From: Pete Herzog (lists@isecom.org)
Date: Sun Jul 22 2007 - 05:24:49 EDT
Hi Ken,
Sorry for the delay. I'm in the middle of research so I mostly avoid the
distractions of e-mail until the weekend and play catch-up.
> I'm working with universities across the country and I think the faculty buy
> into this idea. The best programs are trying to find experiential learning
> opportunities. The academics know that even at the masters level, there's a
> huge gap between theory and practice. At the same time, the basic
> understanding of vulnerabilities such as buffer overflows are not adequately
> addressed on the academic or the pragmatic side.
ISECOM has projects in place to help Universities get the right stuff into
student's heads. Unfortunately, now only European colleges and
Universities are using it. Too much politics I guess to get a smart program
in place when the garbage stuff has more glamor. As it stands now, many
schools are purely businesses competing for resources and delivering to the
students what they want and that's rarely the right foundation. Too many
schools are a great metric for the hottest trends 6 years ago.
>
> Buffer overflows make virtually all of our systems untrustworthy and most IT
> management still don't understand this basic issue.
Actually, anywhere there is an interaction with a program you have
potential trouble whether it be injection, overflow, DoS, or integrity
compromises. Buffer overflows are so basic and so 6 years ago that any
CompSci class not teaching programmers how to avoid them are really doing a
disservice to computer science.
The big problem we see is the amount of spoon-feeding students expect in a
course. They don't want teachers- they want actors- who can entertain them
through an enjoyable syllabus showing them canned exploits against canned
server configurations (many which just don't exist anymore like that). But
that does not make students able to expand their knowledge themselves to
keep up with trends. It does not make them self sufficient. Do we really
need more zombies?
>
> On the issue of certification - if we test for the right knowledge-base,
> like how does 802.1x authenticate, how are digital certificates safeguarded
> on typical pc's or how do buffer overflows work and then use this knowledge
> for better pen-testing, we would have a safer world.
It's a start but in every subject matter there are those who can "read and
repeat" and those who can "understand and do". The latter are needed for
fast-moving science fields. If you want to be a vacuum tube engineer then
it's okay today to just have knowledge. But if you go into any of the
rapidly changing sciences, you're going to be unable to do the job. This is
also the problem with all these knowledge-based certifications out there
with "Bodies of Knowledge" that focus on book content published yearly.
>
> How do we engage new members of the profession and of these forums to help
> take up the cause of education? I get tired of reading of the security
> failures - we need to promote and showcase the successes, which are always
We can't without fixing the system. People naturally gravitate to what
they find most interesting which is generally not the foundation. An
architect needs to calculate the strength of a foundation and the location
of the pillars but it's usually not why they want to be an architect.
Security classes need to have that core which you then do with the cooler
stuff. That's what we did in making the OPST and OPSA.
> based on strong human competencies. The trade journals need to sell
> protective technologies, so they amplify the failures - which we all know
> are rampant. But the good guys do win, most of the time, so maybe by
> profiling the good guys who are winning, we'll draw more attention to how
> they got to where they are, how they trained, how they stay current, etc.
> You were actually starting down this road in your posting.
What you'll find is that most of the people doing their jobs as
professionals, with a plan and change control, are the ones are generally
not originally security people. Their experience is in I.T. whether it be
routing, network administration, or some other part of computer science.
Now people say, I want to be in security and jump into it at the college
level without really having a strong background in all the things they are
securing. You see it on this list when people ask questions that show they
have no clue how DNS works or how a service daemon works. There is a huge
gap between what they know and what they do. Any moron can fire a gun but
only someone with the right training can hit the middle of the target
consistently.
> In any case, I offer my strongest support for your efforts. We just need a
> lot more focus on human capital in the security space!
Thanks! But let me say, students and recent grads out there right now who
are interested in security: PLEASE get a good foundation in security like
with the OPST or OPSA, both professional security certifications that focus
on walking the walk. Tools are interesting now, I know, it's a phase we
all go through, but REALLY know what those tools are doing and how they
work first! The only way you can do that is by learning what you need to
do to have security and controls before you learn which tools are for which
problems. Otherwise you'll be medicating symptoms instead of treating the
disease.
Sincerely,
-pete.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:58 EDT