04.14.08

Information Security Programs

By Dan Morrill

If you ever have the chance, it is well worth your time to go through the information provided about the Master's in Information Security programs at various colleges.

If you take a very good look at them, and work on trying to figure out what they are actually trying to teach, you might just walk away either disappointed that there is not more real-world information, or convinced that these programs are doing the right thing.

Realistically, what I would like to see in an information security program are those things that make sense in a real-world situation. The closest program is the SANS Master of Information Security degree, but most of the degree program is based on the individual SANS classes, and there is no mention of accreditation on their web site. If they are not accredited (and I could have missed this; if they are accredited, let me know), then this falls into the "junk degree" category. It might look good on a resume, but the program has not been vetted and approved by any of the national education accreditation processes. This can leave the student in limbo when it comes to using the degree to advance their career.

What would make a real world information security degree?

There are limitations on time. A master's program usually runs for 2 years, with 8 classes over 4 terms per year, for a grand total of 16 classes to play with; 15 if you give credit for a master's thesis, which is generally a good idea to write to demonstrate learning.

Of all the skills out there, with terrorism, warfare, hacking, disaster recovery, web 2.0, and all the rest of it, working within a time limitation makes it difficult to work out what makes a great information security degree program. The more emphasis areas, the more expense to the school, the more overhead, and the less likely that the school will be successful. That is a very real issue: schools, even non-profits or not-for-profits, need to make enough money to run their programs, and some programs will be more popular than others. Money goes into a general pool, where popular programs help subsidize less popular programs.

What I would like to see.

I would like to see at least one track that covers auditing, real auditing: one class each in network, database, web server, and operating system auditing. That would take up 2 terms (assuming 2 classes per term), but is desperately needed in the commercial market. We have many people running scanning systems on networks, but they have no idea how to interpret the results. They have no idea how to take the results and provide solutions, tell fact from fiction, or test the results to see if they really are an "oh my god" kind of issue that must be fixed. Rather, we are presented with a dull, bland report telling us how insecure we are, but one that offers no solutions, no way to tie back to regulation specific to the industry, and no account of the risks presented by a verified exploit.


I would like to see at least a series of classes that covers secure coding for the Internet: PHP, Java, Ruby on Rails, C#, C++, stored procedures that interact with the web service, the manifest file and how to limit the number of calls, and the dangers, liabilities, and limitations of each code set. That would be 7 classes in total, or about 1 year of class alone.

I would like to see hacking following along right after the secure code for web services, tearing apart a bad bank or a bad store: looking at other web applications, learning how to debug them, and knowing what the information is telling the programmer and the security engineer. Using common tools to find problems, such as the SPI Dynamics tools and browser plugins, and generally learning what happens when you do not write good software for a dangerous environment. That would be at least 4 classes, or half of a year.

I would like to see a series on policies: HIPAA, SOX, IT ethics (separate from the random and meaningless ethics classes seen lately), privacy, intellectual property issues, management, and information security policies at the local level that need to reflect the legal and regulatory landscape we live in. This alone could take a year of class, but it would need to be crammed into 4 classes to even hope to meet the 2 year limit on a master's degree.

I am over the 2 year limit already, but we still have not touched on enough. We don't have time for IPS systems, disaster recovery, backups, cyber warfare, terrorism, malware, crime, identity theft, IDS systems, management systems, budget, managing information security, and a whole host of other things that a security engineer or manager needs to know about. There is no room for leadership, managing difficult employees, managing developers, or anything to do with project management.

In other words, there is not enough time in a master's program (or even a bachelor's program) to teach all the things that a good security engineer needs to know to make a real difference in their organization. That is a distinct limitation of the educational program; it also means that the good security engineer needs to be a lifelong learner, willing to pick up learning when and where it is available to them.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
-- NetworkNewz is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved