
Many hands make light work - Combining regional resources to make a powerful Cybersecurity program

(Fri: 5:00 to 6:00 p.m., P3B-1)


Dr. Ron McFarland, Ph.D., PMP, CISSP
Cybersecurity Project Manager – College of the Canyons
Post-doc Researcher: University of Maryland, University College
Center for Cybersecurity Studies
Collaboration within a region of colleges for cybersecurity education
South Central Coast Regional Consortium of the California Community Colleges
Introduction
Topics
• A summarization of the obvious need for increased cyber
security training that will support industry, academia, and
governmental agencies
• Discussion of the opportunity to leverage shared resources for
cyber security training
• How the SCCRC is accomplishing this

Organizations and governments are just not
ready…
• An expanding threat scape…
• A predominance of cyber security issues nationally and within our organizations today that
are not being readily addressed.
• GDPR-compliance requirements for companies doing business in the European Union
(EU). Many companies will not be GDPR-compliant by the deadline of May 25, 2018
(Drake, 2017).
• Because of the recent dramatic market swings and expanded popularity of
cryptocurrencies, cybercriminals will focus more on cryptocurrencies (Goldman,
Maruyama, Rosenberg, Saravalle and Solomon-Strauss, 2017).
• As AI more fully develops and becomes more main-streamed, AI-Powered attacks will
increase over the existing high levels of AI-related attacks of 2018. AI will influence an
increase in data breaches (Turchin and Denkenberger, 2018).
• Researchers noted that more Mobile Threats were due to the increasing amount of
unique mobile ransomware. To deliver the malware to the biggest audience, hackers
exploited Google Play store by attacking the Android mobile OS (Goel and Jain, 2017).

Organizations and governments are just not
ready…
• Cloud security will be a top priority concern. As the number of
companies is growing, the cloud adoption rate has risen. Cloud
security is a top concern for 70% of IT Professionals, including
unauthorized access, malware, and DoS attacks (Mir, Suhaimi,
Adam, Ul Islam Khan, Mattoo, Mueen, and Olanrewaju, 2017).
• Ransomware and IoT - Ransomware has targeted more IoT
devices in 2018. Many IoT devices are getting locked up by
ransomware (Maurya, Kumar, Agrawal, and Khan, 2018).
• A Rise in State-Sponsored Attacks - When it comes to state-
sponsored attacks, the intention goes beyond monetary value.
These attacks are political in nature, and they don’t target any
business or person (Jalali and Kaiser, 2018).

Organizations and governments are just not
ready…
• Cyber war - In 2018, we can further see the escalation of
international conflicts in cyberspace. This may disrupt the
normal operations of government and financial systems
(Robinson, Jones, Janicke, and Maglaras, 2018).
• The Decline of Password-Only Authentication – Alternative
security access - Multi-Factor Authentication, and Risk Factor
Authentication (Krishnamoorthy, 2018).
• In general, the overall level of data breaches doubled from 2016
to 2017 and is expected to double again when measured at the
end of 2018 (Wang, Jan, Hu, Bossart, and Wang, 2018).
1.5 million to 3.5 million security professionals
are needed
• Cisco’s (2014) Annual Security Report ventured a widely popular cybersecurity
jobs forecast stating “It’s estimated that by 2014, the industry will still be short
more than a million security professionals across the globe.”
• In 2015, Symantec anticipated that the demand for cybersecurity talent would rise
to 6 million globally by 2019, with a projected shortfall of 1.5 million additional
personnel needed worldwide.
• Also, a skills gap analysis from ISACA (2016) estimated the global shortage to be
around 2 million cybersecurity professionals by 2019 (a half-million more than
Symantec’s prior estimate). In a more recent discussion regarding the impact of
Artificial Intelligence on cyber security hacking, the author estimated that 3.5
million cyber security positions will go unfilled by 2021 due to new technology
used by attackers (Veiga, 2018).
• In terms of the financial estimates, another study states that cybersecurity jobs
forecasts have been unable to keep pace with the dramatic rise in cybercrime,
which is predicted to cost the world $6 trillion annually by 2021, up from $3 trillion
in 2015 (Askari, 2018).

Top salaries are paid in cybersecurity
• CyberSeek (2018) noted the top six cyber-related average salaries,
which includes:


• Application Security Engineer: $100,000 to $210,000,
• Network Security Analyst: $90,000 and $150,000,
• IS Security Manager (CISO, CTO, and CDO): $120,000 and
$180,000,
• Cybersecurity Analyst: $90,000 and $185,000,
• Penetration Tester: $90,000 to $180,000,
• IS Security Engineer: $90,000 to $150,000.

