Sunday, September 29, 2013

What I Wish I Knew Before Studying Computer Security in College

In twelve short weeks I am going to be graduating from college with a degree in Computer Networking with a focus in Computer Security. Over the past three and a half years, I have studied security in class, become involved in security-related extra-curriculars and in the industry, interned for a combined full year of full-time work at three different companies, and developed countless personal projects. Now that my time in college is almost over, I want to reflect on some of the things I've learned as a student of Computer Security with the hope that some incoming security students can learn from my experiences. If you are currently in the industry or have any other advice, feel free to leave a comment and start a discussion.

Update: There are some great discussions happening over at Hacker News and /r/netsec. Just to clarify some things that people have pointed out in those comments, this post is aimed primarily at new students who are considering this field. Obviously not every aspect is relevant for every person, but I tried to summarize the points most applicable to the largest number of students. Keep the comments coming, though - it's starting a great discussion about the state of security in academia.

Update 2: Thanks to Ünlü Ağyol for translating this post into Turkish. You can read it here.

1. This field is larger than you might think.

When I first started out as a freshman, I thought computer science as a general discipline was huge. There were so many sub-fields and focuses. Now that I've been studying one of those sub-fields, security, for almost four years, it seems huge in its own right. Cryptography, malware, reversing, mobile, forensics, web, mainframe, application, and networking are just a few of the topics in security (and that is barely scratching the surface).

Because of this, you will never learn everything. You will learn concepts and overarching principles along with a few details here and there. But the real experience comes from internships. Jump at internship opportunities the first chance you get. If you have no plans for the summer after freshman year, you are likely going to be behind.

2. You're not going to escape computer science.

The college that I am attending has distinct majors for Computer Security and Computer Networking that are in an entirely different department from Computer Science. Some schools have Computer Science as the major and Security as the minor or concentration. Regardless, I've heard countless peers say that the reason they chose security over computer science was to avoid all the programming. While you can certainly avoid some of the more concept-heavy principles of computer science by studying security, it's not going to do you many favors in the long-run. I haven't had a single internship that didn't require moderate to heavy amounts of programming. As a security student, I often wished that I had spent more time understanding the core elements of computer science. Additionally, many security challenges require a vast understanding of both the security and the programming concepts behind them.

3. Involvement and personal projects matter.

This is more relevant to the tech field in general, but is still extremely applicable to security. I know a number of students who are ready to graduate and don't have a single repo on GitHub, have never published a blog post, don't read any blogs online, and couldn't begin to list something on their resume that wasn't part of a class project. Getting good grades in class is not enough to sell your skills to an employer. The security field is full of conferences, challenges (Capture the Flags), and project opportunities. Getting involved in a security club (starting one if one doesn't exist), completing online challenges (there are hundreds of them), maintaining a blog, and pushing some personal projects to GitHub every once in a while are great ways to show that you actually care about the work you're studying.

4. You need to love this field to make it a career.

The rate at which technology is changing is absolutely insane. With every new program, technology, language, or feature that is developed comes a host of security challenges. New discoveries are made every day, if not every hour. A career in security is not one that can be performed at the office and separated from the rest of your life. To be successful, you need to be involved in the industry, reading blogs by security researchers, and even doing research yourself. You will never learn everything (see point number one), but at least you will be informed.

5. Learn to spell and use proper grammar.

I would often spend an extra ten or twenty minutes after every group project to go back through my peer's work and correct "then" to "than," "your" to "you're," and so on. I also repeatedly catch myself misspelling some words. Many students think that being in a tech career excuses them from the requirements of good spelling and proper grammar. However, security still requires reports, letters, emails, and other documentation along with written communication with bosses, clients, and coworkers. You are not going to be taken seriously if spelling mistakes are prevalent throughout your work.

6. Break things.

I spent the better part of my first year of college carefully completing every lab report, following the steps verbatim, and starting over when things went wrong. I relied entirely too heavily on virtual machine snapshots. What I should have been doing instead of pressing "restore" was Googling for my problem and fixing it. Thankfully, I recognized this early on and was able to start treating my labs as real-world scenarios. It's not very easy to simply hit "restore" on a production server because you accidentally deleted a set of files. So it shouldn't be possible in labs. Plus, while Googling for the problem, you just might learn a few other things as well.

