Cyber Security Education

I’ve done it. I’ve found what’s missing from cyber security education. I have the triangle that all trashy systems have (no offense if your trashy system has a triangle). Get ready.

I present to you the cyber security education triangle (aptly named if I do say so myself).

*insert picture*

The three key points, I believe, to a successful cyber course (like uni, I don’t know about certs, but I’m sure it couldn’t hurt) are that it should be: holistic, systematic and pragmatic. I’ll go into a paragraph about what each of those mean in a second, but I’d like to point out that I’ve never been in a course that has all three of those points, and I go to UNSW, whose security department considers itself to be ahead of the curve. (No hate to any of them or the lecturers though, they’re doing a great job, and most of them have never lectured a course before, and just by teaching they’re leagues ahead of anyone else.) I do also think that there are a few pitfalls in the security community when it comes to education that need to be avoided, but I might save those for another day.

To begin, I think that courses being holistic is the highest priority and the thing that is most lacking (but I am biased towards the big picture). (Also, I have no idea how to conjugate holistic, but I’ve also found holism, which wordpress is flagging as misspelled (although so is the word wordpress, yes, even with a capital), so you’ll have to bear with me as I navigate English.) Holism is looking at something from the bigger picture, seeing that all the parts are connected and need to be thought of as such.

What do I mean in practice? At the beginning of every security course is an exercise where we come up with ideas on how to “hack” something, like say a vending machine, and everyone will come up with ways to get what’s inside without putting money into it, and then we all decide how we’d secure it against attack. That’s great, that’s security on a large scale (well, the ideas are, unless you actually work with vending machines), but that’s where it ends. The next thing is usually an ad hoc transition into the haphazard world of “did you know you can brute force subdomains?” or “here’s how you got root in the 80s.”

What we need is the big picture, not just the attacks and the trivia (but labeled as the “attacker mindset”). How does all of this fit into our goals? Why are we doing what we’re doing? What even is the end goal?

Now, maybe the big picture is the overall “hacker methodology,” and having an actual road map of the course would be useful to that end, but I think a better bigger picture is a secure tomorrow. We can’t look for the bigger picture in “hacking” and different sorts of attacks, because that’s just finding the weakness in the actual bigger picture (which is what the red team side of security actually is). We need to learn what the goal is, and what’s going wrong when my name has an “‘” in it, and why that’s a problem, as opposed to “hey look, it’s cool if I do this because then I just logged in without a password” and calling it a day. We need the bigger picture because without it security is just throwing an “‘” into every form field and collecting a paycheck. We need to emphasize the “cleverness” of security for more than the first half an hour of the course.

It may sound like a subtle difference in theory, but compared to the haphazard, isolated “techniques” it’s a massive difference in practice. Looking at the bigger picture gives you something to go off when there’s a gap between the dots, it gives you a direction when you feel lost and it gives you a goal to work towards, using tools to that end, instead of just throwing random things at a problem until a flag falls out.

(Other points in the triangle coming soon, this is already long, and I have other stuff to do today.)