Ira Winkler posted an interesting article a month or so ago (yes, I’ve had this post in the hopper for a while) over at Computer World entitled “Let’s scuttle cybersecurity bachelor’s degree programs.” What really caught my attention were some of the tweets surrounding it, especially how they seemed to imply this statement was for ALL infosec degrees.

weldpond: Ira Winkler: Let’s scuttle cybersec bachelors degree programs. Shld incorporate sec into regular CS prog https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs

0xcharlie: @WeldPond I think infosec should be in a trade school with apprenticeships and such, not in a degree program.

weldpond: @0xcharlie Your idea is not mutually exclusive with teaching CS majors secure coding concepts. We probably need both.

The suggestion that we should not have infosec degrees totally caught me off guard and went counter to the way I’ve been thinking for a while. Even our new blogger judykavuo, who is currently getting her masters in infosec, felt the need to write about it and counter a few points.

In the past I’ve given presentations and we have blogged here about how getting an infosec degree is an excellent starting point for those entering our field. We’ve found that most infosec degrees or certificates were at the graduate level and have been exploring some of the newer undergrad degrees as well and were thinking of recommending some of those.

I guess a lot of people were confused about the article and Ira later added the following note.

(And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)

Well after the initial confusion wavered off I found that the more I read Ira’s article, the more I tended to agree with his suggestion. I think it’s important to establish a strong technical foundation with a traditional undergrad degree and several years of real world IT experience. And then maybe at that point you are ready for a full-time infosec gig. You need to secure “something” … and … if you don’t know what “something” is how can you secure it? In hindsight I realized this is actually how I did it!

Now I’m not saying don’t do any infosec activities in undergrad or that initial job … it’s just that it shouldn’t be the focus. So feel free take two or three infosec classess as part of your undergrad or attend traditional classes that are known to incorporate security. In the first few years out in the real world, focus on learning your trade … just try to sprinkle in some infosec here and there. There’s a whole list of things you could do to spray security onto your non-infosec job. I’ve often found that teaching or leading others is a great way to learn and strengthen your knowledge. Here are a few suggestions.

• Blog about the security aspects of it.
• Attend meetups and conferences and present on the security aspects your trade.
• Join or start a technology specific security mailing list on it.

But the whole point is just to NOT make security the focus during these years…

via ComputerWorld.com

It may sound counterintuitive, but the way to increase the number of cybersecurity professionals is not to start granting degrees in cybersecurity. I suppose it sounds logical. We’re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs. And while we’re at it, let’s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs. Unfortunately, the logic of these statements is about a micron thick.

Continued here.

#####

What do you think? Should universities abandon infosec undergrad degrees? Today post image is from NewsOne.com.

After taking a few months off the folks over at NoVA CTF just released a new challenge to the NoVA Hackers list. They gave me permission to republish the challenge here for the rest of the community to enjoy.

A terrible “cyber” attack has taken place but fortunately network sensors captured a pcap of all network activity during this time. Your job, should you choose to accept it, is to examine the pcap and answer the following questions.

1. Who was the attacker and victim?
2. What went on before/during/after the attack?
3. How was the machine exploited?

Here is the pcap file to examine. No prizes or anything but feel free to post your answers in the comments below.

#####

Today’s post image is from KidzWorld.com.

I’ve talked about compliance before however @carnal0wnage recently tweeted a great link to a video explaining the difference between compliance and security. I think this video makes it much more clear than any write-up could possibly do. And no … it isn’t for those of us in the echo chamber but rather something you might want to bring up when explaining it to a layman (e.g., that CIO that just cut your budget to only meet the relevant compliance standard).

But first here is my Venn diagram where I try to depict the intricate relationship between compliance and security.

Any questions? … Oh,  and here’s that video…

#####

Mmmm? I think that CIO would probably go for the Venn diagram more than the video … but I still like the video better. See ya!

A new site has surface called NoVA CTF as an offshoot of the NoVA Hackers Association. They plan to put out a variety of monthly CTF challenges. Although prizes are only available to NoVA Hacker Association members, anyone can visit the site and participate. Anyway, here is a snippet of their first monthly challenge:

Your mission if you choose to accept is to successfully exploit a windows service provided to you. Somewhere in this application, there is a bug. Your goal is to find it, create a PoC exploit, and then port this exploit into a working Metasploit module.

Please also see their corrections post for some updates. Hope everyone enjoys this new learning resource. See ya!

#####

Keep up to date with local news, events, and resources by subscribing to our RSS feed, following @novainfosec, or subscribing to our email alerts.

As many of you probably already know SANS will be running the SANSFIRE infosec conference event later this month. Here are the logistics for this year’ conference:

• Who: SANS
• What: SANSFIRE
• When: 7/22 – 7/31/2008
• Where: Wardman Park Marriott Hotel (2660 Woodley Road, NW; Washington, DC 20008; 202-328-2000)

For more information on SANSFIRE, see its description in our Infosec Conferences section. See SANS’s conference page for more information.

I came across the “Hack” part of the “Hack-or-Halo” challenge for this year’s ShmooCon on White Wolf Security’s web site. The contest page contains clue and answer sheets as well as the main VM used in the game. See our ShmooCon 2008 Infosec Conference Event – Friday post for this contest’s original description.

Learn Security Online has released an infosec hacking challenge event titled “CrackMe 0×03.” In this contest there are no specific questions to answer. All that is required is you detail how you solved the challenge. For more information on Learn Security Online, see its description in our Training resource section. Here is a link to their original post about this hacking challenge.

Ed Skoudis’s Monthly Challenges has released an infosec hacking challenge event titled “It Happened One Friday.”In this contest you are given a series of UNIX-style commands and asked what happened and why. For more information on Ed Skoudis’s Monthly Challenges, see its description in our Training resource section. Here is a link to Ed Skoudis’s Monthly Challenges original post about this hacking challenge.

We’ve added a new training resource section that will provide an in-depth look into hacking challenges, courses, conferences, and formal university education options for infosec professionals based in or around the Northern Virginia (NoVA) area.