deep sec talk - addressing the skills gap

Experiences of actually trying to fill the gap... Colin McLean, DeepSec, November 2014.

Upload: colin-mclean

Post on 16-Apr-2017


Colin McLean
◦ Abertay University, Dundee, Scotland.
◦ Lecturer for 24 years.
◦ Developer of the 1st Undergrad Degree in Ethical Hacking (started 2006).

Abertay?
◦ Small University.
◦ Vocational courses.

Far away from most of the action.

Normal people live here someplace

Since 2010, our graduates have been employed by....
◦ KPMG, Qinetiq, NCC Group, Cigital, PWC, RBS, HSBC, MWR Labs, GCHQ, Tesco Bank, West point security, NCR, NTA Monitor, Mandalorian, Context IS, GFI Software, Firstbase, White Stratos......

Many of these companies have more than one graduate.
◦ NCC employ TEN of our graduates.

Abertay has a good reputation amongst security companies in the UK for producing graduates with (roughly) the correct attributes.

Something has gone right at Abertay.
◦ Room for improvement.

The extent of the problem. Academic courses.
◦ Producing the right course.
◦ Things that have happened (knock-on effects).
Attracting people on to the course.

When you think he is going to tell us how wonderful he is...

8 years.... Luck. Some good judgement. Timing? Some awesome people.

Much of this talk is based around the experiences of this course.

What is the scale?

“The DoHS can’t find enough people to hire.”

Mark Weatherford, DoHS, USA.

“This shortage of ICT skills hampers the UK’s ability to protect itself.”

UK National Audit Office.

“The demand for cyber security experts is growing at 12 times the rate of the overall job market.”

Hord Tipton, managing director of (ISC)2.

(ISC)2 report: people working in the industry, now (2012) and estimated required (2017), in millions.

              2012     2017
Americas     1.181    2.081
EMEA         0.797    1.363
APAC         0.894    1.463
Total        2.872    4.908

EMEA = Europe, Middle East & Africa

APAC = Asia Pacific

Europe needs ~>200K in the next 2 – 3 years.

“By 2017, there will be a global shortage of no less than two million cyber security professionals”

http://www.itproportal.com/2014/11/03/house-of-lords-warning-uk-faces-devastating-cyber-security-skills-crisis-/#ixzz3IOQyyxlC

Options for a company?

In the UK alone, 98 degrees have a cyber security element...

40 to 50 MSc’s....

We are on our way..right?

“Part of this problem, seemingly, is down to courses which are too steeped in academia and not in keeping with the true demands of the cyber security field.”

“the right practical skills aren't being taught, such as configuring and reconfiguring systems, trying out exploits, compromising the security of boxes and hardening defences.”

Sean Smyth, director at CyberSecurityJobsite

http://www.scmagazineuk.com/more-jobs-but-cyber-security-skills-gap-widens/article/340103/

“The courses aren't right…they're great but not quite who the employer is looking for”.

“too many graduates have learnt reactive skills, not the stuff that comes up in real life”

“some professors say that these are often taught on industry placements”.

Academics traditionally produce theoretical courses.
◦ That’s what we do.
◦ It’s not our fault.

Companies are blaming academics for producing the wrong product.
◦ You aren’t giving us graduates with the 1337 skillz.
◦ It’s not our fault.

What do we need to fix?

Web App Problems (SQLi, XSS etc). Poor coding etc, etc. Malware. Attacks. Bad configuration/setups, unpatched software. Weak Authentication - bad passwords? DoS. Known or unknown vulnerabilities. Educating staff...........

Networking. Systems. Developers. Offensive. Forensic. Responders.....etc...

Also “softer skills” will be required
◦ intellectual property, internal security policies, HR, job writers, lawyers etc...
◦ Academia/Business must work to solve this.

Mathematical / theoretical courses are required (largely being addressed?)

Theoretical can (?) save the world.

But...more vocational graduates are required.
◦ Theoretical solutions are not being adopted.

More and better vocational courses required.
◦ Is this being addressed?

Requirements analysis...

Some of the attributes are unusual for a degree (especially a technical subject). This is perhaps a problem?

These CAN be catered for during a degree.
◦ Teaching/Tutorials/Assessments/Extra-curricular activities
◦ External speakers etc.

2005 – A two year UK government funded project – Abertay Uni & NCR R&D
◦ Employed a full-time researcher.

“Risk analysis of an NCR Automated Teller Machine (ATM).”

Jim Kirkhope of NCR: “it would be great to be able to employ graduates who knew this stuff..”

