2. Colin McLean
◦ Abertay University, Dundee, Scotland.
◦ Lecturer for 24 years.
◦ Developer of the 1st Undergrad Degree in Ethical Hacking (started 2006).
Abertay?
◦ Small University.
◦ Vocational courses.
3. Far away from most of the action.
Normal people live here someplace.
4. Since 2010, our graduates have been employed by....
◦ KPMG, Qinetiq, NCC Group, Cigital, PWC, RBS, HSBC, MWR Labs, GCHQ, Tesco Bank, West point security, NCR, NTA Monitor, Mandalorian, Context IS, GFI Software, Firstbase, White Stratos......
Many of these companies have more than one graduate.
◦ NCC employ TEN of our graduates.
5. Abertay has a good reputation amongst security companies in the UK for producing graduates with (roughly) the correct attributes.
Something has gone right at Abertay.
◦ Room for improvement.
6. The extent of the problem.
Academic courses.
◦ Producing the right course.
◦ Things that have happened (knock-on effects).
Attracting people on to the course.
10. “The DoHS can’t find enough people to hire.”
Mark Weatherford, DoHS, USA.
“This shortage of ICT skills hampers the UK’s ability to protect itself.”
UK National Audit Office.
“The demand for cyber security experts is growing at 12 times the rate of the overall job market.”
Hord Tipton, managing director of (ISC)2.
11. (ISC)2 report: people working in the industry now (2012) and estimated required (2017), in millions.
Region      2012    2017
Americas    1.181   2.081
EMEA        0.797   1.363
APAC        0.894   1.463
Total       2.872   4.908
EMEA = Europe, Middle East & Africa.
APAC = Asia Pacific.
Europe needs more than ~200K in the next 2 – 3 years.
12. “By 2017, there will be a global shortage of no less than two million cyber security professionals.”
http://www.itproportal.com/2014/11/03/house-of-lords-warning-uk-faces-devastating-cyber-security-skills-crisis-/#ixzz3IOQyyxlC
15. In the UK alone, 98 degrees have a cyber security element...
40 to 50 MSc’s....
We are on our way..right?
16. “Part of this problem, seemingly, is down to courses which are too steeped in academia and not in keeping with the true demands of the cyber security field.”
“the right practical skills aren't being taught, such as configuring and reconfiguring systems, trying out exploits, compromising the security of boxes and hardening defences.”
Sean Smyth, director at CyberSecurityJobsite.
http://www.scmagazineuk.com/more-jobs-but-cyber-security-skills-gap-widens/article/340103/
17. “The courses aren't right…they're great but not quite who the employer is looking for”.
“too many of graduates have learnt reactive skills not the stuff that comes up in real life”
“some professors say that these are often taught on industry placements”.
18. Academics traditionally produce theoretical courses.
◦ That’s what we do.
◦ It’s not our fault.
Companies are blaming academics for producing the wrong product.
◦ You aren’t giving us graduates with the 1337 skillz.
◦ It’s not our fault.
20. Web App Problems (SQLi, XSS etc.)
Poor coding etc., etc.
Malware Attacks
Bad configuration/setups, unpatched software.
Weak Authentication - bad passwords?
DoS
Known or unknown vulnerabilities
Educating staff
...........
21. Networking.
Systems.
Developers.
Offensive.
Forensic.
Responders.....etc...
Also “softer skills” will be required
◦ intellectual property, internal security policies, HR job writers, lawyers etc...
◦ Academia/Business must work to solve this.
22. Mathematical / theoretical courses are required (largely being addressed?)
Theoretical can (?) save the world.
But...more vocational graduates are required.
◦ Theoretical solutions are not being adopted.
More and better vocational courses required.
◦ Is this being addressed?
25. Some of the attributes are unusual for a degree (especially a technical subject).
This is perhaps a problem?
These CAN be catered for during a degree.
◦ Teaching/Tutorials/Assessments/Extra-curricular activities.
◦ External speakers etc.
27. 2005 – A two-year UK government-funded project – Abertay Uni & NCR R&D
◦ Employed a full-time researcher.
“Risk analysis of an NCR Automated Telling Machine (ATM).”
Jim Kirkhope of NCR: “it would be great to be able to employ graduates who knew this stuff..”
Industry driven.
28. NCR Student projects
◦ Covered by NDA..
Firstbase Techies.
◦ Guidance, talks, free training.
◦ Firstbase employ two Abertay graduates.
Cigital
◦ Talks, workshops, sponsorship, free software
◦ Cigital have employed 2 of our graduates.
