Saturday, August 2, 2014

The Value of a Masters Degree in InfoSec

I was up extra early this morning and decided to comb through the twitters. I came across a tweet from Troy Hunt asking our opinion on a comment made on one of his blog posts.
So of course I had to see for my own eyes. I suggest you should too... right now, I'll wait... Done? Good, now this is the sort of thing that just makes me sad for the future of InfoSec. Do I think Master's degrees are good? Sure, any education is usually not bad. It makes us all a little more knowledgeable, and sparks new ideas. That is, of course, if we already have a bit of experience in our field of study.

So most of us in the profession have probably obtained at least a BS in some Computer Science or Information Systems degree. We then worked to get an internship and eventually some job in our field of study. Somewhere down the line we learned a whole lot about how to break stuff as well as fix said broken stuff. And after many long nights of figuring out why MS Exchange decided to throw up all over the datacenter, we got good at our job. So good, we figured out how to prevent others from breaking our stuff. After years of begging management to give us more budget, or recommending to customers to implement new security measures, we decided to move on (that is a story all its own).

Somewhere during our early careers, we decided to build our own home labs using spare parts or inexpensive eBay hardware. We did this because, like most other important things, training wasn't in the budget. So we stood up our own Exchange servers or Web servers in order to prepare for inevitable migrations. Then we discovered other benefits of these labs. We could break things here and no one cared. So we did it on purpose and learned that we could make the computers and software do our bidding. Now, in the age of the breach, we are being paid pretty well to break stuff for a living. Hell, those same managers and customers from before are now paying us double or triple our previous salaries, just to tell them the same things we told them 15 years ago.

But there is a reason for that: we know what we are talking about. We have always worked to educate ourselves on our profession (and sometimes hobby). This means we studied on our own time, sometimes took training on our own dime, and kept up on the cyber crime (I couldn't resist). We take jobs to keep the mortgage/rent paid (my last job). And sometimes we get lucky and fall into something awesome (my current job) that allows us to possibly shape the future in our field. Do I get to do everything I want right now at work? No, but that is OK. I am working in technologies that I never thought I would 15 years ago. We adapt to the situations that we find ourselves in. That is what makes us good at our jobs.

Now back to this guy asking about SQLi when going for a Masters in Cyber Security... So I was poking around at some local programs here in Connecticut. Sacred Heart University (SHU) has one such program. Besides the obvious requirement of a bachelor's degree, you need to have taken CS 504 Intro to Programming Using Scripting, and CS 505 or 339 Computer Networks. You can view the full outline here. Now granted, those pre-reqs are not bad. CS 504 teaches you about Python, Perl, Ruby, etc... And CS 505 teaches you about networking, which is pretty valuable knowledge. Then you get thrown into things like digital forensics, Crypto, Securing the Cloud, Vulnerability Management... You have the link, you can look at the rest. My point is, by the time you decide to go for a Masters, hopefully you have been working a little in the related field. Information Technology, as well as Information Security, is not a profession you go into just for the paycheck. Granted, it is a very nice bonus, but to succeed here, you need to keep sharp! If you are wondering what SQLi is all about, go download one of the many vulnerable web app distros and find out! Go to Security Tube and watch videos on the topic. There are a ton of resources out on the web that will help you to your goal. Google is the InfoSec Pro's best tool, along with some type of desktop virtualization platform like VirtualBox or VMware Player (both free).

So why does this irk me so much? Well, I feel that these programs will create a pool of very useless managers. They may know all the buzz words, but not have any real life experience with it. It takes years to build a solid base on just regular IT material. If you have never stood up your own mini-datacenter, or written an advanced web or desktop application, then you will never truly understand the topics in InfoSec. There are over 94000 holders of the CISSP in the world. Of those that I have met, only a very small fraction actually know and have applied the controls covered in the certification. The rest got it because their company said they had to, and bought up all the seats in the class. Over the next few years we will probably see a similar growth spurt of newly decorated "Masters" of Cyber Security. If they are of the caliber seen in Troy's blog post, then I am just going to stop all this and become a hermit. Or move somewhere tropical and spend my remaining days on the beach.

Well, that is enough ranting for a Saturday. I need to get back to loading up the newest addition to the home lab and breaking stuff!