Experiences of actually trying to fill the
gap...
Colin McLean, DeepSec, November 2014.
 Colin McLean
◦ Abertay University, Dundee, Scotland.
◦ Lecturer for 24 years.
◦ Developer of the 1st
Undergrad Degree in Ethical
Hacking (started 2006).
 Abertay?
◦ Small University.
◦ Vocational courses.
 Far away from most
of the action.
Normal people live
here someplace
 Since 2010, our graduates have been employed
by....
◦ KPMG, Qinetiq, NCC Group, Cigital, PWC, RBS, HSBC,
MWR Labs, GCHQ, Tesco Bank, West point security, NCR, NTA Monitor,
Mandalorian, Context IS, GFI Software, Firstbase, White Stratos......
 Many of these companies have more than one
graduate.
◦ NCC employ TEN of our graduates.
 Abertay has a good reputation amongst
security companies in the UK for producing
graduates with (roughly) the correct attributes.
 Something has gone right at Abertay.
◦ Room for improvement.
 The extent of the problem.
 Academic courses.
◦ Producing the right course.
◦ Things that have happened (knock on effects)
 Attracting people on to the course.
When you think
he is going to tell us how wonderful he is...
 8 years....
 Luck.
 Some good judgement.
 Timing?
 Some awesome people.
 Much of this talk is based around the experiences of
this course.
What is the scale?
 “The DoHS can’t find enough people to hire.”
Mark Weatherford DoHS, USA
 “This shortage of ICT skills hampers the
UK’s ability to protect itself”
UK National Audit Office.
 "The demand for cyber security experts is
growing at 12 times the rate of the overall
job market."
Hord Tipton, managing director of (ISC)2.
Region    2012    2017
Americas  1.181   2.081
EMEA      0.797   1.363
APAC      0.894   1.463
Total     2.872   4.908
EMEA = Europe, Middle East & Africa
APAC = Asia PACific
 (ISC)2 report..people working in the industry (now
and estimated required in millions).
 Europe needs ~>200K in the next 2 – 3 years.
 “By 2017, there will be a global shortage of no less than
two million cyber security professionals”
http://www.itproportal.com/2014/11/03/house-of-lords-warning-uk-faces-devastating-cyber-security-skills-crisis-/#ixzz3IOQyyxlC
Options for a company?
 In the UK alone, 98 degrees have a cyber security
element...
 40 to 50 MSc’s....
 We are on our way
..right?
 “Part of this problem, seemingly, is down to courses
which are too steeped in academia and not in
keeping with the true demands of the cyber security
field.”
 “the right practical skills aren't being taught, such
as configuring and reconfiguring systems, trying out
exploits, compromising the security of boxes and
hardening defences.”
Sean Smyth, director at CyberSecurityJobsite
http://www.scmagazineuk.com/more-jobs-but-cyber-security-skills-gap-
widens/article/340103/
 “The courses aren't right…they're great but
not quite who the employer is looking for”.
 “too many of graduates have learnt reactive skills
not the stuff that comes up in real life”
 “some professors say that these are often
taught on industry placements”.
 Academics traditionally produce
theoretical courses.
◦ That’s what we do.
◦ It’s not our fault.
 Companies are blaming academics for
producing the wrong product.
◦ You aren’t giving us graduates with the 1337
skillz.
◦ It’s not our fault.
What do we need to fix?
 Web App Problems (SQLi, XSS etc)
 Poor coding etc, etc.
 Malware Attacks
 Bad configuration/ setups, unpatched software.
 Weak Authentication - bad passwords?
 DOS
 Known or unknown vulnerabilities
 Educating staff
 ...........
 Networking.
 Systems.
 Developers.
 Offensive.
 Forensic.
 Responders.....etc...
 Also “softer skills” will be required
◦ intellectual property, internal security policies, HR Job
writers, lawyers etc...
◦ Academia/Business must work to solve this.
 Mathematical / theoretical courses are required (largely
being addressed?)
 Theoretical can (?) save the world.
 But...more vocational graduates are required.
◦ Theoretical solutions are not being adopted.
 More and better vocational courses required.
◦ Is this being addressed?
Requirements analysis...
 Some of the attributes are unusual for a degree
(especially a technical subject).
 This is perhaps a problem?
 These CAN be catered for during a degree.
◦ Teaching/Tutorials/Assessments/Extra-curricular
activities
◦ External speakers etc.
