Enabling Secure Business Operations

Security Education

I often get asked by younger students (early college) how to get into security. I figured I’d give my answer here for everyone to see. Not that this is the only route into security, but it’s how I got here.

I did both an undergraduate and a graduate education in the US. For my undergraduate degree, I studied Computer Science with a minor in Electrical Engineering. I can’t say that it focused much on security, but at the same time, I was working as a system administrator on campus. And I learned the “other” side of security – that of the people that have to implement your suggestions and policies. I also met faculty that were interested in security, and I was fortunate enough to be able to assist in some of the very early “red team” exercises that the NSA sponsored. I wasn’t able to participate since I graduated, but I was able to help set up the lab environment and learn a lot that way. My education certainly didn’t focus on security, but there was a lot of math that helped me understand cryptography later – I didn’t understand it at the time, but now that I understand cryptography better, the math makes perfect sense.

My graduate education was in “Information Networking”, which is a combination of computer science, electrical engineering, and business classes. It was here that I got my first formal educational experience in security – and I promptly dropped the class. It was “Internet Security” taught at Carnegie Mellon. However, the first two classes were mathematical proofs surrounding Kerberos – and I realized that my math skills weren’t strong enough to handle it. Now, I could probably at least understand the class, but I don’t think I’d enjoy it.

I kept working as a system administrator throughout my grad school program. This time, the campus network didn’t have a perimeter firewall, so all of my machines were left to defend themselves. And let me tell you, the 128.2 IP address space gets more attacks than you would realize. I learned in the school of hard knocks. Luckily, I wasn’t dealing with any sensitive data that would cause problems if leaked. The worst information that could have gotten out would be the local password file. All of the users used CMU’s Kerberos system.

I became interested in security, and I started to read and practice. I was lucky enough to have friends that also enjoyed security, and we practiced on each other’s systems. We cobbled together “labs” out of old hardware to play with multiple operating systems, and tried exploits against those. In short, we experimented in a controlled environment.

Now, there are several degree programs in Information Security and Information Assurance. Purdue has one (CERIAS), George Mason University in VA has one, James Madison University in VA has one, and CMU has a formal one now. I’ve seen some of the students coming out of these programs, and while they may provide a solid theoretical ground for security, the ones that have really shone have been those that experimented – either in a class, or on their own.

If I had to tell you what education to take to end up in security, I’d tell you to do either computer science or math (for the crypto tracks), and experiment, experiment, experiment. You’ll learn so much more by doing than by sitting in a classroom. And make sure you’re in a controlled environment so that any of your experiments don’t get away from you!

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!
