
Saturday, August 2, 2014

The Value of a Masters Degree in InfoSec

I was up extra early this morning and decided to comb through the twitters.  I came across a tweet from Troy Hunt asking our opinion for a comment made on one of his blog posts:
So of course I had to see for my own eyes.  I suggest you should too...  right now, I'll wait...  Done?  Good, now this is the sort of thing that just makes me sad for the future of InfoSec.  Do I think Master's degrees are good?  Sure, any education is usually not bad.  It makes us all a little more knowledgeable, and sparks new ideas.  That is, of course, if we already have a bit of experience in our field of study.

So most of us in the profession have probably obtained at least a BS in some Computer Science or Information Systems degree.  We then worked to get an internship and eventually some job in our field of study.  Somewhere down the line we learned a whole lot about how to break stuff as well as fix said broken stuff.  And after many long nights of figuring out why MS Exchange decided to throw up all over the datacenter, we got good at our job.  So good, we figured out how to prevent others from breaking our stuff.  After years of begging management to give us more budget, or recommending to customers to implement new security measures, we decided to move on (that is a story all its own).

Somewhere during our early careers, we decided to build our own home labs using spare parts or inexpensive E-bay hardware.  We did this because, like most other important things, training wasn't in the budget.  So we stood up our own Exchange servers or Web servers in order to prepare for inevitable migrations.  Then we discovered other benefits of these labs. We could break things here and no one cared.  So we did it on purpose and learned that we could make the computers and software do our bidding.  Now, in the age of the breach, we are being paid pretty well to break stuff for a living.  Hell, those same managers and customers from before are now paying us double or triple our previous salaries, just to tell them the same things we told them 15 years ago.

But there is a reason for that, we know what we are talking about.  We have always worked to educate ourselves on our profession (and sometimes hobby).  This means we studied on our own time, sometimes took training on our own dime, and kept up on the cyber crime (I couldn't resist).  We take jobs to keep the mortgage/rent paid (my last job).  And sometimes we get lucky and fall into something awesome (my current job) that allows us to possibly shape the future in our field. Do I get to do everything I want right now at work?  No, but that is OK.  I am working in technologies that I never thought I would 15 years ago.  We adapt to the situations that we find ourselves in.  That is what makes us good at our jobs.

Now back to this guy asking about SQLi when going for a Masters in Cyber Security...  So I was poking around at some local programs here in Connecticut.  Sacred Heart University (SHU) has one such program.  Besides the obvious requirement of a bachelor's degree, you need to have taken CS 504 Intro to Programming Using Scripting, and CS 505 or 339 Computer Networks.  You can view the full outline here.  Now granted, those pre-reqs are not bad.  CS 504 teaches you about Python, Perl, Ruby, etc... And CS 505 teaches you about networking, which is pretty valuable knowledge. Then you get thrown into things like digital forensics, Crypto, Securing the Cloud, Vulnerability Management...  You have the link, you can look at the rest.   My point is, by the time you decide to go for a Masters, hopefully you have been working a little in the related field.  Information Technology, as well as Information Security, is not a profession you go into just for the paycheck.  Granted it is a very nice bonus, but to succeed here, you need to keep sharp!  If you are wondering what SQLi is all about, go download one of the many vulnerable web app distros and find out!  Go to Security Tube and watch videos on the topic.  There are a ton of resources out on the web that will help you toward your goal.  Google is the InfoSec Pro's best tool, as well as some type of desktop virtualization platform like VirtualBox or VMware Player (both free).

So why does this irk me so much?  Well, I feel that these programs will create a pool of very useless managers.  They may know all the buzz words, but not have any real life experience with them.  It takes years to build a solid base on just regular IT material.  If you have never stood up your own mini-datacenter, or written an advanced web or desktop application, then you will never truly understand the topics in InfoSec.  There are over 94000 holders of the CISSP in the world.  Of those that I have met, only a very small fraction actually know, and have applied, the controls covered in the certification.  The rest got it because their company said they had to, and bought up all the seats in the class.  Over the next few years we will probably see a similar growth spurt of newly decorated "Masters" of Cyber Security.  If they are of the caliber seen in Troy's blog post, then I am just going to stop all this and become a hermit.  Or move somewhere tropical and spend my remaining days on the beach.

