Information Security For College Students

I've thought about this off and on over the last few years.  Today I noticed that Kees Leune (http://www.leune.org/blog/kees/2010/07/teaching-agai.html) is going to be teaching a class this school year.  He was asking for comments, so here are mine....

I'd like to see a threefold class system.  The first class would be an overview of the 10 Domains (the ten CISSP domains).  The second would be Offensive Security and the third would be Defensive Security.

There is a reason for that ordering.  Without a good understanding of the fundamentals of security (the 10 domains), the other two classes will have less value.  Understanding ideas like physical security and separation of duties underpins both defensive and offensive security.  Defenders are better when they understand the threats, so I place Offensive Security before Defensive Security.  But that's a preference.  You could teach them together and make it a two-part class (firewall defense/offense, Linux offense/defense and so forth).

Let's get back to class 1: Information Security Fundamentals.  Here are my general thoughts on how such a class could be arranged if I were to teach it.

I'd assign Shon Harris's CISSP book.  Each week we would cover one of the 10 domains.  On a MWF schedule, Monday would be an overview of the domain and a discussion of the critical questions that need to be asked about it.  Wednesday and Friday would be in-depth discussion of the domain.

Because this is an overview class, each Monday the student would be required to have read the chapter covering that week's domain.  The student would also write a two-page paper explaining the critical points of the domain discussed the week before.

In this manner, the goal would be to instill into the student a working understanding about the critical ideas of the domain.

I wouldn't make this a CS-only class, though.  One struggle IT faces is that the business units often purchase software or services that are poorly designed.  IT is then faced with the demand to fix and defend those poorly designed apps.  So, I'd make this course a business elective as well.

Business students would get 1-2 credits and attend Mondays only, getting the high-level overview.  My pie-in-the-sky hope is that it would start to create an environment in which the business teams ask basic security questions of sales people and/or see through marketing claims.

A business student would write their two-page paper for the benefit of IT staff.  This will hopefully help them improve communication with IT people.  As such, the paper would be graded by a CS teacher.

The CS student would write their paper explaining the domain to a business person who doesn't really understand IT.  That paper would be graded by a business teacher.

Both the CS or business teacher and I would give a grade.  Hopefully (again, pie-in-the-sky) this improves, ever so slightly, the ability to communicate between specialties.

I might even require students to sign up for SANS alert emails and to find recent articles that discuss the pros and cons of the domains we are covering.  The idea is to keep students reading and researching in a lifelong way and to encourage them to see how the domains interact with real life.

Maybe in the future we can discuss more in depth the other classes, but for now, I'm leaving this here.  Maybe someone can tweak the general idea and improve it or just use it as is.

Do you have thoughts?

13 thoughts on “Information Security For College Students”

  1. Yaggi

    Hi Ron,

    I'm not sure of the universities/colleges in some countries in terms of the Information Security subject. In our case, somewhere in Asia-Pacific, some universities are not ready for such a topic; in fact pushing for TCP/IP understanding and ethical usage would fit better compared to defense and offense topics.

    I'm glad there are subjects offering such advanced topics (offense/defense); how I wish it was available during our time. Enjoy studying, guys.... It's cool to know security in depth.

  2. Matt Gardenghi (post author)

    Yaggi,

    I'm not sure how many schools in North America actually teach this stuff. There has been resistance historically, as it's perceived as "training hackers."

    Still, I think that is changing.

    Anyway, there are enough other topics to cover that it is difficult to include this. There needs to be an IT concentration on security alone.

  3. Darrell

    Just my opinion...

    I think universities feel they may be above this coursework. They feel it is the job of ITT or some other institution to teach how to do a job. Of course as security practitioners we feel otherwise.

    But if you think about it, most universities do a poor job of teaching any technical classes. Sure they have a programming curriculum and some even have intros to database or networking, but few have an in-depth administration curriculum.

    I feel like, and I do not mean to sound like I am picking on developers (without them we would not be needed - however you read that), but that is the most important place to have a theoretical security class. Teach them about XSS, injections, overflows, validation, etc.. Let SANS and other training handle administrators.

  4. Matt Gardenghi (post author)

    Personally, I vote for at least an introductory course to the 10 domains. That will help them understand the foundational principles of implementing good security.

    If a marketing drone attempts to sell a whizbang new biometric ID gunk, and the client starts asking about the accuracy rates, this is good. Or if a client starts to object to the choice of a specific piece of software due to improper account management with the application, we've done our job.

