U.S. Army and Air Force Cybersecurity Careers: Information for Students by Michael Erbschloe - HTML preview

College Education for Cyber Operations Careers

The National Security Agency's (NSA) National Centers of Academic Excellence (CAE) in Cyber Operations Program supports the President's National Initiative for Cybersecurity Education (NICE): Building a Digital Nation and furthers the goal to broaden the pool of skilled workers capable of supporting a cyber-secure nation.(16)

The CAE-Cyber Operations program is intended to be a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises.

The CAE-Cyber Operations program complements the existing Centers of Academic Excellence (CAE) in Cyber Defense (CAE-CD) programs, providing a particular emphasis on technologies and techniques related to specialized cyber operations (e.g., collection, exploitation, and response), to enhance the national security posture of our Nation. These technologies and techniques are critical to intelligence, military and law enforcement organizations authorized to perform these specialized operations. Below is a list of the current Centers of Academic Excellence in Cyber Operations, the academic years for the designation, and the level of study that has met the criteria:

• Air Force Institute of Technology (Ohio) 2013-2018 (Graduate) M.S. in Cyber Operations
• Auburn University (Alabama) 2013-2018 (Undergraduate and Graduate) B.S or M.S. in Software Engineering/ B.S. or M.S. in Computer Science/ B.S. of Wireless Engineering (Software Option), with Cyber Operations Certificate
• Carnegie Mellon University (Pennsylvania) 2013-2018 (Graduate) M.S. in Information Security, Specialization in Cyber Operations
• Dakota State University (South Dakota) 2012-2017 (Undergraduate) B.S. in Cyber Operations
• Mississippi State University (Mississippi) 2013-2018 (Graduate) M.S. in Computer Science with Cyber Operations Certificate
• Naval Postgraduate School (California) 2012-2017 (Graduate) M.S. in Computer Science, Cyber Systems and Operations Specialization
• Northeastern University (Massachusetts) 2012-2017 (Undergraduate) B.S. in Computer Science, Concentration in Cyber Operations
• New York University Tandon School of Engineering (New York) 2014-2019 (Graduate) M.S. in Cybersecurity, Cyber Operations Specialization
• Towson University (Maryland) 2014-2019 (Undergraduate) B.S. in Computer Science with a Track in Computer Security
• United States Air Force Academy (Colorado) 2016-2021 (Undergraduate) B.S. in Computer and Network Security
• United States Military Academy at West Point (New York) 2014-2019 (Undergraduate) B.S. in Computer Science, Cyber Operations Track
• University of Cincinnati (Ohio) 2014-2019 (Graduate) M.S. of Computer Science/M.S. of Computer Engineering, Graduate Certificate of Proficiency in Cyber Operations
• University of New Orleans (Louisiana) 2014-2019 (Undergraduate and Graduate) B.S., M.S. or Ph.D. in Computer Science with a Specialization in Cyber Operations
• University of Texas at Dallas (Texas) 2015-2020 (Graduate) M.S. or Ph.D. in Computer Science with a Certification in Cyber Operations
• University of Texas at El Paso (Texas) 2016-2021 (Undergraduate) B.S. in Computer Science Secure Cyber-Systems (SCS) Track
• University of Tulsa (Oklahoma) 2012-2017 (Undergraduate and Graduate) B.S. /M.S./Ph.D. in Computer Science, Specialization in Cyber Operations (a.k.a. Tulsa Cyber Corps Program)(17)

The Academic Requirements for Designation as a Center of Academic Excellence in Cyber Operations are very rigorous. The academic content requirements provide insight to what students will learn and experience in pursuing a degree in cyber operations. The Outcomes listed in each Knowledge Units (KU) description are examples of the level of depth cyber operations students must demonstrate to meet the requirement. To qualify for designation as a CAE in Cyber Operations, the institution/program must demonstrate that their curriculum satisfactorily covers all ten Mandatory KUs to the desired breadth and depth.(18)

Mandatory KUs area number one: Low Level Programming Languages (must include programming assignments to demonstrate that students are capable of the desired outcomes). Low level programming allows programmers to construct programs that interact with a system without the layers of abstraction that are provided by many high level languages. Proficiency in low-level programming languages is required to perform key roles in the cyber operations field (e.g., forensics, malware analysis, exploit development). Specific languages required to satisfy this knowledge unit are C programming and Assembly Language programming (for x86, ARM, MIPS or PowerPC).

