Many people who’ve read my posts or been to my talks know my current opinion on Higher Education degrees related to Computer Security. They aren’t that great. And there are others who have also expressed their opinions:

 


You can also read this: http://www.securityninja.co.uk/application-security/random-thoughts-on-education-learning-from-markofu/

So when I received an email this week from a student asking me for some help (students from his university had been complaining about the degree, and the lecturers asked them to go and rewrite the degree as they saw fit, saying that they would consider doing it), I felt I should do this blog post, which I had prepared a while ago.

In my opinion, what follows is what a BSc and an MSc degree that prepare students for “the real world” should ideally be:


BSc Computer Security

Year 1 – This year would be commonly shared with other Computing degrees.

  • First Semester
    • Introduction to programming – Java, and general development.
    • Networking – Teach Networking 101: TCP/IP, basics of protocols, switches, hubs, OSI, etc…
    • Operating Systems – Different operating systems (Linux, Windows Server), history of operating systems and architectures.
    • Databases – Access AND MySQL; teach students how to use databases.
  • Second semester
    • Programming 2 – Give the students free rein. Each student picks a language and has to do multiple assignments with it. The lecturer can still do his part in Java, and the student needs to see how best to adapt to the different assignments and use different technologies. Also algorithms.
    • Networking 2 – More advanced stuff: BGP, MPLS, VPNs, tunneling, etc…
    • Distributed Systems – Master/slave systems, RMI, RPC, distribution protocols…
    • Databases 2 – Oracle, NoSQL databases…

Year 2 – The beginning….

  • First Semester
    • Introduction to cryptography and security mechanisms – Intro to the basics of crypto and the history of crypto (ROT, Caesar); on the security mechanisms part, encoding/hashing/encryption, TLS/SSL, etc…
    • Network Security – Secure network protocols (SSH, SFTP) vs insecure ones (TELNET, FTP), basics of network attacks (MITM, spoofing), device misconfiguration. Lots of lab time.
    • Secure software development – SDLC and security integration in the SDLC, finding vulnerabilities in code, common code development mistakes; lots of the Security Ninja materials would fit in here. Teach about software vulnerabilities and at the same time how to fix them (buffer overflows, stack, heap, all those parts, etc…)
    • Programming 3 – Programming focused on security, developing quick PoCs. Teach a scripting language (Python, for example) and make students create PoCs for stuff that is commonly done: finding stuff in multiple logs, sockets, etc…
  • Second Semester
    • Web application security – Web app sec, SQLi, XSS, OWASP Top 10, proxying (Burp/ZAP/whatever…) to find vulnerabilities, WAFs.
    • Operating system security – Linux and Windows hardening, patching, file change monitoring…
    • Network Security 2 – Cisco, hardware firewalls, IDS, network monitoring, more advanced attacks, messing with VLANs, VoIP security, sniffing, and packet analysis. More lab time.
    • Security management and best practices – PCI DSS, ISO 27001, compliance… I know many would find this boring, but I truly believe this could be an important module.

Third Year – go to work.

  • Placement – As a requirement to “pass” your placement, do something practical like a project: develop Metasploit modules, implement Snort rules, just make sure you do something in the security department where you’re doing your placement.

Fourth Year – Big boys year

  • First Semester
    • Advanced Cryptography – Public key / private key, deep-down protocol knowledge, how they work, how cryptographic protocols have previously been attacked, etc. RSA, AES, DES, etc… Even throw a bit of mathematics in here on the protocols.
    • Software Security – ASLR, DEP, Fuzzing, vulnerability and exploit development.
    • Writing development – Teach you how to write stuff for non-techies, and reports. This is very important and many times overlooked.
    • Business and security – Dealing with customers, and business, and policies. Understand security budgeting, how return on investment works etc…
    • Second Semester
    • Digital Forensics – Learn how to collect evidence, guarantee evidence integrity, and analyse it.
    • Mobile Security – Securing mobile phones, Android, BYOD in companies and how to implement correct policies, app sandboxing, mobile malware…
    • Security Defense and Hardening – Correct device deployment and hardening, advanced IDS (creating custom rules etc.), same for WAFs, VLANs, secure network architectures…
    • Security law – Well, you need to know the law part for pentesting as well, computer abuse act etc…
    • Thesis project – Big project related to security.

 

This, in my opinion, is what a BSc degree that prepares you for job interviews and real world work should be. What is your opinion? What would you change?

 

Now onto the MSc. Please take into account that not all students who enroll in an MSc Security are going to have a BSc Security as background.


