 lines (68 loc) · 9.86 KB
/
Copy pathintroduction.tex
File metadata and controls
102 lines (68 loc) · 9.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
\chapter{Introduction}
\label{Introduction}
\begin{quote}
"Genuine cybersecurity should not be seen as an additional cost, but as an enabler, guarding our entire digital way of life." --- Toomas Hendrik Ilves
\end{quote}
\lettrine[lraise=0.1, nindent=0em, slope=-.5em]{\color{Violet}C}{yber} security is a premise for entire digital lifestyle. Information society relies on trust to the information and communications technology (\gls{ICT}) systems. However, every system needs maintenance and care from highly skilled technicians who have sufficient knowledge of securing complicated networks and services.
This thesis focuses on developing a practical hands-on e-course for system administrators who protect the citizens' everyday digital life. Developed laboratories will be used to teach IT System Administration students in Estonian IT College (\gls{EITC}) and also in continuous education field. Moreover, all study materials will be released under Creative Commons Attribution-ShareAlike 3.0 Unported (\gls{CC-BY-SA}) license and all software developed during this work will be distributed under \gls{MIT} and can be used by any institution or interested party.
The cyber security field is rapidly growing and the need for highly educated and security aware \gls{ICT} specialists is increasing. Due to malicious activities proliferating in the Internet, the education in \gls{ICT} field should emphasize knowledge and skills in cyber security field.
Growth of the Internet connected services and networked infrastructure contribute to the magnitude of possible damage that cyber attacks can cause to a country. Several countries have developed cyber security strategies and implementation plans to deal with the problem.
Estonia developed a strategy plan in 2008 \citep{Strategy2008} and the government plans to update the strategy at end of 2013 \citep{StrategyProposal2013}. However, the strategy states that one problem is the absence of sufficient number of highly educated IT professionals. Citation from strategy:
\begin{quote}
"In 2007, a survey of the institutions belonging to Estonia’s critical infrastructure revealed that the biggest shortcoming in the field of information security is the shortage of qualified labour." \citep[p.~16]{Strategy2008}
\end{quote}
Tallinn University of Technology (\gls{TUT}) and University of Tartu (\gls{UT}) have joint Cyber Security Curricula to alleviate the problem. The job titles of the graduates of the curricula may include the following: security analyst, architect, research engineer or managerial roles as project/team leader or technology officer \citep{TUT_UT_curriculum}. Thereof the curriculum is focused on producing the officers for cyber field.
However, officers need line soldiers to perform their duty.
Almost every company needs system administrators (as line soldiers) who are focused on their area but are not necessarily cyber security specialists. Moreover, they often have degree from applied universities or no degree at all, but have good specialised self-education.
The Estonian IT College (\gls{EITC}) is focused on applied higher education. Study programs in \gls{EITC} include development, administration and system analysis. IT System administration curricula was opened in 2000 \citep{website:EITC_history}. In the last ten years the situation in cyber field has turned more hostile and frictional. The partner organizations of \gls{EITC} who provide input to curricula development process, stated the need to include cyber security related skills and knowledge in study subjects.
For example, in 2009 the Rector of Estonian IT College received a letter from \gls{CERT.EE} stating a problem (free-translation):\par
{
\begin{spacing}{1}
\scriptsize
---Original Message-----
From: CERT.EE\\
Sent: Tuesday, February 10, 2009 3:55 PM\\
To: Rector of Estonian IT College\\
Cc: Heads of Curricula \\
Subject: Continuous education\\
Hello,
We have a problem:\\
There is an insufficient amount of IT system administrators in local governments, state agencies and small- and mid-size organizations.\\
...\\
With best regards,\\
CERT.EE Worker\\
---End of Original Message-----
\end{spacing}
}
For full letter (in Estonian), see Appendix~\ref{Letter from CERT.EE to the Rector of Estonian IT College} on page ~\pageref{Letter from CERT.EE to the Rector of Estonian IT College}.
Specialists and lecturers from \gls{CERT.EE} and from the Estonian IT College decided to develop a practical cyber security module for the \gls{EITC} IT system administration curriculum which is usable in higher education and also in continuous education.