    My goal would be to see people educated at least enough to understand what questions to ask.

  5. Darrell

    I agree to an extent, but how is this different than any other business purchase (technology or otherwise)? I think what will be easier to teach is that business units need to incorporate appropriate staff into decision making rather than having them try to understand security themselves. If we can teach them just enough to ask for help, that is in my opinion doing our job.

    If security personnel were included in decision-making in general (SDLC step, technology purchasing reviews, etc) they would have a better handle on things.

  6. Kees Leune

    I like your suggestions. As a matter of fact, I only have one class to teach (15 weeks) and the breakdown right now is as follows:

    - intro to infosec (4 wks)
    - intro to offensive concepts (5 wks)
    - intro to defensive concepts (5 wks)
    - CTF (1 wk)

    I'm glad to see that this is in line with your suggestion. I'm hoping to develop each of the three main categories listed above in a course in its own respect.

    Once I have it hammered out, I'll post again.

  7. Matt Gardenghi (post author)

    Too true.... I've been fighting some of that lately. They buy/decide/dictate without communication. Not helpful.

    But why focus on one and not the other? Go for a two prong strategy.

    /me likes your point though.

  8. Andrew

    I don't really like the idea of following a CISSP book. CISSP is outdated and being outdated is one of the major drawbacks of most of the computer science courses I have taken. Things change so fast in computer science, and even more so in computer security, and the CISSP is kind of a joke among those who actually care about current security.

    I do like the idea of having business students attend the overview class and generally how the classes are broken up (except again the CISSP stuff).

    I guess what I want is something like SANS 560 as a university course :P I know that will never happen but I think that designing a course more like SANS560 than CISSP is the way to go (and a course I would want to take!). This might not work in practice however (I can dream).

  9. Matt Gardenghi (post author)

    Andrew,

    This isn't a question of approving the CISSP. I have the CISSP and I understand the values it holds. Frankly, the 10 Domains are a good foundation for security.

    I'm not pushing for CISSP or ISC2. I'm pushing for a foundational classwork. If you have a better overview of security, I'd appreciate hearing about it. This is just me taking the shortest path: premade lecture material in the book and the textbook for the class. Further the book I had in mind qualifies as a decent reference volume....

    Still, I'm always open to suggestions.

  10. Richard

    Kees: I really like your class outline. I would love to actually see how it plays out.

  11. Damian

    @matt - I love the idea of doing the 10 domains and then following them up with an offense/defense point of view. When I was in college we never had anything like this and the closest we got to infosec was some club lectures. Hell even being an Information Systems major, I got stuck in every Computer Science course the school offered even though the two majors are different. I think that many universities don't do a good job preparing people for the real world and that they are completely out of touch with skills and objectives that students should meet in order to survive in the real world. My school was bent on the fact that obtaining a BS was all you needed and that no internship or certification would get you anywhere...just a degree alone. Then we wonder why kids are so unprepared when they look for a job.

  12. Samuel

    In the second semester of 2010 my university offered a course in which one of the modules was infosec. If I remember correctly it was a 5-week module and could only be taken by final-year (undergraduate) computer science students. We covered the 10 domains of security; of course we had to water down some of the chapters and go into a bit more detail in others. Ethics was very light, as was telecommunications and network security; the latter had already been covered in the previous year as part of a networking course.

    I thoroughly enjoyed the course and it opened me up to the security industry. As for offensive security, one of our practicals was based on completing various tasks on Damn Vulnerable Web App and eventually rooting the box. Acquiring the specific knowledge to achieve this was left to the students to do in their own time. With regard to all the offensive “tasks”, we had to explain the defensive measures that could be used to mitigate some of the threats.

    Throughout the course we had to complete various short (two-page) write-ups and some very practical cryptographic exercises, ending it off with a short paper on an infosec subject of our choice (I chose an investigation of honeypots and tarpitting).

    The structure you have outlined above makes a lot of sense, giving the different fields the type of experience and knowledge they will need. As added reference material for the offensive section I would definitely recommend “Gray Hat Hacking: The Ethical Hacker's Handbook, 2nd edition”; after covering the initial 10 domains it could be very useful and complementary to the offensive section.

      1. Matt Gardenghi (post author)

      Very nice. We need more of this sort of thing. One can't properly defend against that which one doesn't understand.

      Sounds like a good program if they work you through these pieces.
