1Y0-403 learner - Citrix Virtual Apps and Desktops 7 Assessment, Design and Advanced Configurations Updated: 2023

A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances.

CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.

On October 17, Mandiant revealed that the flaw was abused as a zero-day in limited attacks since late August 2023.

This Monday, Citrix issued a subsequent warning to administrators of NetScaler ADC and Gateway appliances, urging them to patch the flaw immediately, as the rate of exploitation has started to pick up.

Today, researchers at Assetnote shared more details about the exploitation method of CVE-2023-4966 and published a PoC exploit on GitHub to demonstrate their findings and help those who want to test for exposure.

The Citrix Bleed flaw

The CVE-2023-4966 Citrix Bleed flaw is an unauthenticated buffer-related vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, network devices used for load balancing, firewall implementation, traffic management, VPN, and user authentication.

By analyzing the unpatched (13.1-48.47) and patched versions (13.1-49.15) of NetScaler, Assetnote found 50 function changes.

Among these functions, the researchers found two ('ns_aaa_oauth_send_openid_config' and 'ns_aaa_oauthrp_send_openid_config') that featured additional bounds checks preceding the generation of a response.

These functions use 'snprintf' to insert the appropriate data into the generated JSON payload for the OpenID configuration. In the pre-patch version, the response is sent immediately without checks.

The vulnerability emerges from the return value of the snprintf function, which can lead to a buffer over-read if exploited.

The patched version ensures that a response will only be sent if snprintf returns a value lower than 0x20000.

Snatching session tokens

Armed with that knowledge, Assetnote's analysts attempted to exploit vulnerable NetScaler endpoints.

During that process, they found that the hostname value used for generating the payload comes from the HTTP Host header, so one does not need administrator rights to access it.

Furthermore, the hostname is inserted into the payload six times. Hence, its exploitation makes it possible to exceed the buffer limit, forcing the endpoint to respond with the buffer's contents and adjacent memory.

"We could clearly see a lot of leaked memory immediately following the JSON payload," explains Assetnote in the report.

"While a lot of it was null bytes, there was some suspicious-looking information in the response."

By exploiting the vulnerability thousands of times for testing, the analysts consistently located a 32-65 byte long hex string that is a session cookie.

Retrieving that cookie makes it possible for attackers to hijack accounts and gain unrestricted access to vulnerable appliances.

Now that a CVE-2023-4966 exploit is publicly available, it is expected that threat actors will increase their targeting of Citrix Netscaler devices to gain initial access to corporate networks.

Threat monitoring service Shadowserver reports spikes of exploitation attempts following the publication of Assetnote's PoC, so the malicious activity has already started.

As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.

A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.

The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets in appliances configured as gateways of authentication, authorization, and accounting (AAA) virtual servers.

In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.

A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.

"Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023," says the cybersecurity company.

The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach more accounts.

Security researchers observed CVE-2023-4966 being exploited for access on infrastructure belonging to government organizations and technology companies.

Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators with the following suggestions:

1. Restrict ingress IP addresses if immediate patching isn't feasible.
2. Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions <vServer>.
3. Rotate credentials for identities accessing vulnerable appliances.
4. If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
5. For detected web shells or backdoors, rebuild appliances with the latest clean-source image.
6. If restoring from backup, ensure no backdoors are in the backup configuration.
7. Limit external attack exposure by restricting ingress to trusted IPs.

Also, upgrading the appliances to the following firmware versions should be prioritized:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
• NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NdcPP

This is the second zero-day flaw Citrix fixes in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few of weeks later.

Earlier this month another vulnerability was found in Citrix Systems Inc.’s NetScaler and NetGateway product lines. This time around, the Citrix Bleed exploit is a lot more dangerous and harder to snuff out.

In July and August, about 2,000 NetScalers were exploited by a threat actor to get persistent access. NetScaler and NetGateway perform a variety of network security functions, including load balancing, application firewalls and proxy services.

The Citrix Bleed exploit allows attackers to retrieve session cookies to gain unauthorized access. The company announced patches on Oct. 10 for several versions, with the exception of v12.1, which is still vulnerable and considered past its end of life. But then other issues were discovered.

Last week saw further definition of the scope of the problem. Google LLC’s Mandiant research group found another vulnerability that wasn’t fixed with these patches. Other researchers, including Assetnote, found the exploit happening in their telemetry since August and issued a proof-of-concept example. This can be used as a demonstration, as well as a mechanism for network administrators to test their systems. Assetnote had further technical details that show how the exploit works.

Mandiant found instances where the exploit was used to infiltrate the infrastructure of government entities and technology corporations, and the Cybersecurity and Infrastructure Security Agency added the exploit and warnings to federal agencies. Mandiant and Citrix both issued warnings to those that haven’t yet patched their systems to do so as soon as possible. Greynoise, another security researcher, indicated that more than a dozen unique IP addresses were still unpatched as of the weekend, according to data they extracted from their own telemetry.

Session cookie-based attacks have been in the news most recently, because they make it easier for hackers to breech systems without having to find and steal login credentials. They’re also useful because the cookies are designed to persist after any reboots of the equipment, and in some cases the initial patches offered by the vendors don’t take this into account. A similar set of session cookie attacks were behind a series aimed at Cisco Systems Inc. IOS devices earlier in the month.

Photo: Citrix

A critical security vulnerability in Citrix NetScaler patched last week is under active attack — and has been since at least August.

Making matters worse, the bug (CVE-2023-4966, CVSS score 9.4), can't be fully remediated by simply applying the patch, Mandiant warns.

To that point, "organizations should ... terminate all active sessions," Mandiant CTO Charles Carmakal explained in a LinkedIn post on the active Citrix exploitation this week. "These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed. Therefore, even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated."

Technically an information-disclosure vulnerability, the flaw allows cyberattackers to hijack existing authenticated sessions and potentially bypass multifactor authentication (MFA). The result is full control over NetScaler environments, which control and manage application delivery within enterprises.

Mandiant has traced attacks exploiting the bug back to late summer, carried out by an unknown threat actor. Carmakal said that the ongoing exploitation appears focused on cyberespionage, with professional services, technology, and government organizations so far in the unknown attackers' sights.

"We anticipate other threat actors with financial motivations will exploit this over time," he added.

That's a likely prediction given that organizations have a poor track record when it comes to mitigating known threats against Citrix gear. For instance, earlier in the month it came to light that legions of attackers are still targeting CVE-2023-3519 (CVSS score of 9.8), a critical pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways that was addressed in July (but exploited as a zero-day for a month before that).

Thousands of credential-theft attacks ensued after the disclosure, cresting in August as patching lagged. As of early October, according to the Shadowserver Foundation, more than 1,300 backdoored NetScaler instances were still appearing in scans.

As far as the latest critical security bug goes, customer-managed Citrix NetScaler ADC and NetScaler Gateway installations are affected; cloud instances are not, as outlined in the Citrix bug advisory, which also includes information about patched versions. Mandiant on Wednesday also offered updated, detailed remediation guidance for CVE-2023-4966.

Immerse yourself in a world of critical analysis and intensive scholarship that will help you change your career path or Strengthen your employment opportunities. 

The New School offers unique degree programs specifically designed for students seeking an alternative to the traditional four-year college experience, as well adult career changers. Parsons’ Associate in Applied Science (AAS) degree program provides a challenging academic curriculum, a community of design practitioners, internship opportunities and professional development counseling. The Bachelor’s Program for Adults and Transfer Students benefit from The New School’s student success offerings, flexible study options (including part- and full-time study; and online, on-campus, and hybrid options), a curriculum tailored to individual goals, and credit for your work/life experience. 

Below, find more information about our bachelor’s and associate’s degree programs. Looking for information about transferring as a undergraduate student? Visit Transfer Students page to learn more. 

