Dr. Michael Ruth, Associate Professor of Computer Science at Roosevelt University. He earned an MS in computer science and a PhD in Engineering & Applied Science from the University of New Orleans.
His teaching interests are focused on introductory/intermediate programming, networking, system administration, and security courses. His research interests lie on the intersection of distributed systems and software engineering, more specifically, designing regression test selection techniques for web service-based systems.
Listen to the full episode
Key takeaways from the interview
- Dr. Michael Ruth’s background: He is an Associate Professor of Computer Science at Roosevelt University with an MS in Computer Science and a Ph.D. in Engineering and Applied Science from the University of New Orleans. His teaching focuses on introductory or intermediate programming, networking, system administration, and security courses. His research intersects distributed systems and software engineering, particularly in regression test selection techniques for web service-based systems.
- Interest in cybersecurity: Ruth’s interest in cybersecurity sparked during his time as a network analyst at a bank, where he witnessed firsthand the early stages of cyber attacks on banks. This experience influenced his teaching approach, integrating practical IT and cybersecurity concepts, and emphasizing the importance of understanding how systems can be misused, such as through denial of service attacks.
- Recent research and teaching focus: His recent research includes developing privacy-preserving techniques in regression test selection. Ruth also focuses on the challenges of teaching forensics and cybersecurity in hybrid learning environments, aiming to provide equal resources and experiences for both in-person and remote students.
- Teaching philosophy and methodology: Ruth emphasizes teaching the basics of network security, such as firewalls and honeypots, and keeping up with industry developments to update his courses. While tools may change, the core concepts remain similar, ensuring students understand fundamental security principles.
- Cybersecurity education at Roosevelt University: The university offers a Bachelor’s in Cybersecurity and Information Assurance, accredited by the NSA as a center of academic excellence. The curriculum includes programming, system administration, network courses, and an overview of cybersecurity, along with electives in areas like ethical hacking and cyber defense.
Here is a full transcript of the episode
Steve Bowcut: Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
On today’s show, our guest is Dr. Michael Ruth, associate professor of computer science at Roosevelt University. We’re going to be discussing cybersecurity educational opportunities at Roosevelt.
Let me tell you a little bit about Dr. Ruth. Dr. Ruth earned an MS in computer science and a PhD in engineering and applied science from the University of New Orleans.
His teaching interests are focused on introductory to intermediate programming, networking systems administration and security courses. His research interests lie on the intersection of distributed systems and software engineering, more specifically designing regression test selection techniques for web service-based systems.
With that, welcome, Michael. Thank you for joining me today.
Michael Ruth: Thank you for having me.
All right. This is going to be fun and interesting and I’m sure it’s going to be a great resource for any students in your area who are thinking about cybersecurity as a direction that they may want to go in their academic career.
So let’s find out a little bit about you to begin with. I think it’ll be interesting for our audience to learn how you became interested in cybersecurity. Was that your at the very beginning or was that you stumbled across it later?
Michael Ruth:
So my interest actually began when I was sort of earning my degree, if you will. I worked at a bank for five to six years as a network analyst and we got to see firsthand a lot of the problems that were encountered by this is really in ’99, in 2000 where we’re seeing the first onset of attacks being directed at banks and what you call it and looking at how these attacks come in and so forth.
Now I have a very traditional computer science background and I took the computer science courses, I took PhD, my dissertations in computer science. However, because of my experience working at the bank, I worked with all these different IT sort of things. So that’s how I got into teaching the IT courses to begin with. Cybersecurity though, you cannot teach IT anymore and you really haven’t been able to for a long period of time.
When we talk about how things are used, we can’t talk about them without talking about how they can be misused, denial of service attacks and those type of things. We can’t just talk about generic networking anymore. So even in my first years of teaching, we started talking about, okay, when we talk about network of protocols, this is how the network protocol lays out and these are attacks on that network protocol.
So cybersecurity, at least in my experience because of my experience, it’s not something you can sort of, even in 2008, 2009, even back then, we still need to worry about how things can be misused because we’ve seen them misused in real life. I used to work at Hybrid International Bank, it’s now Capital One, but as a result of that we’ve seen firsthand how things can be misused and so forth. We have to include that in our basic discussion including software engineering as well.