Features. Points of interest that could help.
 2005 – A two year UK government funded project
– Abertay Uni & NCR R&D
◦ Employed a full-time researcher.
 “Risk analysis of an NCR Automated Telling
Machine (ATM).”
 Jim Kirkhope of NCR “it would be great to be
able to employ graduates who knew this
stuff..”
 Industry driven
 NCR Student projects
◦ Covered by NDA..
 Firstbase Techies.
◦ Guidance, talks, free training.
◦ Firstbase employ two Abertay graduates.
 Cigital
◦ Talks, workshops, sponsorship, free software
◦ Cigital have employed 2 of our graduates.
 NCC
◦ Talks, workshops, sponsorship, guidance etc.
◦ NCC employ 10 of our graduates.
 Now, I have contact with many companies.
 It's moulded the content.
 Ethical Hacking “company contact week” for
students in their final year.
◦ NCC Group, MWR, KPMG, NTA Monitor etc have given
training/advice etc...
 Other people have played a major role in
our success.
◦ “Free" knowledge.
 Our graduates are better equipped for the
real-world because of this.
 These companies are now getting a better
product......
 Let them do things.
◦ Build their own specialisms.
◦ Build their own brand.
◦ Builds community spirit.
◦ Publicity.
 An example...
◦ Abertay Ethical Hacking society.
◦ Students meet every week.
 Ethical Hacking Society.
•Greg Scott: Fuzzing: Brute Force Vulnerability Discovery
•Milo Farkner: Time for some Crypto
•Rorie Hood: The Kernel, an int and the Null Pointer Dereference
•Andy Redfield: Lockpicking
•Georgi Boiko: XORing and Cryptography
•Paul Dalton: Ping of Death revisited
•Erden Eren: New ATMs: Secure?
•Rorie Hood: The Gifar Attack
•Jack Graham: Breaking the Boundaries with ToBmuD
•Ian Soutar: You've Found a Vulnerability, Now What?
•Tony Roper: Reverse Engineering 32-bit Windows Executables
•Andrew Macdonald: Hacking for Homebrew: How to build your own PS2 Linux Kit
•Ian Soutar: Web Applications: Securing a Broken Website
•Jack Graham: The Power of TIFF, Screens and META
•Christopher Donnelly: Google Hacking
•Blair Dick: I2P - The Anonymous Network
•Rorie Hood: Rootkit Development
•Paul Dalton: USB Autorun on Windows
•Daniel Forse: Exploiting the Inherent Trust of Human Input Devices
 BruCon Security Conference 2011
◦ “Smart Phones – The Weak Link in the Security Chain, Hacking a network
through an Android device” by Nick Walker and Werner Nel
 BruCon Security Conference 2011
◦ “Script Kiddie Hacking Techniques” by Ellen Moar
 BSides London Security Conference 2011
◦ “DNS Tunnelling: It's all in the name!”, Arron Finnon
 GrrCon (Grand Rapids, Michigan) Security Conference 2012
◦ “I’m the guy your CEO warned you about” by Gavin Ewan
 BSides London Security Conference 2013
◦ “The evolution of Rootkits into the mobile ecosystems”, Rorie Hood
◦ Seven students have spoken at the rookie track.
 BSides Lisbon Security Conference 2013
◦ “NoSQL – No Security”, Gavin Holt
 BSides Manchester 2014
◦ Gavin Holt & rookie track...
Our students talking at cons.
France, London, Lisbon, Cardiff
 2012 -20 people, 2013 – 110 people, 2014 –
150+people
http://securi-tay.co.uk/
 As well as the obvious...
 Contacts & knowledge exchange between Universities.
◦ Leeds Beckett Uni, Sheffield Hallam, Dublin etc...
 Publicity.
◦ TV/Radio/Newspapers..
 School children have come to Securi-Tay
 Largely untapped.
 Initiatives.
◦ Students visit Schools.
◦ Women in science days.
◦ Publicity..
 Increase in female students.
 Schools visits.
 School trips to Universities.
 School teachers training.
 Planned awareness talks for the “elderly".
 To (some) academics
◦ We are not producing the right product.
◦ Our courses need to change.
◦ We don’t have the skills to teach our students.
◦ We need to ask for them.
 To (some) companies
◦ You need academia to make your product better.
◦ You need our product to be better.
◦ You are not helping academics get these skills.
◦ You need to give out these skills.
 To some academics.
