>Today I want to talk to you about my reasoning why the Security Industry is desperate for staff, and explain a little bit about my self as I’m trying to break into the security industry as a network penetration tester, I also have a solid dig at universities, and i’m probably going to offend a lot of people with this, but it needs to be said and this is what freedom of speech is all about.
The State Of The Industry
The UK IT Security Industry is reported to be about 50,000 people short, why is this? In my opinion it’s because there is no where for security professionals to practice legitimate hacking techniques outside of spending thousands on various different systems and building networks. This results in there being a large amount of Security staff that don’t know how to think like an attacker and a business wondering why their network keeps getting broken into. This in turn creates fear and a greater demand for more security staff creating a vacuum
The Blame Game
I personally blame the state of security education for this shortage. In short you can’t teach someone how to hack and how to audit networks without them at some point auditing a real, secure servers in the wild. Even if you could create an environment to train security staff in attack methods, it would no way be as diverse as the array of internet connected business that they will be presented with in the field. The person in training could only ever leave education with a very narrow skill set based on the budget size of the institute where they learnt.
Universities – The Root Of All Evil?
So what happens is Universities pump out thousands of ‘security’ students that don’t know anything about the real security practices or attack methods they will be expected to defend against. I have done my security degree for 2 years now, and I can tell you, I haven’t learn a thing about security that I didn’t know before I went or that i have learnt in my spare time, and that’s not an exaggeration.
Universities in the UK work at the speed of the worst student on the course, so all security students get is repetitious explanations of the basics of computing causing long drawn out tutorials that leave no time for more in depth security concepts.
If your a prospective security student reading this you might think that you’ll be challenged with all this useful information that is relevant to your career. Instead all you get for your £9000 a year is watered down and censored horse sh*t. The closest I have come to real security talk is chatting to lecturers outside of lessons because they’re not under pressure of talking about “taboo” subjects.
To be blunt universities just don’t have the time or balls to teach security students REAL security that they can actually use in the field, they can’t talk about things like buffer overflows in detail, they can’t step by step explain concepts like SQL injection. This is for two reasons, firstly its like giving students a loaded shotgun, they can’t control what you do with that information, and they don’t want to be liable. Secondly they don’t want it to go over anyone’s heads, god forbid a student might actually have to do some extra reading at home to understand something, even worse god forbid a student actually fail! So instead students come out with a piece of paper that says they are qualified to work in IT Security when in fact they have been taught very little about it, instead we have been repetitively spoon fed the basics of computing with a light glance at how one might approach the topic of security, because its less likely to cause a fuss and to go over students heads.
These students then hit the field knowing very little about real security, and it falls to business owners to spend time and money training them from the ground up, or they simply get jobs securing business without a clue about what there doing from an attackers perspective. So what did we just spend 9000 a year on?
Here is what you get for your 9000 a year on a security course each week in the UK
3 Hours of Cisco – Cisco fund a large portion of my University so we don’t have a free choice like other courses and are forced to spend 3 years learning a qualification that expires in 3 years (CCNA), oh and did I mention we have to pay them to actually take the certification test ontop of our fees and the end of the 3 years?
1.5 Hours of business studies – Group work making a marketing plan for a product I will never make that isn’t really anything to do with my course.
3 Hours of Open systems (linux technologies) quite interesting but I have used linux for 3 years and the things explained are basic even5 months into the module, 90% talking about licensing, 10% actually using linux.
3 Hours of watered down and heavily censored security, for example one way hashing, key exchanges, file systems.
2.5 Hours of Visual Basic programming RFID tags because the Uni is backed by Micro$oft so we have no choice about learning anything other than VB.Net .
(This also assumes the lecturers show up and your lecturer knows what he is talking about. Which isn’t always the case)
Now does that sound like someone you want to hire for a network penetration tester position? How about if I told you that these people are being hired to secure databases with your credit card details in ? Scared now – you should be.
Me as a Hacker
I don’t hesitate to say I have dabbled in the less legal sides of hacking and security, but ONLY to learn and explore. I don’t think you can work in security unless you have done at some point, if you haven’t, how do you know if the things you have read about actually work? You haven’t practiced anything to do with real auditing, you have just read the books. If you are working in penetration testing and have never dabbled, then at some point your company hired you for a job you were unequipped to do, and it probably cost them more to train you than if they hired someone with a greater skill set.
I’ll put this to you, If I turned up to a job interview for a penetration tester ‘year in industry’ tomorrow and there was an equally qualified person applying at the same time for the same position. The person standing next to me has the same degree and the same qualifications, but he has never looked into hacking because he never had the equipment or outlet to practice the skills he could only read about in his spare time.
Then there is me who could root a corporate file server in minutes, social engineer my way through you’re companies head quarters with a smile on my face and read your CEO’s emails from the coffee shop across the road. Does the interviewer ask me where I learnt these things? Would he even ask if i possessed them as a skill? Or does he look at the piece of paper in front of him and go by the fact that Joe Blogs next to me gets the job because his suit is shinier and he can talk the talk? Then 6 months later the company wonders why they are struggling to explain simple port scanning and network mapping to Joe Blogs and wonders why there is no good quality security staff to be had.
If Kevin Mitnick showed up at your door asking for a job at your network security company, would you turn him down because the origin of his skills is a little dubious? Of course you wouldn’t, he is one of the greatest minds in the security (in my opinion) and he doesn’t have an LPT or a CEH and his degree is a little out dated, but he has the skills and the mind set.
Security is an industry where you can’t just recruit someone because of the papers they hold, anyone can revise and memorize information to pass a course, you need to put the skills they say they have to the test. I’d kill to show up to an interview and the company have an easily compromisable server running in the room to test their applicants. I bet half of the applicants wouldn’t know where to start, despite there Security Degree and CCNA emblazoned all over their CV.
Here Is My Challenge
I have learnt all my skill security/penetration skill base on my own, I’m doing my degree because I do need the piece of paper for Penetration Testing firms to even look twice at my CV.
If there is one thing I can tell you, and I tell people time and time again is this: I eat sleep and breath this, I don’t stop, Computer Security isn’t just a career for me, its a way of life (avoiding cliches). That’s not something I can get across on 2 sides of A4 and not something anyone can get with a 3 year course and a light dusting of certifications.
I challenge any UK Penetration Testing Firm or (companies that need an in house penetration tester), If you call me in for an interview for a year in industry placement (September 2011 – 2012), give me 30 minutes of your time with a my laptop, I will show you more penetration testing related skill than any applicant you have seen, and that is a promise. My email is firstname.lastname@example.org if you want to take me up on that.