After completing the course content mapped to this knowledge unit, students will be able to develop programs that can be embedded into an OS kernel, such as a device driver, with the required complexity and sophistication to implement exploits for discovered vulnerabilities. In the C Language programming students will be able to write a program that implements a network stack to manage network communications. In Assembly Language programming students will be able to write a functional, stand-alone assembly language program such as a basic telnet client with no help from external libraries. In addition to course syllabi, applications must include examples of hands-on low level programming assignments in both C and assembly language to demonstrate that students have achieved mastery of this KU.

Mandatory KUs area number two: Software Reverse Engineering (must include hands-on lab exercises). The discipline of reverse engineering provides the ability to deduce the design of a software component, to determine how something works (i.e., recover the software specification), discover data used by software, and to aid in the analysis of software via disassembly and/or de-compilation. The ability to understand software of unknown origin or software for which source code is unavailable is a critical skill within the cyber operations field. Use cases include malware analysis and auditing of closed source software. Specific topics to be covered in this knowledge unit include:

• Reverse engineering techniques
• Reverse engineering for software specification recovery
• Reverse engineering for malware analysis
• Reverse engineering communications (to uncover communications protocols)
• Deobfuscation of obfuscated code
• Common tools for reverse engineering including but not limited to: Disassemblers (e.g., IdaPro); Debuggers (e.g., gdb, OllyDbg, WinDbg); Virtualization-based sandbox environments (e.g., VMware, Xen); Process and file activity monitors (e.g., ProcMon); Network activity monitors (e.g., Wireshark, tcpdump, TcpView).

Students must be able to use the tools mentioned above to safely perform static and dynamic analysis of software (or malware) of potentially unknown origin, including obfuscated malware, to fully understand the software's functionality. In addition to course syllabi, applications must include examples of hands-on lab exercises to demonstrate that students have achieved mastery of this KU.

Mandatory KUs area number three: Operating System Theory. Operating systems (OS) provide the platform on which running software acquires and uses computing resources. Operating systems are responsible for working with the underlying hardware to provide the baseline security capabilities of a system. Understanding the underlying theory of operating system design is critical to cyber operations as operating systems control the operation of a computer and the allocation of associated resources. Specific topics to be covered in this knowledge unit include:

• Privileged vs. non-privileged states; and transitions between them (domain switching)
• Concurrency and synchronization (e.g., semaphores and locks)
• Processes and threads, process/thread management, synchronization, inter-process communications
• Memory management, virtual memory, hierarchical memory schemes
• Uni-processor and multi-processor interface and support
• CPU Scheduling
• File Systems
• IO issues (e.g., buffering, queuing, sharing, management)
• Distributed OS issues (client/server, message passing, remote procedure calls, clustering)

Students must have a thorough understanding of operating systems theory and implementation. They will be able to understand operating system internals to the level that they could design and implement significant architectural changes to an existing OS.

Mandatory KUs area number four: Networking (must include hands-on lab exercises). Computer and communications networks are the very environment in which cyber operations are conducted. An understanding of these networks is essential to any discussion of cyber operations activities. Specific topics to be covered in this knowledge unit include:

• Routing, network, and application protocols including: TCP/IP (versions 4 and 6); ARP, BGP, SSL/TLS; DNS; SMTP; HTTP/
• Network architectures
• Network security
• Wireless network technologies
• Network traffic analysis
• Protocol analysis (examining component-to-component communication to determine the protocol being used and what it is doing)
• Network mapping techniques (active and passive)

Students must have a thorough understanding of how networks work at the infrastructure, network and applications layers; how they transfer data; how network protocols work to enable communication; and how the lower-level network layers support the upper ones. They will have a thorough knowledge of the major network protocols that enable communications and data transfer.

