Posts

Showing posts with the label education

Whither United States Air Force Academy?

Thomas Ricks' post Does the Air Force Academy have ‘the least educated faculty’ in the country? inspired me to write this post. Mr. Ricks cited a story by Jeff Dyche, a former USAFA professor who cited a litany of concerns with the USAFA experience. I graduated from the Air Force Academy in 1994, ranked third in my class of 1024 cadets, and proceeded to complete a master's degree at Harvard in 1996. In my experience, at least in the early 1990s, USAFA faculty were as good as, or better than, Harvard faculty. I considered the nature and volume of my graduate courses to be simple compared to my USAFA classes. When several fellow graduate students broke into tears after learning what the Harvard faculty expected of them, I couldn't believe how much easier the classes were going to be! Rather than address points made by Ricks and Dyche, I prefer to focus on a theme that appears every few years: "why does the nation need service academies?" To pr...

Brief Thoughts on Security Education

Once in a while I get requests from blog readers for recommendations on security education. I am obviously biased because I offer training independently, in private and public forums. However, I've attended or spoken at just about every mainstream security forum, so I thought I would provide a few brief thoughts on the subject. First, decide if you want to attend training, briefings, or classes. I consider training to be an event of at least 1/2 day or longer. Anything less than 1/2 day is a briefing, and is probably part of a conference. Some conferences include training, so the two topics are not mutually exclusive. Classes include courses offered by .edu's. Training events focus on a specific problem set or technology, for an extended period of time. Training is usually a stand-alone affair. For example, when I prepared for my CCNA, I took a week-long class by Global Net Training. If I choose to pursue the CCNP I will return to GNT for more training. I seldom a...

Programming and Digital Security

I received the following question recently, so I thought I would anonymize the person asking the question but post my response publicly. I have a question regarding programming languages and their relation to computer security research. I would appreciate your input on the following. In order for one to be able to "contribute" to security research, do you feel it is necessary for one to become familiar with programming languages? I am fascinated by computer security and have read several books about stages of attack, malware, and defenses but have not read any books containing any code as I do not understand it. I therefore feel as if I am of no use if I cannot write tools or examine exploits on my own. I would again really appreciate your input on this, and if you recommend learning programming languages, do you believe one can get away with knowing just one or do you feel an understanding of several is necessary (and if so, which one[s] would you suggest)? These are great q...

Security Mentoring

In January I reviewed Mike Rothman's Pragmatic CSO. Related to that book I saw my name mentioned in a post by Cutaway. He writes: I am, however, more concerned about Mike’s approach to young security professionals. “Buy my book, it is a good approach for dealing with executive management” is not, in my honest opinion, an effective way of approaching our next generation. Sure, he has made the information available to the public, but security professionals are pummeled with literature almost on a daily basis. His book might be on the list of top purchases but where is the actual teacher to help with the interpretation to assist with the evolution of the concepts within an individual? I understand Cutaway's concerns, but I think his request is unrealistic. I have plenty of experience with mentorship, starting as a cadet and continuing during my officer years in the Air Force. In my experience it is difficult for the mentoree to obtain mentorship (of any type) even when mento...

Starting Out in Digital Security

Today I received an email which said in part: I'm brand new to the IT Security world, and I figure you'd be a great person to get career advice from. I'm 30 and in the process of making a career change from executive recruiting to IT Security. I'm enrolled in DeVry's CIS program, and my emphasis will be in either Computer Forensics or Information Systems Security. My question is, knowing that even entry-level IT jobs require some kind of IT experience, how does someone such as myself, who has no prior experience, break into this exciting industry? My plan is to earn some of the basic certifications by the time I graduate (A+, Network+, Security+). What else should I be doing? What introductory books and resources can you recommend? I thought I'd discussed this sort of question before, but all I found was my post on No Shortcuts to Security Knowledge and Thoughts on Military Service. I believe I cover this topic in chapter 13 of Tao. To those who are al...

No Shortcuts to Security Knowledge

Today I received a curious email. At first I thought it was spam, since the subject line was "RE: Help!", and I don't send emails with that subject line. Here is an excerpt: I cannot afford nor have the time to take a full college course on the topic of network security but I would like to be as knowledgeable about it as yourself and be able to protect my computer and others regarding this matter. If I was willing to pay you would you take the time to teach me what you know and/or point me in the direction I would need to learn what you know about network security? Please advise what course I would need to take to accomplish your skill of network security? In my opinion, it seems like this question seeks to learn some sort of "hidden truth" that I might possess, and acquire it in record time. The reality is that there are really no shortcuts to learning as complex a topic as digital security. I have been professionally involved with this topic for almost te...

Thoughts on Security Degrees

Since our CISSP discussion has been thought-provoking, I imagine this might be interesting too. Last night I taught a lesson on network security monitoring to a graduate level forensics class at George Washington University. Earlier this week my friend Kevin Mandia asked me to step in when he was unavailable to teach. I spent 2 1/2 hours describing NSM theory, techniques, and tools, and concluded with a Sguil demo. I do not have any formal degree involving computer security. I have considered pursuing an advanced degree. It would be incredible to work with Vern Paxson, for example. I am not sure how useful another degree would be for me, at this point. Computer security practitioners are often self-taught. This morning while perusing The Economist I came across the ultimate story of a successful self-taught technician. Those in the medical community may know the story that "Professor Christiaan Barnard performed the first human heart transplant." I learned in T...

New National Centers of Academic Excellence in Information Assurance Education

Related to my previous post, I decided to see what was happening with the National Security Agency's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program. I read that today the NSA and Department of Homeland Security jointly announced several new schools had met the criteria to be National Centers of Academic Excellence in Information Assurance Education. One of them is my alma mater, the US Air Force Academy. I am glad to see USAFA join this group, since it was embarrassing to see the ground-pounders of West Point already in the CAEIAE program! :)