Bachelor’s Program for Adults and Transfer Students

Bachelor's and associate degrees for adult students seeking an alternative to the traditional four-year experience

• Option to self-design your degree in the Liberal Arts major
• Transfer up to 84 credits, including credit for college-level learning received from work and life experience
• Study online or on campus, part- or full-time (it is possible to complete a degree entirely online)
• Evening and day classes available
• Receive support from a faculty advisor
• Take advantage of our bachelor's/master's pathway

Learn more about continuing your education in the Bachelor's Program for Adults and Transfer Students

Parsons School of Design

Associate in Applied Science professional programs in communication design, fashion design, fashion marketing and communication, and interior design

• Study part-time or full-time
  
• Take classes scheduled in the evening for students’ convenience
• Change careers in a focused, professionally-oriented program

Learn more about continuing your education at Parsons

Not sure which program is right for you? 

The Office of Admission will help you find the program that suits you by reviewing your education, interests, and academic goals. You can reach our admission counselors by email at [email protected] or by phone at 800.292.3040.

WRITTEN BY: John Hagel III, John Seely Brown, Roy Mathew, Maggie Wooll & Wendy Tsu

A new business landscape is emerging wherein a multitude of small entities will bring products and services to market using the infrastructure and platforms of large, concentrated players. The forces driving this are putting new and mounting pressures on organizations and individuals while also opening up new opportunities. But traditional postsecondary educational institutions are not supporting individuals in successfully navigating this not-too-distant future, nor are the educational institutions immune to these forces. Perhaps more than any other sector, postsecondary education is being affected by changing demand as the learning needs and preferences of the individual consumer rapidly evolve. Increasingly, individuals need both lifelong learning and accelerated, on-demand learning, largely as a response to the pressures of the broader evolving economic landscape.

Rarely seen amid gross national statistics on the skills gap, employability, completion rates, and tuition hikes is a serious discussion of the unmet, and increasingly disparate, needs and expectations of individual learners. The costs to the individual are increasing, and the payoff is less certain. Students of all ages are more comfortable with technology and are less tied to traditional notions of the academy as fewer American adults between the ages of 18 and 22 achieve a four-year, full-time, campus-based degree.¹ At the same time, technological advances reduce the lifespan of specific skills, and an increasingly globalized and automated workforce needs to continuously learn and retrain.

As a result of a growing set of unmet needs and lower barriers to entry and commercialization, a new ecosystem of educational players is emerging, largely independent of the traditional educational landscape. This rich ecosystem of semi-structured, unorthodox learning providers is emerging at the edges of the current postsecondary world, with innovations that challenge the structure and even existence of traditional education institutions. These challengers are extending the education space beyond grades, degrees, and certificates to provide lifelong learning in a variety of formats and levels of effectiveness.

What does this mean for traditional players and the educational landscape? Similar to what is occurring more broadly, the emerging landscape will consist of a few large, concentrated players that will provide infrastructure, platforms, and services to support a wide array of fragmented niche providers of content, formats, environments, and experiences. Existing institutions—educational institutions, educational publishers, and corporate training departments—would do well to understand the diversity of the emerging landscape and the needs and preferences they reflect in order to help define sustainable roles in this new landscape. Existing institutions will likely have to choose what roles they can play sustainably and where they should be integrating emerging players and tools to support the learning needs of the future.

THE SHIFTING FOUNDATIONS OF THE EDUCATIONAL LANDSCAPE

In the book A More Beautiful Question, Warren Berger suggests that the true focus of education should be on encouraging students to question and explore rather than on delivering a canon of knowledge to students.² This stands in stark contrast to the current pressure on traditional educational institutions to provide job-driven curricula to better meet the needs of the economy. With skyrocketing costs, a growing student-debt crisis, and the perception of a widening gap between institutional curricula and employer needs, more attention is being focused on the value provided by different types of traditional educational institutions, specifically four-year universities, two-year community colleges, and trade or vocational schools. Yet, as undersecretary of education Ted Mitchell explains, the value of education can be thought of in several ways: “There is economic value for the individual, economic value for society, but there is also civic value for society and having good, engaged citizens.”³

Unfortunately, the conversations revolving around skill-based training, financing reform, and improved access in many ways ignore the broader shift occurring in the global business environment. As detailed in The hero’s journey to the business landscape of the future,⁴ rapid advances in technology and a trend toward public policies that allow labor, resources, and capital to flow more easily across borders are shaping a future economic landscape in which a relatively few large, concentrated players will provide infrastructure, platforms, and services that support many fragmented, niche players. Individuals and institutions alike will have to chart a path through this future (figure 1).

This emerging landscape, and the underlying forces driving it, can have direct implications for education, learning, and other aspects of society. First, exponential advances in the core digital technologies that permeate all industries are leading to exponential, cumulative innovations that are blurring boundaries between once-separate domains and industries, disrupting business and the workforce in ways that are difficult to imagine or predict.⁵ In such an environment, greater collaboration between industry and academia alone cannot ensure a well-trained, well-targeted workforce. Second, in this global and networked environment, fixed knowledge stocks have decreasing value, while more fluid knowledge, specifically participation in diverse information flows that lead to the creation of new knowledge, becomes more important. As such, education as a one-way transfer of a canon of knowledge is inadequate, and the characteristics that defined education in the 20th century—bound by time and place, with a fixed curriculum—cannot keep up with the rapid rate of change or the new demands on knowledge and learning.⁶

Most traditional institutions—educational institutions, educational publishers, and corporate training departments—have not yet made the shift from knowledge stocks to knowledge flows. As a result, the traditional learning pathways for acquiring skills and credentials and securing employment are in flux. The institutions that have defined those pathways (see figure 2) are being challenged by a growing array of unorthodox learning providers who are experimenting not only with delivering educational content faster, cheaper, and on demand but also with entirely new learning experiences.

The underlying forces putting pressure on institutions and opening the door for new opportunities and entrants are unlikely to subside. This will drive changes in the postsecondary educational landscape as in most other industries, and it will also continue to increase demand for a richer, more diverse learning ecosystem to help individuals navigate the future landscape.

THE NEEDS OF THE INDIVIDUAL LEARNER IN THE 21ST CENTURY

Individuals increasingly face the prospect of not just multiple jobs but multiple careers over a lifetime, and of constantly changing technology and environments within a job. As Robin Chase, former CEO and founder of ZipCar, puts it, “Our parents had one job, I will have seven jobs, and our children will do seven jobs at one time.”⁷ As the expectations for employment and fulfillment change, continuous and lifelong learning becomes increasingly important. Individuals are looking for not just learning but guidance in navigating the changing world to find the best learning and career opportunities. The growth in life coaching and self-help books, now $2 billion and $11 billion industries respectively, is an early signal of this need.⁸

Individuals are also challenged by an accelerating cycle of skill obsolescence in a period of unprecedented transition from skill set to skill set. The rapidly changing business landscape demands constant learning of new skills and domains, retraining, and applying existing capabilities in new contexts. It also demands a greater fluency in digital tools and comfort in virtual environments. It rewards those with greater capacity to seek and access resources and to build social capital through personal networks and participation in communities. While globalization has opened opportunities for new jobs and careers internationally, it has also in some cases narrowed opportunities as certain types of employment migrate to nations with lower labor costs. In manufacturing and IT, for example, 53 percent and 43 percent of US companies, respectively, engage in offshore outsourcing, displacing as many as 2.6 million jobs.⁹ What happens, then, to the individuals who must recalibrate their careers for options that their education may not have equipped them for?

Predicting which skills and jobs are vulnerable to obsolescence is no longer straightforward, either. Beyond globalization, the 21st-century work environment is what Michael Gove, former UK secretary of state for education, termed a “new machine age,” where breakthroughs in automation, robotics, and even artificial intelligence have begun replacing jobs once thought to be the domain of human workers.¹⁰ Fujitsu, Canon, and Amazon are but a few examples of organizations that have automated significant portions of the assembly and fulfillment processes.¹¹

Changing preferences for autonomy, and the ability to find meaningful work that satisfies those preferences, are also starting to redefine traditional career paths. Many individuals have left large companies for smaller firms or become self-employed as the traditional promises of stability, income and career progression, health care, and training and development opportunities once tied to large companies have been broken. In addition, retirement-age workers who do not retire, either because of financial needs or a desire to continue to make an impact, are also moving from large companies with retirement programs to smaller businesses or self-employment. While the average worker today switches jobs every 4.4 years, the independent workforce has grown from 16.1 million in 2011 to 17.7 million in 2013.¹² The switch from large to small or independent often requires a new skill set even when the occupation builds off of experiences in a former job or role. Independent workers, as much as their employed peers, continue to need professional development and learning opportunities to maintain and refresh skills, but they have to seek it from external sources. Most small companies, if they offer training at all, also turn to outside sources for professional development, and even larger companies have reduced investment in internal training and development opportunities for employees.