Mandatory KUs area number five: Cellular and Mobile Technologies. As more communications are conducted via mobile and cellular technologies, these technologies have become critical (and continue to become more critical) to cyber operations. It is important for those involved in cyber operations to understand how data is processed and transmitted using these ubiquitous devices. Specific topics to be covered in this knowledge unit include:

• Overview of smart phone technologies
• Overview of embedded operating systems (e.g., iOS, Android)
• Wireless technologies (mobile: GSM, WCDMA, CDMA2000, LTE; and Internet: 802.11b/g/n)
• Infrastructure components (e.g., fiber optic network, evolved packet core, PLMN)
• Mobile protocols (SS7, RR, MM, CC)
• Mobile logical channel descriptions (BCCH, SDCCH, RACH, AGCH, etc.)
• Mobile registration procedures
• Mobile encryptions standards
• Mobile identifiers (IMSI, IMEI, MSISDN, ESN, Global Title, E.164)
• Mobile and Location-based Services

Students must be able to describe user associations and routing in a cellular/mobile network, interaction of elements within the cellular/mobile core, and end-to-end delivery of a packet and/or signal and what happens with the hand-off at each step along the communications path. They will be able to explain differences in core architecture between different generations of cellular and mobile network technologies.

Mandatory KUs area number six: Discrete Math and Algorithms. In order for cyber operators to make educated choices when provided with an array of algorithms and approaches to solving a particular problem, there are essential underlying concepts drawn from discrete mathematics, algorithms analysis, and finite automaton with which they should be familiar. Specific topics to be covered in this knowledge unit include:

• Searching and sorting algorithms
• Complexity theory
• Regular expressions
• Computability
• Mathematical foundations for cryptography
• Entropy

Given an algorithm, a student must be able to determine the complexity of the algorithm and cases in which the algorithm would/would not provide a reasonable approach for solving a problem. Students must also understand how variability affects outcomes, how to identify anomalous events, and how to identify the meaning of anomalous events. In addition students must understand how automata are used to describe computing machines and computation, and the notion that some things are computable and some are not. They will understand the connection between automata and computer languages and describe the hierarchy of language from regular expression to context file.

Mandatory KUs area number seven: Overview of Cyber Defense (must include hands-on lab exercises). Cyber operations encompass both offensive and defensive operations. Defensive operations are essential in protecting our systems and associated digital assets. Understanding how defense compliments offense is essential in a well-rounded cyber operations program. Specific topics to be covered in this knowledge unit include:

• Identification of reconnaissance operations
• Anomaly/intrusion detection
• Anomaly identification
• Identification of command and control operations
• Identification of data exfiltration activities
• Identifying malicious code based on signatures, behavior and artifacts
• Network security techniques and components (e.g., firewalls, IDS, etc.)
• Cryptography (include PKI cryptography) and its uses in cybersecurity
• Malicious activity detection
• System security architectures and concepts
• Defense in depth
• Trust relationships
• Distributed/Cloud
• Virtualization

Students must have a sound understanding of the technologies and methods utilized to defend systems and networks. They will be able to describe, evaluate, and operate a defensive network architecture employing multiple layers of protection using technologies appropriate to meet mission security goals. In addition to course syllabi, applications must include examples of hands-on lab exercises to demonstrate that students have achieved mastery of this KU.

