
Computer Security - what to study to work in this field?


Robert Chao

Aug 7, 1992, 3:52:50 PM

I would like to work one day in the computer security field though
I don't know many specifics of what to study. I am an undergrad in
CS. For this field, should I take as much math as possible? If so,
which ones? I would guess Numerical Analysis but am not sure.
Should I take as much CS theory as possible?
--
Robert Chao
Oakland, California

Daniel P. Faigin

Aug 7, 1992, 6:58:27 PM
On Fri, 7 Aug 1992 19:52:50 GMT, rc...@well.sf.ca.us (Robert Chao) said:

> I would like to work one day in the computer security field though I don't
> know many specifics of what to study. I am an undergrad in CS. For this
> field, should I take as much math as possible? If so, which ones? I would
> guess Numerical Analysis but am not sure. Should I take as much CS theory
> as possible?

Well, it really depends on what you want to do. I work in the trusted systems
arena as an evaluator, so here's what I would suggest:

First, a strong fundamental CS background. Learn operating systems well, as
well as data structures. Learn hardware to a reasonable extent, especially the
concepts of how virtual memory and protected modes are implemented in
hardware.

Next, some topical areas: study networks, databases, etc. If you can get some
courses on trusted systems, do so (look at schools like UC Santa Barbara,
George Mason University, etc.).

Math? If you plan on doing anything with formal methods, it's a necessity.
Also, logic, as well as any formal proof courses. Some formal methods shops
like people with a philosophy background.

I'd also read the literature and try and attend whatever conferences in the
field you can.

I hope this helps,

Daniel Faigin
Chair, ACM Special Interest Group on Security, Audit, and Control
--
[W]:The Aerospace Corp. M1/055 * POB 92957 * LA, CA 90009-2957 * 310/336-8228
[Email]:fai...@aerospace.aero.org [Vmail]:310/336-5454 Box#13149
"You can't be a rationalist in an irrational world. It isn't rational!"
Dr. Rance, in Joe Orton's "What the Butler Saw"

Wee Win

Aug 8, 1992, 4:54:52 AM
rc...@well.sf.ca.us (Robert Chao) writes:
:
: I would like to work one day in the computer security field though

Take none of those courses for computer security. In fact, don't take any
courses and spend all your time on the computer ;)
Seriously, you have to learn to break the computer so you can fix it. And the
only way I know how to do that is to sit at the computer for an undetermined
amount of time before something breaks.

--
-------------------------------------------------------------------------------
Huy Nguyen | It is not merely enough to survive,
h...@regentdb.uoknor.edu | But to Live. - M. Musashi
-------------------------------------------------------------------------------

Warner Losh

Aug 8, 1992, 5:06:31 PM
In article <Bsnq...@regentdb.uoknor.edu> w...@regentdb.uoknor.edu
(Wee Win) writes:
>Take none of those courses for computer security. In fact, don't take any
>courses and spend all your time on the computer ;)

Well, this is good as far as it goes. You also need to network with
other people doing the same thing. They will tell you of holes which
might teach you, over the long haul, how to look for holes in systems
yourself. Or better yet, how to not have those same sorts of holes in
systems that you write.

--
Warner Losh i...@Solbourne.COM
i...@Solbourne.COM: "I should be OK, I'm basically doing the speed limit"
dwo...@rootgroup.com: "That's why BASIC is so slow. It has a speed limit"

Brian Harvey

Aug 8, 1992, 9:40:57 PM
Synopsis so far:

1. What should I study to be a security guy?
2. [List of things to study.]
3. Break into people's computers!
4. Yeah, break into people's computers!

When I saw the original posting I was sorely tempted to reply, "DON'T work
in computer security -- everyone will hate you for the rest of your life."
But I was afraid people might take that as immature. But I see that I was
right the first time.

Contrary to popular opinion, the world isn't divided into Good Guys (who
promote system security) and Bad Guys (who try to break it); the real
division is into Security Freaks (who are equally happy on either the
offensive or the defensive team) and Normal Human Beings (who have real
work to do on computers and wish the damn security freaks would just
go away).

Posting #2 seems like evidence against my position, but #3 and #4 support
it. So the preponderance of the evidence is on my side... :-)

My advice is, do something socially useful for a living.

David Lemson

Aug 9, 1992, 11:03:05 PM
i...@solbourne.com (Warner Losh) writes:

>In article <Bsnq...@regentdb.uoknor.edu> w...@regentdb.uoknor.edu
>(Wee Win) writes:
>>Take none of those courses for computer security. In fact, don't take any
>>courses and spend all your time on the computer ;)

>Well, this is good as far as it goes. You also need to network with
>other people doing the same thing. They will tell you of holes which
>might teach you, over the long haul, how to look for holes in systems
>yourself. Or better yet, how to not have those same sorts of holes in
>systems that you write.