The shelf life and relevance of skills are decreasing, while new occupations, roles, titles, and functions are being created at a rapidly accelerating pace. In an oDesk survey asking hiring employers to rank the criteria for their hiring decisions, a college degree ranked last. The No. 1 criterion was a person’s previous performance on a similar or related task.¹³ Moreover, by 2020, it is estimated that the work-related knowledge a college student acquires will have an expected shelf life of less than five years.¹⁴ Fabio Rosati, the CEO of Elance (which recently merged with oDesk), states, “The technologies that were relevant even two to three years ago are different than the technologies that are going to be relevant in the next two to three years, [and that’s moving] at increased speed.”¹⁵ From an occupational perspective, according to career networking platform LinkedIn, the top 10 job titles used by employees today (including iOS developer, social media analyst, big data architect, cloud services specialist, and digital marketing specialist) did not even exist five years ago.¹⁶ What are the options for the approximately 16.4 million students who graduated from higher education institutions just 10 years ago and now want to pursue a career in one of these jobs that didn’t exist then?¹⁷

In addition to the pressure to continuously adapt to the forces that are reshaping the business landscape, the cost-benefit equation for individuals considering any form of traditional education has changed. Tuition costs have grown in absolute terms and are part of a long-term trend of state and federal governments shifting the cost burden to students and their families. In fact, 71 percent of students graduating from four-year universities have debt averaging $30,000, a 20 percent increase since the recession. Even 88 percent of Pell Grant recipients had student loan debt greater than the national average of $25,550 for public universities.¹⁸ While tuition costs have gone up, job placement rates from four-year institutions have decreased, with 40 percent of latest college graduates unemployed in the first year, and others underemployed.¹⁹ This changes the equation for individuals as they consider their options, and alternative learning pathways become more appealing.

Add to this equation a potential student, very much a consumer, who is comfortable with technology and accustomed to getting information from a variety of online sources. This description isn’t limited to Millennials, who have undeniably grown up with a different expectation for the pace and engagement of their learning environments, are fluent in social media, and easily transition to new platforms. Across virtually all generations, people turn more readily to the Internet as a resource for entertainment and information; education and learning aren’t such a leap. Some of these learners are the same latest students who didn’t complete degree programs, who graduated but failed to find employment, or who saw friends or family members sink under runaway student debt. In addition, with more visibility into options, as with other aspects of their lives, consumers are seeking out those that match their preferences for faster, more flexible, or more experiential formats.

Finding new ways to empower learners and support their unmet lifelong learning needs is an attractive opportunity for new entrants. But with a shifting student profile—currently the “modal student is 36 years old and doing school on the side”—traditional educational institutions, if they want to stay relevant and viable, must also find new ways to better address the unmet needs of a variety of learners.²⁰ It is no surprise that new forms and institutions are emerging and gaining credibility, in part as a consequence of the slow response and inability of traditional institutions—not just educational but government and corporate as well—to keep up with these evolving needs.

AN EMERGING ECOSYSTEM SERVING LEARNERS AT THE EDGES

Much has been written about “the higher education crisis” and the multilayered organizational inertia, policies, and practices that hinder innovation and change within traditional educational institutions. Those arguments are valid, but we would suggest that by focusing internally they miss the competition coming from the “edges,” from unexpected places and sectors. These new entrants in education are unlikely to look like the incumbents; lowered barriers allow competitors to offer individual components of what traditional institutions (four- and two-year colleges, vocational schools, and corporate training) provide.

New entrants are innovating all along the learning spectrum. A rich ecosystem of unorthodox learning providers is emerging at the edges to experiment with technologies and approaches—in some cases to try to deliver a component of traditional education in new ways that reduce costs, Strengthen effectiveness, or increase accessibility (faster, on demand); and in some cases to offer something entirely new with different goals that cannot necessarily be judged by traditional metrics of time-in-seat, completion, or assessment scores.

The eroding barriers to innovation in learning

In The hero’s journey through the landscape of the future, we examine, across industries, how the barriers to entry, commercialization, and learning are being dramatically impacted by technological advances, ubiquitous connectivity, and more empowered and digitally savvy consumers. In particular, we study the way these forces have shifted consumer power and preferences, how they have lowered barriers to new entrants in education and opened the doors to innovation in learning, and the platforms that have come out of these forces.

One potent example is the availability of financing for education technology.²¹ What began as a trickle—$64 million of investment in 2009—has swollen into a flood, with $1.25 billion, an increase of 35 percent, invested in the education technology market in 2013.²² Much of the growth has been in informal, lifelong learning: MOOCs, professional development, and professional skills were the education categories most funded by venture capitalists in Q2 2014. San Francisco-based Udemy, a MOOC platform specializing in helping individuals Strengthen skills related to career and life, raised $32 million in series C funding of new ventures.²³

The growth of venture funding in this space is allowing more entrants with potentially disruptive technologies in content creation, access, tools, and formats to directly impact lifelong learning. Platforms such as Udemy and Udacity have opened a content creation ecosystem that was originally restricted to academics, administrators, and publishers to include new entrants such as engineers, designers, data scientists, coaches, and others with a desire to share their expertise. While the offerings in education technology are still nascent, and many will fail to either become viable business models or provide long-term value to learning, the increased investment in the informal learning space signals consumer and market appetite for learning experiences that extend beyond an education bound by time or location.

While access to financing has become relatively less of a hurdle, other barriers remain, not impassable but not yet negligible. The desirability and superiority of a four-year college education is deeply embedded in American culture and policy, with the consequence that even the best alternative forms of education are viewed as inferior compromises. As a result, and with the notion of meritocracy, the higher education conversation tends to revolve around access and outcomes. Ted Mitchell, US undersecretary of education, summarizes the administration’s agenda as “access, affordability, quality, and completion,” with the goal of providing the highest level of education for which people qualify.²⁴ The assumption is that the ranking of options remains unchanged. For new entrants to gain traction, they will have to overcome the barriers around brand, acceptance by employers, and comfort with non-authoritative sources of learning and warranting. While these barriers may be slower to fall, emerging players will likely gain momentum from the increasing desire for participation in learning, relative affordability (particularly if new entrants gain acceptance by federal/state funding sources), and flexibility (which reflects the increasing diversity of learners, for example, transitioning/reentering workers such as veterans and senior citizens).

Where are the edges?

Currently, new entrants primarily exist in parallel to traditional postsecondary education institutions, but they are beginning to compete with traditional paths. New entrants are emerging in five arenas, mostly centered around the individual:

1. The workforce: As workers recognize the importance of continuous learning, they are more actively seeking learning opportunities. In 2013, 23 percent of employees left their jobs citing the lack of opportunities for professional development and training.²⁵ Companies are starting to realize the need to provide more and different training opportunities that better suit each unique worker, allowing workers to develop relevant and marketable skills. Companies such as SAP have started to create their own MOOC-based platforms, like openSAP, to allow subject matter experts within the workforce to create relevant and timely content for others. Rather than fund expensive training departments, others are turning to outside providers such as Udemy for flexible, relevant content.
2. Independent agents: The growth in the independent workforce, together with the lack of formal training and development programs in small companies, leaves a large population of individuals who are accustomed to managing their own careers looking for external solutions so that they can continue to learn and retrain. This is where specialized programs such as coding-intensive boot camps (for example, Dev Bootcamp, Hack Reactor, and Codeacademy), Meetups, and MOOCs are emerging.²⁶
3. Passion arenas: Passionate workers, specifically those who embrace challenges as opportunities to learn and who connect with others to find solutions and make a meaningful impact on an area of interest, want to share that passion with others. As a result, the need to share and connect with other passionate individuals manifests itself as social communities and creation spaces where learning and connection can blossom around significant challenges.²⁷
4. Emerging countries: Access to education is a necessary element for economic prosperity, particularly in developing countries. The global demand for learning through more inexpensive, pull-based, flexible models is leading to experiments with new platforms and environments to make learning accessible to a rapidly changing world. Free MOOCs are one example, but so is the global network of institutions owned by Laureate Education, or New York University’s global academic centers that have a mission to provide access within a country.
5. K-12: The learning habits and preferences of students move with them, and experiments that began in the K-12 space might translate into the postsecondary world. For example, AltSchool, a new network of K-8 schools in the Bay area, is experimenting with ways to make the experience of learning more flow-based and immersive. AltSchool focuses learning around microschools where the neighborhood playground serves as the gym and the science class on liquid nitrogen takes place at the local ice cream shop.²⁸ Consider, also, the example of Khan Academy. In providing short, modular, on-demand, self-paced math instruction to the K-12 audience for the past seven years, Khan Academy has been refining the platform and techniques for engaging learners in personalized curricula focused on skills mastery.²⁹ As its target audience moves beyond secondary school, the lessons learned by Khan Academy may prove extensible into higher-level material or into other subjects or curricula, whether that will be carried forward by Khan Academy or others. This format is already migrating into other K-12 flipped classroom³⁰ ventures and will likely prove applicable to a variety of other learning needs.