Mandatory KUs area number eight: Security Fundamental Principles (i.e., First Principles). The first fundamental security design principles are the foundation upon which security mechanisms (e.g., access control) can be reliably built. They are also the foundation upon which security policies can be reliably implemented. When followed, the first principles enable the implementation of sound security mechanisms and systems. When not completely followed, the risk that an exploitable vulnerability may exist is increased. A solid understanding of these principles is critical to successful performance in the cyber operations domain. Specific topics to be covered in this knowledge unit include:

• General Fundamental design principles including: Simplicity; Open Design; Design for Iteration; Least Astonishment.
• Security Design Principles including: Minimize Secrets; Complete Mediation; Fail-safe Defaults; Least Privilege; Economy of Mechanism; Minimize Common Mechanism; Isolation, Separation and Encapsulation.
• Methods for Reducing Complexity including: Abstraction; Modularity; Layering; Hierarchy.

Students must possess a thorough understanding of the fundamental principles underlying cyber security, how these principles interrelate and are typically employed to achieve assured solutions, the mechanisms that may be built from or due to these principles. Given a particular scenario, students will be able to identify which fundamental security design principles are in play, how they interrelate and methods in which they should be applied to develop systems worthy of trust. Students will also understand how failures in fundamental security design principles can lead to system vulnerabilities that can be exploited as part of an offensive cyber operation.

Mandatory KUs area number nine: Vulnerabilities. Vulnerabilities are not random events, but follow a pattern. Understanding the pattern of vulnerabilities and attacks can allow one to better understand protection, risk mitigation, and identify vulnerabilities in new contexts. Vulnerability analysis and it's relation to exploit development are core skills for one involved in cyber operations. Specific topics to be covered in this knowledge unit include:

• Vulnerability taxonomies such as CVE, CWE, OSVDB, and CAPEC
• Buffer overflows
• Privilege escalation attacks
• Input validation issues
• Password weaknesses
• Trust relationships
• Race conditions
• Numeric over/underflows
• User-space vs. kernel-space vulnerabilities
• Local vs. remote access

Students must possess a thorough understanding of the various types of vulnerabilities (design and/or implementation weaknesses), their underlying causes, their identifying characteristics, the ways in which they are exploited, and potential mitigation strategies. They will also know how to apply fundamental security design principles during system design, development and implementation to minimize vulnerabilities. Students must also understand how a vulnerability in a given context may be applied to alternative contexts and to adapt vulnerabilities so that lessons from them can be applied to alternative contexts.

Mandatory KUs area number ten: Legal. People working in cyber operations must comply with many laws, regulations, directives and policies. Cyber operations professionals should fully understand the extent and limitations of their authorities to ensure operations in cyberspace are in compliance with U.S. law. Specific topics to be covered in this knowledge unit include:

• International Law: Jus ad bellum; United Nations Charter; Jus in bello; Hague Conventions; Geneva Conventions.
• U.S. Laws: Constitution Article I (Legislative Branch); Article II (Presidency); Article III (Judiciary); Amendment 4 (Search and Seizure); Article 14 (Due Process).
• Statutory Laws: Title 10 (Armed Forces); Title 50 (War and National Defense); Title 18 (Crimes) 18 USC 1030 (Computer Fraud and Abuse Act); 18 USC 2510-22 Electronic Communications Privacy Act; 18 USC 2701-12 Stored Communications Act[ 18 USC 1831-32 Economic Espionage Acts.

Given a cyber operations scenario, students must be able to explain the authorities applicable to the scenario. Students will also be able to provide a high-level explanation of the legal issues governing the authorized conduct of cyber operations and the use of related tools, techniques, technology and data.

Optional Program Content: (Knowledge Units). At least 10 of the following 17 optional knowledge units must exist in the institutions curriculum and be available to all students during their required course of study. For students to qualify for recognition of completing the Cyber Operations program they must take courses that meet at least 4 of the institutions mapped 10+ Optional KUs.