Yep. Experience, experience. If you're going to read anything,
check out Garfinkel and Spafford's book on security from O'Reilly
(part of the Nutshell series). I think their number is
800-ORA-NUTS, or in...@ora.com. It's pretty good for a beginner.
Also ftp to cert.sei.cmu.edu and get all the text you can find and
read it. There is one called "Improving the security of your UNIX
system" written by SRI Int'l. (sorry, I don't remember who wrote it
there)
The best way to learn is to manage a network and have people try to
break into it!
--
David Lemson (217) 244-1205
University of Illinois NeXT Campus Consultant / CCSO NeXT Lab System Admin
Internet : lem...@uiuc.edu UUCP :...!uiucuxc!uiucux1!lemson
NeXTMail accepted BITNET : LEMSON@UIUCVMD

Tim Scanlon

Aug 10, 1992, 11:42:20 AM

It probably ought to be noted that it's better to break into your
own system, and do it yourself, than to either break into others' sites,
or have other people break into yours. Although, neither of the above
is as exciting as the alternative.
It is useful to try and close holes that someone else is exploiting,
and it provides a wealth of experience that merely doing it all by yourself
doesn't give you. Because in many ways, it's like driving blind. You have no
idea what the other guy is up to. Finding a partner and trading off roles
is a good solution. Again, this method offers the virtue of being able to
work at one's home site. Foreign site stuff is good, if you can find a
partner to work with there too. But it's tougher to find understanding
at 2 sites, much less one. The problem is that there are a large amount of
system administrators who are frankly semi-competent at best and definitely
paranoid beyond reason about "security". Mainly, their fear is rooted in
a topic they poorly understand. If you have a competent, balanced sysadmin,
you should feel blessed.

Tim Scanlon
DS/BDS/CMI/ISS/ACD

--
Live Free, Promote Freedom, or you are just selling out. If one ignores
one's rights, they dissipate. If one ignores freedom, it evaporates.
Tim Scanlon
t...@gravity.gmu.edu
gen...@access.digex.com

Barry Miracle

Aug 10, 1992, 6:05:40 PM
w...@regentdb.uoknor.edu (Wee Win) writes:

>rc...@well.sf.ca.us (Robert Chao) writes:
>:
>: I would like to work one day in the computer security field though
>: I don't know many specifics of what to study. I am an undergrad in
>: CS. For this field, should I take as much math as possible? If so,
>: which ones? I would guess Numerical Analysis but am not sure.

Numerical Analysis is not a big requirement in Computer Security.

>: Should I take as much CS theory as possible?
>: --
>: Robert Chao
>: Oakland, California

>Take none of those courses for computer security. In fact, don't take any
>courses and spend all your time on the computer ;)
>Seriously, you have to learn to break the computer so you can fix it. And the
>only way I know how to do that is to sit at the computer for an undetermined
>amount of time before something breaks.

I would not take this advice if I were you.

>--
>-------------------------------------------------------------------------------
>Huy Nguyen | It is not merely enough to survive,
>h...@regentdb.uoknor.edu | But to Live. - M. Musashi
>-------------------------------------------------------------------------------

I have worked for Secure Computing Corporation for seven years.
Secure Computing is one of the premier companies in the field of
computer security. It develops very high assurance systems including
the LOCK system, which is targeted to exceed the requirements for an
A1 evaluation.

The field of computer security has many branches, cryptography, key
management, operating systems, databases, networks, distributed
systems, etc... Most of the fields of computer science have security
problems that need to be addressed.

The training that you should seek is to develop very strong computer
science and math skills. Secure Computing prefers MS degrees, but BSs
with good grades and an interest in computer security will get you in
the door. If you are interested in the assurance of high integrity
systems, then you would have to have a MS to get a job at Secure
Computing. A strong OS background is required. After that pick a
specialty, networks, distributed systems, ...

As far as breaking into systems and networks, you could not learn in a
year banging on a keyboard, what can be taught in a short time with
Secure Computing. I think that this will be true of any of the real
computer security companies.

Also, unless you own your own network, you will not be able to
experiment without risking someone else's computer resources. I
personally believe that when you are using someone else's network it is
like being in their home. When I am in someone else's home I don't
trash the place and leave. I can trash my own house all I want
though.

If you want a job when you graduate, or just for the summer, then send
me an EMail message. We are always looking for new talent. You would
have to come to MN though.

Barry Miracle
Secure Computing Corp.
mir...@sctc.com

PS. Keep your nose clean so you don't have problems with a security
clearance.

Tim North

Aug 11, 1992, 2:37:28 AM
In article <BsMpw...@well.sf.ca.us>, rc...@well.sf.ca.us (Robert Chao) writes:
> I would like to work one day in the computer security field though
> I don't know many specifics of what to study. I am an undergrad in
> CS. For this field, should I take as much math as possible? If so,
> which ones? I would guess Numerical Analysis but am not sure.
> Should I take as much CS theory as possible?

I would strongly suggest including a good course in operating systems,
particularly if it has a strong Unix bent.

Cheers,
-------------------------------------------------------------------------------
_--_|\ | Dept Computer Engineering, Curtin University of Technology
/ \ | Perth. Western Australia. 6102. Phone: (+61 9) 351 7908
-->\_.--._/ | Internet: Nort...@cc.curtin.edu.au
v | Bitnet: North_TJ%cc.curti...@cunyvm.bitnet
TIM NORTH | UUCP: uunet!munnari.oz!cc.curtin.edu.au!North_TJ
-------------------------------------------------------------------------------

John Nagle

Aug 11, 1992, 12:45:02 PM

Assuming you want to BUILD secure systems, and not just run them:

Operating systems, and not just one operating system. You need an
understanding of the architecture of different operating systems and how
they deal with security. Some of the better ones (Multics in particular)
are little used today but need to be understood.