Well, that is enough ranting for a Saturday, I need to get back to loading up the newest addition to the home lab and breaking stuff!

Tuesday, September 3, 2013

Edumacation and Training: Who's responsible? You or your employer?

If you consciously decide to take a career in information technology, then you should have realized that school and training doesn't stop after you receive your degree.  The same goes for you if you decide to move into an information security position.  This realm is constantly evolving and you need to be willing to evolve with it, or find a new career.

Your goals may not align with your employer's...

If you are lucky enough to land a job with a company that will pay for training, then take advantage of it.  Just be ready to accept that what they are willing to train you on may not be in line with your personal career goals.  For example, if you work for a consulting company, they may want you certified with their primary vendors' products.  If it is a Microsoft Gold partner shop, then they need to maintain a certain number of MCSE/MCSA certified individuals to keep that partnership.  If you sell Cisco or Juniper products, the company may need those certificates as well.  They may not want to send you to SANS or Blackhat for training on the latest security topics.  Unless, of course, they are a security consulting company and they would rather your pen testing skills be honed.  If you are in a large enterprise, the training may be more open; as long as it fits in with your development plan, it can be justified.  In any event, take whatever training you can get; it will never be wasted and you might learn something interesting.

It may not be in the budget....

Be ready to hear that if you want an employer to pick up the bill for a conference.  Although it may benefit them that you receive some cutting edge knowledge, they may prefer you attend online webinars or local events, rather than sending you to San Francisco for RSA or Vegas for DEFCON and Blackhat.  If that is the case, don't be afraid to spend some of your own cash and use your personal time to hit up some of the smaller cons like DerbyCon (Louisville), ShmooCon (Washington D.C.), Thotcon (Chicago), and of course any of the many Security BSides events happening all over the world.  Most of these are pretty affordable, and all you need to do is come up with the means to get there.  If you can't afford a room, there is usually someone willing to split one.

Don't pass up excellent networking opportunities...

Back to the topic of the conferences, not only do you get exposed to some excellent talks, but these are also great opportunities to meet some interesting people.  Again, your goals may not align with your company's, but that doesn't mean you should ignore them.  Invest in yourself a little and get out to these cons.  Who knows, you might have a conversation with someone who may want you to come out the next year and speak at the con.  If it is a vendor, they may even pay for it.  Also, when at the conference, don't worry about getting to every talk on the schedule.  Take the time to participate in the "HallwayCon", grab coffee with some attendees, and don't be afraid to join a public dinner invite.  You never know who you will meet out there, they could lead you to the next stage of your career.

"I'm going as long as work approves..."

So something along those lines was said to me when talking about a BSides event that was in the next state.  The person was hoping work would pay for the single night at the hotel.  Since BSides are relatively cheap, and usually within driving distance, I will cough up the 100-200 bucks for a single night at the hotel.  Again, back to the networking opportunities and the education factor of these events, it is worth spending some of your own cash for it.  In some cases, you can claim these trips as a business expense, but check with your tax guy first.

Anyhoo....

Ultimately you are responsible for your own training and education.  If you want to succeed in your career, you will make it happen.  Whether you get work to pay for it, or not, you should still do it.  If work wants to get you trained on something not necessarily related to your goals, take it!  It is knowledge you did not have before.  So good luck out there and keep up the learning!  Maybe we will bump into each other at the next HallwayCon.  Otherwise see you at DerbyCon 2013 in Louisville this year!

Sunday, October 7, 2012

DerbyCon 2.0 review and other ramblings

Yes this is another DerbyCon review.  I'll try not to write the same stuff as the other 1500 blog reviews already out there.  I will say that it was awesome, and I think those of us that attended will agree on that fact.    First and foremost, if you are interested in pursuing a career in Information Security, you must attend a conference such as this.  The setup makes it very accessible for attendees to engage in great discussions around hacking, InfoSec and just about anything else.  Don't worry, you don't need to be a traditional hacker to get something out of this Con.  I met a programmer who currently does nothing with InfoSec.  He wants to learn more about the threats as well as why secure coding is important.  Even though you don't need to hack to enjoy yourself, you may find yourself attempting to pop a lock in the LockPick Village, or maybe picking up a soldering gun in the hardware village.  After you leave this Con, you may even look at picking up a Raspberry Pi to play around with.  This is a true community event where one is surrounded by people willing to share their knowledge.