To complement this point, don't be afraid to experiment on your own, either. Labs and homework are only going to teach you so much. As I mentioned in point one, it is impossible to teach every aspect of security in four years. You need to do your own work and break your own things. Virtual machines are perhaps the easiest way to do this. Want to learn how to secure a web server? Set one up and Google how to break it. Then, actually try. Download an insecure VM (De-ICE, WebGoat, etc.) and go through the challenges. As a professor of mine has said many times in class, "you're not learning unless your body is between the screen and the chair and your hands are on a keyboard."

7. Learn to use Google.

I mean really use Google. Learn how to find the most obscure problems and the most practical solutions. You will be amazed at how many other people have had the exact same problem.

8. You sometimes have to ask to find security internships.

When I first started looking for internships, the most common issue I ran into was what seemed like a lack of openings for security positions. Almost all the openings were for "Software Engineer," "IT," or "Help Desk." However, after I started sending out emails to companies, I found that many of them were extremely willing to take on an intern in their security department. All I had to do was ask.

9. Awesome security electives exist. Take them!

Obviously there is no way to fit every possible security concept into a four year degree program. Many schools offer security electives that supplement existing courses with new material. Two that I remember vividly were "Cyber Defense Techniques" (basically a team-based hack and defend course) and "Pentesting." These were very hands-on classes and required a lot of outside work. But they're also the classes in which I got the most time behind the keyboard and learned by doing. Many professors who are interested in security are willing to teach these courses because they want to learn as well. Sometimes, all it takes to get a course developed is to talk to a professor.

10. Vary your experience.

While it's certainly an option to intern at a company during your freshman year, come back every year after, get a job with them after graduation, and work for them the rest of your life, reality doesn't always pan out that way. You will never be able to predict where your career will take you in ten, twenty, or thirty years, so getting varied experience now might be the key to accepting or rejecting a future job offer. There are so many places that security experience can take you. You can work in the government, for a consulting firm, a startup, a bank, a typical business, a non-profit, and in practically almost any other environment you can imagine. If you have three summers between freshman and senior year, work in three different places. Vary your physical location (try a city vs a rural area), the size of the company (a startup may only have ten people whereas a multinational bank might have 10,000), and other factors.

11. You're still a college student.

Last, but not least, remember that you're a college student. Again, this is not solely applicable to security, but join organizations, make friends, and create experiences for yourself. Study abroad if you can. While coursework is certainly important, there is so much more to experience in college than just going to class and returning home. Take advantage of the discounts and offers you get as a college student (including many security conferences). You have just about four years to shape the rest of your life; remember to shape it evenly.

34 comments:

  1. Thanks. As a CS student myself (graduating in 10 weeks) these are some very good tips.

    ReplyDelete
  2. I took computer systems engineering. Engineers are higher pecking order than liberal arts computer science people. The engineering core is differential equations, statics, mechanics, 3 physics semesters, chemistry, electrical networks, electrical devices, electrical properties of materials, bunch of other core engineering courses.

    ReplyDelete
    Replies
    1. Good boy, i give you a cookie.

      Delete
    2. awesome reply...and he really wanted to learn the field, he should have skipped college entirely.

      Delete
  3. Excellent post ! Thank you

    ReplyDelete
  4. Screw internships, they're for the birds. Find yourself a paid position.

    ReplyDelete
    Replies
    1. See Pranjal's comment, but there are absolutely paid internships in security. In fact, I haven't (thankfully) seen too many unpaid ones.

      Delete
    2. RIT's co-op program requires that all positions be paid unless you are working for a nonprofit organization.

      (Source: I just graduated from RIT as an info-sec major)

      Delete
  5. Great post! And you can find paid security internships.

    ReplyDelete
  6. Great post. As a programmer interested in security, I wish I could redo college and take advantage of your suggestions! Also, I noticed a very monitor typo. Under the fifth bullet point, I think you meant to use an apostrophe after the "s" in "peers" (unless you were referring to just one peer).

    ReplyDelete
    Replies
    1. | Also, I noticed a very monitor typo.
      Not a big deal, I just thought it amusing that you made a typo in your post pointing out a typo

      Delete
    2. It's almost a requirement to make at least one typo in a post correcting someone's typo.

      Delete
  7. This comment has been removed by a blog administrator.

    ReplyDelete
  8. As someone who helps run a computer security-focused internship program, I can say that this is a great list of recommendations. Extracurriculars are especially important in security. You'll do well if you know how to figure things out on your own and are driven to learn. Attaching yourself to a mentor is also a great way to pick up practical security skills quickly.
    And a shameless plug - anyone looking for a paid computer security internship with an emphasis on education for summer '14, check out the Center for Cyber Defenders at Sandia National Labs. Our program recruits high school through PhD students.

