December 2018

CYBERSECURITY

in VET

Submission to PwC Skills for Australia

Coder Academy is a part of the Academy of Information Technology

www.coderacademy.edu.au

Coder Academy Submission - Cyber Security Cross Sector Project December 2018

Submission Contacts: [email protected] [email protected] 1 of 12

Coder Academy Submission on Cross Sector CyberSecurity Project

Table of Contents

Introduction

What is Coder Academy?

Executive Summary

Written Responses to Consultation Questions

General Feedback on Consultations

Advanced Cyber Security Skills

Cyber Hygiene and Awareness

Social and Business Risks

Proposed Skill Sets for Cyber Security

Non-Technical

Technical

Useful Skills and Knowledge for Cyber Security Workers

Introduction

Thank you for the opportunity to participate in the consultation process for PwC Skills for Australia's Cyber Security Cross Sector Project. We enjoyed the opportunity to hear the perspectives of other stakeholders in the VET sector, as well as from the range of experts from other sectors about bringing cyber security knowledge to all sectors.

We make the following submission to clarify some of the statements we made in the consultations, to provide additional information on implementation with regard to VET units, and to propose Skill Sets.

What is Coder Academy?

Coder Academy is a tertiary education provider that works in the VET and higher education spaces by providing agile, industry-focused accredited courses in a bootcamp mode. We operate in Sydney, Melbourne and Brisbane, and offer the following courses:

Fast Track: a full-time higher education Graduate Diploma in IT for career changers

GenTech: a part-time higher education Graduate Diploma in IT for school leavers

Cyber Security: a full-time VET Diploma of Software Development, for people with IT experience or qualifications who want a pathway into cyber security

Coder Academy is part of the RedHill Education family, and is a brand of the Academy of Information Technology.

Executive Summary

Coder Academy was pleased to participate in the consultations between the 7th and 15th of November. Five of our staff members made contributions: Nick Clark, Dan Adler, James Holman, Aleks Budzynowski, and James Lane. All our staff are educators, and work in industry. They collectively have a range of technical expertise and knowledge relating to cyber security and software development.

We have provided detailed written responses to a number of the consultation questions, and for convenience provide the recommendations from these below:

Recommendation 1: the context of training is the most important factor in ensuring training leads to improved security practice. Units of competency must be written so they can be adapted to sector or organisation specific contexts or they will not lead to outcomes that are relevant to organisational needs.

Recommendation 2: there should be a risk assessment Skill Set for decision-makers so they can understand the process of risk assessment and make decisions which empower IT workers to implement best practice with regard to cyber security. This will also assist decision-makers to identify the areas and skills required by their workers.

Recommendation 3: elements and units relating to cyber security should be able to be contextualised for the work context. The performance evidence required should mandate that cyber security best practice be delivered in the context of the learner's workplace.

Recommendation 4: units of competency must include an aspect that develops skills and knowledge so non-ICT workers know where and when to seek support in dealing with a potential cyber security risk or incident.

Recommendation 5: training provided to non-ICT workers should have a focus on dealing with workplace risks as a whole. Often risks for a particular workplace will involve many different risks - to look at cyber security in isolation from other risks may limit the contextualisation of any cyber skills training for the workplace.

Recommendation 6: training should focus on principles of information security that are not exclusively related to IT. Workplace practice, while dominated by use of IT systems, cannot be developed with reference only to these systems, and arguably can only be effective if developed with the needs of human systems in mind.

Recommendation 7: basic information and physical security principles must form the basis for training. Unless there is a broader approach to security practice in training workers it will be difficult to approach and contextualise the skills and knowledge for a specific area such as cyber security.

Recommendation 8: there needs to be a distinction between training for non-ICT workers and ICT workers. ICT workers need appropriate units, at the Certificate IV and above levels, to prepare them for particular roles that incorporate responsibility for dealing with cyber security. While it is important to future-proof units of competency, it is also important that units provide distinct expressions of knowledge and skills required for particular job roles that exist now, and will exist 5-10 years into the future. See the section on Proposed Skill Sets for Cyber Security for more detail on job roles.

Recommendation 9: training provided to workers must revolve around security practices as a whole and contextualise cyber security within a workplace context.