Industry driven

NCR Student projects
◦ Covered by NDA..

Firstbase Techies.
◦ Guidance, talks, free training.
◦ Firstbase employ two Abertay graduates.

Cigital
◦ Talks, workshops, sponsorship, free software
◦ Cigital have employed 2 of our graduates.

NCC
◦ Talks, workshops, sponsorship, guidance etc.
◦ NCC employ 10 of our graduates.

Now, I have contact with many companies.

It's moulded the content.

Ethical Hacking “company contact week” for students in their final year.
◦ NCC Group, MWR, KPMG, NTA Monitor etc have given training/advice etc...

Let them do things.
◦ Build their own specialisms.
◦ Build their own brand.
◦ Builds community spirit.
◦ Publicity.

An example...
◦ Abertay Ethical Hacking society.
◦ Students meet every week.

Ethical Hacking Society.

• Greg Scott: Fuzzing: Brute Force Vulnerability Discovery
• Milo Farkner: Time for some Crypto
• Rorie Hood: The Kernel, an int and the Null Pointer Dereference
• Andy Redfield: Lockpicking
• Georgi Boiko: XORing and Cryptography
• Paul Dalton: Ping of Death revisited
• Erden Eren: New ATMs: Secure?
• Rorie Hood: The Gifar Attack
• Jack Graham: Breaking the Boundaries with ToBmuD
• Ian Soutar: You've Found a Vulnerability, Now What?
• Tony Roper: Reverse Engineering 32-bit Windows Executables
• Andrew Macdonald: Hacking for Homebrew: How to build your own PS2 Linux Kit
• Ian Soutar: Web Applications: Securing a Broken Website
• Jack Graham: The Power of TIFF, Screens and META
• Christopher Donnelly: Google Hacking
• Blair Dick: I2P - The Anonymous Network
• Rorie Hood: Rootkit Development
• Paul Dalton: USB Autorun on Windows
• Daniel Forse: Exploiting the Inherent Trust of Human Input Devices

BruCon Security Conference 2011
◦ “Smart Phones – The Weak Link in the Security Chain, Hacking a network through an Android device” by Nick Walker and Werner Nel

BruCon Security Conference 2011
◦ “Script Kiddie Hacking Techniques” by Ellen Moar

BSides London Security Conference 2011
◦ “DNS Tunnelling: It's all in the name!”, Arron Finnon

GrrCon (Grand Rapids, Michigan) Security Conference 2012
◦ “I’m the guy your CEO warned you about” by Gavin Ewan

BSides London Security Conference 2013
◦ “The evolution of Rootkits into the mobile ecosystems”, Rorie Hood
◦ Seven students have spoken at the rookie track.

BSides Lisbon Security Conference 2013
◦ “NoSQL – No Security..”, Gavin Holt

BSides Manchester 2014
◦ Gavin Holt & rookie track...

Our students talking at cons: France, London, Lisbon, Cardiff.

Securi-Tay (http://securi-tay.co.uk/): 2012 – 20 people, 2013 – 110 people, 2014 – 150+ people.

As well as the obvious... Contacts & knowledge exchange between Universities.
◦ Leeds Beckett Uni, Sheffield Hallam, Dublin etc...

Publicity.
◦ TV/Radio/Newspapers..

School children have come to Securi-Tay

Largely untapped.

Initiatives.
◦ Students visit Schools.
◦ Women in science days.
◦ Publicity..

Increase in female students.

School visits.

School trips to Universities. School teachers training. Planned awareness talks for the “elderly”.

To (some) academics
◦ We are not producing the right product.
◦ Our courses need to change.
◦ We don’t have the skills to teach our students.
◦ We need to ask for them.

To (some) companies
◦ You need academia to make your product better.
◦ You need our product to be better.
◦ You are not helping academics get these skills.
◦ You need to give out these skills.

To some academics.
◦ Vocational CAN be academic.
◦ My student work has included..

Methodology, Taxonomy, Crypto, Risk analysis, Software development...

To some companies.
◦ “Look at this great deal that your graduates will get”.
◦ Moaning about academia will get you no place!

Don’t expect GRADUATES to be experts the day they start.
◦ A degree MUST be generic.
◦ It’s about lifelong learning and no other discipline expects this so ....don’t you.
◦ A University degree is not TRAINING.

Academia.
◦ We must make an attempt to make graduates “billable” as early as possible.

Fear of teaching the offensive. What’s in a name?? Cyber-Hacking! More specialist degrees.

