Several years ago I read Stephen Ambrose’s book, D Day: June 6, 1944: The Climactic Battle of World War II, and I’ve never forgotten it. I am amazed by these men.

While reading, I imagined myself approaching Omaha beach on those Higgins boats, bobbing around, exhausted and hungry, standing in puke and seawater. Jumping off in water that was too deep. Clawing my way back above the water, trying to get to shore, only to face concentrated gun fire in volumes that may have never been seen before or since.

The plan fell apart before dawn. The pill boxes were supposed to be knocked out by the preceding Allied bombing raid, but all the planes overflew their targets, as did the airborne drops. Those landing at Omaha landed a mile away from their target. The water was deeper than expected, the enemy fire heavier, so the Higgins boats didn’t go in shore far enough and many soldiers drowned.

No place was safe. Rommel and the Germans had years to prepare for the landing and they employed every manner of defense. Every inch of that beach was covered by multiple guns. The Allied soldiers had the sea at their back and machine guns in front of them. They lost most of their gear when they got off the boats.

Yet these guys moved forward. They moved forward under constant, overwhelming and accurate enemy fire. The enemy fire and resultant carnage must have been beyond what a human mind can process in real-time. One of Ambrose’s sources told him of a soldier being ordered to carry out a task and replied, “OK, but what do I do with this” as he held up his amputated arm.

They had no reason to think they would survive, but they moved forward knowing others depended on them. They adapted even though it looked hopeless. Some of the naval destroyers provided artillery cover. The soldiers found a way to establish a beachhead and break through enemy defenses. They turned a disaster into victory.

These were men who had hopes, dreams, desires, and flaws just like men today or men of any day. But how many people today are that unselfish? How many people do the right thing knowing that there’s a chance there will be a price to pay – even a little price? How many do the right thing simply because it’s the right thing and the next guy is depending on him?

Is it easier to give your life for your buddy than it is to speak up when you see something wrong?

I don’t think so. I think if you can’t do the right thing when it’s a little price, you can’t do the right thing when it’s a big price.

There are a whole lot of opportunities to do the right thing these days. There are a lot of people in need. There is injustice needing exposure. Heck, there are elections coming up that matter. Are you willing to pay at least a small price or will you walk on by?

Yesterday (June 11, 2010), I walked across the dais at the Norwich Field House and received my diploma for Master of Science in Information Assurance (MSIA), and I thought I would share my review of the degree program for anyone who is interested.

Feel free to comment or email me if you have questions about the Norwich MSIA.

The Norwich University MSIA Program Explained

Note: much of the information in this section is taken from this paper by Dr. Kabay.

Norwich University

Before discussing the specifics of the MSIA program, it is important to understand the Norwich University values. Norwich University has a long tradition of developing leaders dedicated to the service of our country and they take that tradition very seriously. Norwich was founded in 1819 by a former superintendent of West Point Military Academy, Captain Alden Partridge. Capt. Partridge believed in a strong militia and opposed a professional officer class. Consequently, he developed a system of learning that was experiential and focused on liberal arts, sciences, and military training. He created a system of learning that developed leaders who were able to think and apply what they learned in the classroom, as well as to act ethically and with courage. Norwich expects the same of its current graduates whether they are in the Corps of Cadets or not.

Norwich MSIA

The Norwich University MSIA program, now eight years old, is considered to be one of the best MSIA programs in the country, and is accredited as a National Center of Academic Excellence by the NSA and DHS. “The goal of these programs is to reduce vulnerability in our national information infrastructure by promoting higher education and research in IA and producing a growing number of professionals with IA expertise in various disciplines.[1]“

Who Should Consider the Norwich MSIA

The Norwich MSIA is a management focused degree. This program is targeted at the decision makers, or those who want to become decision makers such as CISOs, CIOs, and CTOs.

Do not consider this degree if you are looking to learn about configuring firewalls, IDS/IPS, or network devices. Do consider this degree if you are interested in learning about management topics such as how and where to use technical and administrative controls, privacy laws, governance, compliance, hiring, risk assessments, business continuity and disaster recovery, audits, and project management.

Personally, I think the most important thing that I learned is how to do a better job of translating between the technical and the business sides of the house. This is a supremely important skill that is sorely lacking in IT and information security, and I think that having this skill gives us a competitive advantage over those who do not have it. Those of us who can speak the business language are far more likely to be able to be effective and get what we need to improve our organization’s security and reduce its risk. Obviously, this skill is critically important for anyone working at or with the C-suite.