Recommendation 10: use of a nationally recognised set of principles to protect privacy, such as the Australian Privacy Principles, may provide a framework for training that can be made sector or organisation specific. It is important for workers to engage with the information security issues relevant to their job role or sector.

Written Responses to Consultation Questions

General Feedback on Consultations

We have the following feedback about the consultations:

The consultations were productive; however, there was a clear disconnect between the technical and non-technical stakeholders. We feel at an organisational level this can only be solved by people in technical job roles being trained in cyber security, with the expectation that trained professionals are then responsible for assisting non-technical people to understand and manage risks as part of a broader information security approach.

The questions asked during the consultations were somewhat repetitive and did not address practical considerations relating to the training and assessment of skills, or models that would assist non-technical individuals to become cyber-aware. The development of units relevant to cyber security for non-technical workers should be accessible enough that they can be contextualised for a particular sector or organisation, and should focus on legal obligations, incident response, and finding the right assistance to deal with a potential cyber issue.

We reject the idea that a non-technical person can develop a limited degree of technical knowledge or skill that will be useful to deal effectively with a cyber security risk. The culture and processes for dealing with technology in the workplace need to change, and the developed units should emphasise how non-technical and technical workers can support each other. One particular area is the education of managerial and executive level staff in risk assessment and cyber threats, so they will not be a barrier to the development of policy, processes and practices within the organisation that can support a healthy security posture.

Advanced Cyber Security Skills

1. To what extent are advanced cyber security skills needed by non-ICT workers across various industries?

We reject the idea that non-ICT workers should develop advanced cyber security skills or technical skills relating to ICT that are beyond the scope of their job role. A worker should learn ICT skills in the context of their role, or any training would be so broad as to be of negligible benefit in the long term.

For example: a person working in an office in an administrative role preparing written documents, managing email communications, and handling phone calls will not benefit from technical knowledge about cyber security; they will benefit from learning about specific strategies to avoid risks that are based on their own practice in the workplace.

Recommendation 1: the context of training is the most important factor in ensuring training leads to improved security practice. Units of competency must be written so they can be adapted to sector or organisation specific contexts or they will not lead to outcomes that are relevant to organisational needs.

2. Is there a business need for advanced cyber security skills? If so, why? If not, why not?

Yes. All ICT workers should have relevant technical and soft skills relating to cyber security. ICT workers need to promote and model good practice in workplaces relating to cyber security. This involves the managerial and executive level workers in organisations having a basic understanding of cyber risks, and having confidence that appropriately trained IT workers can put in place systems to mitigate them.

Recommendation 2: there should be a risk assessment Skill Set for decision-makers so they can understand the process of risk assessment and make decisions which empower IT workers to implement best practice with regard to cyber security. This will also assist decision-makers to identify the areas and skills required by their workers.

3. Why are the skills currently being taught not meeting business needs?

Qualifications that are available do not equip ICT workers with the appropriate skills to be aware of and able to implement cyber security best practices.

General cyber security awareness training would likely be too general in nature to give a worker the ability to deal with risks that arise in their work context.

Training for non-ICT workers should be limited to developing knowledge of practices related to their job role (see response to Question 1). If job roles in a workplace are not distinct, then training should be done on the basis of the work or organisational context.

Recommendation 3: elements and units relating to cyber security should be able to be contextualised for the work context. The performance evidence required should mandate that cyber security best practice be delivered in the context of the learner's workplace.

Cyber Hygiene and Awareness

1. What does basic cyber security awareness look like in the workplace?

Cyber security awareness must be tied to particular risks that arise in the context of a job role. The ideal situation for a workplace would be to have people aware of the risks that relate to their particular job role, with trained ICT workers to assist with any significant issues. Small businesses, which may not have dedicated ICT workers, should be able to access training for their workers to gain confidence in terms of where to seek advice regarding cyber security and risks.

Recommendation 4: units of competency must include an aspect that develops skills and knowledge so non-ICT workers know where and when to seek support in dealing with a potential cyber security risk or incident.

2. Which industries and occupations require an awareness of basic cyber security principles? Why do they need to understand cyber security?

All industries and occupations require an awareness of basic cyber security practices that are relevant to the tasks they perform. All job roles involve the need to maintain an appropriate standard of information security and a need for physical security practices that extends beyond the use of IT systems.