 

 

First Year

  • First Semester
    • Introduction to cryptography and security mechanisms – Intro to the basics of crypto and the history of crypto (ROT, Caesar); on the security mechanisms part, encoding/hashing/encryption, TLS/SSL, etc…
    • Software Security – SDLC and security integration in the SDLC, finding vulnerabilities in code, common code development mistakes; lots of the Security Ninja materials would fit in here. Teach about software vulnerabilities and at the same time how to fix them (buffer overflows, stack, heap, all those parts, etc…)
    • Security Research – Learn how to do research, create a lab, research methodology, integrate this with the final year project, getting ideas, etc… Teach about known security researchers and how they work…
  • Second Semester
    • Advanced Cryptography – Public key / private key, deep-down protocol knowledge, how they work, how cryptographic protocols have previously been attacked, etc. RSA, AES, DES, etc… Even throw a bit of mathematics in here on the protocols.
    • Team management – Learn how to manage a team, assign personnel to projects, project management, etc…
    • Network Security – Secure network protocols (SSH, SFTP) vs insecure ones (TELNET, FTP), basics of network attacks (MITM, spoofing), device misconfiguration. Lots of lab time.
    • Web application security – Web app sec, SQLi, XSS, OWASP Top 10, proxying (Burp/ZAP/whatever…) to find vulnerabilities, WAFs.

Second Year

  • First semester
    • Advanced Cryptography 2 – Cryptographic flaws, attacking cryptographic protocols, learning how to break WEP (not automated but by hand), learning the differences between different protocols and which ones are secure or broken.
    • Advanced software Security – ASLR, DEP, fuzzing, debugging, decompiling, vulnerability and exploit development.
    • Security Management and Business – Dealing with customers, and business, and policies. Understand security budgeting, how return on investment works, compliance, PCI DSS, selling security…
  • Second semester
    • Security, politics and economics – Learn about the influence of economics and politics on security and about state-sponsored attacks; also learn about what is important to protect within different types of organizations.
    • Forensics and Malware analysis – Collecting evidence, finding malware and analysing malware.
    • Defence Security – IDS, sniffing, packet analysis, firewalling, network monitoring and hardening.
    • Project – Big project

Other things universities could do to further help their students:

  • Organize in-university CTF events
  • Create a security group, have your students give weekly/monthly talks
  • Make them engage with the industry. If something big happens, do an analysis in lectures (at the time of this writing, the Mandiant report is a great example of something that could be analysed, or the UPnP research released by @HDMoore a couple of days ago…). When a new critical vulnerability comes out, analyse it and make students understand how it works.
  • Get them to submit to conferences. Students from the 3rd year of a BSc onwards should be able to do some research and submit to some conferences: BSides has a rookie track, local OWASP events, etc…
  • Get in contact with your OWASP group, sometimes they need places to organize conferences and universities usually have pretty good lecture rooms!

As a student:

  • Go and meet the people of your OWASP group.
  • Go and check all the free conferences in your area. If you’re a student there is a good chance you are poor and have to count your cents/pence/dimes; there is probably some BSides event near you. At these events there are lots of people from industry who are willing to talk to you and help you get into the business…
  • Participate in discussions, either on Twitter or in the community at dissecting the hack or even /r/netsec. Make sure you’re engaging with the community; you’re gonna be working with those people in a few years, so you might as well start getting to know them. Go through the c0relan website, they have great tutorials.
  • IRC – Even though it’s old school, the #metasploit and #backtrack-linux channels are great places to read about what others are doing and learn new stuff.
  • Twitter – Make sure you are following security researchers and security people in general, lots to learn from them.
  • CTF events – Join a team, or if you don’t want to participate make sure you go to http://ctftime.org/ and read old write-ups of challenges.
  • Podcasts – Listen to them! Pauldotcom, Exoticliability, etc…
    •  http://www.google.com/reader/bundle/user%2F00260808275175314331%2Fbundle%2FPODCASTS
    • exoticliability.com

 

  • Make sure to read security news. These are some random websites where I read some stuff:
    • http://www.reddit.com/r/blackhat/
    • http://www.h-online.com/open/
    • http://news.ycombinator.com/
    • http://www.darknet.org.uk/
    • http://feed.c22.cc/
    • https://www.infosecisland.com/security-alerts/1.html
    • Steve Goldsby Feed (HUGE) 1000+ - http://www.google.com/reader/bundle/user%2F00260808275175314331%2Fbundle%2FSteve%20Goldsby’s%20Security%20Feeds
    • http://www.sickurity.com/

So yeah, this is what in my opinion would be the degrees that could easily prepare students to do real world work. Many security companies can’t hire recent grads because most of them can’t even pass the interview questions.

The last 2 pieces of advice I can give you are:

  • Don’t think you can master everything. Infosec has a HUGE range of subjects. Make sure you choose one and learn every little thing you can about it, and go out there and improve it. 
  • Have fun and don’t do it JUST for the money! In this industry you will have lots of nights where you don’t sleep, where you are trying to break something and it just won’t break, and you will only be able to cope with all this if you have FUN doing it. I’m meant to be a 9-5/10-6 worker, but sometimes I work from 10AM till 3AM and ask for no extra payment, I do free talks and pay for the travel expenses out of my own pocket, I try to get this team, @PTCoreSec, to do some cool work with our ISPs in Portugal, and I do it all for free, not for the money. I do it for the love I have for the type of work I do.

A bit off topic but still “on topic”: when I am bored or don’t feel like doing any infosec research, there are a couple of talks that really pump me up, and I feel you guys can benefit from them as students. Don’t just “watch” them, actually WATCH them. Take notes, make sure you understand what the speakers are talking about, etc…: