Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
6 Top Nontechnical Degrees for Cybersecurity
Newest First  |  Oldest First  |  Threaded View
kvonhard
50%
50%
kvonhard,
User Rank: Apprentice
12/19/2019 | 9:48:13 AM
Law Degree
With all the new regulatory requirements impacting the cyber space, I think that law degrees and/or compliance backgrounds provide new value. For example, the NY Privacy act that didn't get passed and the India privacy law update both include the term "data fiduciary" which would lead to a strict liability standard for organizations in the event of a data breach.

The shifting focus requires people who better understand the new legal landscape as well as the technical landscape.
JeffreyG750
50%
50%
JeffreyG750,
User Rank: Apprentice
12/4/2019 | 9:32:49 AM
Speaking linguistically
I am a PhD drop out in Linguistics (from a very long time ago). And for the past nine and a half years I've been at 1Password, where I am now the Chief Defender Against the Dark Arts. I'm not going to actually recommend my career path to anyone, as it really was a sequence of being at the right place at the right time. But I can talk about what my unusual background helps bring to the job.

First of all, any academic is trained to look for (and attempt to rule out) alternative explanations for some phenomenon. If you notice a pattern, the first thing to do is to see whether it is real or not. Someone else mentioned Statistics which ramps of this way of thinking to 11. But in general, academics are trained to question (and test) their assumptions.
To be honest, I don't know to what extent this is a result of our training or whether it is a characteristic of those seeking academic careers. I'm sure there is research on that, but I'm too lazy to look for it.

The study Linguistics brings together a number of different ways of thinking and specific knowledge that can really be helpful when dealing with information security. First of all, we, like Computer Scientists, spend a lot of time developing formal methods for representing and manipulating information. Some of the specific notions overlap. The Chomsky Hierarchy (important theorems in Formal Language Theory and Automata theories) are things that I learned about studying Linguistics. I learned lambda calculus as an undergraduate as part studying the relationship between natural language syntax and semantics.

But more important than those sorts of overlapping skills, we learn to think rigourously and carefully about a very human activity. Linguistics is, to some extent, a cognitive science. This latter point has been enormous help in thinking about usable security. What sorts of mental models will people construct about the systems that they interact with, and where those mental models don't match the underlying reality, are those mismatches likely to them astray in ways that go against their own security and privacy interests?

Linguistics is also very closely tied to Anthropology. Learning to understand how systems differ and how the same construct can play different roles in different systems helps avoid errors. It also helps me understand that risks of taking something that works in one system and dropping it into another.

Linguistics is also about interaction among agents. Sure, I talk to myself, but we are really trying to reverse engineer communication protocols. Different parties have different motive and different information states when talking to each other. This does not mean that the mechanims for one domain can be directly applied to the other, but we get a layer of abstraction that allows us to think clearly about each.

Again, my career path is a series of accidents, and it isn't going to be something replicable. But I do advocate trying to bring in people with the linguist's way of thinking into information security.
CharlotteWiggins
50%
50%
CharlotteWiggins,
User Rank: Apprentice
11/27/2019 | 8:02:29 AM
Re: Add Anthropology to the list
Big thumbs up to you Curtis!
afpjr
100%
0%
afpjr,
User Rank: Apprentice
11/22/2019 | 8:00:20 AM
Add Anthropology to the list
Although closely related to Sociology (my minor) as and Anthropology major, I learned to assess and understand other cultures, how to identify and address personal biases when interacting with individuals of a different cultural background, and how to study and document other cultures as objectively as possible.

IMHO, this has direct application when vetting threat intel and researching adversaries. It has helped me bridge the gap between various cultures or silos within an enterprise. It has taught me to understand the different motivations behind attackers, and (sometimes) how to set the bar high enough to encourage them to look elsewhere for their "resources".

Gaming and e-sports teams, social media tribes, corporate entites and nations/states all can be viewed through the lens of an anthropologist to glean greater understanding of the realities we face in cybersecurity today. Over 20 years in the rearview, and my undergrad experience is still relevant, even in this quickly changing environment we work in.


When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...