Friday, June 24, 2005

Thoughts on Security Degrees

Since our CISSP discussion has been thought-provoking, I imagine this might be interesting too. Last night I taught a lesson on network security monitoring to a graduate-level forensics class at George Washington University. Earlier this week my friend Kevin Mandia asked me to step in when he was unavailable to teach. I spent 2 1/2 hours describing NSM theory, techniques, and tools, and concluded with a Sguil demo.

I do not have any formal degree involving computer security. I have considered pursuing an advanced degree. It would be incredible to work with Vern Paxson, for example. I am not sure how useful another degree would be for me, at this point.

Computer security practitioners are often self-taught. This morning while perusing The Economist I came across the ultimate story of a successful self-taught technician. Those in the medical community may know the story that "Professor Christiaan Barnard performed the first human heart transplant." I learned in The Economist that Hamilton Naki, a self-trained man who held no degree, performed half of the operation.

According to The Guardian, Mr. Naki led a team that spent 48 hours removing the donor's heart, and then placed it in Dr. Barnard's hands. Mr. Naki learned to transplant organs by watching, then doing. He surpassed the technical skill of the trained physicians at his hospital, and Dr. Barnard enlisted his help for the ground-breaking 1967 transplant operation.

A search for "Naki" at the South African hospital Web site that speaks glowingly of Dr. Barnard yields zero hits. It seems the same secrecy that kept Mr. Naki from receiving any credit inside his native country still persists, at least at the hospital where he worked for nearly 40 years on minimal pay and with no formal recognition.

What do you think about security degrees? Can you recommend any programs?

Update: It turns out that Hamilton Naki did not work with Dr. Barnard on the first human transplant. The 16 July 2005 issue of the Economist states:

"A source close to Mr Naki once asked him where he was when he first heard about the transplant. He replied that he had heard of it on the radio. Later, he apparently changed his story...

[H]is role was gradually embellished in post-apartheid, black-ruled South Africa. By the end, he himself came to believe it."

That's a shame.

6 comments:

Axel Eble said...

Being from a very different cultural and educational background, I don't think a security degree is very helpful in your position.

I am very much in favor of a very broad but not necessarily deep knowledge. That's for a couple of reasons.

For one, security is about interconnected problems and systemic thinking (cf. Peter Senge's "The Fifth Discipline"). It is not helpful to have a very in-depth knowledge about one specific topic when all it takes is a hole in a separate part of your system to breach it.

Second, and related to the first reason, is the fact that a degree in a generic science like physics, chemistry, computer science seems more sensible to pursue because it gives the basics for the more specialized disciplines like information security. Information Security has a lot to do with computer science anyway. YMMV, as usual :)

Chris Walsh said...

The field of information security has no broadly-accepted definition yet. Therefore, it is not a discipline in the academic sense anyway. Dan Geer talks about this frequently by highlighting the positive -- we have the opportunity to benefit from hybrid vigor. The downside is anyone can claim to have definitive infosec knowledge (and promulgate a body thereof, even).

Anyway, there are some efforts at explicit speciation. I have no direct experience with any of them, but maybe you should check out:

* the Center for Applied Cybersecurity Research @ Indiana University
* Ross Anderson's group @ Cambridge
* Citi @ Michigan
* CERIAS @ Purdue (not sure of its current status)
* ISTS @ Dartmouth

Depending on your intellectual orientation, you may also want to see what various business schools have to offer. Given the situation with audit and reporting requirements, and the focus on governance issues, it'd surprise me if nobody has stepped up and created a focussed program addressing these things. Whether it is information security is an open question (speciation has yet to occur, recall).

There is a strong argument to be made against formal study of infosec as a discipline. That none of the major players has studied it as such proves that you don't need an "Infosec Degree" (whatever that is) to know your stuff. However, I personally think that formal study for someone who already has substantial training in another related field or who is an accomplished practitioner with the appropriate mindset (to wit: an academic one) makes a good deal of sense.

I hope it goes without saying that there is plenty of room for autodidacts. An infosec degree, I personally hope, does not become a credential. We have the CISSP, after all ;^).

Chris said...

I'm in the Information Security and Assurance Masters program at George Mason University. They have a decent selection of courses and are an NSA-designated Center of Academic Excellence in Information Assurance Education. The first two courses in the program are Networking and Operating Systems with emphasis in Java programming. The in-state tuition price isn't bad ($380 a semester hour). The courses are in the late afternoon and evening, which helps since I work full time. I'm only on my second class, but both professors have been really good. I'm looking forward to the fall semester when I'll take the first two security related courses. GMU also offers a PhD in IT with a concentration in Information Security. They are starting an Intrusion Detection course this fall too; it will be interesting to see if your book is used or referenced in that course or any other courses in the program. GMU also sponsors several computer security related research centers including the Center for Secure Information Systems.