◦ Vocational CAN be academic.
◦ My student work has included..
 Methodology, Taxonomy, Crypto, Risk analysis, Software
development...
 To some companies.
◦ “Look at this great deal that your graduates will get”.
◦ Moaning about academia will get you no place!
 Don’t expect GRADUATES to be experts
the day they start.
◦ A degree MUST be generic.
◦ It’s about lifelong learning and no other discipline expects
this so ....don’t you.
◦ A University degree is not TRAINING.
 Academia.
◦ We must make an attempt to make graduates “billable”
as early as possible.
 Fear of teaching the offensive.
 What’s in a name?? Cyber-Hacking!
 More specialist degrees.
 Thanks for having me & for listening..
 Questions?
 Knowledge Transfer diagram
 Colleges.
 What’s in a name?
◦ Cyber/Ethical hacking
 Fear of teaching offensive
 Competitions – must be knowledge
 Vocational is becoming important.
 Must be investment in resources.
 Education must be driven by the Industry.
 Industry must invest time & effort in academia.
 More specialist degrees.
 If a company requires graduates then
approach academia.
◦ Influence content.
◦ Influence graduate attributes.
◦ Influence assessment.
 Student project work.
◦ it gives the company an indication of the skills of
the student in question & the University.
 Realise. The content MUST be requirement
driven.
 Some Universities are offering degrees.
◦ They teach what they know how to do.
◦ Uni’s jumping on the bandwagon is pointless.
 Must be a breadth of topics.
◦ Graduates must be flexible.
 Lack of practical security knowledge in Universities.
 Companies need to encourage academics. Work
alongside a security person?
 In house training?
◦ Why not invite an academic.
 Academics must also undertake difficult modules.
 “Too steeped in academia”
◦ We are vocational
 practical skills aren't being taught
◦ Our students’ practical skills have been
developed with the assistance of companies.
 not the stuff that comes up in real life
◦ Case study based and guided with the
assistance of companies.
 The courses aren’t right.
◦ Industry has guided our course.
 These are often taught on industry placements.
◦ Many of ours are taught on the course.
 Currently producing ~20 graduates per year
who have a choice of job.
◦ Becoming more popular every year.
 We also run an M Sc in Ethical Hacking (~10
grads per year).
 No magic formula.
 More programmes like ours required.
How to tackle the problem?
 “Governments, business and the IT security industry
need to work together to make cyber security more
visible and attractive as a career”
Mark Weatherford DoHS.
 “Industry and academia should ...raising awareness of
the growing demand for cyber security professionals.”
 “Industry and government should invest in cyber security
professionals who can address cyber threats”
Canadian ICTC Report.
http://www.ictc-ctic.ca/wp-content/uploads/2012/10/ICTC_CyberSecurityReport1.pdf
What is actually happening?
Will it benefit business?
 National security is highlighted and being
addressed.
 USA - Comprehensive National security
initiatives.
 Cybersecurity Strategy of the European Union.
◦ UK £650M investment.
◦ Most countries seem to be acting on this.
 NSA & DoHS sponsor
National Centers of Academic Excellence
◦ Identify excellence in Research & Education.
◦ Largely National defence related.
◦ Some community colleges (vocational).
 UK heading down this same route
 More vocational cyber security degrees in
the USA than Europe.
◦ Still not producing nearly enough suitably
qualified people.
California 38M pop, 8 edu establishments
Ohio 12M pop, 4
In the UK, similar scheme for research est.
 Competitions
 Boot camps
 Scholarships.
 Meetings to raise awareness.
 Other awareness events/promotions
 Certifications are also an avenue for business...
 These help to raise awareness but....
◦ Competitions.
 Largely test existing knowledge. No great fundamental learning.
◦ Boot camps.
 Two days training turns someone into a specialist?
◦ Certification
 A 4 day course then a multiple choice exam?
◦ Scholarships to where?
 To one of the very few specialist educational centres.
 Europe needs 100K’s of people!
 Specialist centres and short courses
are not enough.
◦ Bolt on security?
 Every region in every country:-
◦ Will require people.
◦ Universities / Colleges must act.
◦ Business must act.
A fundamental education review is required.
◦ Firm grasp of fundamentals.
◦ Have a security mindset.
◦ Experience of real attacks.
◦ Practical skills & technical knowledge.
◦ Research skills.
◦ Analysis skills.
◦ “Think outside the box.”