Distributed systems: client/server systems, networks,
distributed databases, LANs. Computer security today involves
multiple systems.

A working knowledge of cryptography is useful. Understanding
cryptographic theory is not essential, but it's very important to
understand the strengths and weaknesses of cryptographic systems,
with key management, not encryption techniques, being the major issue.
Don't get hung up on Galois field theory or other heavy cryptographic
issues unless you plan to become a cryptographer.

Design of reliable systems, from RAID disks to Tandem networks.

A basic knowledge of transaction-processing environments is
valuable. Those are the systems that handle money, and that's where
the real jobs in security are. Many databases have security
controls, and this level of security is important, too.

If you want to work on Orange Book/DoD provably secure systems,
you probably need a MSCS and heavy theory of computation, with an
emphasis on formal methods. But the market for people with these
skills is tiny.

John Nagle

Secure Unix Team KID01

Aug 11, 1992, 8:33:52 AM
In article <1992Aug10.2...@sctc.com> mir...@sctc.com (Barry Miracle) writes:

>w...@regentdb.uoknor.edu (Wee Win) writes:
>
>>Take none of those courses for computer security. In fact, don't take any
>>courses and spend all your time on the computer ;)
>>Seriously, you have to learn to break the computer so you can fix it. And the
>>only way I know how to do that is to sit at the computer for an undetermined
>>amount of time before something breaks.
>
>I would not take this advice if I were you.
>

I would *definitely* second this advice.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Martyn Amos -- Secure UNIX Team, ICL Kidsgrove, Staffs., ST7 1TL O/ |
| m...@skoda.zen.icl.co.uk -- Tel. (0782) 771000 Ext. 3152 /| |
| >>>>>>>>>>>>>> T E R M I N A L L Y G R O O V Y <<<<<<<<<<<<<<< / > |
| Disclaimer: My mental state is not ICL's fault. |

Cliff Stoll

Aug 11, 1992, 2:23:51 PM

Robert Chao wants to work in computer security and wonders what
courses to take.

Huy Nguyen sez not to take any courses (say, on numerical analysis)
rather, to spend all your time on the computer and to learn to break
the computer so you can fix it ... to sit at the computer for an
undetermined amount of time before something breaks.

Warner Losh adds that you also need to network with
other people doing the same thing. They will tell you of holes which
might teach you, over the long haul, how to look for holes in systems
yourself.

David Lemson says, "The best way to learn is to manage a network
and have people try to break into it!"


Well, I say: Take all the Computer Science courses you can!
Learn programming, operating systems, networks, and databases.
The field of computer security is far wider than breaking into
computers, looking for operating system holes, or managing networks.
You can pound on an operating system for years and never learn
about public key cryptosystems, formal analysis, ethics, or
non-discretionary controls.

Do research and publish your results -- not postings to Usenet, but
papers at computer security conferences and articles in reviewed
journals. Learn as much about computing as you can: in
operating systems, network topology & protocols, analysis...
Later, if you can't find a job in computer security,
you'll be qualified for plenty of other positions.

Beware: there's a sense that if you can break into computers, you're
somehow qualified in computer security. This is false on several
levels:

1) The techniques of breaking into systems do not teach
protection. Knowing that a particular cryptosystem is
weak doesn't mean you know how to make a strong one.

2) Most who employ computer security specialists are
exquisitely sensitive to trust, confidence, and ethics.
A history of breaking into computers won't get you a job.
Banks don't hire embezzlers. Comsec, a group formed from former
associates of the Legion of Doom, apparently was not a
commercial success.

3) There are very few full time computer security jobs
where you're employed to plug up holes.


Indeed, I know of nobody employed in computer security whose
background is breaking into computers. Yes, there are plenty
of rumors -- friend of a friend & suchnot -- but I've not met any.

Get a good, well rounded education. It'll come in handy.

-Cliff Stoll st...@ocf.berkeley.edu 10 August '92

Paul A. Karger

Aug 31, 1992, 11:01:18 AM
Study as much as you can about how "real systems" get built. Security
is in many ways an exercise in making a system really behave as specified.
To do this, you need to understand how to make systems work. Take courses
in operating systems, data base management systems, software development
methodologies, network design, performance measurement, GUIs, human factors,
etc.

To do cryptographic algorithm design, you also need heavy mathematics,
including group theory. To do formal specification and verification,
you need logic courses.

Most important of all - you need hands-on experience in building things
like operating systems. Too many so-called secure systems have been built
that prove to be unusable, because the secure systems designers thought
all about security and formal methods and logic, and forgot to worry about
building a system that end-users would want to use.

Security is an interesting area to work in, because it has impacts in ALL
aspects of a computer system. However, to do computer security well, you
first have to know all those aspects well.

- Paul (20 years in the computer security biz)