There is a nexus between information security and physical security - while this project has an emphasis on cyber security, it is important to understand that you cannot necessarily isolate physical and information security risks as separate issues in many workplaces. These matters overlap and should be required knowledge for all workers.

Recommendation 5: training provided to non-ICT workers should have a focus on dealing with workplace risks as a whole. Often risks for a particular workplace will involve many different risks - to look at cyber security in isolation from other risks may limit the contextualisation of any cyber skills training for the workplace.

3. What workplace responsibilities and tasks require basic cyber security practices? And what do workers require to carry out their duties?

Non-ICT workers need to be aware of core principles of information security, which can be partially addressed by cyber security training that is relevant to their work context. However, training workers in specific information security risks raises an awareness of cyber security needs. The concepts of authentication, authorisation, confidentiality, and appropriate disposal of confidential information are concepts that should be taught across all contexts, not just in relation to the use of IT systems.

Recommendation 6: training should focus on principles of information security that are not exclusively related to IT. Workplace practice, while dominated by use of IT systems, cannot be developed with reference only to these systems, and arguably can only be effective if developed with the needs of human systems in mind.

4. What are the key skills gaps that exist between what learners are being taught and what businesses require from current and future workers?

Recommendation 7: basic information and physical security principles must form the basis for training. Unless there is a broader approach to security practice in training workers it will be difficult to approach and contextualise the skills and knowledge for a specific area such as cyber security.

5. What skills need to be taught to ensure the workforce is able to upskill and reskill in the growing field of cyber security?

Recommendation 8: there needs to be a distinction between training for non-ICT workers and ICT workers. ICT workers need appropriate units, at the Certificate IV and above levels, to prepare them for particular roles that incorporate responsibility for dealing with cyber security. While it is important to future-proof units of competency, it is also important that units provide distinct expressions of knowledge and skills required for particular job roles that exist now, and will exist 5-10 years into the future. See the section on Proposed Skill Sets for Cyber Security for more detail on job roles.

Social and Business Risks

1. What is social engineering and what does it look like in a workplace context?

This question assumes that social engineering will be utilised to gather information or to attack systems as part of a larger cyber attack. Social engineering can take many forms including physical, face-to-face attacks, and online phishing scams. This question highlights the importance of a holistic view of teaching security practices in general, not just restricted to cyber security.

Recommendation 9: training provided to workers must revolve around security practices as a whole and contextualise cyber security within a workplace context.

2. What sort of skills are relevant to social engineering?

Defending against social engineering attacks on an organisation requires workers to have sufficient awareness of security requirements, organisational, legislative or otherwise, regarding the information held by the business. There is not a strong culture of information security in the Australian workforce, except in roles and organisations where information security and privacy laws are enforced by legislation - such as in medical, financial or government organisations.

Awareness of the Australian Privacy Principles would be a good requirement for workers who have access to personal information. Similar to other VET units which focus on copyright, ethics and work, health and safety, there should be a general requirement to examine and apply principles relating to privacy and information security that are developed with relevance to a particular sector. If there are no relevant mandated principles then organisational principles should be used - indeed, it may be best that a unit requires a worker to collect information about their own organisation's policies or research how organisations in the sector handle information security.

Recommendation 10: use of a nationally recognised set of principles to protect privacy, such as the Australian Privacy Principles, may provide a framework for training that can be made sector or organisation specific. It is important for workers to engage with the information security issues relevant to their job role or sector.

Proposed Skill Sets for Cyber Security

Coder Academy is interested in the development of Skill Sets and units that allow education providers to offer flexible, relevant and agile training for ICT workers. Currently there is a lack of flexibility in qualifications, and few Skill Sets that enable an already skilled worker to develop competency in cyber security.

We provide the following proposals for Skill Sets that would fit within the parameters of current qualifications and roles in the IT sector, and that would be compatible with frameworks for offering qualifications and micro-credentials (Skill Sets) that enable an ICT worker to follow a pathway into a specialised cyber security role.

Non-Technical

Risk Assessment and Information Security

A Skill Set which provides the skills and knowledge for a non-technical worker to understand IT systems and cyber security risks, and to plan and contribute to a system security plan. A person with this Skill Set may have responsibility for a team of IT workers, or act as an intermediary between technical and non-technical stakeholders in an organisation.