NCC
◦ Talks, workshops, sponsorship, guidance etc.
◦ NCC employ 10 of our graduates.
29. Now, I have contact with many companies.
It's moulded the content.
Ethical Hacking “company contact week” for students in their final year.
◦ NCC Group, MWR, KPMG, NTA Monitor etc. have given training/advice etc...
31. Other people have played a major role in our success.
◦ “Free" knowledge.
Our graduates are better equipped for the real-world because of this.
These companies are now getting a better product......
33. Let them do things.
◦ Build their own specialisms.
◦ Build their own brand.
◦ Builds community spirit.
◦ Publicity.
An example...
◦ Abertay Ethical Hacking society.
◦ Students meet every week.
34. Ethical Hacking Society.
◦ Greg Scott: Fuzzing: Brute Force Vulnerability Discovery
◦ Milo Farkner: Time for some Crypto
◦ Rorie Hood: The Kernel, an int and the Null Pointer Dereference
◦ Andy Redfield: Lockpicking
◦ Georgi Boiko: XORing and Cryptography
◦ Paul Dalton: Ping of Death revisited
◦ Erden Eren: New ATMs: Secure?
◦ Rorie Hood: The Gifar Attack
◦ Jack Graham: Breaking the Boundaries with ToBmuD
◦ Ian Soutar: You've Found a Vulnerability, Now What?
◦ Tony Roper: Reverse Engineering 32-bit Windows Executables
◦ Andrew Macdonald: Hacking for Homebrew: How to build your own PS2 Linux Kit
◦ Ian Soutar: Web Applications: Securing a Broken Website
◦ Jack Graham: The Power of TIFF, Screens and META
◦ Christopher Donnelly: Google Hacking
◦ Blair Dick: I2P - The Anonymous Network
◦ Rorie Hood: Rootkit Development
◦ Paul Dalton: USB Autorun on Windows
◦ Daniel Forse: Exploiting the Inherent Trust of Human Input Devices
35. Our students talking at cons.
BruCon Security Conference 2011
◦ “Smart Phones – The Weak Link in the Security Chain, Hacking a network through an Android device” by Nick Walker and Werner Nel
BruCon Security Conference 2011
◦ “Script Kiddie Hacking Techniques” by Ellen Moar
BSides London Security Conference 2011
◦ “DNS Tunnelling: It's all in the name!” by Arron Finnon
GrrCon (Grand Rapids, Michigan) Security Conference 2012
◦ “I’m the guy your CEO warned you about” by Gavin Ewan
BSides London Security Conference 2013
◦ “The evolution of Rootkits into the mobile ecosystems” by Rorie Hood
◦ Seven students have spoken at the rookie track.
BSides Lisbon Security Conference 2013
◦ “NoSQL – No Security” by Gavin Holt
BSides Manchester 2014
◦ Gavin Holt & rookie track...
38. As well as the obvious...
Contacts & knowledge exchange between Universities.
◦ Leeds Beckett Uni, Sheffield Hallam, Dublin etc...
Publicity.
◦ TV/Radio/Newspapers..
School children have come to Securi-Tay.
39. Largely untapped.
Initiatives.
◦ Students visit Schools.
◦ Women in science days.
◦ Publicity..
Increase in female students.
40. School visits.
School trips to Universities.
School teacher training.
Planned awareness talks for the “elderly”.
41. To (some) academics
◦ We are not producing the right product.
◦ Our courses need to change.
◦ We don’t have the skills to teach our students.
◦ We need to ask for them.
To (some) companies
◦ You need academia to make your product better.
◦ You need our product to be better.
◦ You are not helping academics get these skills.
◦ You need to give out these skills.
42. To some academics.
◦ Vocational CAN be academic.
◦ My student work has included..
Methodology, Taxonomy, Crypto, Risk analysis, Software development...
To some companies.
◦ “Look at this great deal that your graduates will get”.
◦ Moaning about academia will get you nowhere!
43. Don’t expect GRADUATES to be experts the day they start.
◦ A degree MUST be generic.
◦ It’s about lifelong learning; no other discipline expects this, so....don’t you.
◦ A University degree is not TRAINING.
Academia.
◦ We must make an attempt to make graduates “billable” as early as possible.
44. Fear of teaching the offensive.
What’s in a name?? Cyber-Hacking!
More specialist degrees.
45. Thanks for having me & for listening..
Questions?
46. Knowledge Transfer diagram
Colleges.
What’s in a name?
◦ Cyber/Ethical hacking
Fear of teaching offensive
Competitions – must be knowledge
47. Vocational is becoming important.
Must be investment in resources.