Optional KUs area number one: Programmable Logic (must include hands-on lab exercises). In digital electronic systems, logic devices provide specific functions, including device-to-device interfacing, data communication, signal processing, data display, timing and control operations, and several other system functions. Logic devices can be fixed or programmable using a logic language. The advantage of a programmable logic device (PLD) is the ability to use a programmable logic language to implement a design into a PLD and immediately test it in a live circuit. Specific topics to be covered in this knowledge unit include:

• Hardware design/programming languages (e.g. VHSIC Hardware Design Language (VHDL), Verilog, OpenCL)
• Programmable logic devices (Programmable Logic Controllers (PLC), Fully Programmable Gate Arrays (FPGA))

Students must be able to specify digital device behavior using programmable logic language. They will be able to design, synthesize, simulate and implement logic on an actual programmable logic device. For instance, students will be able to perform parallel computational tasks such as taking multiple cipher cores and running them in parallel to perform password cracking attacks.

Optional KUs area number two: Wireless Security (must include hands-on lab exercises). Wireless systems are essential to enabling mobile users. However, a significant impact in security can result from the use of wireless or the improper configuration of wireless security due to the erratic nature of the wireless environment. The dynamic and inconsistent connectivity of wireless requires unique approaches to networking in everything from user identification and authentication to message integrity and cipher synchronization. Specific topics to be covered in this knowledge unit include:

• A comparison of security implementations in different wireless technologies (e.g., 2G/3G/4G/Wi-Fi/Bluetooth/RFID)
• Confidentiality, integrity and availability policy enforcement considerations in wireless networks
• Enumeration issues and methods to limit exposing and identifying cellular, enterprise, device and personal wireless identifiers (e.g. WLAN and cellular beacons, System Information Reports, TMSI)
• Security protocols used in wireless communications and how each addresses issues of authentication, integrity, and confidentiality (e.g. COMP128, UIA, TKIP, CCMP, SSP, E1)
• Availability issues in wireless and nuances in different denial-of-service attacks (e.g. energy jamming, carrier sense exploitation, RACH flooding, access management protocol exploitation)
• Security issues in hardware and software architectures of wireless devices
• Common ciphers, their implementations, advantages and disadvantages for use in securing wireless networks: Stream ciphers (e.g. E0, RC4, A5, SNOW,ZUC); Block ciphers (e.g. Kasumi, SAFER, AES).

Students must be able to describe the unique security and operational attributes in the wireless environment and their effects on network communications. They will be able to identify the unique security implications of these effects and how to mitigate security issues associated with them. Students will be able to describe and demonstrate the vulnerabilities with ineffective mechanisms for securing or hiding 802.11 traffic. Students will also be able to understand, describe, and implement a secure wireless network that uses modern encryption and enforces the proper authentication of users. Students will also be able to compare and contrast mechanisms for association and authentication with a GSM BSC and a UMTS RNC.

Optional KUs area number three: Virtualization (must include hands-on lab exercises). Virtualization technology has rapidly spread to become a core feature of enterprise environments, and is also deeply integrated into many server, client, and mobile platforms. It is also widely used in IT development, research, and testing environments. Virtualization is also a key technology in cyber security. As such a deep technical understanding of the capabilities and limitations of modern approaches to virtualization is critical to cyber operations. Specific topics to be covered in this knowledge unit include:

• Type I and Type II architectures
• Virtualization Principles including efficiency, resource control and equivalence
• Virtualization techniques for code execution, including trap and emulate, binary translation, paravirtualization, and hardware-supported virtualization (e.g., Intel VMX).
• Management of memory in virtualized systems, including hardware supported memory management (e.g. EPT/SLAT), memory deduplication, and isolation of VM hypervisor and memory spaces
• Techniques for allocating storage (e.g., hard drives) to Virtual Machines, and the associated capabilities (e.g., snapshots).
• Techniques for associating hardware (virtual or physical) with virtual machines, including hardware-supported methods (e.g., SR-IOV) and device emulation.
• Techniques for providing advanced virtualization capabilities, such as live-migration and live-failover.
• Internal and External Interfaces provided by virtualized platforms for management, monitoring, and internal communication/synchronization.
• Snapshots, migration, failover

Students must understand and be able to describe the technical a mechanism by which virtualization is implemented in a variety of environments, and their implications for cyber operations. Students will also be able to enumerate and describe the various interfaces between the hypervisors, VMs, physical and virtual hardware, management tools, networking, storage, and external environments.