Educational Issues
• There is a strong need to provide skills training that includes
scenario-based skills practice (Kam et al., 2014).
• Given the high availability of online learning environments,
which include cloud-based and virtual environment alternatives,
training environments that are informal allow learners to engage
in real-life scenarios and activities (Kam et al., 2014).
• For more effective learning to occur, cybersecurity education
requires learners to acquire knowledge through hands-on
activities and authentic learning, whereby real-life scenarios are
investigated and acted upon (Kam et al., 2014).

Educational Issues
• Case studies that provide scenario-based learning opportunities are a
particularly viable strategy for authentic learning. Authentic learning allows
learners to discover both the “how” and “why” for given cyber security
attacks.
• With scenario-based training, researchers found that learners expected more
work and felt more fully supported with their learning objectives when
additional discussion opportunities existed with their peers, which
suggests the need for discussions about scenario-based training (Kam,
Gogolin & Emerick, 2014).
• Researchers identified two key challenges with setting up authentic
learning environments.
• (a) the time-consuming process for faculty in setting up a given course
• (b) effectively addressing the potential student bias and emotional attachment
because of prior learning experiences, which may have occurred on-the-job (Kam,
Gogolin & Emerick, 2014).

Lecturing and Simulated/Virtual
Environments
• Herbert and Wigley (2015) indicated that lecturing is readily achieved in
higher education, as it pertains to computer networking and related
security courses, but the delivery is often poorly done (Herbert & Wigley,
2015).
• However, several types of tools can be used in conjunction with, or as an
adjunct to, lecture. Fontes, Mahfoudi, Dabbous, Turletti, and Rothenberg
(2017) define these tool types as:
• Emulation Tools: Emulation tools are used to replicate the function and features of
physical devices.
• Software Simulators: Simulators are programmed to mimic a given environment, yet
due to the limitations of programming, not all real-world scenarios are represented in
a real environment.
• Virtualization: Virtualization is a way to make one or many resource(s) (such as an
operating system) run on a given hardware platform. Each virtualized environment is
identical to the corresponding physical environment.

Specific Virtualization Technologies
• Cisco VIRL (Virtual Internet Routing Lab): For computer
networking training, including network security courses,
researchers have found that the Cisco Virtual Internet Routing
Lab (VIRL), released by Cisco Systems in December, 2014, is
designed for student work in the computer networking
laboratory environment (Herbert & Wigley, 2015).
• Cisco Packet Tracer: A simulated environment. Cisco Packet
Tracer is a common tool used by students in computer
networking and security courses. Emulation tools often have
limited commands and lack the realism of a true network, but
are good to use to practice networking skills.

Simulators may be inadequate
• Herbert and Wigley (2015) further suggested that simulation tools,
like Cisco’s Packet Tracer, are a viable option, but simulation tools may
lead the student to the misperception that all networks and security
scenarios will behave as Packet Tracer does, since simulators lack
real-world functionality.
• The risk of using simulators exclusively for education and training
can have the effect of degrading a student’s learning experience
(Herbert & Wigley, 2015).
• Further, other researchers noted that the use of a simulation
environment alone in networking education is inadequate unless
students have developed a way to understand conceptual aspects of
networking technology (Frezzo, Behrens, & Mislevy, 2010).

General Virtualized Lab Environments
• Decentralized: The deployment of a VDI (Virtual Desktop Integration) image, which is a
decentralized lab approach, can be implemented where students can install and run
desktop virtualization software on their personal computers using tools like VMWare
Workstation or Oracle VM Virtualbox (Son, Irrechukwu, & Fitzgibbons, 2012). In a
decentralized lab setup, students use their own equipment (computer) to practice
computer networking and security skills. A limitation of the decentralized approach is that
each student will need to lease or purchase their own equipment for use, which may be a
barrier for some financially-strapped students.

• Centralized: Researchers agree that server virtualization, as a centralized server
approach, is more suitable to deploy cyber security-related virtual labs, which often
require high-end equipment and resources, in contrast to client virtualization, which often
does not scale well for cyber security courses (Son, Irrechukwu, & Fitzgibbons, 2012).
Students can connect directly to a centralized physical lab (and equipment) at their
educational institution to practice computer networking and security skills. Physical labs
contain high costs associated with the maintenance and repair of the hardware and
software. Further, researchers noted that the cost limitations for a physical lab should
include electricity and physical environmental costs.

