A growing trend in the cybersecurity industry is rooted in educating everyone about the risks of a cyber attack.
Universities around the world are developing undergrad and graduate degree programs, professional mentors are engaging with high school students, girls are coding. Everyone's getting in on cybersecurity awareness, particularly as it relates to business risk.
That's why MIT is launching a new online course for business professionals titled, Cybersecurity: Technology, Application and Policy.
MIT Professor Howard Shrobe, director of cybersecurity and a principal research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), said, "We created this course to tackle the ever-important issue of cybersecurity. Cyber-attacks continue to occur and we are basically stuck in what I often refer to as “cyber hell”, paying this reactive game of catch-up in which bad actors always seem to have the advantage."
MIT's mission is to move organizations away from the current “patch and pray” approach toward security by default, where attacks are managed in a proactive and systematic way.
In order to accomplish that goal, "We must educate professionals from a variety of perspectives, including technology, public policy and organizational management," said Shrobe.
Because new technologies will require new policies and incentives, and emerging policies must adapt to future technologies, "We have brought together a pool of world-renowned faculty cybersecurity experts from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and the Sloan School of Management to teach this online course," Shrobe said.
The six-week course offers a holistic, comprehensive view of key technologies, techniques and systems. The goal, said Shrobe, is for participants to walk away with a broad understanding of hardware, software, cryptography, and policy to make better, safer long-term security decisions.
"Some of the research we focus on is about creating systems that are harder to hack. We’ve demonstrated that it is possible to design a modern computer system that attackers can’t break into and that can protect our information," Shrobe said.
The ability to effectively reengineer systems for today’s needs, allows for removing entire classes of vulnerabilities at a time. "What we are examining now (and that we explore in the course)," Shrobe said, "are the architectural principals that would govern those secure designs."
There are a a handful of these that cover most of the vulnerabilities that exist, such as memory safety. "Memory safety errors account for well over 50% of the vulnerabilities. We explore how these errors can be eliminated completely in many programming languages, even if programmers make coding mistakes," Shrobe said.
Sprinkled with case studies used to illustrate the impact of emerging technologies and look at the policy implications impacting the field, the course examines Bitlocker and using the Trusted platform to build a disk encryption system with passwords, removable devices and trusted hardware methods, Shrobe said.
"We also have a case study on mobile security that looks back at Android’s development: What worked? What didn’t work? What changes have been made to overcome challenges?"
By providing a global, systems-wide look at security, the course allows business professionals to look back through a historical lens and learn from examples of what can go wrong.
"The way in which we architect computer systems has its roots in the 1970’s when the Unix operating system was developed, along with its system programming language C, which is still used for most system programming, but these languages have low-level security properties that can help explain why security is such a hard goal to achieve," Shrobe said.
Professionals can come to understand some of the main causes of security breaches by learning how novel hardware architectures can be used to help enforce the security properties that operating systems and programming languages expect.
"We teach how to enforce properties in hardware, which can be much more systematic and dramatically more efficient than enforcement by software alone," Shrobe said.
Participants will also examine the various design approaches, including complete mediation, and consider all the possible paths to security breaches, "Including permissions, access, Trojans, bugs and many others," Shrobe said.
"We also introduce more advanced notions, such as digital signatures, homomorphic encryption and elliptic curves and examine a variety of solutions to security and how they can be applied in a range of domains."
The rapidly growing reality of IoT and mobile brings a whole new level of concern to cybersecurity. "When you cobble them together, the resulting chain will only be as strong as the weakest link. Professionals will need additional training to bring security and order to the chaos the IoT is generating," Shrobe said.
Still, human beings remain the weakest link, which is why, Shrobe said, the course will also examine managerial, strategic and organizational issues that can help improve performance and reduce the growing cyber threat.
This article is published as part of the IDG Contributor Network. Want to Join?