What types of innovations are emerging?

As the barriers to innovation have been lowered, new entrants and incumbents have innovated in four different areas, each of which transforms learning into more of a flow-oriented activity (figure 3). None of these emerging innovations is likely to supplant traditional education on its own. Collectively, however, they represent a rich and growing ecosystem of providers and learning opportunities that have the potential to disrupt education.

Innovation 1: Accessibility

The Internet has democratized learning by increasing access to content for a growing population of learners. This accessible content, structured both as formal educational content and informal informational content (which is ever growing and includes platforms such as YouTube and discussion boards), is the basis of virtual knowledge flows. In a networked era, learning can be more flow-oriented, opening both content and content creation to a larger pool of people. For example, the Open Educational Resources (OER) movement, spearheaded by MIT’s OpenCourseWare initiative in 2001, encourages providing access to teaching, learning, research, and assessment materials under open licenses that permit free use and modification for a variety of educational purposes. OER is part of a global movement toward increasing access to content, enabling knowledge to flow and be built upon rather than commoditized.³¹ The movement has spawned other OER platforms, from iTunes U®, a feature of the online store that allows users to organize course lectures, notes, and books for an entire course, to Connexions, a platform that provides authors and learners with an open space to share and freely adapt education materials.³² The OER movement changes not only the way professors engage with content, but also how the learner engages with content so that the learning experience is more personalized, adaptable, and affordable. In 2012, in an effort to reduce costs to students, the University of Minnesota created a tool to help faculty find more affordable textbook options. The resulting Open Academics textbook catalog lists “open textbooks,” which are under a license that enables students to get free or low-cost versions of textbooks while being able to adapt and distribute the material as well. The Open Academics catalog, with over 84 open textbooks, is the first of its kind and is available to faculty worldwide.³³

While OER is primarily focused on materials, which can be mixed and modified but are not, in and of themselves, developed as full courses, MOOCs are full courses or mini-courses developed and guided by an instructor and designed for large-scale participation. The OER movement has largely focused on improving access to content for instructors, while MOOCs expand access to an educational experience through digital learning platforms. For example, a course on machine learning, taught by Professor Andrew Ng of the Stanford Artificial Intelligence Lab, is now available for free to 4.5 million users rather than only to Stanford students.³⁴ MOOC platforms such as Udacity, EdX, and Udemy democratize access to educational content, allowing individuals to participate in knowledge flows regardless of geographic borders and organizational boundaries.

OER still needs to find answers to the problems of credibility and validation (such as peer review) while maintaining timeliness, diversity, and quality of content. MOOCs also, rather than replacing instruction, are coming to be understood as a tool for delivering certain types and levels of content in the most cost-effective way and as a supplement to in-person, expert-guided learning and practice.

OER and MOOCs serve as stepping stones for rethinking how content can be developed, structured, and delivered to the global masses. In some parts of the world, they represent convenience—learning on demand—while in others, they are revolutionary. By democratizing accessibility to content, in terms of both the number of learners and number of courses available, learning shifts from being a protected stock-based resource to a flow where learners from the broader ecosystem can engage with previously unavailable information.

Innovation 2: Social learning

One of the most profound effects of learning in a networked age is the importance of social learning.³⁵ Social learning, according to the Educause Review, is based on the premise that our understanding of content is socially constructed through conversations about the content rather than on the content itself. As such, learning institutions should focus less on what the individual is learning than on how the individual is learning.

From physical collaboration settings (such as libraries and coworking spaces) to virtual collaboration settings (forums, blogs, online communities), the ability for the individual to interact with others through multiple channels is expanding. Increasingly, we see a movement toward communities of social learning that focus on interaction and engagement beyond the four walls of a traditional learning institution. For example, at events such as Meetups, learners can interact with others from different backgrounds, getting exposed to serendipitous learning opportunities and, potentially, new collaborators with whom they can take on challenges.

Social communities, combined with online content and resources such as the Meetups, are a step forward in providing social context for lifelong learning in non-traditional settings. The drawback with social communities is that some lack content or structures to use the community effectively as a mechanism for collaboration. The next step lies in creating communities of discovery where new content is created through collaboration. To some extent, this is emerging in shared workspaces, incubators, and accelerators that target specific technologies or skillsets, such as the various “hacker” spaces for making (tinkering), biohacking, and social/civic entrepreneurs.³⁷

Innovation 3: Creation spaces

A real opportunity for learning institutions to amplify learning is to build deliberately constructed environments, “creation spaces,” that combine the advantages of tightly knit teams with the ability to involve an ever-increasing number of participants. This is where the “power of pull”—the ability to attract people and resources around a challenge or interest—comes in. Creation spaces are intended to bring learners together in the creation of new knowledge. Rather than focusing a discussion on content, learners within the creation space work together to create their own content and gain new insights, while the creation space connects individuals to a richer learning environment that encourages interactions. Creation spaces require three key ingredients: a critical mass of participants, the co-evolution of interactions within the team and with a broader set of participants, and an environment that supports various layers of activities.³⁸

Looking back to the game World of Warcraft (WoW) and how it revolutionized gaming, one of the game’s enduring innovations was its ability to foster creation spaces. In WoW, performance is measured in terms of experience, while the degree of complexity and challenge increases with advancement through the game. WoW created a platform for learning where players innovated together and developed new knowledge. While the new knowledge pertained to advancing to new levels in the game, players across different backgrounds worked together to overcome new experiences and learn. Beyond these tightly knit teams or “guilds,” a rich learning platform evolved that helped participants in individual guilds to reach beyond their own teammates and learn from others through discussion forums, video archives, and communities of interest. What traditional learning institutions can learn from WoW is how to construct an environment that continually challenges its participants.

Innovation 4: Warranting

As education technology investments have increased, so have new ways to warrant the quality of learning beyond grades, certificates, and degrees. Traditionally, the validity of a learning experience was based on the credibility of the institution, as determined by nationally recognized accreditation agencies.³⁹

In the emerging learner-centric landscape, learning is more utility-oriented than authority-based. With the recognition that even latest college graduates are often not employed in their fields of study (if employed at all), and the widespread sentiment of employers that students are ill prepared for the demands of the workforce, the grade or degree as a symbol or accurate assessment of achievement is losing ground. Instead, innovators are experimenting with portfolio-based models that allow learners to incorporate learning and mastery from informal and non-textbook, non-classroom experiences. For example, learners using the Mozilla Development Network can be recognized for skills they learn both offline and online, and beyond their time at a formal learning institution. From Purdue University with its Passport badging platform to Mozilla with its Open Badge platform, the spectrum of what warranted learning looks like is expanding; so, too, are the people and organizations that can warrant learning. For example, corporations, new online accreditation organizations (such as Degreed and Accredible)⁴⁰ and individuals themselves can now carry weight in validating learning experiences.