Optional KUs area number four: Cloud Security/Cloud Computing. Cloud resources are commonly used for a wide variety of use cases, including the provision of enterprise services, data processing and analysis, development and testing, and a wide variety of consumer focused services. As such it is important that the students have a clear understanding of the variety, complexity, and capabilities of modern cloud platforms. Cloud computing has implications for cyber operations not only as a potential target, but also as an extensive resource to bring relatively cheap computing power to solve problems (e.g. cracking passwords) which would have been more difficult pre-cloud. Specific topics to be covered in this knowledge unit include:

• Cloud infrastructure components and the interfaces they expose. This should include public/consumer facing interfaces (such as public management APIs) and internal interfaces (such as those to provide automated backup, failover, and accounting)
• Essential Characteristics of Cloud Platforms and an understanding of the technologies that enable these characteristics
• Common Service models
• Common Deployment Modes (e.g. public cloud, private cloud, hybrid cloud) and the associated tradeoffs (e.g. privacy/scalability/resilience)
• Cloud infrastructure components and the interfaces the expose. This should include public/consumer facing interfaces (such as public management APIs), and internal interfaces (such as those to provide automated backup, failover, and accounting)
• Techniques for deploying and scaling cloud resources (such as Puppet/Chef)
• Security implication of cloud resources, including issues associated with shared resources and multi-tenancy, the extension of trust to include the cloud provider, and approaches to mitigating these issues
• Developing, deploying, and managing applications on cloud resources, which should include hand-on exercises that utilize real cloud services.

Students must understand and be able to describe a variety of cloud service models and deployment modes, and select appropriate service models and delivery modes for a variety of potential workloads, including enumerating the security tradeoffs associated with their selections. Students will also be able to develop and deploy a workload in an appropriate cloud environment, including addressing issues associated with deployment, configuration, management, scalability, and security. The recommended resource for this KU: NIST 800-145.

Optional KUs area number five: Risk Management of Information Systems. Risk Management of Information Systems is a critical topic area which forms the basis for applying information system security principles to an operational environment. Risk Management decisions are the embodiment of the organization's security culture and values as demonstrated through the willingness to commit resources to information system security capabilities. Given the significant and growing danger of cyber security threats, it is imperative that all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks. Specific topics to be covered in this knowledge unit include:

• Risk Models (e.g. NIST SP 800-39 Multitiered Risk Management)
• Risk Processes (e.g. NIST SP 800-37 Risk Management Framework)

Students must be able to identify, measure (quantitative and qualitative), and mitigate key information technology risks. Students will also be able to describe each of the tasks associated with risk framing, assessment, response and monitoring.

Optional KUs area number six: Computer Architecture (includes Logic Design). This knowledge unit ensures students understand the components that comprise a computing system and possess the ability to assess processor design and organization alternatives as they impact functionality and performance of a system. Specific topics to be covered in this knowledge unit include:

• Organization of computer and processor architectures
• Instruction set design alternatives
• Processor implementation
• Memory system hierarchy
• Buses
• I/O systems
• Factors affecting performance

Students must be able to define devices of electronic digital circuits and describe how these components are interconnected. They will be able to integrate individual components into a more complex digital system and understand the data path through a CPU.

Optional KUs area number seven: Microcontroller Design (must include hands-on lab exercises). A microcontroller (or MCU, short for microcontroller unit) is a small, simple computer on a single integrated circuit containing a processor core, limited memory, and programmable input/output peripherals and sensors. Microcontrollers are typically inexpensive and have little or n