MSIA Case Study

The program is experiential with the student acting as a consultant writing a case study for their employer, or if that is not possible, they conduct an industry study. For example, one of the members of my cohort was employed as a contractor, so he wrote an industry case study as a guide to a manager in his chosen industry. He is planning to turn his work into a book (which I am anxious to read by the way).

This aspect of the program was terrific. I learned a lot about my business and was able to turn in professional papers that allowed my management to see my ability to perform a critical analysis of the specific topics that we studied. I actually found it fun to be a consultant.

Norwich MSIA Faculty

One of the main reasons that I chose Norwich for my MSIA is the quality of its faculty. The faculty are some of the top people in the information assurance industry, and they continue to work and contribute to the information security fields. Here is a brief list of the faculty:

• Dr. Mich Kaby – author, consultant
• Paul Brusil, PhD – medical informatics security
• Stephen Cobb, CISSP – prolific writer & consultant
• Rebecca Herold, CISSP, CISM, CISA, FLMI
• Don Holden, CISSP-ISSMP – standards organizations
• Jim Maloney, CISSP, CISM, GCIH – former CISO, Amazon
• Tom Peltier, CISM, CISSP – noted author &consultant
• Sanford Sherizen, PhD, CISSP – author, ISSA Hall of Fame
• Peter Stephenson, PhD, CISSP, CISM, FICAF –author and lecturer
• Michael Miora, CISSP, ISSMP, FBCI – expert in incident management and response, and disaster recovery

Residency Week

The Norwich MSIA is an online program, but they do require you to attend a one week residency session on campus. No one that I spoke to was looking forward to going to campus for a week “just to get my diploma“, but almost everyone I spoke to during the week was grateful for the requirement. We all enjoyed visiting the campus and learning about the history and tradition of Norwich University and its distinguished graduates. We also took time out to respect those graduates from the Corps of Cadets that lost their lives in the service of our country. Most of all, we enjoyed meeting our classmates face-to-face and spending one last week focusing on information security topics and debating specifics with our classmates and faculty. I found that I miss that aspect of school more than I realized.

Suggested Improvements

Here are some areas for improvement:

• More specific feedback from instructors that focuses more on the student’s analysis.
• Provide all course material on a USB drive in a format readable by an e-reader so students can more easily take their reading with them.
• Provide an opportunity for synchronous, web-enabled conversations among the cohort. Residency was so valuable because we could discuss topics face-to-face in a free-form format. The technology exists to do the same during the course, but requiring it on a weekly basis would remove some of the advantage of an online program. Perhaps require attendance of one such meeting per seminar.
• Provide a platform for the students to share their papers so they can learn from each other.

Conclusion

I am very happy with my decision to get a MSIA degree from Norwich University. I feel that I am prepared to contribute to my organization’s information assurance program, and to the industry itself. There is much work to do to improve our information systems’ security, and the industry needs trained, knowledgeable, ethical, and effective leaders. Our information security leaders have to be able to keep up with technology and laws. They have to be able to quickly research and assimilate information and then be able to critically think about and apply what they learn. These are skills that must be learned just as we learn anything technical such as configuring routers. I think the Norwich MSIA program provides the skills necessary to be an effective information assurance leader.

Finally, I am also proud to be part of the Norwich family and will always remember Norwich president Dr. Richard W. Schneider’s gift to our class – a quote from Thomas Jefferson, “One man with courage is a majority”.

I’d love to hear from other Norwich grads on what you think about the program, so leave a comment. I’d love to hear from people who think the MSIA might not be relevant or otherwise disagree with the Norwich approach.

Botnets are big news these days and for good reason. They are big business for criminal organizations, and a bane for the average computer user. They are also very interesting to study. This week I read two articles about botnets that really have little to do with botnets themselves, but about ethical decisions made by companies researching botnets.

The first article, from InformationWeek discussed the choice made by the producers of the BBC show, Click. The show attempted to educate their viewers about botnets by demonstrating their power. The producers purchased a botnet from a criminal organization then used it to send spam and to perform a DoS attack against a volunteer website.

The author of the article, Sara Peters, pointed out that what the show’s producers did was both illegal and unethical. They sent unwanted email to thousands of people using the botnet controlling thousands of infected computers. They also used the botnet to control 60 infected computers to perform the DoS attack. As Ms. Peters pointed out, these actions are in clear violation of UK law. It also disrespected people’s rights because it is unlikely that any of the people owning the infected computers were interested in participating in the experiment.