◦ Communication skills.
.............
 More vocational grads.
◦ Mathematical / theoretical still required but this is largely
being addressed.
 More vocational courses required.
◦ Is this being addressed?
◦ Colleges? Largely untapped.
 However, not just any old vocational course.
 Themed:-
◦ Programming, Computer Networking, Ethical
Hacking.
 Four year honours degree in Scotland.
◦ Year 1 and 2 – Basics & concepts.
◦ Year 3 and 4 - Research and self-learn.
 General security, Penetration testing, Web
Application testing, Exploit Development, Reverse
Engineering, Malware analysis
The syllabus (briefly!)
 Culture of project work as assessments:-
◦ Year 1 Ethical Hacking – Project
◦ Year 2 Ethical Hacking – Project
◦ Year 2 Smart Programming – Programming Project
◦ Year 3 Ethical Hacking - Web security project
◦ Year 3 Ethical Hacking – Mini-project
◦ Year 3 Ethical Hacking – Exploit development
◦ Year 3 Group Project - Student chosen
◦ Year 4 Network Management – Network Security project
◦ Year 4 Honours project
Student centred learning.
RESEARCH & DOCUMENTATION ARE IMPORTANT

Python Notes for mca i year students osmania university.docx
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 

Deep sec talk - Addressing the skills gap

  • 1. Experiences of actually trying to fill the gap... Colin McLean, DeepSec, November 2014.
  • 2.
      • Colin McLean
          ◦ Abertay University, Dundee, Scotland.
          ◦ Lecturer for 24 years.
          ◦ Developer of the 1st Undergrad Degree in Ethical Hacking (started 2006).
      • Abertay?
          ◦ Small University.
          ◦ Vocational courses.
  • 3.
      • Far away from most of the action.
      • Normal people live here someplace
  • 4.
      • Since 2010, our graduates have been employed by....
          ◦ KPMG, Qinetiq, NCC Group, Cigital, PWC, RBS, HSBC, MWR Labs, GCHQ, Tesco Bank, West point security, NCR, NTA Monitor, Mandalorian, Context IS, GFI Software, Firstbase, White Stratos......
      • Many of these companies have more than one graduate.
          ◦ NCC employ TEN of our graduates.
  • 5.
      • Abertay has a good reputation amongst security companies in the UK for producing graduates with (roughly) the correct attributes.
      • Something has gone right at Abertay.
          ◦ Room for improvement.
  • 6.
      • The extent of the problem.
      • Academic courses.
          ◦ Producing the right course.
          ◦ Things that have happened (knock on effects)
      • Attracting people on to the course.
  • 7. When you think he is going to tell us how wonderful he is...
  • 8.
      • 8 years....
      • Luck.
      • Some good judgement.
      • Timing?
      • Some awesome people.
      • Much of this talk is based around the experiences of this course.
  • 9. What is the scale?
  • 10.
      • “The DoHS can’t find enough people to hire.” Mark Weatherford DoHS, USA
      • “This shortage of ICT skills hampers the UK’s ability to protect itself” UK National Audit Office.
      • "The demand for cyber security experts is growing at 12 times the rate of the overall job market." Hord Tipton, managing director of (ISC)2.
  • 11.

                   2012     2017
        Americas   1.181    2.081
        EMEA        .797    1.363
        APAC        .894    1.463
        Total      2.872    4.908

        EMEA = Europe, Middle East & Africa
        APAC = Asia PACific

      • (ISC)2 report..people working in the industry (now and estimated required in millions).
      • Europe needs ~>200K in the next 2 – 3 years.
  • 12.
      • “By 2017, there will be a global shortage of no less than two million cyber security professionals” http://www.itproportal.com/2014/11/03/house-of-lords-warning-uk-faces-devastating-cyber-security-skills-crisis-/#ixzz3IOQyyxlC
  • 13. Options for a company?
  • 14.
  • 15.
      • In the UK alone, 98 degrees have a cyber security element...
      • 40 to 50 MSc’s....
      • We are on our way ..right?
  • 16.
      • “Part of this problem, seemingly, is down to courses which are too steeped in academia and not in keeping with the true demands of the cyber security field.”
      • “the right practical skills aren't being taught, such as configuring and reconfiguring systems, trying out exploits, compromising the security of boxes and hardening defences.” Sean Smyth, director at CyberSecurityJobsite http://www.scmagazineuk.com/more-jobs-but-cyber-security-skills-gap-widens/article/340103/
  • 17.