And I love that perspective because I know people on the cybersecurity side are sometimes lamenting that they wish people coming out of school with an IT background would be more security focused. And so I love that perspective that yeah, that’s the way you’ve been doing it and probably others as well.
But I know that more and more that’s necessary in industry for IT folks understand security. So that’s awesome. So is there anything that you’re currently working on or researching that you can share with us?
Michael Ruth:
So the most recent technique that I published is a little bit a while ago, unfortunately. It was 2014 and it was privacy-preserving. So take the approaches to, I’m going to give a really short intro to this. You get to take the approaches to regression test selection, these two entities are not necessarily in the same domain and as a result, they’re unlikely to share details to help make that regression test selection process work.
So I developed a privacy-preserving approach to this so that the two parties can share only what they need to share and not internal details, but I’m also interested in thinking about the way we teach forensics.
We have forensics labs, center of academic excellence, we’re center of academic excellence. And so they give us resources to teach various courses, but within restrained cost environment with students being remote and being in person in a hybrid class, how can we best support students in these types of classes? And we’ve been running into all sorts of issues. It’s very hard to have a very, very well-equipped lab that only some students are getting because some students are remote.
So that’s an area we call it computer science education or cybersecurity education that we’re really focused on. Then the sort of evening out the experience of these students has been very important to me and that’s the area I’ve been really focused in on the last couple of years.
Wow, interesting. And has that been … well, probably not, but is there kind of a through thread, something that has been consistent throughout your academic career that has kept your attention?
Michael Ruth:
So one of the most important things, so I haven’t recently because we do have another professor teaching some of the cybersecurity courses, but I used to teach network security and firewalls and those type of things and how do we create honeypots and those type of things. But when I do that, I typically do … a lot of what we do is that low-level sort of teach you how the basics work so that when you go into a corporation you can do [inaudible 00:06:20] but that changes so much. So we really try to interact with how do we expand that knowledge.
An example, I’m just going to give you an example of this, this has been something I’ve been really working on is that in my web development course, web development is no longer, you creating a web server and all the data runs through this type of thing when we have front end and backend.
How do we know that though?
As researchers and as educators, we’re focused on getting that information from the industry as much as possible then. So we can do that to update our classes. So generally, I focus on updating the classes, but a lot of that core network security stuff as relative, the same things I taught in 2008 are still relative today for the most part.
I mean we might use a different tool. We have lab setups that we can actually implement computers and things and not just have actual computers in the room, but the core knowledge that we focus on is relatively the same. Keep everything together, separate things that don’t need to be together and so forth. Some of those same concepts have run through the thread throughout the thing.
We also, I mean, obviously we teach honeypots, we teach all sorts of things as well, but like I said, those core networking things have been, the tools might change a little bit, but the core networking things are relatively similar.
Excellent. Thank you. I appreciate that. All right, so let’s kind of get into the meat of it here.
So can you tell our audience, if you would please, what cybersecurity educational opportunities they’ll find at Roosevelt University? What degree programs or certificates or what do you offer for cybersecurity education?
Michael Ruth:
So we are a center of academic excellence and cybersecurity, NSA accredited. Now, what that actually means is they approve our curriculum for the purposes of cybersecurity education and then okay, but that’s a bachelor’s in cybersecurity and information assurance. And so what the typical students would learn is you have your intro to programming courses. Students often wonder, “What do I need to …” Because they still actually do a lot of programming.
You still actually do a lot of system administration is still a lot of programming. So we do that. We take assist administration courses, network courses, and that’s the more or less the core with a few other intro to security courses thrown in where they learn about the broad overview of cybersecurity. And then we have some, what we call, electives. And these electives are really focused in on certain elements. So like ethical hacking and cyber defense.
And another one we have is … well, forensics is another example, and all these are focuses on what’s kind of cool about cybersecurity and computer science is sometimes we have courses that are focused on different job areas, whereas a cyber professional might do a little bit of all of these things in their actual job. There are forensics people. You can get certified in Illinois as a computer forensic scientist. So there is a actual certification you can get in Illinois for that.
