Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Educating The Cyberwarriors Of The Future
Oldest First  |  Newest First  |  Threaded View
andregironda
andregironda,
User Rank: Strategist
3/24/2015 | 3:05:26 PM
Informal and formal training opportunties
Great article -- great way forward!!!

Personally, I have to balance new kinds of training from a variety of sources. Some academic, such as Coursera and American Public University's Intelligence Studies courses. Some "hands-on" such as the Offensive Security PenTesting with Kali Linux Online course and labs. Some for both on-going and referential treatments, such as Books24x7, SafariBooksOnline, Lynda, and TeamTreeHouse. Others geared towards question and answer forums, such as Security.StackExchange.com, ReverseEngineering.StackExchange.com ServerFault, NetworkEngineer.StackExchange.com, and StackOverflow -- or even Quora. I find that networking with professionals on LinkedIn is also higher order -- there are many groups to start up a conversation or read the daily news (although TechMeme and other sites tend to aggregate these better). My go-to resource for everything tech, for the past decade, has been my full-content searchable RSS feed collection.

There are things that I do not find useful or conducive to learning: Facebook, infosec conferences, colleges and universities (even the ones that cater to netsec, cyber security, forensics, et al), and professional organizations (e.g., SANS, ISACA, ISC2, ISSA, OWASP, etc). Not all of these are quite as unequal as I'd suggest. It requires a balance. For example, I did mention some online formal learning to kick off my previous paragraph (not many undergrad/grad programs measure up to my needs, however). I think some OWASP chapters (e.g., Austin, which also has Austin Hackers Anonymous -- an excellent model to build on a local chapter setting because every attendee must present their ideas to the community) and some certifications (e.g., CISSP and Security+ for resume filtering) can lead to meaningful conversations and good, local networking. Occasionally, I will attend a Toorcon, DerbyCon, or GrrCon. Sometimes I'll even proctor a CISSP exam. Do these activities pop off the top of my priority list? Never, but they can be useful.
Jeff.schilling
Jeff.schilling,
User Rank: Author
3/24/2015 | 3:31:30 PM
Re: Informal and formal training opportunties
Thanks for the feedback and additional discussion.  Great thoughts.  I would say some of the certifications below you mention as not helpful I have found to provide pretty good quality training as long as it is complemented by an in house training program or apprentice/master relationship.  
Jeff Stebelton
Jeff Stebelton,
User Rank: Strategist
3/25/2015 | 10:14:10 AM
Re: Informal and formal training opportunties
SANS and ISC2 don't belong in the same list as ISACA, ISSA and OWASP. Though ISSA and ISACA offer their own certifications, and OWASP does offer training, they are professional organizations. SANS and ISC2 are training orgnaizations. There's no membership in SANS except as an alumni of their training. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:47:57 PM
Apprentice to Master
This seems to me like a great option but wondering can it scale to fill 200,000 jobs? How can  apprentices find  masters and vice versa? 
cprofitt
cprofitt,
User Rank: Apprentice
3/30/2015 | 11:17:51 AM
Employers need to be willing to hire and train talent
First, I agree with adding this to all comp-sci related degrees. I also think that current employers need to bite the bullet and be willing to hire and train talent. There are systems administrators, network professionals, etc that would be willing to make the jump that lack the formal training. If the situation is so dire then hire and train, and stop expecting trained people to fall from the sky.
Jeff.schilling
Jeff.schilling,
User Rank: Author
3/30/2015 | 11:32:03 AM
Re: Apprentice to Master
I think no one strategy will scale to 200,000 open positions.  We have to re-engineer how we build the security professional pipeline in all of the ways I describe in the article.  

However, I think an Apprentice to Master approach will help most of us who are looking to bring in folks with great IT skills who now just need to learn how to apply that knowledge base to security operations.  
JosephD817
JosephD817,
User Rank: Apprentice
3/30/2015 | 12:20:21 PM
Start it early, build success!
One thing that I think would benefit everyone would to incorporate Computer Science in the public school K-12.

As a society, we teach Physical Science, Social Science, and other sciences that, in my opinion, are less used/needed than Computer Science.

I am located near Augusta, GA and with the new US ARMY Cyber Brigade coming to Fort Gordon, the loacl school systems has added cyber classes to the High School curriculum. I would like to see this introduced much earlier to build a lifetime of understanding in Computer Science. Locally, I am involved with some programs that teach young kids, but this needs to be MANDATORY.

 

Joseph Dain, CISSP
bandrews750
bandrews750,
User Rank: Apprentice
3/30/2015 | 6:02:10 PM
Why Not Both?
You make good points that the modern education system has serious flaws, but advocating a switch to only specific skills has longer term dangers.

Some may be able to learn a specific system.  A few of those will be able to transfer skills between systems, but the lack of mastery of the underlying concepts will lead to many dangers in the future.

Which system should a student train on?  What happens when the company shifts its IPS or directory system?  Can someone who knows AD, but not core access control concepts, switch to the new system?

I would fully agree with an apprentice system, but then we would have to admit that some workers are not worth the money we are required to pay them.  That will not happen until something external (read politics) forces it to happen.

I am constantly telling students I teach that getting hands on skill is vital in today's world.  Is encouraging them to completely skip the degree really of value?  Not to the smart ones.  Nothing says they have to only have academic or hands on experience.

No one today has an excuse to not have both!
Chambers
Chambers,
User Rank: Apprentice
3/30/2015 | 11:44:51 PM
Combat Informatics
I'd been looking for a security practitioners tradecraft canon to at least provide me with some idea as to what to master but couldn't find one.  Operational security has a tendency to be very wide and deep so it's tough to nail down what aspects make up a quality operative or analyst.  Over the years I naturally began outlining and organizing my work and acquired training.  I recently started posting things to my homepage. I call it Combat Informatics.  It's a living web document.  
Wolf29
Wolf29,
User Rank: Apprentice
7/6/2015 | 7:59:49 AM
Schools Can't Teach Novelty
I used to be acting chair of a computer networking department in an Atlanta college.  My school was just like every other.  We were all too busy teaching click-paths and memorization to teach troubleshooting and dealing with novelty.  The school had a BS in Info Sec, and it was certainly a lot better than nothing.  Some of the students went very far and are going farther.  They are hitting a wall at company HR departments, however.  Now that they have the diploma, they have to be able to get into something to learn how networks work.  Without the diploma, they are dropped from the search altogether, but even with the diploma, they are not getting useful experience, as part of the course of studies.

I would like to see courses that prepared students for some of the more basic security certs, and that were based on troubleshooting and logical real-world problem solving.  Children are being taught how to use computers at a very young age, but they are generally not being taught how to hack and counter-hack.  That would be a fun class, and promote better thinking.  This would lead to a more useful applicant pool.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...