The subjects in current system administration curriculum should also be reviewed and changed according to the needs of the cyber security field. For example, the hands-on class for installing a web server should contain installation, configuration and also the defence and mitigation methods against common attacks.
For system administrators the security aspects should be included in specific subjects extending them instead of creating a separate subjects. On the other hand, some subjects should focus only on the security, architecture and processes.
The author of this thesis focuses on the practical classes in this project. Author's contribution consists of hands-on labs for the IT infrastructure services e-course.
\section{Main Problems}
The main problem is the lack of skilled and security aware system administrators (in Estonia) who are able to build company IT infrastructure and perform everyday maintenance tasks for IT services.
During discussions with partners and private companies several sub-problems in the current situation were listed (for further details see \emph{Problem Analysis}~\ref{Problem Analysis} section).
\begin{itemize}
\item Private companies and the governmental sectors need for security aware professional systems administrators is increasing. Today the Estonian \gls{ICT} educational sector does not fill the gap between demands and the amount of graduated specialists.
\item The study in IT System administration curriculum should have a more practical approach and the cyber defence related hands-on practical classes should give better practical and technical preparation for graduates.
\item Studying cyber defence should be more attractive and playful for students. Defending systems is being considered less interesting than attacking them.
\item IT System administrators in Estonian public sector are often self-taught (in cyber security field) and some of them do not have higher education in the \gls{ICT} field. Moreover, the knowledge needed to protect their IT systems is lesser compared with demands of the industry as described in CERT.EE letter (see Appendix~\ref{Letter from CERT.EE to the Rector of Estonian IT College} on page ~\pageref{Letter from CERT.EE to the Rector of Estonian IT College}).
\item The private education companies offer vendor and product based courses which often do not provide enough related knowledge and do not give a broader view of the problem.
\item The courses should use free and open source software because the knowledge gathered by studying those solutions can be implemented in open or closed proprietary systems.
\end{itemize}
\section{Main Objectives}
The main objective of this thesis is to develop a practical hands-on e-course "Securing IT Infrastructure Services" focusing on the installation, configuring and securing different IT infrastructure services.
This particular objective may be divided into smaller sub-problems and areas.
%Considering the main problems, analyse requirements for hands-on e-course and choose methodology to implement the course.
\begin{itemize}
\item To implement practical hands-on labs for system administrators
\item To improve quality of graduates using lab intensive study to perform realistic laboratory work and increase the amount of practical hands-on study and decrease the proportion of lectures.
\item To improve motivation and increase the role of other skilled students as tutors by using the \gls{Coding Dojo} methodology, known in programmers field to train system administrators. The author would like to name this method \emph{Command Dojo} because most of the work is done in the command line of different servers.
\item To improve student motivation in defence exercises by using a reward model with virtual badges as markers of success in practical task/field. For example, a badge for securing web server from \gls{SQLi}, \gls{XSS} etc. The reward badges are shown in the user profile in the laboratory system and can be seen by other students.
\end{itemize}
\par
\section{Outline of the thesis}
The thesis is divided into following chapters: Analysis chapter covers the problem, similar work, method and analysis of the e-learning course. The following chapter Solution, is focused on design and authoring the course materials. Next chapter the Evaluation of the E-learning Course concentrates on to the feedback and quality of developed course. Next, a Future Research reviews new ideas, problems and areas left out due to time and scope limitations or occurred after or during evaluation of the course. The Conclusion chapter summarises the problem, analysis, solution and evaluation chapters.
\section{Acknowledgements}
The Author would like to thank Rain Ottis for reviewing and ideas, Toomas Lepik, Hillar Aarelaid, for ideas. Author also thanks Kaur Kasak, Risto Vaarandi, Antti Andreiman and Meelis Roos for courses in TUT and UT which gave great inspiration for this thesis. For programming the distance laboratory system, author thanks the team: Aivar Guitar, Carolyn Fisher, Madis Toom, Tiia Tänav. And last but not least Leelo for all support and also for by being with little Margaret, without her effort this thesis would not exist.
The development of e-learning course materials, scripts and environment of distance laboratory are funded by the European Social Fund \gls{ESF} project "Practical Cybersecurity for IT Systems Administrators" \citep{website:ESF_project}.