There are pen testers, there are cybersecurity defense people, and there are people that go out and try and attack, they call them white hat hackers that go out and try to attack networks on demand so that we can see how secure our system is. So it’s kind of interesting that we have that we give a nice overlay. The program starts off kind of not say relatively slow, but as sort of a intro to computer science.
This is a network, this is what cybersecurity is, this is how to program, this is a network, this is system, this is a network. And then we go into these various electives that allow them to experiment with the different types of jobs that are out there. Because that’s really the focus of our program is we want to give you not only the knowledge because you need knowledge.
I know this sounds crazy, but students need the knowledge so that when they go on to their careers that they can continue to work, not just next year, they need to continue to work for 20 years. In some cases, students graduated 25 and worked till they’re 75, so that’s 50 years. And so we want them to have a career, not just the skills that they need for their first job, but we do want to make sure that they have those as well.
So that’s the core computer science undergraduate program, the BS in Computer Cybersecurity. We also have an MS in cybersecurity. The MS in cybersecurity is a little bit different. We don’t teach the intro to programming course. We don’t teach those type of things because we’re expecting you to have a little bit of programming knowledge, a little bit of networking knowledge, a little bit of system administration knowledge.
But this is high-level policy, high-level intro. We do have some intro to cybersecurity courses. We do have a couple electives similar to what we do in cybersecurity, but you enter them almost immediately. But we also talk about cyber ethics and legal concerns. For example, I teach a course right now in cyber ethics and we talk about GOBA and GOBA guidelines. And if you’re not familiar with that, that’s financial institution requirements under law, what legal requirements you have if you hold financial information of consumers.
So we talk about that, we talk about the various elements of that, but that’s what we call about policy driven stuff. We also have a lot of electives in that area. The same idea forensics. We have a cloud computing security course focused on how cloud computing and security have to go together, right? Because cloud computing really just means, and I know I’m going to make some people angry and when I say this, but it really just means somebody else’s computer. But that means we have to think about securing it as well. So we have all those electives as well.
Steve Bowcut:
Okay, excellent. So let’s help our audience kind of … You were going to say something else.
Michael Ruth:
I almost forgot to forgot to add. We also have four plus one opportunities that allows undergraduate cybersecurity students to go right into their master’s degree with a … they take three graduate courses as undergraduates and then they go into graduate things. So that’s useful opportunity for you. I wanted to add also that we have two cybersecurity clubs of interest. One is a, I’m trying to think of the word, Girls Who Code Group.
I don’t know what the … It’s Girls Who Code is the name of the group, but they get together and the female computer scientists, cybersecurity students go and do regular activities about usually monthly. And then we also have a cybersecurity club, which then most of what they do is to get together and they practice for, I’m trying to think of what, competitions, yes, that’s the word I’m looking for. And that’s either a red flag, blue flag where they challenge either defend or attack each other.
Okay, perfect. Thank you for that. That’s exactly where I was going to go. I was going to ask you about any clubs or those kinds of things that students might be involved in.
Are there any other capstone projects or things that you can think of that might be part of the educational experience there for cybersecurity?
Michael Ruth:
Yeah, so every student part of our program, so two parts that we want to talk about, two parts. So every student at Roosevelt is required to take, I want to say the course is ethical hacking, but I’d be wrong, it’s 3:35 and I’m just blanking at the name. But in that, as part of the degree requirement, as part of the course requirement, they have to go and participate in NCL, National Cyber League competition. So you will participate in a security competition is part of our curriculum.
Steve Bowcut:
Very good.
Michael Ruth:
And of course, the club helps you prepare for that, but also that class helps you prepare for that. In addition to that, every student at Roosevelt will also, a cybersecurity student will also take a senior project. Right now as senior project at which I’m teaching, I totally didn’t blank on this as well, I’m teaching this right now.