Education must be driven by the Industry.
Industry must invest time & effort in academia.
More specialist degrees.
48. If a company requires graduates then approach academia.
◦ Influence content.
◦ Influence graduate attributes.
◦ Influence assessment.
Student project work.
◦ It gives the company an indication of the skills of the student in question & the University.
49. Realise. The content MUST be requirement driven.
Some Universities are offering degrees.
◦ They teach what they know how to do.
◦ Universities jumping on the bandwagon is pointless.
Must be a breadth of topics.
◦ Graduates must be flexible.
50. Lack of practical security knowledge in Universities.
Companies need to encourage academics. Work alongside a security person?
In-house training?
◦ Why not invite an academic.
Academics must also undertake difficult modules.
51. “Too steeped in academia”
◦ We are vocational.
“Practical skills aren't being taught”
◦ Our students' practical skills have been developed with the assistance of companies.
“Not the stuff that comes up in real life”
◦ Case-study based and guided with the assistance of companies.
“The courses aren’t right.”
◦ Industry has guided our course.
“These are often taught on industry placements.”
◦ Many of ours are taught on the course.
52. Currently producing ~20 graduates per year who have a choice of job.
◦ Becoming more popular every year.
We also run an MSc in Ethical Hacking (~10 grads per year).
No magic formula.
More programmes like ours required.
54. “Governments, business and the IT security industry need to work together to make cyber security more visible and attractive as a career”
Mark Weatherford, DoHS.
“Industry and academia should ...raising awareness of the growing demand for cyber security professionals.”
“Industry and government should invest in cyber security professionals who can address cyber threats.”
Canadian ICTC Report.
http://www.ictc-ctic.ca/wp-content/uploads/2012/10/ICTC_CyberSecurityReport1.pdf
56. National security is highlighted and being addressed.
USA - Comprehensive National security initiatives.
Cybersecurity Strategy of the European Union.
◦ UK £650M investment.
◦ Most countries seem to be acting on this.
57. NSA & DoHS sponsor National Centers of Academic Excellence
◦ Identify excellence in Research & Education.
◦ Largely National defence related.
◦ Some community colleges (vocational).
UK heading down this same route.
More vocational cyber security degrees in the USA than Europe.
◦ Still not producing nearly enough suitably qualified people.
◦ California: 38M population, 8 educational establishments.
◦ Ohio: 12M population, 4.
In the UK, a similar scheme for research has been established.
59. Meetings to raise awareness.
Other awareness events/promotions
Certifications are also an avenue for business...
60. These help to raise awareness but....
◦ Competitions.
Largely test existing knowledge. No great fundamental learning.
◦ Boot camps.
Two days' training turns someone into a specialist?
◦ Certification.
A 4-day course then a multiple choice exam?
◦ Scholarships to where?
To one of the very few specialist educational centres.
61. Europe needs hundreds of thousands of people!
Specialist centres and short courses are not enough.
◦ Bolt-on security?
Every region in every country:-
◦ Will require people.
◦ Universities / Colleges must act.
◦ Business must act.
A fundamental education review is required.
62. ◦ Firm grasp of fundamentals.
◦ Have a security mindset.
◦ Experience of real attacks.
◦ Practical skills & technical knowledge.
◦ Research skills.
◦ Analysis skills.
◦ “Think outside the box.”
◦ Communication skills.
.............
63. More vocational grads.
◦ Mathematical / theoretical still required but this is largely being addressed.
More vocational courses required.
◦ Is this being addressed?
◦ Colleges? Largely untapped.
However, not just any old vocational course.
64. The syllabus (briefly!)
Themed:-
◦ Programming, Computer Networking, Ethical Hacking.
Four-year honours degree in Scotland.
◦ Year 1 and 2 – Basics & concepts.
◦ Year 3 and 4 – Research and self-learn.
General security, Penetration testing, Web Application testing, Exploit Development, Reverse Engineering, Malware analysis.
65. Culture of project work as assessments:-
◦ Year 1 Ethical Hacking – Project
◦ Year 2 Ethical Hacking – Project
◦ Year 2 Smart Programming – Programming Project
◦ Year 3 Ethical Hacking - Web security project
◦ Year 3 Ethical Hacking – Mini-project
◦ Year 3 Ethical Hacking – Exploit development
◦ Year 3 Group Project - Student chosen
◦ Year 4 Network Management – Network Security project
◦ Year 4 Honours project
Student centred learning.
RESEARCH & DOCUMENTATION ARE IMPORTANT