      • “The courses aren't right…they're great but not quite who the employer is looking for”.
      • “too many of graduates have learnt reactive skills not the stuff that comes up in real life”
      • “some professors say that these are often taught on industry placements”.
  • 18.
      • Academics traditionally produce theoretical courses.
          ◦ That’s what we do.
          ◦ It’s not our fault.
      • Companies are blaming academics for producing the wrong product.
          ◦ You aren’t giving us graduates with the 1337 skillz.
          ◦ It’s not our fault.
  • 19. What do we need to fix?
  • 20.
      • Web App Problems (SQLi, XSS etc)
      • Poor coding etc, etc.
      • Malware Attacks
      • Bad configuration/ setups, unpatched software.
      • Weak Authentication - bad passwords?
      • DOS
      • Known or unknown vulnerabilities
      • Educating staff
      • ...........
  • 21.
      • Networking.
      • Systems.
      • Developers.
      • Offensive.
      • Forensic.
      • Responders.....etc...
      • Also “softer skills” will be required
          ◦ intellectual property, internal security policies, HR Job writers, lawyers etc...
          ◦ Academia/Business must work to solve this.
  • 22.
      • Mathematical / theoretical courses are required (largely being addressed?)
      • Theoretical can (?) save the world.
      • But...more vocational graduates are required.
          ◦ Theoretical solutions are not being adopted.
      • More and better vocational courses required.
          ◦ Is this being addressed?
  • 24.
  • 25.
      • Some of the attributes are unusual for a degree (especially a technical subject).
      • This is perhaps a problem?
      • These CAN be catered for during a degree.
          ◦ Teaching/Tutorials/Assessments/Extra-curricular activities
          ◦ External speakers etc.
  • 26. Features. Points of interest that could help.
  • 27.
      • 2005 – A two year UK government funded project – Abertay Uni & NCR R&D
          ◦ Employed a full-time researcher.
      • “Risk analysis of an NCR Automated Telling Machine (ATM).”
      • Jim Kirkhope of NCR “it would be great to be able to employ graduates who knew this stuff..”
      • Industry driven
  • 28.
      • NCR Student projects
          ◦ Covered by NDA..
      • Firstbase Techies.
          ◦ Guidance, talks, free training.
          ◦ Firstbase employ two Abertay graduates.
      • Cigital
          ◦ Talks, workshops, sponsorship, free software
          ◦ Cigital have employed 2 of our graduates.
      • NCC
          ◦ Talks, workshops, sponsorship, guidance etc.
          ◦ NCC employ 10 of our graduates.
  • 29.
      • Now, I have contact with many companies.
      • It's moulded the content.
      • Ethical Hacking “company contact week” for students in their final year.
          ◦ NCC Group, MWR, KPMG, NTA Monitor etc have given training/advice etc...
  • 30.
  • 31.
      • Other people have played a major role in our success.
          ◦ “Free" knowledge.
      • Our graduates are better equipped for the real-world because of this.
      • These companies are now getting a better product......
  • 32.
  • 33.
      • Let them do things.
          ◦ Build their own specialisms.
          ◦ Build their own brand.
          ◦ Builds community spirit.
          ◦ Publicity.
      • An example...
          ◦ Abertay Ethical Hacking society.
          ◦ Students meet every week.
  • 34.
      • Ethical Hacking Society.
          ◦ Greg Scott: Fuzzing: Brute Force Vulnerability Discovery
          ◦ Milo Farkner: Time for some Crypto
          ◦ Rorie Hood: The Kernel, an int and the Null Pointer Dereference
          ◦ Andy Redfield: Lockpicking
          ◦ Georgi Boiko: XORing and Cryptography
          ◦ Paul Dalton: Ping of Death revisited
          ◦ Erden Eren: New ATMs: Secure?
          ◦ Rorie Hood: The Gifar Attack
          ◦ Jack Graham: Breaking the Boundaries with ToBmuD
          ◦ Ian Soutar: You've Found a Vulnerability, Now What?