So the cybersecurity students in that class, we built a web application using spring and angular front end backend and they’re trying to attack it. So I have six students that are trying to attack it and make the developers look silly by breaking it, which it’s a typical thing. And so initially they try to break it. Typically, what I have them do is they try to break the system and then once they break it, they have to make it so you can’t break it anymore.
Steve Bowcut:
Very good.
Michael Ruth:
Cybersecurity is great to break things. That’s the fun part. But then we also have to make sure that no one else can break it after us.
Steve Bowcut:
Very good. I love that. Thank you.
Michael Ruth:
they have fun.
Yeah. All right, so industry seems to be clamoring for trained cybersecurity workers and so it is interesting to me, and I think it’ll be interesting to our audience to hear how is academia responding to that?
What input do you get from industry? What does that input look like and how do you implement that?
Michael Ruth:
Again, I apologize, this sounds overly canned, but we have a center of academic excellence requirements to have an advisory board. And as a result of the advisory board, we have about six to 10 members that regularly meet. They meet twice a semester. They review our curriculum and add and talk about things they can add and remove. What that typically looks like is they actually look over our courses, we give them syllabi.
They don’t really usually ask for course materials, but they do frequently ask about areas of courses that could be improved, could be not improved, could be changed, could not be changed. And so we have that and that’s very, very useful because they’re not necessarily giving us direct, “Hey, you should change this or you should add this,” or, “Hey, did you guys hear about this?” Most of the time it’s not low level, “Hey, make sure you have a unit on cyber ethics or make sure you have …” It’s not like that, but it’s like, “Hey, this type of thing has become really important.”
We really need to see students that graduate that have this skill. Especially when it comes to system administration, that’s been the one course that I feel like they want to break open the most. I don’t know, I feel like sometimes with system administration, can you really teach everything in one course, right? So when they talk about SQL, data mining, elements of SQL that comes into play because frequently we teach our database course generically because you do with have a computer science and cybersecurity program.
So when we talk about SQL injection attacks, we have to talk about this type of attack has become kind of common. Do you include this thing? So they’ll frequently add or provide us feedback with the information, provide us feedback with our curriculum. And typically we do an assessment as well.
So we look at our course objectives because that’s mostly what they’re looking at is course objectives and high level things. We look at our course objectives and we’re required to do this by the center academic excellence. We regularly review our curriculum, regularly review how we’re teaching, regularly review how the students are doing to make sure we’re actually teaching what we’re say we’re teaching. It’s not enough to just say we’re teaching the stuff.
We have to actually prove it. And so we do regular assessment yearly and what is the right word? Semi-annually, so that we verify that we’re actually teaching what we say we’re teaching. So in addition to them going in and looking at our objectives and saying, “This is good, but we need you to also teach this.” We do that and we modify our courses accordingly as much as we can. But then we also regularly review our courses to make sure we’re actually teaching what we say we’re teaching.
That’s interesting to me. Do you find that that varies quite a bit? I guess what I’m thinking here is that threats and vulnerabilities seem to evolve quite rapidly in industry and the focus of cyber defenders seems to change a lot.
So we’re one month we’re looking at supply chain, open source code, right next month we’re looking at something else. So it would be hard for an academic institution to try and react to those things that quickly.
But if you take a step back and take a bigger look at it, have you seen it change quite a bit over the years? What they’re asking for you to teach students that are ready to go to work?
Michael Ruth:
No, I think they give us an overview. When you look at individual like low, so from a 5 feet point of view, you’re looking for way from five feet, typical, what, average height of a human, right? Five feet away, you look at that level, that would change very rapidly all the time. An actual cybersecurity professional.
But if you give it a hundred feet or a thousand foot view, that’s not changing as much. And as a result, that’s kind of what we’re teaching when we do our attacks, when we do our cyber … I’m trying to think of the word. Now, I can’t remember, I still forgot the word. Ethical hacking is 3:35 is our course. When we do that, those types of attacks change drastically from semester to semester, right?
Because you’re following the National Cybersecurity League. So those are following the industry things that we want students to be able to do. Those upper level classes where we have forensic techniques that are relatively new, those keep get added and changed into the course. But very low level things where we’re looking at secure software from a point of view of this type of software that yeah, that’s probably too fine grain for us to really get down into.