The second article is authored by M.E. Kabay, who also happens to be the program director for the MSIA program at Norwich University, where I am currently a student. Dr. Kabay wrote about a decision made by the management of Tipping Point.

The Tipping Point management faced the same decision Captian Picard faced in “I Borg“, where the crew found an injured Borg who was separated from the collective mind. Following Picard’s orders, Geordi and Data created an unsolvable geometric puzzle that would act as a virus and destroy the Borg if it were inserted into the collective mind. In the end, Picard found this choice to be unethical and he let the Borg, Hugh, return to the collective without infecting him with the virus.

In much the same way, the Tipping Point scientists discovered a way to take control of the Kraken botnet and use it to destroy itself. Pretty neat if you asked me. This was a chance to destroy a huge botnet consisting of more than 400,000 infected computers. Why wouldn’t they take advantage of this discovery?

Yet, the Tipping Point management found this choice to be unethical. Destroying the botnet involved making changes to infected computers without first gaining their owner’s permission. Additionally, these changes might have unintentional consequences. There was no way to know the cleansing action wouldn’t cause more damage to the infected computers. Unlike the BBC, the Tipping Point management did not presume to have the right to change the configuration of people’s computers without their owner’s permission.

So, we have two companies researching and experimenting with botnets resulting in two very different decisions on how to deal with them. The BBC broke the law while attempting to educate their viewers. Conversly, Tipping Point chose not to break the law even if it meant killing the world’s largest botnet. I think the main point to remember is one cannot do good by breaking  the law and violating people’s rights even if you are trying to help them.

I saw a segment on The Rachel Maddow Show tonight that bothered me a great deal. The segment was about how Adria Richards found and publicized a vulnerability on the Coleman for Senate website.

There are a couple of reasons this segment bothered me. First, the way she exposed the vulnerability was unethical. Ms. Richards obviously does not believe what she did was unethical. She thought that by exposing the security lapses of the Coleman site she was performing a public service, holding it up as what not to do. On her blog, she stated that she treated the discovery as “breaking news”, so she publicized it without making any attempt to contact the site administrator or the Coleman people to warn them. She said that her motivation was to expose the Colman site administrators as negligent and who didn’t protect people’s privacy, yet she put those very people at risk by posting the vulnerability on Flickr. Odd.

The second thing that bothers me about this segment is that Rachel Maddow had Ms. Richards on her show and did not bring up any of these ethical questions. The angle of the story was how the Coleman people claimed their site was hacked with Ms. Richards countering that the site was simply mis-configured, allowing her to gain access (quite easily) to the sensitive information.

I am very disappointed that the ethical questions about Ms. Richards actions were ignored. I understand that Rachel Maddow’s show is primarily political so things will be viewed in that light. I am a technical person with an emphasis on Information Assurance and Security, so I view things in that light. Nevertheless, I believe the more interesting question here is the ethical one, rather than the political one.

I outline the ethical questions in a reply to Ms. Richards on her blog. I copied the reply I posted on Ms. Richards site below:

“I agree with Pixelpusher. You found an unlocked door, walked in, looked around and took pictures. Rather than notify the owner, you chose to put a big sign in the front yard announcing that the door is unlocked and posted pictures of the contents for everyone to see. For a technology professional, this is an ethical question, not a political one.

You said it yourself, you thought it was “news” and that is lens through which you filtered your decisions. Your desire to be part of a news story outweighed your duty to act responsibly, and you helped to expose sensitive personal data that might not have been otherwise. It doesn’t matter that you were not the first on the scene.

Sure, you didn’t unlock the door or store information that isn’t supposed to be stored unencrypted, but you did tell as many people as you could about the vulnerability, and did so before the door was locked. You could have publicized the negligent actions of the site administrator after the vulnerability was dealt with. You would have made your point without unnecessarily exposing people to identity theft or credit card fraud.

It’s an easy mistake to make given the current emphasis on instant communication, Internet fame and the view that data [is] nearly valueless. If nothing else, this incident serves as another case study for Information Assurance and Business Ethics students.”

Update: Please see the article I wrote with Dr. Mich Kabay for Network World about the ethics of this case. Dr. Kabay and I examine ethical choices and how to make them. The intent is to learn, and not to bash Ms. Richards. In fact, Dr. Kabay sent the article to Ms. Richards for her review before he published it.