          ◦ Tony Roper: Reverse Engineering 32-bit Windows Executables
          ◦ Andrew Macdonald: Hacking for Homebrew: How to build your own PS2 Linux Kit
          ◦ Ian Soutar: Web Applications: Securing a Broken Website
          ◦ Jack Graham: The Power of TIFF, Screens and META
          ◦ Christopher Donnelly: Google Hacking
          ◦ Blair Dick: I2P - The Anonymous Network
          ◦ Rorie Hood: Rootkit Development
          ◦ Paul Dalton: USB Autorun on Windows
          ◦ Daniel Forse: Exploiting the Inherent Trust of Human Input Devices
  • 35. Our students talking at cons.
      • BruCon Security Conference 2011
          ◦ “Smart Phones – The Weak Link in the Security Chain, Hacking a network through an Android device” by Nick Walker and Werner Nel
      • BruCon Security Conference 2011
          ◦ “Script Kiddie Hacking Techniques” by Ellen Moar
      • BSides London Security Conference 2011
          ◦ “DNS Tunnelling: It's all in the name!”, Arron Finnon
      • GrrCon (Grand Rapids, Michigan) Security Conference 2012
          ◦ I’m the guy your CEO warned you about by Gavin Ewan
      • BSides London Security Conference 2013
          ◦ The evolution of Rootkits into the mobile ecosystems Rorie Hood
          ◦ Seven students have spoken at the rookie track.
      • BSides Lisbon Security Conference 2013
          ◦ NoSQL – No Security..Gavin Holt
      • BSides Manchester 2014
          ◦ Gavin Holt & rookie track...
  • 37.
      • 2012 – 20 people, 2013 – 110 people, 2014 – 150+ people http://securi-tay.co.uk/
  • 38.
      • As well as the obvious...
      • Contacts & knowledge exchange between Universities.
          ◦ Leeds Beckett Uni, Sheffield Hallam, Dublin etc...
      • Publicity.
          ◦ TV/Radio/Newspapers..
      • School children have come to Securi-Tay
  • 39.
      • Largely untapped.
      • Initiatives.
          ◦ Students visit Schools.
          ◦ Women in science days.
          ◦ Publicity..
      • Increase in female students.
  • 40.
      • Schools visits.
      • School trips to Universities.
      • School teachers training.
      • Planned awareness talks for the “elderly”.
  • 41.
      • To (some) academics
          ◦ We are not producing the right product.
          ◦ Our courses need to change.
          ◦ We don’t have the skills to teach our students.
          ◦ We need to ask for them.
      • To (some) companies
          ◦ You need academia to make your product better.
          ◦ You need our product to be better.
          ◦ You are not helping academics get these skills.
          ◦ You need to give out these skills.
  • 42.
      • To some academics.
          ◦ Vocational CAN be academic.
          ◦ My student work has included..
              • Methodology, Taxonomy, Crypto, Risk analysis, Software development...
      • To some companies.
          ◦ “Look at this great deal that your graduates will get”.
          ◦ Moaning about academia will get you no place!
  • 43.
      • Don’t expect GRADUATES to be experts the day they start.
          ◦ A degree MUST be generic.
          ◦ It’s about lifelong learning and no other discipline expects this so ....don’t you.
          ◦ A University degree is not TRAINING.
      • Academia.
          ◦ We must make an attempt to make graduates “billable” as early as possible.
  • 44.
      • Fear of teaching the offensive.
      • What’s in a name?? Cyber-Hacking!
      • More specialist degrees.
  • 45.
      • Thanks for having me & for listening..
      • Questions?
  • 46.
      • Knowledge Transfer diagram
      • Colleges.
      • What’s in a name?
          ◦ Cyber/Ethical hacking
      • Fear of teaching offensive
      • Competitions – must be knowledge
  • 47.
      • Vocational is becoming important.
      • Must be investment in resources.
      • Education must be driven by the Industry.
      • Industry must invest time & effort in academia.
      • More specialist degrees.
  • 48.
      • If a company requires graduates then approach academia.
          ◦ Influence content.
          ◦ Influence graduate attributes.
          ◦ Influence assessment.
      • Student project work.
          ◦ it gives the company an indication of the skills of the student in question & the University.
  • 49.
      • Realise. The content MUST be requirement driven.
      • Some Universities are offering degrees.
          ◦ They teach what they know how to do.
          ◦ Uni’s jumping on the bandwagon is pointless.
      • Must be a breadth of topics.
          ◦ Graduates must be flexible.
  • 50.
      • Lack of practical security knowledge in Universities.
      • Companies need to encourage academics. Work alongside a security person?
      • In house training?
          ◦ Why not invite an academic.
      • Academics must also undertake difficult modules.