    ReplyDelete
    Replies
    1. How would you find a mentor as a professional not working in security (and not at school with professors to mentor you)?

      Delete
  9. There are tons of paid internships if you guys are looking around. There is a thread on reddit itself - http://www.reddit.com/r/netsec/comments/1hisg6/rnetsecs_q3_2013_information_security_hiring/ where you can browse through all the job postings. I am a Security Consultant with the biggest software security firm, Cigital. We always are on the lookout of good security interns. If interested, email me your resumes - anshuman dot bhartiya at gmail dot com

    ReplyDelete
  10. this is incredibly helpful, thanks for posting!

    ReplyDelete
  11. This is exactly what I wanted to read this morning! I am currently a Sophomore in CS at Purdue University going toward securities. Thanks for your insight!

    ReplyDelete
  12. As a graduate and past-student going back after time in the industry. Please take number 7 seriously. I guarantee you, you can find the answer with Google, if you know how to use it.

    ReplyDelete
  13. Very interesting. When I got my junior web dev gig, I stopped doing college where I was because I was learning more at work than at school.
    Actually working with code 10 hours a day, 5 days a week made me love coding, so when I got some free time on my hands, I put my newly found l337 web-dev skills to use by implementing basic data structures in C helping myself with a Java datastructures book. It came out pretty well.
    Then I took part in my first ctf a few days ago and I'm hooked.

    ReplyDelete
  14. Very helpful post.

    Which college you graduating from?

    ReplyDelete
  15. This is a great post. It is amazing to an old geezer like myself to realize that there are probably thousands of students studying security right now. I would add one piece of advice to your excellent list. Learn tools. Get to know the major commercial security products. You may have to do this through an internship. Learn RSA Security Analytics for packet capture. Fortinet or Palo Alto for gateway security. Use code review products. Learn McAFee EPO. Every tool you learn is a keyword on your resume that recruiters will search on and find.

    ReplyDelete
  16. Wow! Well said. Great advise for anyone in the field. I have been in security for 15 years and could not agree more with everything you said. Specifically the programming. Unless your working strictly with policy, you must understand programming; this is where hacking begins. Check out security tube's python class.... no link (tip 7) Google it!

    ReplyDelete
  17. Great post!!! Thanks! I did my B.E in EEE and worked for 2+ years as an hardware design engineer... now am about to do M.S in network security and your post serves as an great eye opener!!! Thanks again and All the Best!!!

    ReplyDelete
  18. Great article! So it's really OK to use Google for your answers. These tips are good for actually any field of study you choose.

    ReplyDelete
    Replies
    1. Google's fine to use for anything, all it does is take you to the best pages if you use it right. Even in an IT service company everyone Googles anything they don't know before they search the professional publications and such.

      Delete
  19. Nice article, except for 3 and 4. Having been in this field for quite some time, I can tell you with reasonable confidence that companies don't care if you're in a "security club," are into blogging, etc...my grandmother can blog; so what? You also don't need to eat, live and breathe this and yes, you CAN leave it at the office. In fact, I make it a point to do so. I work to live, I don't live to work. Don't get me wrong, if you love it so much and are so geeked out on this you spend every waking moment with it, more power to you. But it's not a requirement.

    ReplyDelete
  20. As the technology is Learning getting advanced, there are more products that are created to make life easier.With the help of modern technology, people's standard of living also changes. Most of the people do not realize the importance of technology and how it has changed the day to day life.

    ReplyDelete
  21. I am very thankful to the author to write this fruitful information.It is worth sharing for other users.Thanks once again

    IT management service Chicago

    ReplyDelete
  22. Here in Brazil in our company we have several students who before joining the faculty had done some online specializations technologies courses (such as programming and design, for example). This has helped a lot in class and here in the company. Gaeta, Sergio - ERP Software Consultant at http://www.sbg.com.br

    ReplyDelete
  23. we are software development company in delhi offering Software Development, Outsourcing Web Development, Offshoring Software Development, seo services.

    ReplyDelete
  24. I am a Cyber Security Graduate student looking for internships, and haven't found any yet.
    Any comments ?
    Also, I find point that 'to find internship, you need to ask'
    any suggestions ?

    ReplyDelete
  25. Thanks for such a nice blog post....i was searching for something like that. voip phone system

    ReplyDelete