Can you learn security in the classroom?

By debate

Do you agree with Jonathan Yarden that you can't learn security in the classroom? How have you amassed your security knowledge--through classes, books, Web sites, experience, or a combination? Share your comments about bolstering your security knowledge, as discussed in the May 17 Internet Security Focus e-newsletter.

Curiosity is primary

by gralfus In reply to Can you learn security in ...

If you have an active interest in learning security, you can find tidbits everywhere. I had an AIX teacher that was a seasoned sysadmin. I learned a lot from his tales of dealing with tracking down naughty people and dealing with police investigations, and how those things changed the way he did business. I also learn from online discussions, magazines, usenet, and other techs.

Basic concepts can definitely be taught in the classroom, and real world examples help to make the concepts more real to the students. Almost everyone enjoys anecdotes that have real application, and it helps cement the often dry concepts of security methods.

Sure you can

by Aldanatech In reply to Can you learn security in ...

If you are not very proficient in network security then a Security+ or a CISSP course in the classroom is a good place to start. Even a small workshop from Microsoft and Cisco can start to build some foundation. This of course does not mean it is all it takes to be truly considered a security specialist. You need to explore further, get more hands-on experience, and go through any related material you can get your hands on. Learning network security is a never-ending quest; the classroom is a good starting point.

A Possible Yet Unlikely Solution To Security Flaws.....

by Budokan In reply to Sure you can

First I must agree that security can't be learned in the classroom, nowadays you virtually have to be up-to-the-hour informed of major security events which happen daily or every two days, and Universities just can't keep up with this pace, they are almost always behind the times due to budget and bureaucracy, and I know the one I went to was way ahead of most but still behind. The professor actually asked us what way we wanted to go in the class, and the class decided to go with a newly released programming language instead of the one that was in the curriculum. And still we were behind. When I left there I thought I knew A LOT. Now I look back and realize I knew virtually nothing compared to what I know now, ESPECIALLY security issues in programming and networking, both of which I concentrated heavily on. I would say I know at least 50 times as much at least about programming and networking now due to experience and a huge drive to self-teach myself good programming practices and good security practices. Nothing at all was discussed about security in my classes on programming in all the major software languages at the time. Only my networking classes discussed security, and I still refer back to a book my professor wrote from time to time to refresh myself on a few things. But I feel the only way to really learn is through experience, that can be sitting at home as I am now reading through security bulletins, or at work doing something similar. Yes you can learn in the classroom, but it just isn't good enough. I have always professed to everyone in my neighbourhood who all come to me for computer advice that if they ever hear a computer professional tell them they know everything or they'll fix anything, they're lying because THERE IS TOO MUCH TO KNOW FOR ONE BRAIN in the world. You can only do your best and be diligent.

You have to keep up to date and if it means spending two hours at work in the morning after meetings going through the day's security bulletins, employers should be thanking you rather than what usually happens and some dip manager thinks you're just "surfing the web" not doing anything important. I think security is the most important issue in IT Industry right now, things are going to **** real quick, whole ISPs going down from a DoS attack, crazy things that shouldn't be able to occur. Now to my solution.....

Ask yourself who has the most vested true interest in breaking into computers right now in the world?? That I feel is the NSA. Crazy you think? Well think about it, they have been tasked to battle terrorism and consider encryption software a weapon of mass destruction (or something close that is illegal for export) in case it's used by terrorists to organize and communicate covertly. I think it would be fair to say that Windows is running on more computers than any other single operating system, what the percentage is, who knows. Microsoft also has Visual Studio and its suite of languages, which are some of the dominant languages in the market. Now, if this is true, and the NSA need to gather intelligence for the purposes of anti-terrorism measures, then they would have a LIST A MILE LONG of exploits and security vulnerabilities for all versions of Windows, Visual Basic programs, C++, C#, J#, ASP, as well as I'm sure Java. They would need to use these to get into "suspicious" people's computers to see if they are terrorists, and if the target is connected to the internet and has say a personal firewall program running, they would need to know how to get through that as well. Does anybody think that they don't have an entire division probably devoted to discovering every flaw in Microsoft's OSes and languages and all other security or communication software?? I bet they do, and if they know the flaws they could fix the flaws. The question is, is there any way through the freedom of information act that anyone could get that information, also, would Microsoft even WANT that information? Would they want to see on paper the flaws of their ways, do they care? Microsoft has been made to look very bad lately, but they are still dominant, there is no question about it. Maybe Microsoft built vulnerabilities into their OSes on purpose, who knows?

If you look into the TCPA (Trusted Computer Platform Alliance) you might find you are a bit disturbed by their plans for the future of operating systems, hardware, and software. All the big companies are signed up already, look into it, and post back your thoughts on what I've said. I know some people will think this sounds crazy, but the people who would know the most about security exploits are the ones who have been pressed into action to defend the U.S. against terrorism and especially cyber-terrorism, cyber-terrorism is going to come, I have no doubt about it, and they are constantly fighting it I'm sure. These are the people to talk to about fixing security flaws, the ones who use them.....

No I think you're wrong

by HAL 9000 Moderator In reply to A Possible Yet Unlikely S ...