Keydet89 said...

Robert,

I'm like you...I don't have a security degree. I do, however, have BSEE and MSEE degrees from accredited universities. I've also given presentations and taught my own, self-developed classes.

I'd like to hear from others here about the process of teaching courses at places like GWU and GMU...particularly GMU. I'd be very interested in something like this.

Thoughts? Comments? Recommendations?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

When taking into account formal education, and comparing it against what is considered an "Industry Standard" certification, you can't really compare the two. Let's face it; the CISSP is considered industry standard because it has been 'sold' to organizations as such (in addition to being one of the oldest and most well known in the IT industry). However, we all must really be truthful to ourselves; any organization that forms to back a 'certification' for any aspect, whether it be security, forensics, etc., has a large motivation for MONEY. Even though many claim to be 'non-profit' status, that doesn't necessarily mean they aren't pulling in large sums of money. It really means that they are providing a service that is viewed by the IRS as 'a benefit to society', and allows them to avoid paying federal taxes ('education based corporations' is one of the qualifiers for this). Understandably, your support of obtaining the CISSP stems from the "Code of Ethics" and its recognition among IT providers. However, how 'up-to-date' is the material, really? The last time I checked, the Rainbow Series, Bell-LaPadula, Biba, and Clark-Wilson don't play in the majority of current technology. Sure, the CISSP exam has incorporated 'wireless' portions in the Telecommunications section of the exam, but the majority of it seems to be based on 'what was' and not really 'what is'. I think this is the largest problem with any company hiring based on 'certifications'; it doesn't necessarily reflect a thorough understanding of information security. I've worked with many a 'CISSP'; some very knowledgeable, and many not. I think that when people take the 'work experience' requirement into account, they don't necessarily understand it either. To be able to 'qualify' for sitting at a CISSP exam, you have to have a particular number of years experience in 'one OR more' of the Ten Domains. This really means that someone who's held a security clearance, or has done anything related to physical security can sit; hint hint...technically, a security guard could qualify, and as long as he has some sort of formal education and can pass the exam...guess what...he can become a CISSP too. If ethics is the focus of obtaining the CISSP, this can be done without having to pay $499 (once or multiple times to pass) for a multiple guess test.

However, when looking at formal education, the 'greed' of MONEY doesn't necessarily drive the train. The only program I've seen and support is the NSA CAEIAE program (http://www.nsa.gov/ia/academia/caeiae.cfm?MenuID=10.1.1.2). Schools must apply, be reviewed, and continue to upkeep their program for semi-annual reviews to maintain their status. This is probably the most 'vendor and greed neutral' forum available to 'judge' an individual's competence. As a manager, I'd be willing to bet that someone who comes from a formalized university CAEIAE program has a more objective understanding of Information Security than a person that can pass a language focused exam with multiple choice questions.

My two cents, but it's sad to see the industry (IT in general) set hiring criteria on what single or multiple tests a person has taken, rather than an individual's work experience and formal education. Let's face it, there may be a 'few' doctors that can perform open-heart surgery without an education, but I truly believe they are in the minority. Society hasn't formed 'medical board' examinations without motivation. I believe security certifications started out with good intentions, but ultimately succumbed to the driving factor of MONEY. However, an accredited 'university' holds more credibility in formal 'education'; much more than an organization that simply 'backs' one or two 'industry' security certifications and rakes in multi-millions of dollars each year. I would venture to guess that these 'non-profit organization' financial statements show a much higher revenue than say....George Mason University :-).

Just for grins...ask an officially endorsed training provider how much of their gross income (from training programs focused to these 'security certifications') has to be handed over to the founding 'body'...I think you'll be quite surprised.

mjukr said...

All else being equal, someone with a degree from an accredited, respectable (i.e. not DeVry, ITT Tech, etc.) institution will often--and should--be given priority.

Although the technical skills can be learned entirely on one's own, a university education provides much more. Exposure to research, interaction with experienced professors and scientists, and breadth of study are the most prominent.

Not to mention it shows that you've given up (at least) four years of your life for something you enjoy and find important.

But for someone like you who is well into his career, I don't think it would add much to your resume. You've already proven yourself as a respected infosec professional. Is it really worth your time and money? Maybe if you're interested in doing more academic research. If, however, your focus will be on entrepreneurship for the foreseeable future, then probably not.

If you decide to get an advanced degree, put yourself completely into it. Set aside enough money such that you won't have to consult full-time and can focus on your research.

Good luck!