Cloud-based service options
• The use of cloud-based services is an additional option for some
cybersecurity training, with limitations (Padhy, 2012).
• Padhy (2012) notes that virtualization is software that separates physical
infrastructures to create various dedicated resources (ex. virtualizing a
Windows 10 computer on a MacOS computer). Virtualization software
makes it possible to run multiple operating systems and multiple
applications on the same server at the same time.
• In contrast, cloud computing is the delivery of shared computing
resources, software or data as a service and on-demand through the
Internet (Padhy, 2012).
• As a general distinction - virtualization is software that manipulates
hardware, while cloud computing refers to a service that results from that
manipulation.

Emerging Cloud-based offerings
• EDURange is a cloud-based platform that implements
cybersecurity exercises to help undergraduates develop
analytical abilities and a security mindset (Weiss, Turbak,
Mache, and Locasto, 2017).
• However, Sohal, Sandhu, Sood and Chang (2018) discuss the
use of cloud-based services as a cybersecurity training
framework to identify edge devices in fog computing and
cloud-of-things (CoT) environments, which presently has a
narrow training and educational reach.

Efficacy and situated cognition theory
• Virtualization can provide the opportunity for educational efficacy
through the use of situated cognition theory, which
includes “the problem’s physical and conceptual structure as well as
the purpose of the activity and the social milieu in which it is
embedded.”
• More specifically, situated cognition theory focuses on the cognitive
ability for students to transfer learned knowledge, skills and abilities
(KSAs) to real-life scenarios through problem solving, which was
noted in seminal research by Rogoff (1984).
• Moreover, Rogoff (1984) noted that situated cognition theory defines
the details for thinking and how thinking evolves, which impacts the
understanding of real-life contexts, as it can be applied in a
virtualized environment.

Efficacy of Virtualization for learning
• Accessibility: The virtual lab must provide seamless access to the virtual remote learner. The
authors recommend that students not have to reserve time and that they have access to a 24x7x365
virtual lab environment (Son, Irrechukwu, & Fitzgibbons, 2012).

• Reliability: The remote virtual server(s) must support a significant number of concurrent users with
limited dedicated resources. In addition, there should be no significant delay with a large number of
concurrent users (Son, Irrechukwu, & Fitzgibbons, 2012).

• Virtual Machine (VM) configuration: The appropriate operating system(s) and related system
images that support the cyber security labs must be ready and available for students. To further
support student course requirements, the researchers discouraged requiring the additional time and effort
necessary to configure or install software, unless that task was necessary for the given lab (Son,
Irrechukwu, & Fitzgibbons, 2012).

• Privilege rights: Both privilege rights and access rights on virtual machines must be significantly
open to students so that they can accomplish network and security modifications without restrictions
on the virtual machines, as related to the given lab assignment(s) (Son, Irrechukwu, & Fitzgibbons,
2012).

Changes are pushing forward the need for
virtualized education/training
• Demographic trends: enrollments will soften until at least 2020, necessitating
institutions to seek creative ways to ensure courses ‘make’ at institutions by using
online and virtualized environments.
• Tuition cost: students cannot afford higher tuition and will become more resistant
to increased tuition costs. As a result, students will become smarter shoppers for
relevant education, which will have an impact on how colleges offer courses to
students, including online and virtualized courses.
• Continued proliferation of Internet technologies: Accelerating and converging
technology trends will provide new student training opportunities that employers will
progressively require of students, especially in the Information Technology
fields.
• Trend towards Competency-based education: CBE will allow students to leverage
their prior experiences to attain their desired certificate and degree goals in an
adaptive manner, suggesting that courses must offer real-life case scenarios.

Building forward
• Institutions must consistently provide training and education in ways
that students demand in order to be viable in the near future. This
can be accomplished by predictive analysis (Cini & Krause, 2014).
• Predictive analysis: Institutions will progressively use predictive
analysis to determine the most suitable design to create successful
student experiences, which can be gathered from online and
virtualized learning environments.
• Predictive analysis will assist in determining suitable educational
technologies, curriculum design, adaptive institutional policies, and
can assist in understanding and adapting to emerging student
behaviors (Cini & Krause, 2014).

Concerns
• Herbert and Wigley (2015) emphasize that the development of a student’s
experience (related to computer networking skills, including networking
security) must address both problem-solving and soft skills (such as
teamwork).
• Further, the researchers noted the high-cost for physical labs, which may
not be economically feasible for all colleges.
• Moreover, while virtualization environments can virtualize desktops and servers
quite well, the virtualization of networking equipment, including routers and
switches, is done poorly (Herbert & Wigley, 2015).
• However, both researchers noted that the “Laboratory-As-A-Service”
(LaaS) is evolving with NDG’s NetLab and Cisco’s vSphere, which
increasingly provides students with full virtualization of Cisco routers and
switches (Herbert & Wigley, 2015).