But as those upper level classes, I was saying in those upper level electives, those tend to be a little bit more nimble and we do actually include new information as it comes available.
Steve Bowcut:
Interesting.
Michael Ruth:
Our people are researchers.
From the input you get from industry, do you get a sense of where the skills gap holes are at?
Are they at the low end, they can’t find enough people to staff their SOC? Or are they high end? They’re looking for people with nation state threat threat intelligence kind of background or across the board.
Michael Ruth:
So the bad news is it’s across the board. There’re just literally not enough applicants for jobs. Then you can find that when you go to USAjobs.gov, you go to USAjobs.gov and just pick your area. You’re looking for, I don’t know, data analyst, computer scientists, cybersecurity. And you look at the various types of cybersecurity jobs … I was blanking on that.
And then you look at that, penetration testers, system engineers, all those different things. There are a ton of opportunities out there and they just cannot fill them fast enough. And that is the bigger problem. The bigger problem is we’re just not graduating enough people. And the center of Academic Excellence conferences I’ve been to, the gap is very large and it’s really across the board. It’s not just entry level people, which for us, that’s our bread and butter, entry and management level people.
But eventually they’ll go on and become CISO, they’ll become the people that are in charge of security operations. And so Chief Information Security Officer is a CISO, is what that stands for. So they’ll eventually go into those roles, but because the gap is everywhere and they just don’t have enough people, that’s a problem.
And so some of the government organizations are actually fighting over, they’re fighting over people. And because they’re just done enough. Now as it relates to cybersecurity, one of the good news is that we are career and skill focused.
So we do want them to be available for a long-term career. We’re not just getting them through their first six months of the job, right? We want them to work long term. So we do do that base core of knowledge that’s going to serve them well throughout their career. We teach them how to program, we teach them what a system is, we teach them what a network is.
Those things don’t drastically change. We still need networks together and so forth. And then we teach them a lot of skills that allow them to get that first job. And I think that’s very good. I think that’s the best blend because it gives you that opportunity. But as in terms of those last minute skills, that’s really what those electives are designed to.
And I say last minute, I just mean skills for that next six months, right? Because I sometimes struggle with this, and I think we all do as professors, is that we remind our students when we’re teaching our upper level electives that you know can go next week or next month when you graduate and you can get a job doing what I’m doing.
But that doesn’t mean you’re going to be trained on the job. You have to be able to do the job people pay you to do. And so that’s what we’re really focused on.
Excellent. Okay. All right. So a couple more things I wanted to touch on before I let you go. One is if there’s any resources that you want to mention, sometimes I term this as top picks.
If you were building a reading list for somebody who’s thinking about cybersecurity, and it could be books or papers, but it could be lectures, YouTube channels, anything like that, that you would typically point a student towards if they’re trying to learn if cybersecurity is right for them.
Michael Ruth:
If there’s right for them … Actually, not. I thought the question through a different avenue. So I’m going to answer-
Steve Bowcut:
And that’s fine.
Michael Ruth:
… the wrong question.
Steve Bowcut:
That’s fine.
Michael Ruth:
I’m going to answer the wrong question. I’m going to be a bad student and answer the wrong question. But no. So what I would tell a student to do is learn Linux, right? So if you’re going to be assistant administrator, Linux is free, doesn’t require you to do anything.
You can download virtual box and you can have a Linux installation running tomorrow. And then you can learn to secure it by looking at security guides. There’s a million Linux security guides, there’s a … I’m trying to think of it. I will send you a link. There’s Linux system administration guides that are available, freely available. You can go look at anytime. I’ll send you a link for that, I promise.
Steve Bowcut:
Perfect. Okay.
Michael Ruth:
But like I said, and you can just play around and you can be a system administrator or you can be network administrator. Linux gives you that opportunity because you can actually build a firewall using Linux and do a lot of network security concepts just by learning Linux. That’s a huge deal.
And I’m interested, is that … I’m going to interrupt here just for a second, but is Linux what you would recommend only because, well, it could be either, in my mind, I don’t know the answer to this because a student is more likely to end up working on a Linux system?