While badging has served as an innovative solution for capturing more skill-based learning, the impact that it will have on traditional learning institutions is unclear. According to Peter Stokes, executive director of postsecondary innovation in the College of Professional Studies at Northeastern University, one of the biggest challenges will be the normalization of badging, or the ability to create a learning currency.⁴¹While the adoption and recognition of badging by higher education is important, the greater impact will be felt as companies start recognizing and even issuing or accrediting badges. In addition, if companies start investing in building their own badges, it begins to change the relationship between corporate HR and the academy, shifting power away from the academy.

THE FUTURE LEARNING LANDSCAPE

With barriers to entry and commercialization diminishing and an array of new entrants challenging traditional forms and institutions with innovations to make learning more accessible, flexible, and personalized, what are the implications for existing institutions, from higher education to educational publishing to corporate training?

The education/learning landscape is simultaneously becoming both fragmented and concentrated. Figure 4 shows the emerging landscape of unorthodox providers at the edges. Concentration will exist in the functions that operate on scale and scope, particularly with aggregation platforms, whereas fragmentation will exist within the content creation space as warranting and accrediting content becomes easier.

Fragmentation in content creation

The establishment of informal and more formal learning aggregation platforms (Udacity, EdX, Khan Academy, Udemy, and even YouTube) has led to an explosion of content creators. Online service tools (such as SchoolKeep, Fedora, and Skilljar) provide guidance to instructors on how to create their own online learning videos, lowering the costs of producing and distributing content to serve diverse and highly specific learning needs. Combined with more liberalized warranting, the pool of content creators will likely continue to increase beyond those with a professional degree and institutional affiliation.

For example, over half of Udacity’s courses are created by people who aren’t traditional professors but are experienced industry leaders.⁴⁴ With 4,000-plus independent content creators, Udemy maintains an open platform, meaning that anyone regardless of credentials can log on and create a course available to all its users, including such courses as Java for Complete Beginners, created by software development trainer John Purcell with 209,000 enrolled students, or Become a Startup Founder, created by the Founder Institute with more than 600 enrolled students. According to Dan Chou, director of business development at Udemy, the courses offered on the platform are filtered for quality as determined by the learners themselves. The best-rated courses appear at the front of search queries, and others drop to the bottom.⁴⁵

Meanwhile, other emerging providers offer “white label” and hosted solutions rather than a marketplace model. Companies such as SchoolKeep, Fedora, and Skilljar make it easy for individuals to build and operate courses at their own Web domain,⁴⁶ resulting in a blurring of the line between education and e-commerce. Online service tools enable individual instructors of all backgrounds to not just build great lectures but also develop a sales funnel for the product that is independently owned by the content creator.

As fragmentation continues in the content creation space, the individual has more opportunities to continue learning beyond a traditional school setting across an increased array of subjects with timely and updated content. Technology and the liberalization of warranting content allows business to move from traditional teacher-centered models to new models that shift the current focus on the transfer of expert-generated knowledge toward scalable learning.

Concentration in learning content aggregation

Investments in education technology have financed the creation of online learning platforms, which in turn have opened the doors for all types of individuals to create, distribute, and share learning content. YouTube can be thought of as an early-stage learning aggregation platform. Anyone can learn almost anything on YouTube because it has lowered the barriers of entry for anyone to easily upload, organize, and distribute content on the Internet for free. While YouTube may not have the same sophistication in warranting its content as MOOCs, its equivalent measure of relevancy can be seen through the number of likes, views, and real-time comments a video receives.

Rather than trying to provide all content to all people, learning aggregation platforms are beginning to carve out niches in the market, shedding unnecessary costs and better differentiating themselves from their peers. The learning content aggregation platforms that support fragmented content creators will become concentrated, as any given end user’s participation on many platforms delivers little value and carries high convenience and attention costs, if not financial.

Already, the prominent names related to MOOCs each serve a particular genre and learning type (figure 5). Udacity provides STEM content and mostly targets computer programmers and engineers; NovoEd provides entrepreneurial content, mostly to individuals starting businesses; and Khan Academy mostly targets those who seek competency mastery through practicing problems.

The way some learning content aggregation platforms have gone about partnering with corporations is targeted and reflective of the genre in which they serve. In 2013, Udacity formed the Open Education Alliance by partnering with Google, AT&T, Nvidia, and Intuit to create courses that would help bridge the technology skills gap in today’s workforce, moving away from direct partnerships with universities.⁴⁷ While the real effectiveness of these courses is still to be measured, by partnering with leading tech companies, Udacity is able to brand itself as the learning content aggregation platform for STEM topics.

Much as Napster was not the final word in the music industry, these learning aggregation platforms are not the end-all solution to innovation in learning. However, they can be the catalyst for change aligned with supporting lifelong learning. While MOOCs have reported low average completion rates of around 7 percent, completion may not be the definitive success metric of this new format, as learners may dip into courses for a specific purpose or content that may not require completion. Success for an aggregation platform might be better measured by a net promoter score (the likelihood of a learner recommending the course to someone else) or even a retention score (the likelihood of a learner returning for another course). While only 23 percent of academic leaders believe MOOCs to be a sustainable method of education, their value comes from opening the learning ecosystem to a broader set of creators, distributors, and learners in support of continuous learning.⁴⁸

Mobilizers and learning agents

Aggregation, of course, doesn’t provide the support or social and experiential environment that accelerates learning. Aggregation is also not the same as skillfully sequencing courses within a collection, or across collections, to resemble a coherent curriculum. This is where mobilizers and agents come in.

Lifelong learners seek coursework not just to learn but to Strengthen their performance, and that type of learning comes from moving beyond hearing and practicing to doing—alone and as a member of a group. To get better and faster requires the support of a broad set of resources and platforms that enable people to come together to create and absorb knowledge. MOOCs and other early technology offerings generally aren’t designed to facilitate individuals coming together with a goal of dramatically improving performance, something that traditional learning institutions are better able to provide within the existing physical infrastructure for collaboration.

But with the help of emerging mobilizers (players focused on orchestrating collaboration and learning within the ecosystem), first steps have been taken to foster the coming together. By partnering with Meetup, for example, online content aggregators can create an initial environment for the individual learner to connect with other students and engage with the content, share feedback, ask questions, and, hopefully, create sustained relationships.

Some traditional institutions for learning, such as Arizona State University (ASU), have realized the power of mobilizers such as TechShop as a means of facilitating collaboration among not just students, but a diverse array of community members and corporate partners. In 2013, ASU, the US public university with the highest enrollment, partnered with TechShop, a membership-based, do-it-yourself workshop and fabrication studio and coworking space, to provide all the 60,000-plus ASU students with free access to a wide range of machinery and tools. According to Mitzi Montaya, dean of ASU’s College of Technology and Innovation, TechShop has enriched students’ learning experience.⁴⁹ TechShop allows students to apply knowledge they have learned in projects that are meaningful to them, regardless of major or coursework.

As fragmentation leads to a proliferation of information and content options through learning aggregation platforms, and lower barriers and unmet needs attract an ever-richer array of learning options, individuals will likely need help navigating not just MOOCs and digital resources, but the whole ecosystem of learning. The role of the agent, an entity that thoroughly understands the individual’s learning and career goals, becomes increasingly important. Britney Van Valkenburg, passionate about programming, sought online courses to learn how to code, but she found it difficult to navigate a career path in programming because of all the content that existed. What courses should she take, and in what order? What communities should she engage with, and where could she learn fastest? Should she enroll in a degree program or join a hackerspace? The role of the agent is to provide holistic career coaching that is personalized to the individual based on a deep understanding of his or her needs, skills, and goals. More and more, individuals are seeking out such agents; in fact, the life coaching industry grew to a $2 billion industry in 2013.⁵⁰ A pure-play agent is brand-agnostic, anticipates individual needs with proactive recommendations, and is widely accessible, whether in person or virtually. A scalable, widely accessible, and affordable type of agent is still very much nascent, although companies such as Eddefy are trying to create a scalable solution for navigating a learning path, and LinkedIn also fulfills some of the goals of an agent.

ENTRANTS FROM THE EDGES GAINING CREDIBILITY

As the business environment becomes more globalized and automated, and individuals begin to recognize that a four-year degree is neither an automatic ticket to employment nor the last milestone in their learning careers, more individuals are traveling alternative learning pathways (figure 6).