With any technology that becomes available there has to be a security breach built in so that the Governments of this world can be able to read what was in this case encrypted. Just like when Digital Cell phones became available they were deferred from introduction here until the Government had in place the necessary technology to "listen in" the same must apply to encrypted e-mail and any other data transfer.

There are back doors built into these programs that are made available to the necessary Government Departments for our own security after all I do not think that there would be one person on this site who would begrudge the Government this as it is in their own best interests unless of course they are involved in activities that are counter productive to the Country's well-being.

As far as Freedom of Information goes this type of thing is very heavily classified and would not be subject to this type of Legislation as it would be a "Security Breach" in itself if it was made freely available. It would be classified at the very least as "TOP SECRET" and held in that manner on a need to know basis only. Granted we may know that it is happening but we do not know how it is happening just that it is.

If you are really interested in this subject you should have a close look at the Singapore Government and its actions as they regularly "Hack" Personal Computers just to make sure that there is nothing that runs counterproductive to that Government's wants transpiring on home computers. It also follows that they would be doing the same thing to Company Computers as well just so that they can trace any money that could be used for things that prove counterproductive to the country.

The first lesson that I learnt when I first started with computers was that there was no "Fool Proof Security" and that we are always playing catchup with those who are only too willing to attempt to breach our systems. But the real security threat comes not from the makers of the Software/Hardware but from the company workers and then outside people who are hell bent on discovering as much as possible about the company involved or just need the resources that that company has available to suit their needs. This could range from pinching a lot of processing time to outright Industrial Espionage and anything in between but the Government doesn't need to have a set list of potential security flaws as they already have their own "Back Door" which is very jealously guarded but if they were to stumble across some weakness in their supporting their own systems they would no doubt report it to in this case Microsoft for the PC market and SCO for the Unix market. After all they above anyone else cannot afford any security breaches.


Too Little, Too Late

by Praetorpal In reply to Can you learn security in ...

"The real goal should be to design applications around security, not improve the security of programs that are already full of holes."

While that is sensible, even commendable thinking, what about the security quagmire that we are forced to wade through now? Sure it will be nice to know that future applications coming onstream will not add additional problems to the list, but something that protects against today's problems will likely also do the same for future problems as well.

Many of today's security breaches are the results of not even basic precautions being taken when known remedies for vulnerabilities are known and available, for reasons of overwork, complacency and pure laziness. It is unfortunate that those proactive and alert admins who make the effort are still often vulnerable to some degree.

With no responsibility, who cares?

by zaferus In reply to Can you learn security in ...

You could train all the programmers in the world best security practices, but is that their #1 concern when they are racing a deadline to release software?

Unfortunately, security is barely an afterthought as the boxes ship.

Since the software always comes with the standard "don't blame us no matter what" disclosure, do they even have to care? Do they just "hope" that the software flaws they have will be discovered and reported to them by a friendly source?

The sad part is, which wasn't addressed in this article, is that since the programmers and company take little to no responsibility to their product, all the training or real life experience in the world won't help if they don't care. And in the end once you've bought the product they've gotten what they set out to do, didn't they? Sell product?

And if there are flaws, that just paves the way for the next x.0 release of their product - with improved security and a few more features, and more cash in their pockets.

The lesson to be learned from Microsoft isn't that it pays to have good code, it's that it pays to NOT have good code - and just sell the security with the bug fixes and upgrades later on once the programmers "get around" to that part.

Class dismissed.

Education is valuable

by TheOldProf In reply to With no responsibility, w ...

My experience of over 30 years in education is that, for most people, it takes both education and experience to be accomplished in most fields. There are good and bad courses, just as there are good and bad teachers; the presence of bad ones does not negate the need. As for software quality; how many programmers have had much instruction in really good software testing techniques? How many understand that the goal of testing is *not* just to see if it works? My bet is that most who haven't had much education in programming do not understand this.

No, you can only get building blocks

by mckinneygs In reply to Can you learn security in ...

I agree: Security savvy is not learned in the classroom. Like many other important lessons of experience, security is little understood in academia. Schools are usually behind the technical curve anyway; we must develop our expertise independent of our university educations. Some of the best information I have is in books about hacking. The rest of the good knowledge comes from networking and practice. Just like medicine, another highly technical field that's an art form when practiced well.
Susan McKinney

Just like you can learn to drywall

by wordworker In reply to Can you learn security in ...

I can't add much to the excellent advice given already, except that learning *anything* in I/S - HTML, programming languages, apps, operating system peculiarities - and not just security - takes hands-on experience. So build yourself a little network at home and start hacking away.

I mean, you could theoretically learn how to put up drywall from a Web site like you can learn about security, but until you get some dust up your nose and your hands dirty, you don't REALLY learn how to do it right.

Yes you can

by IT Security Guy In reply to Can you learn security in ...

Yes you can learn security in the classroom. Classroom settings should be used for security basics and ongoing security awareness training. Not every company can afford to have the level of internal training necessary to produce knowledgeable security staff. With new areas of security branching, security staff needs to be kept up-to-date, and sometimes a classroom setting is the best way to do it.
Definitely more in-depth security training would be better relegated to other areas, but at least an overview of topics like secure software coding can be taught in a classroom, then the attendees should continue from there.