  • 51.
      • “Too steeped in academia”
          ◦ We are vocational
      • practical skills aren't being taught
          ◦ Our students' practical skills have been developed with the assistance of companies.
      • not the stuff that comes up in real life
          ◦ Case study based and guided with the assistance of companies.
      • The courses aren’t right.
          ◦ Industry has guided our course.
      • These are often taught on industry placements.
          ◦ Many of ours are taught on the course.
  • 52.
      • Currently producing ~20 graduates per year who have a choice of job.
          ◦ Becoming more popular every year.
      • We also run an M Sc in Ethical Hacking (~10 grads per year).
      • No magic formula.
      • More programmes like ours required.
  • 53. How to tackle the problem?
  • 54.
      • “Governments, business and the IT security industry need to work together to make cyber security more visible and attractive as a career” Mark Weatherford DoHS.
      • “Industry and academia should ...raising awareness of the growing demand for cyber security professionals.”
      • “Industry and government should invest in cyber security professionals who can address cyber threats” Canadian ICTC Report. http://www.ictc-ctic.ca/wp-content/uploads/2012/10/ICTC_CyberSecurityReport1.pdf
  • 55. What is actually happening? Will it benefit business?
  • 56.
      • National security is highlighted and being addressed.
      • USA - Comprehensive National security initiatives.
      • Cybersecurity Strategy of the European Union.
          ◦ UK £650M investment.
          ◦ Most countries seem to be acting on this.
  • 57.
      • NSA & DoHS sponsor National Centers of Academic Excellence
          ◦ Identify excellence in Research & Education.
          ◦ Largely National defence related.
          ◦ Some community colleges (vocational).
      • UK heading down this same route
      • More vocational cyber security degrees in the USA than Europe.
          ◦ Still not producing nearly enough suitably qualified people.
      • California 38M pop, 8 edu establishments
      • Ohio 12M pop, 4
      • In the UK, similar scheme for research est.
  • 58.
      • Competitions
      • Boot camps
      • Scholarships.
  • 59.
      • Meetings to raise awareness.
      • Other awareness events/promotions
      • Certifications are also an avenue for business...
  • 60.
      • These help to raise awareness but....
          ◦ Competitions.
              • Largely test existing knowledge. No great fundamental learning.
          ◦ Boot camps.
              • Two days training turns someone into a specialist?
          ◦ Certification
              • A 4 day course then a multiple choice exam?
          ◦ Scholarships to where?
              • To one of the very few specialist educational centres.
  • 61.
      • Europe needs 100K’s of people!
      • Specialist centres and short courses are not enough.
          ◦ Bolt on security?
      • Every region in every country:-
          ◦ Will require people.
          ◦ Universities / Colleges must act.
          ◦ Business must act.
      • A fundamental education review is required.
  • 62.
          ◦ Firm grasp of fundamentals.
          ◦ Have a security mindset.
          ◦ Experience of real attacks.
          ◦ Practical skills & technical knowledge.
          ◦ Research skills.
          ◦ Analysis skills.
          ◦ “Think outside the box.”
          ◦ Communication skills.
          ◦ .............
  • 63.
      • More vocational grads.
          ◦ Mathematical / theoretical still required but this is largely being addressed.
      • More vocational courses required.
          ◦ Is this being addressed?
          ◦ Colleges? Largely untapped.
      • However, not just any old vocational course.
  • 64. The syllabus (briefly!)
      • Themed:-
          ◦ Programming, Computer Networking, Ethical Hacking.
      • Four year honours degree in Scotland.
          ◦ Year 1 and 2 – Basics & concepts.
          ◦ Year 3 and 4 - Research and self-learn.
      • General security, Penetration testing, Web Application testing, Exploit Development, Reverse Engineering, Malware analysis
  • 65.
      • Culture of project work as assessments:-
          ◦ Year 1 Ethical Hacking – Project
          ◦ Year 2 Ethical Hacking – Project
          ◦ Year 2 Smart Programming – Programming Project
          ◦ Year 3 Ethical Hacking - Web security project
          ◦ Year 3 Ethical Hacking – Mini-project
          ◦ Year 3 Ethical Hacking – Exploit development
          ◦ Year 3 Group Project - Student chosen
          ◦ Year 4 Network Management – Network Security project
          ◦ Year 4 Honours project
      • Student centred learning.
      • RESEARCH & DOCUMENTATION ARE IMPORTANT