This expanding ecosystem of semi-structured learning fits the model of how learners—or at least a certain type of learner—want to proceed through their learning. The mobilizer serves as a spark or catalyst. This has so far been observed in the programming space but may prove relevant across other domains. Between Meetups, social learning spaces such as Hacker Dojo and TechShop, and on-demand resources such as Codeacademy and GitHub, individuals are exposed to some skills, ideas, and foundational concepts. This initial exposure sparks an interest, which leads the individual to look for opportunities to apply or experience skills in context, and to engage with a community of others pursuing similar interests. At this point, the desire to go deeper and achieve mastery often leads to a need for a more structured setting, a physical presence, guidance, and a coherent curriculum. This is where the emerging, short-term, immersive institutions come in, whether it is the nine-week Dev Bootcamp for coders or entrepreneurial schools such as the new Draper University.

Specialized, short-term, intensive programs such as Draper University, Hack Reactor, Codeacademy, and Dev Bootcamp, while still at the edges and currently confined to entrepreneurship and programming, have gained significant traction with individuals and companies. Coding boot camps alone are poised to reap $59 million in tuition in 2014. The number of graduates from these specialized intensive programs, or vocational schools, has also grown by 175 percent in the past year.⁵¹ In fact, across the existing coding boot camps, 75 percent of graduates report working full time in a job that requires the skills taught in the curriculum, compared with the 5 percent who were working as full-time programmers beforehand.⁵²

While these programs are not intended to replace the four-year institution or the community college for now, they are intended to close the gap between what academia teaches and what modern jobs require. The average computer science major may not graduate with enough coding- or workplace-specific skills to be a professional coder, resulting in an unemployment rate of around 9 percent in 2013 for latest college graduates with computer science degrees.⁵³ These boot camps aim to bridge that deficiency by providing an intensive project-based curriculum relevant to the work environment. Dev Bootcamp touts a 90 percent placement rate for its students at top-tier companies such as Facebook, Pinterest, and Google; Hack Reactor reports 100 percent job placement, saying all of its alumni are software engineers with salaries of over $100,000.⁵⁴ Dave Hoover, cofounder of Dev Bootcamp, agrees that a nine-week intensive program cannot compete with a four-year immersive higher education institution, but it can serve as an alternative pathway in an à la carte model of learning. A student, no matter what age, could attend these intensive boot camps within different disciplines and find work opportunities to apply that knowledge.⁵⁵

Experience Institute (Ei) and Draper University are two other emerging institutions that are repositioning what a traditional learning institution’s structure could look like. Instead of restricting students to the classroom, Ei immerses them in at least three three-month internships at different companies over the course of a year. In between apprenticeships, the students come together as a community to participate in live classes and share and reflect on their experiences. And at Draper University, an intensive entrepreneurship boot camp, students are able to more quickly gain exposure to relevant and new experiences within venture capital than through a four-year institution. This is why aspiring entrepreneur JC Xu decided to apply to Draper University rather than attending another graduate program.⁵⁶ Consider also the success of alternative institutions such as Singularity University and the Minerva Schools at KGI,⁵⁷ both of which adopt a global perspective and focus on creating intense, immersive environments for collaboration and learning. Each is able to be highly selective and charge premium rates for its unique learning offerings, competing with traditional programs in ways that MOOCs cannot. In the case of Singularity and other short-term intensive programs, the network is a critical selling point. These influential networks of financiers, employers, and collaborators, as well as the program’s own active alumni, compete directly with the alumni networks of traditional institutions, one of their historical advantages.

BUILD YOUR OWN FUTURE

The emerging ecosystem of learning tools and providers is ripe with opportunities for both individuals and institutions. But as new entrants gain traction at the edges, they will increasingly threaten components of the traditional learning structure. Traditional institutions must be open to opportunities to leverage and integrate this new learning ecosystem and identify the most appropriate and sustainable roles to play in the new landscape. Individuals have both the need and the capabilities to navigate and benefit from new offerings. Meanwhile, higher education institutions have been hearing about MOOCs and other models for the past several years, yet the threats have not materialized as quickly as some predicted. This makes it that much harder for institutions to understand the future landscape and take action in the face of deep structural obstacles.

Despite having vast physical and human resources that dwarf those of any new entrant, traditional institutions should think of themselves as operating within the broader context of the learning ecosystem. They operate in a world that is more globalized, automated, and networked, where both consumers and providers have greater reach and more options, and where continuous learning will be a fixture of our professional and personal lives. Individuals’ success in learning will depend increasingly on their ability and motivation to navigate a myriad of options to create a personalized, relevant learning pathway. Relevant players in the future learning landscape will need to address not only how they can better help individuals learn faster, but also how they can help them unlearn and be open to truly new ideas. As psychologist Herbert Gerjuoy’s quote in Future Shock is commonly paraphrased, “The illterate of the 21st century will not be those who cannot read and write, but those who cannot learn, unlearn, and relearn.”⁵⁸

We tend to underplay the difficulty of unlearning to make way for new learning, but unlearning is unlikely to happen in a classroom where the same push-based methods of delivering content have been in use for the past century. What types of immersive experiences can help an individual adopt a new lens or change his or her frame of reference? What social support is needed to look at things differently, even at the risk of looking uneducated, along the way to learning? What does it take to get an individual, or an entire organization, out of the comfort zone?

The educational institutions that succeed and remain relevant in the future business landscape will likely be those that foster a learning environment that reflects the networked ecosystem and is meaningful and relevant to the lifelong learner. This means providing learning opportunities that match the learner’s current development and stage of life. In community colleges, we see more experiments in “stackable” credentials that provide short-term skills and employment value while enabling students to return over time and assemble a coherent curriculum that helps them progress toward career and personal goals. Similarly, corporations such as Siemens have worked with high schools and community colleges to create apprenticeship programs that yield immediate skills and employment for young or reentering learners who might lack the resources to effectively benefit from the learning ecosystem. For both vocational and academic education, there is greater recognition of the need for personalized pacing, modularity, and structures to provide continuity across time.

Some universities have started to look at the examples coming from both the edges of education and areas such as gaming and media to imagine and conduct experiments in what that future learning environment could look like:

• ASU has ventured into more experiential, community-oriented, self-directed learning and has leveraged the energy and learning potential of the maker movement⁵⁹ in its partnership with TechShop Chandler.
• Georgetown University, through a series of workshops led by Ann Pendleton-Jullian, director of the Knowlton School of Architecture at Ohio State University, has challenged the organizational and physical boundaries of a campus to reimagine the higher education model of 2033 as a locus for communities of practice.⁶⁰
• Stanford Design School’s 2025 project reimagines the university experience, focusing on experiential learning and examining the value derived from residential learning and colocation with peers.⁶¹

In traditional educational institutions, structural and organizational inertia can hinder thinking about how to offer and support learning in new ways. The requirements of state and federal funding programs, typical fund-accounting models, incentives, hierarchies, and even reputation mechanisms derived from publishing and classroom authority can all stand in the way of traditional educational institutions making the changes needed to remain relevant and sustainable in the context of the future business landscape.

Looking ahead: What can institutions do?

As we have shown above, learning and higher education, while related, are not necessarily following the same trajectory. Learning is evolving rapidly, while the typical institution for postsecondary education is changing more slowly. Traditional institutions and providers that are considering their position in the emerging landscape should adopt a mindset that allows them to see past the obstacles and the “way it’s always been done” to adopt a realistic and optimistic perspective.