Or is it because you have a better look under the hood? And so if you want to learn what goes on under the hood with an operating system, Linux is the way to go because Microsoft is not going to open the hood for you.
Michael Ruth:
Well, no, there’s two elements to this, and I’m going to lie a little bit because I’m going to simplify. I’m going to oversimplify a little bit. Linux is free, number one, so you can do whatever you want. You can blow it up. You can use any version of Linux. There’s many different versions of Linux. Microsoft will never give you the keys to the universe, they will never.
The other side of things that we talk about sometimes is when we used to teach our system administration class using Windows and Linux and the bad news is that we just couldn’t go deep because we were doing it twice. We couldn’t go very deep to do both. And so that was a problem. But with Linux, you can do virtually anything.
You can have a graphical sort of user interface sometimes and not, and Microsoft allows that option as well. So let’s not pretend that those things aren’t as well. So that’s the first part is it’s free literally. And Microsoft has its tools. I like to think of Microsoft being sort of a separate approach to system administration.
So Microsoft will technically have a tool that does 10 things where Linux might have 10 tools. They each do that, but it’s a different feel. But the thing is they can get their hands very, very dirty very quickly. And if you could do it in Linux, you can learn how to do it in Win. The piece I will add as well, and I think that’s oversimplifying. I mean, my MSCE friends will yell at me, of course, because they’re Linux, you have active directory.
You have a couple things that are very difficult to pretend to do in Linux. So you do need a Microsoft, but you don’t want to get dirty. You want to get your hands dirty initially and you can go as far as you want. Linux is a very good tool to do that because it’s free and you get dirty right away. You can typically look at a security guide and there’s massive numbers of freeware, guides and stuff available online as well. There’s tons of tools about Microsoft as well. I mean, don’t get me wrong, but remember you have to pay for Microsoft licenses.
Steve Bowcut:
Okay. Makes sense.
Michael Ruth:
That’s often an obstruction to some extent.
Okay. All right. So we’re about out of time here, but I want to end with this kind of final question where we ask you to dust off your crystal ball and look into the future and give the audience an idea of what they might be doing to prepare now to meet the needs of five years or 10 years down the road, if that’s even possible.
Michael Ruth:
Okay. So it’s not, but they’re always zero day attacks. There are literally companies that will pay millions of dollars for, if you find a zero day attack that nobody’s seen before, they’ll pay you millions of dollars for it. So literally cybersecurity, you may run into attack that you have never seen before, and that’s just the way it goes, right? It’s a never ending learning experience. But one area I would think is getting more attention is AI.
AI is being used in its learning tool and it exists. Existed in cybersecurity for a long time. If you think about the way mail filters work, we filter out spam. It’s usually learning techniques, so it’s not that strange or that new, but AI techniques aren’t getting more and more prevalent and you’re seeing those things in a lot of different places you may not have seen them before.
Another area I would like to add is machine learning. It’s similar, but machine learning techniques to look at attacks and look at ways in which we can prevent attacks, especially network attacks, machine learning tools and techniques are being used at a greater degree as well.
So those are two areas that I think, and they’re very related. I get it, they’re very related, but they’re actually used slightly differently, but lots and lots of different tools and learning techniques to train systems to do some of the work for them.
When I was assistant administrator many years ago with the bank, one of the things I encountered was dealing with the fact that we had 5,000 servers and you only had 50 people dealing with these servers. We had to automate things quite a bit. And to do that, we had to program, but now we have to train these things to do our bidding for them. And so we call it training because you’re using AI.
And so having some working knowledge of AI, I think going into the five years from now will be very, very important, but also be looking out for that the cybersecurity field as a whole changes drastically. Things change all the time, and you’re constantly staying above the wave, so to speak, so you don’t [inaudible 00:30:52] wash away.
Steve Bowcut:
Okay. Thank you so much. Dr. Ruth, thank you so much. I appreciate your time today. This has been very interesting. It’s been a fascinating conversation.
We appreciate you giving us some time and a big thanks to our listeners for being with us as well. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.