The speakers made themselves pretty accessible, you did not need to wait in long lines to get a seat for a talk, and you didn't need to leave a talk early to get to another talk.  Speaking of talks... well, they had such a large volume of CFP entries that they had 4 main tracks, separated into: Break Me, Fix Me, Teach Me, and The 3-way (a mix of the other 3), and opened a 5th track called "Stable Talks."  There were so many great topics, it was very difficult to determine which ones to attend.  Luckily they captured the 4 main tracks on video and most of them are posted to YouTube.  You can get to the full list at IronGeek's (Adrian Crenshaw) page: DerbyCon Videos.  Although the Stable Talks were shorter, that didn't affect the quality.  I think some of these talks will move into the main tracks next year.

So I arrived Thursday afternoon. Unfortunately, I was not there early for the training, which was going on Thursday and Friday morning.  They had a number of quality training opportunities which covered everything from Social Engineering to Reverse Engineering.  Thursday evening I was able to grab some dinner with a fellow EH netter (ethicalhacker.net member).  We discussed some of the finer points of working in a large organization and trying to push proper security procedures.  We were later joined by two more members and continued the discussion over Ethiopian food (which was mighty tasty).  Later that evening I was able to experience my first SlideShare Roulette at "Whose Slide Is It?".  For those that don't know, this is basically a test of one's presentation skills.  The moderator will pick a random slide deck from the slideshare.net site based on topic suggestions from the audience.  The presenter then must use his/her skills and work with the given slides.  It got interesting when the hotel staff arrived with 100 shots of bourbon courtesy of HD Moore (CSO/Chief Architect @ Rapid7).

Friday morning was pretty much just hanging out and waiting for the opening ceremonies.  There were some great discussions going on in the hallways and main lobby of the Hyatt.  Some of the best talks can be found in these "hallway cons" so I highly recommend getting involved in these sorts of discussions.  You will learn something and you may even have a different point of view to add that could benefit the group.  Eventually 1:00 pm rolled around and the talks began!  They kicked it off with keynotes from HD Moore's The Wild West, Dan Kaminsky's Black Ops, and Mudge's talk about the Cyber Fast Track program from DARPA.  After dinner the 5 tracks began and continued through the weekend.  I will not do a review of the talks I attended since I was pretty much in absorption mode and I am still catching up on the ones I missed as well as re-watching those I attended.

As I touched upon earlier, there were a number of events going on during and after the talks.  The big one was the CTF (Capture The Flag) competition.  Your mission is to use your skills in hacking to find all the flags on the CTF network.  I attempted but never got on long enough to even find the "beginner" flags.  This was in part due to the WiFi network for the event being unavailable and the bouncing in and out of talks.  These competitions are best handled by teams since the expertise needed to find the flags will vary.  You may have to write an exploit or use some forensic skills to find the various flags.  Hackers For Charity (HFC) held both a silent and regular auction throughout the weekend.  They raised over $33,000 thanks to the very generous community.  If you wanted to just wind down, you could head over to the theater for the Hacker Movie Marathon.  Maybe you want to know if you should get your CISSP, but you aren't sure if you have the right knowledge; then you could have headed over to "Are You Smarter Than a CISSP?" held on Friday night.  You were given questions from each of the 10 CISSP domains, and you could choose to answer them yourself or discuss them with the panel of actual CISSPs.  They were also available to save you if you got a question wrong.

Sadly Sunday morning came and it was time for me to leave the land of bourbon and horses.  Unfortunately there were still a slew of talks and the closing ceremonies to attend but I will catch them on video.  Next year I will plan on taking the training and staying until the closing ceremonies!  One more thing specific to the conference, a big THANKS! to the organizers and volunteers.  They made this such a great experience that I am still missing it a week later.