Thanks for having me & for listening..

Questions?

Knowledge Transfer diagram. Colleges. What’s in a name?
◦ Cyber/Ethical hacking. Fear of teaching offensive. Competitions – must be knowledge.

Vocational is becoming important. Must be investment in resources. Education must be driven by the Industry. Industry must invest time & effort in academia. More specialist degrees.

If a company requires graduates then approach academia.
◦ Influence content.
◦ Influence graduate attributes.
◦ Influence assessment.

Student project work.
◦ It gives the company an indication of the skills of the student in question & the University.

Realise. The content MUST be requirement driven.

Some Universities are offering degrees.
◦ They teach what they know how to do.
◦ Uni’s jumping on the bandwagon is pointless.

Must be a breadth of topics.
◦ Graduates must be flexible.

Lack of practical security knowledge in Universities.

Companies need to encourage academics. Work alongside a security person?

In house training?
◦ Why not invite an academic.

Academics must also undertake difficult modules.

“Too steeped in academia”
◦ We are vocational.

“Practical skills aren't being taught”
◦ Our students' practical skills have been developed with the assistance of companies.

“Not the stuff that comes up in real life”
◦ Case study based and guided with the assistance of companies.

“The courses aren’t right.”
◦ Industry has guided our course.

“These are often taught on industry placements.”
◦ Many of ours are taught on the course.

Currently producing ~20 graduates per year who have a choice of job.
◦ Becoming more popular every year.

We also run an MSc in Ethical Hacking (~10 grads per year).

No magic formula.

More programmes like ours required.

How to tackle the problem?

“Governments, business and the IT security industry need to work together to make cyber security more visible and attractive as a career”

Mark Weatherford DoHS.

“Industry and academia should ...raising awareness of the growing demand for cyber security professionals.”

“Industry and government should invest in cyber security professionals who can address cyber threats.”

Canadian ICTC Report.

http://www.ictc-ctic.ca/wp-content/uploads/2012/10/ICTC_CyberSecurityReport1.pdf

NSA & DoHS sponsor National Centers of Academic Excellence
◦ Identify excellence in Research & Education.
◦ Largely National defence related.
◦ Some community colleges (vocational).

UK heading down this same route.

More vocational cyber security degrees in the USA than Europe.
◦ Still not producing nearly enough suitably qualified people.

California: 38M pop, 8 edu establishments. Ohio: 12M pop, 4. In the UK, similar scheme for research est.

Competitions

Boot camps

Scholarships.

Meetings to raise awareness.

Other awareness events/promotions

Certifications are also an avenue for business...

These help to raise awareness but....
◦ Competitions. Largely test existing knowledge. No great fundamental learning.
◦ Boot camps. Two days training turns someone into a specialist?
◦ Certification. A 4 day course then a multiple choice exam?
◦ Scholarships to where? To one of the very few specialist educational centres.

Europe needs 100K’s of people!

Specialist centres and short courses are not enough.
◦ Bolt on security?

Every region in every country:-
◦ Will require people.
◦ Universities / Colleges must act.
◦ Business must act.

A fundamental education review is required.

◦ Firm grasp of fundamentals.
◦ Have a security mindset.
◦ Experience of real attacks.
◦ Practical skills & technical knowledge.
◦ Research skills.
◦ Analysis skills.
◦ “Think outside the box.”
◦ Communication skills..............

More vocational grads.
◦ Mathematical / theoretical still required but this is largely being addressed.

More vocational courses required.
◦ Is this being addressed?
◦ Colleges? Largely untapped.

However, not just any old vocational course.

Themed:-
◦ Programming, Computer Networking, Ethical Hacking.

Four year honours degree in Scotland.
◦ Year 1 and 2 – Basics & concepts.
◦ Year 3 and 4 – Research and self-learn.

General security, Penetration testing, Web Application testing, Exploit Development, Reverse Engineering, Malware analysis

The syllabus (briefly!)

Culture of project work as assessments:-
◦ Year 1 Ethical Hacking – Project
◦ Year 2 Ethical Hacking – Project
◦ Year 2 Smart Programming – Programming Project
◦ Year 3 Ethical Hacking – Web security project
◦ Year 3 Ethical Hacking – Mini-project
◦ Year 3 Ethical Hacking – Exploit development
◦ Year 3 Group Project – Student chosen
◦ Year 4 Network Management – Network Security project
◦ Year 4 Honours project

Student centred learning.

RESEARCH & DOCUMENTATION ARE IMPORTANT