User discussions needed (e.g. faculty)
• Understand, inform and discuss for areas considering
Cybersecurity (virtual/mixed-mode) education:
• Virtualization and Cloud-based services between and among
partners
• Virtualization and Cloud-based security concerns and mitigation
strategies
• Discussion about a design that leverages existing processes
and controls (and potential enhancements)
• Additional robust security controls offered by given virtualization
and cloud services platforms

Architectural Conversations
• Scaffold requirements for each partner that determine what is
organizationally appropriate (processes, procedures, risk
appetite, maintenance and support).
• Investigate and discuss the technical aspects that tie to the
educational drivers including server consolidation,
administration, server to administrative ratio, provisioning of
instances, reconfiguration, and agility across schools.

Authentic Conversations about Concerns
• Manageability of the environment and who is responsible,
• Security of management infrastructure, change management, capacity planning and SLA
(service level agreements)/planning,
• Physical access (including location, access, security, etc.),
• VM sprawl (and contingency plans to manage the sprawl),
• Licensing compliance issues,
• Degree of resource utilization (bandwidth, servers, physical space, human resources),
• Cost to acquire and operate (initial & fixed costs vs. marginal cost),
• Complexity of design (provisioning multiple courses, multiple instructors, multiple
colleges),
• Reliance on virtualization (in contrast to physical environment),
• Reliance on the organization’s/school’s/consortium capabilities and risk management
approach.

General background for any virtual lab
environment design and discussion
• Opportunity to leverage combined resources, reduce
incremental student costs, and possibly, offer expanded
opportunities to a broader base of students and learners.
• Overview of the various modes of instructional delivery that
include lecture, the use of simulators, virtualized
environments, and cloud-based services, each of which offers
both benefits and drawbacks.
• Communication with users to define services and service-levels

How the SCCRC is approaching this
(discussion)

• Background
• 8 regional colleges in the California Community College System
• Allan Hancock
• Antelope Valley
• Cuesta College
• Santa Barbara
• Ventura District (Moorpark, Oxnard, Ventura College)
• College of the Canyons

SCCRC General Approach (discussion)

• Consensus-driven approach
• Review of several platforms including:
• Cybrary
• NetLabs (NDG)
• Practice Labs

References
Angeles, S. (2014, January 20). Virtualization vs. Cloud Computing: What's the Difference? Retrieved June 26, 2018, from
https://www.businessnewsdaily.com/5791-virtualization-vs-cloud-computing.html

Anisetti, M., Bellandi, V., Colombo, A., Cremonini, M., Damiani, E., Frati, F., & Rebeccani, D. (2007). Learning computer networking on open paravirtual
laboratories. IEEE Transactions on Education, 50(4), 302-311.
Askari, M. M. U. R. (2018). Significance of Ever-evolving Cybersecurity Landscape: Challenges and Possible Pathways. National Journal of Cyber
Security Law, 1(1), 22-37.
Chan, J. (2011). Virtualization: Security and IT Audit Perspectives. Retrieved May 31, 2018, from https://www.slideshare.net/jason_chan/virtualization-
security-and-it-audit-perspectives?utm_source=slideshow02&utm_medium=ssemail&utm_campaign=share_slideshow
Cini, M., & Krause, A. (2017, January 30). Technology Set to Redefine Higher Education. Retrieved June 24, 2018, from
https://evolllution.com/opinions/technology-set-redefine-higher-education/
Cybersecurity Supply And Demand Heat Map. (n.d.). Retrieved June 27, 2018, from https://www.cyberseek.org/heatmap.html
Evolve Academy. (2017, June 12). Is It Time to Learn Cyber Security? Retrieved June 26, 2018, from https://www.switchup.org/blog/is-it-time-to-learn-cyber-security
Drake, G. (2017). Navigating the Atlantic: Understanding EU Data Privacy Compliance Amidst a Sea of Uncertainty. S. Cal. L. Rev., 91, 163.
Fontes, R. D. R., Mahfoudi, M., Dabbous, W., Turletti, T., & Rothenberg, C. (2017). How far can we go? towards realistic software-defined wireless
networking experiments. The Computer Journal, 60(10), 1458-1471.
Frezzo, D., Behrens, J. and Mislevy, R. (2010). Design Patterns for Learning and Assessment: Facilitating the Introduction of a Complex Simulation-
Based Learning Environment into a Community of Instructors. Journal of Science Education and Technology, 19, pp. 105-114.
García, J., & Entrialgo, J. (2015). Using computer virtualization and software tools to implement a low cost laboratory for the teaching of storage area
networks. computer applications in engineering education, 23(5), 715-723.