ICTICT514 - Identify and manage the implementation of current industry specific technologies

ICTSAS505 - Review and update disaster recovery and contingency plans

Cyber Security Awareness 1 & 2

Technical

Systems Penetration

A Skill Set that provides the skills and knowledge for workers who have networking or programming qualifications to commence a pathway to becoming a penetration tester or other technical role involving the auditing of IT systems.

Prerequisites: Certificate IV or Diploma level qualification or higher in Networks or Programming.

ICTSAS503 - Perform systems tests

ICTPRG529 - Apply testing techniques for software development

ICTNWK511 - Manage Network Security

ICTNWK513 - Manage System Security

Application Security Specialist

A Skill Set that provides skills and knowledge for software developers who need to harden desktop or mobile applications against cyber attacks.

Prerequisites: Certificate IV or Diploma level qualification or higher in programming/software development.

ICTPRG507 - Implement security for applications

ICTPRG503 - Debug and monitor applications

ICTPRG529 - Apply testing techniques for software development

ICTSAS503 - Perform systems tests

Web Security Skill Set

A Skill Set that provides skills and knowledge for a web or software developer who needs to harden web applications against cyber attacks.

Prerequisites: Certificate IV or Diploma level qualification or higher in programming/software development.

ICTPRG529 - Apply testing techniques for software development

ICTSAS503 - Perform systems tests

ICTWEB516 - Research and apply emerging web technology trends

ICTICT514 - Identify and manage the implementation of current industry specific technologies

Useful Skills and Knowledge for Cyber Security Workers

Cyber security units of competency for IT workers should be technology-agnostic and vendor-neutral.

We strongly believe that units of competency relating to cyber security should not be tied to technologies or frameworks that are proprietary, because this will limit their usefulness and adaptability across sectors, and potentially limit the time they will remain current to the needs of industry if proprietary technologies are not updated and maintained.

We are passionate as an organisation about training developers and other IT workers who are cyber aware, on the basis that you need to know how technology works to break it, and to stop other people from breaking it. The list of outcomes below describes the skills and knowledge we see as important for a cyber security worker to have. It may be the case that aspects of this list can be

Familiarity with current industry-relevant low level technologies (such as C, device drivers, operating systems, virtual machines)

Familiarity with common attack vectors targeting low level technologies (such as buffer overflows, cold boot attacks, DLL-based attacks) and competency in responding to/defending against such threats

Familiarity with current industry-relevant high level technologies (such as web applications, SaaS, third-party authentication and data-sharing technologies, high-level languages, scripting languages, application frameworks, public key infrastructure)

Familiarity with common attack vectors targeting high level technologies (such as SQL injection, cross site scripting), and competency in responding to/defending against such threats

Familiarity with current industry-relevant networking and communications technologies (such as TCP/IP, secure transport protocols, network drives, wireless technologies, VPNs, firewalls)

Familiarity with common attack vectors targeting networking and communications technologies (such as packet sniffing, man-in-the-middle, DDoS, port scanning, spoofing attacks, lateral movement) and competency in responding to/defending against such threats

Familiarity with current industry-relevant security technologies (such as secure transport protocols, public-key and symmetric cryptography, multi-factor authentication, VPNs, firewalls, monitoring and logging technologies)

Familiarity with common attack vectors which target or circumvent security technologies (such as brute force attacks, dictionary attacks, privilege escalation, keyloggers, abuse of privilege by employees) and competency in responding to/defending against such threats

Familiarity with current industry-relevant infrastructure and service technologies (such as web hosting, cloud storage, cloud computing, message queueing, source code repositories)

Familiarity with common attack vectors targeting infrastructure and service technologies (such as privilege escalation, theft of API keys or admin credentials) and competency in responding to/defending against such threats

Familiarity with malware and its various types (such as rootkits, spyware, trojans, keyloggers) and malicious hardware (such as USB devices, radio scanners, audio capture devices)

Familiarity with emerging technologies (such as mobile, IoT, new payment methods) and threats associated with them

Familiarity with emerging threats (such as ransomware, cryptocurrency mining on compromised machines, passive listening) and competency in responding to/defending against such threats

Familiarity with the structure of information stored on disk, in memory, and on mobile devices, and competency in acquiring data from disk, memory, and mobile device sources

Competency in forensic analysis of data from disk, memory, and mobile device sources