Adopt a new mindset

• Change your lens: The pressures institutions are facing also hold the opportunity for making significant changes according to their individual contexts. Rather than focusing on the problem—budget constraints, unsupportive faculty, poor technological infrastructure—or replicating the shiny emerging tool that others are using (such as MOOCs), focus on identifying the learning mechanisms that work within the context of your institution and are meaningful to tomorrow’s learner.
• Move from static to fluid: In a networked world that is rapidly changing, static knowledge stocks delivered at a fixed point in time will be less valuable than knowledge flows created as individuals continually refresh what they learn through experience beyond the four walls of a classroom. Learning institutions have the unique opportunity to enable a physical space and opportunity for tacit knowledge sharing—the knowledge that resides in our heads and cannot easily be codified—which taps into the rich and changing ecosystem around them.
• Identify your competitive strengths: The value of the university, community college, or vocational college is in its ability to function as a community of practice around knowledge. The higher education experience is unique in its ability to surround the learner with a network of individuals from different backgrounds—leverage that. As Pendleton-Jullian suggests, probe deeper into what value the university experience brings that cannot be replicated or virtualized, and identify the specific factors (people, programs, disciplines, and context) compared with other forms of learning that make your institution unique and relevant to the lifelong learner.
• Scale the edges: Antibodies to change and innovation will exist and may stem from misaligned faculty support, lack of a strong technological infrastructure, or lack of funding transparency. Innovation can exist at the edges of every organization, whether in a particular department, set of students, or physical location. Focus on these areas where change is blossoming rather than despair about the immovable core, and leverage external resources from the surrounding ecosystem of tools and organizations for support rather than seeking internal funding and approval. Identify initiatives that are both aligned with your strengths and with agents of change within the organization. Edges can become conduits of transformation, helping the institutions of today tap into the opportunities of tomorrow.

Identify a sustainable role

Today, learning institutions have the unique opportunity to transform the learning environment (physically, virtually, and socially) into a new ecosystem that supports the currently unmet need of lifelong learning. Traditional learning institutions—universities, community colleges, and vocational schools—will need to understand what roles they currently play, where they want to be, and what assets they can leverage to stay relevant in the context of moving from knowledge stocks to flows, identifying dynamic factors, and scaling the edges. With concentration around the scale and scope roles mapped in figure 4 (infrastructure provider, aggregation platform, and agent business), fragmentation with content creation, and mobilizers as the connective tissues between the fragmented and consolidated players, traditional postsecondary institutions have a choice:

• Transform into an infrastructure business. Focus on providing the facilities and locations for a variety of learning experiences. As an infrastructure provider, traditional institutions shed the roles that are not core to providing facilities and learning infrastructure. This helps transform the institution into a recognized space for learning where content can be brought in or accessed from external sources, but students look to the institution to connect with a broader pool of individuals for the purpose of collaborative and social learning. While in this context, the institution amplifies the value of its physical infrastructure. Back-end systems and delivery and warranting systems are also forms of infrastructure that will be valuable in the future. It is more likely that these types of infrastructure will be provided by new entrants, so existing institutions should be realistic about where they can compete sustainably and leverage other providers for the roles they don’t play best.
• Become a platform business and curator. Aggregate resources for knowledge and connect them with appropriate learners rather than act as the vendor of knowledge. As a platform business, institutions become the entities that now pull knowledge from the broader ecosystem to share with learners, rather than holding tightly to the content that is their own. This helps enable the institution to access the most relevant and current knowledge content from an ecosystem of content creation that extends beyond the institution. In the process of becoming a platform business, institutions have the ability to also curate content. Top universities such as Harvard University, University of California, Berkeley, or Massachusetts Institute of Technology can use their current brands to curate quality content. In this case, the institution acts as a platform to identify relevant content in the networked ecosystem.
• Become an agent business. Channel your sector experience to provide lifetime guidance for the learner on his or her learning and career. As an agent business, an institution would help learners navigate a world of exponential change and abundance of information. As a talent agent for the student, the institution would commit to this role for the student throughout his or her career in the pursuit of lifelong learning.

Some traditional learning institutions are already thinking about the new roles they can play. In the Stanford 2025 project, one of the four proposed models of innovation was the Open Loop University. Through Open Loop, students can attend university through a six-year nonlinear timeline, allowing them to learn, work, and return to learn again. Axis Flip is another model that will rework the infrastructure of the university to center around learning hubs, a model most closely tied to the role of the institution as an infrastructure provider for collaborative learning.⁶²

Whatever role they play, institutions will also have to connect and collaborate with mobilizers in order to unlock the collective knowledge of the ecosystem and become part of the transformation. The learning landscape is changing, and traditional institutions and new entrants have the opportunity to participate in and define a rich learning ecosystem that is more personalized and fluid than education has been for at least a century. Institutions will need to decide where to compete and where to cede the floor, but those that succeed will find ways to remain relevant, embrace the forces shifting the broader global environment, and begin building their own futures now, before it gets harder to claim a meaningful space in this emerging landscape.

ABOUT THE AUTHORS

John Hagel

John Hagel (co-chairman, Deloitte Center for the Edge), of Deloitte Consulting LLP, has nearly 30 years of experience as a management consultant, author, speaker, and entrepreneur, and has helped companies Strengthen performance by applying technology to reshape business strategies. In addition to holding significant positions at leading consulting firms and companies throughout his career, Hagel is the author of bestselling business books such as Net Gain, Net Worth, Out of the Box, The Only Sustainable Edge, and The Power of Pull.

John Seely Brown

John Seely Brown (JSB) (independent co-chairman, Deloitte Center for the Edge) is a prolific writer, speaker, and educator. In addition to his work with the Center for the Edge, JSB is adviser to the provost and a visiting scholar at the University of Southern California. This position followed a lengthy tenure at Xerox Corporation, where JSB was chief scientist and director of the Xerox Palo Alto Research Center. JSB has published more than 100 papers in scientific journals and authored or co-authored seven books, including The Social Life of Information, The Only Sustainable Edge, The Power of Pull, and A New Culture of Learning.

Roy Mathew

Roy Mathew (principal, Deloitte Consulting LLP) specializes in IT strategy, transformation, and restructuring to help higher education clients develop innovative services and reduce costs. Roy focuses on helping universities with major transformation and efficiency efforts that include significant process, organization, and governance change. Most recently, he led the shared services operational excellence program at one of the largest and most eminent public universities in California. He is actively involved in developing Deloitte’s capabilities and eminence in innovation, business process reengineering, and operational performance improvement.

Maggie Wooll

Maggie Wooll (senior editor and engagement strategist, Deloitte Center for the Edge), of Deloitte Services LP, combines her experience advising large organizations on strategy and operations with her love of storytelling to share the Center’s research. At the Center, she explores the implications of rapidly changing technologies for individuals and their institutions. In particular, she is interested in learning and personal fulfillment within the shifting business environment.

Wendy Tsu

Wendy Tsu (former research fellow, Deloitte Center for the Edge) is passionate about exploring the edges between learning, social impact, and innovation. As part of Deloitte Consulting LLP’s Strategy & Operations practice, her focus has been in technology and education. Most recently, she has been helping higher education institutions reimagine their operating models. As part of the Center, she conducted research and analysis related to new forms and institutions of education and how they impact the educational journey for the lifelong learner.

Originally published by Deloitte University Press on dupress.com. Copyright 2015 Deloitte Development LLC.

A critical vulnerability that hackers have exploited since August, which allows them to bypass multifactor authentication in Citrix networking hardware, has received a patch from the manufacturer. Unfortunately, applying it isn’t enough to protect affected systems.

The vulnerability, tracked as CVE-2023-4966 and carrying a severity rating of 9.8 out of a possible 10, resides in the NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. Stemming from a flaw in a currently unknown function, the information-disclosure vulnerability can be exploited so hackers can intercept encrypted communications passing between devices. The vulnerability can be exploited remotely and with no human action required, even when attackers have no system privileges on a vulnerable system.

Citrix released a patch for the vulnerability last week, along with an advisory that provided few details. On Wednesday, researchers from security firm Mandiant said that the vulnerability has been under active exploitation since August, possibly for espionage against professional services, technology, and government organizations. Mandiant warned that patching the vulnerability wasn’t sufficient to lock down affected networks because any sessions hijacked before the security update would persist afterward.

The company wrote:

Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multi factor authentication or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.

The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.

Mandiant provided security guidance that goes well beyond the advice Citrix provided. Specifically:

• Isolate NetScaler ADC and Gateway appliances for testing and preparation of patch deployment.

Note: If the vulnerable appliances cannot be prioritized for patching, Mandiant recommends that the appliances have ingress IP address restrictions enforced to limit the exposure and attack surface until the necessary patches have been applied.

• Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest firmware versions, which mitigate the vulnerability.

• Post upgrading, terminate all active and persistent sessions (per appliance).

– Connect to the NetScaler appliance using the CLI.

• To terminate all active sessions, run the following command: kill aaa session -all

• To clear persistent sessions across NetScaler load balancers, run the following command (where is the name of the virtual server / appliance): clear lb persistentSessions

• To clear existing ICA sessions, run the following command: kill icaconnection -all

• Credential Rotation

– Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance.

– If there is evidence of suspicious activity or lateral movement within an environment, organizations should prioritize credential rotation for a larger scope of identities if single factor authentication (SFA) remote access is allowed for any resources from the Internet.

• If web shells or backdoors are identified on NetScaler appliances, Mandiant recommends rebuilding the appliances using a clean-source image, including the latest firmware.

Note: If a restoration of an appliance is required using a backup image, the backup configuration should be reviewed to ensure that there is no evidence of backdoors.

• If possible, reduce the external attack exposure and attack surface of NetScaler appliances by restricting ingress access to only trusted or predefined source IP address ranges.

The advice is warranted given the track record from previous exploitation of critical Citrix vulnerabilities. For example, Citrix disclosed and released a patch for a separate 9.8 vulnerability on July 18. Three days later, according to Internet scans by security organization Shadowserver, more than 18,000 instances had yet to apply the critical update.

By then, according to the US Cybersecurity and Infrastructure Security Administration, the vulnerability was already under active exploit. In the subsequent weeks,  Shadowserver and security firms F-Secure and IBM Security Intelligence tracked thousands of exploitations used for credential theft.

What Mandiant’s guidance amounts to is this: If your organization uses either NetScaler ADC or NetScaler Gateway that's on-premises, you should assume it has been hacked and follow the guidance provided. And yes, that includes patching first.

A vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using hardware sold by Citrix is under mass exploitation by ransomware hackers despite a patch being available for three weeks.

Repeat: This is not a drill

Attacks have only ramped up recently, prompting security researcher Kevin Beaumont on Saturday to declare: “This vulnerability is now under mass exploitation.” He went on to say, “From talking to multiple organizations, they are seeing widespread exploitation.”

He said that as of Saturday, he had found an estimated 20,000 instances of exploited Citrix devices where session tokens had been stolen. He said his estimate was based on running a honeypot of servers that masquerade as vulnerable Netscaler devices to track opportunistic attacks on the Internet. Beaumont then compared those results with other data, including some provided by Netflow and the Shodan search engine.

Meanwhile, GreyNoise, a security company that also deploys honeypots, was showing exploits for CVE-2023-4966 coming from 135 IP addresses when this post went live on Ars. That’s a 27-fold increase from the five IPs spotted GreyNoise saw five days ago.

The most latest numbers available from security organization Shadowserver showed that there were roughly 5,500 unpatched devices. Beaumont has acknowledged that the estimate is at odds with his estimate of 20,000 compromised devices. It’s not immediately clear what was causing the discrepancy.

The vulnerability is relatively easy for experienced people to exploit. A simple reverse-engineering of the patch Citrix released shows the functions that are vulnerable, and from there, it’s not hard to write code that exploits them. Making attacks even easier, a handful of proof-of-concept exploits are available online.

In a detailed technical analysis, researchers from Assetnote wrote:

We found two functions that stood out ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. Both functions perform a similar operation, they implement the OpenID Connect Discovery endpoint. The functions are both accessible unauthenticated via the /oauth/idp/.well-known/openid-configuration and /oauth/rp/.well-known/openid-configuration endpoints respectively.

Both functions also included the same patch, an additional bounds check before sending the response. This can be seen in the snippets below showing the before and after for ns_aaa_oauth_send_openid_config.

Original

iVar3 = snprintf(print_temp_rule,0x20000,
                "{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/ idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\":  \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"toke n\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end _session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_sup ported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_support ed\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr \", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoin t\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
                ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
authv2_json_resp = 1;
iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,iVar3);

Patched

uVar7 = snprintf(print_temp_rule,0x20000,
                "{\"issuer\": \"https://%.*s\", \"authorization_endpoint\": \"https://%.*s/oauth/ idp/login\", \"token_endpoint\": \"https://%.*s/oauth/idp/token\", \"jwks_uri\":  \"https://%.*s/oauth/idp/certs\", \"response_types_supported\": [\"code\", \"toke n\", \"id_token\"], \"id_token_signing_alg_values_supported\": [\"RS256\"], \"end _session_endpoint\": \"https://%.*s/oauth/idp/logout\", \"frontchannel_logout_sup ported\": true, \"scopes_supported\": [\"openid\", \"ctxs_cc\"], \"claims_support ed\": [\"sub\", \"iss\", \"aud\", \"exp\", \"iat\", \"auth_time\", \"acr\", \"amr \", \"email\", \"given_name\", \"family_name\", \"nickname\"], \"userinfo_endpoin t\": \"https://%.*s/oauth/idp/userinfo\", \"subject_types_supported\": [\"public\"]}"
                ,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8,uVar5,pbVar8);
uVar4 = 0x20;
if (uVar7 < 0x20000) {
        authv2_json_resp = 1;
        iVar3 = ns_vpn_send_response(param_1,0x100040,print_temp_rule,uVar7);
        ...
}

The function is pretty simple, it generates a JSON payload for the OpenID configuration and uses snprintf to insert the device's hostname at the appropriate locations in the payload. In the original version, the response is sent immediately. In the patched version, the response is only sent if snprintf returns a value less than 0x20000.

The vulnerability occurs because the return value of snprintf is used to determine how many bytes are sent to the client by ns_vpn_send_response. This is a problem because snprintf does not return how many bytes it did write to the buffer, snprintf returns how many bytes it would have written to the buffer if the buffer was big enough.

To exploit this, all we needed to do was figure out how to get the response to exceed the buffer size of 0x20000 bytes. The application would then respond with the completely filled buffer, plus whatever memory immediately followed the print_temp_rule buffer.

‍Exploiting the Endpoint

Initially we thought the endpoint would probably not be exploitable. The only data that was inserted was the hostname, which is something that needed administrator access to configure. Luckily for us, we were wrong and the value inserted into the payload did not come from the configured hostname. It actually came from the HTTP Host header.

We were also fortunate that NetScaler inserts the hostname into the payload six times, as this meant we could hit the buffer limit of 0x20000 bytes without running into issues because either the Host header or the whole request was too long.

We put together the following request and sent it to our NetScaler instance.

GET /oauth/idp/.well-known/openid-configuration HTTP/1.1
Host: a <repeated 24812 times>
Connection: close

We received the response shown below with the non-printable characters removed.

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 147441
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/json; charset=utf-8
X-Citrix-Application: Receiver for Web

{"issuer": "https://aaaaa ...<omitted>... aaaaaaaaaaaaaaaaí§¡
ð
í§¡-ª¼tÙÌåDx013.1.48.47à
d98cd79972b2637450836d4009793b100c3a01f2245525d5f4f58455e445a4a42HTTP/1.1 200 OK
Content-Length: @@@@@
Encode:@@@
Cache-control: no-cache
Pragma: no-cache
Content-Type: text/html
Set-Cookie: NSC_AAAC=@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;Secure;HttpOnly;Path=/

{"categories":[],"resources":[],"subscriptionsEnabled":false,"username":null}
ð
å
å
PÏÏ
H¡
éÒÏ
eGÁ"RDEFAULT
ò #pack200-gzip
compressdeflategzip
dentity
þÿÿÿÿÿ
©VPN_GLOBALÿÿÿÿÿÿ   è"AAA_PARAMí

We could clearly see a lot of leaked memory immediately following the JSON payload. While a lot of it was null bytes, there was some suspicious looking information in the response.

But Citrix Bleed is still plenty bad. Organizations should consider all Netscaler devices to have been compromised. This means patching any remaining unpatched devices. Then, all credentials should be rotated to ensure any session tokens that might have been leaked are invalidated. Last, organizations should inspect their devices and infrastructure for signs of compromise. Security firm Mandiant has in-depth security guidance here.

Copyright ©2023 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8