Goel, D., & Jain, A. K. (2017). Mobile phishing attacks and defence mechanisms: State of art and open research challenges. Computers & Security.

Goldman, Z. K., Maruyama, E., Rosenberg, E., Saravalle, E., & Solomon-Strauss, J. (2017). Terrorist Use of Virtual Currencies. Washington DC: Center
for a New American Security, May, 3.
Herbert, B. M., & Wigley, G. B. (2015). The Role of Cisco Virtual Internet Routing Lab in network training environments.
Jalali, M., & Kaiser, J. (2018). Cyber Resiliency in Hospitals: A Systematic, Organizational Perspective.
Kam, H. J., Gogolin, G., & Emerick, G. (2014, October). Authentic Learning in Cybersecurity: Learning Opportunities and Pedagogical Challenges. In
2014 IEEE Frontiers in Education Conference (FIE) (pp. 1-4). IEEE.
Krishnamoorthy, S. (2018). Identification of User Behavioural Biometrics for Authentication using Keystroke Dynamics and Machine Learning.
Li, P., Mohammed, T., Toderick, L., Lunsford, P., & Li, C. (2008, June). A portable virtual networking lab for IT security instruction. In Proceedings of 2008
ASEE Annual Conference.
Maurya, A. K., Kumar, N., Agrawal, A., & Khan, R. A. (2018). Ransomware: Evolution, Target and Safety Measures.
Megmittal. (n.d.). 10 Cybersecurity Predictions for 2018. Retrieved June 26, 2018, from https://www.cybrary.it/0p3n/10-cybersecurity-predictions-for-
2018/
Mir, M. S., Suhaimi, B., Adam, M., Ul Islam Kahn, B. U. R. H. A. N., Matoo, U. I., Mueen, M., & Olanrewaju, R. F. (2017). Critical Security Challenges in
Cloud Computing Environment: An Appraisal. Journal of Theoretical & Applied Information Technology, 95(10).
Padhy, R. P. (2012). Virtualization techniques & technologies: state-of-the-art. Journal of Global research in Computer science, 2(12), 29-43.
Padman, V., & Memon, N. (2002). Design of a virtual laboratory for information assurance education and research. In Workshop on Information
Assurance and Security (Vol. 1, p. 1555).
Xu, L., Huang, D. & Tsai, W. (2014). Cloud-based virtual laboratory for network security education. IEEE Transactions in Education, 57, 39-46.

Robinson, M., Jones, K., Janicke, H., & Maglaras, L. (2018). An introduction to cyber peacekeeping. Journal of Network and Computer Applications, 114,
70-87.

Rogoff, B. (1984). Introduction: Thinking and learning in social context. In B. Rogoff & J. Lave (Eds.). Everyday cognition: Its
development in social-context. Cambridge, MA: Harvard University Press, 1-8.
Sohal, A. S., Sandhu, R., Sood, S. K., & Chang, V. (2018). A cybersecurity framework to identify malicious edge device in fog
computing and cloud-of-things environments. Computers & Security, 74, 340-354.
Son, J., Irrechukwu, C., & Fitzgibbons, P. (2012). Virtual Lab for Online Cyber Security Education. Communications of the IIMA,
12(4), 5.

Turchin, A., & Denkenberger, D. (2018). Classification of global catastrophic risks connected with artificial intelligence. AI &
SOCIETY, 1-17.
Vize, S. (2018, January 08). 6 Highest-Paid Cybersecurity Jobs | Mondo: Tech & IT Staffing. Retrieved June 26, 2018, from
https://www.mondo.com/blog-highest-paid-cybersecurity-jobs/
Veiga, A. P. (2018). Applications of Artificial Intelligence to Network Security. arXiv preprint arXiv:1803.09992.
Wang, C., Jan, S. T., Hu, H., Bossart, D., & Wang, G. (2018, March). The Next Domino to Fall: Empirical Analysis of User
Passwords across Online Services. In Proceedings of the Eighth ACM Conference on Data and Application Security and
Privacy (pp. 196-203). ACM.
Weiss, R. S., Turbak, F., Mache, J., & Locasto, M. E. (2017). Cybersecurity education and assessment in EDURange. IEEE
Security & Privacy, 15(3), 90-95.
Zaki, M., Erman, H., Azman, A., Faizal, A., & Rahayu, S. (2010, June). Virtualization technology in teaching information technology
security. In Proceedings 3rd Regional Conference on Engineering Education and Research in Higher Education, Sarawak, Malaysia.
