Recently in Teaching Category

Teaching again


I have recently been invited to teach my introductory computer and network security class in the Spring semester. The class is a "high 300"-level class, and I'm looking forward to refreshing my material.

For as many years as I have been active in this field, I have observed a serious disconnect between technical information security practitioners and the material that is taught at colleges and universities.

As it happens, I will be heading out to Las Vegas at the end of this month (July) to attend the Black Hat Briefings and some of Defcon 18. At the risk of launching the understatement of the year, I am fairly sure that it should not be too hard to find security practitioners with an opinion at those venues.

So, consider this post as a call to action.

If you want to help me out by sharing your thoughts on what a full-semester 3 credit undergraduate class on computer and network security should look like, please hit me up and tell me exactly how you feel. The class is targeting a mix of computer science majors and management of information systems majors.

You can reach me via the feedback option at the bottom of each page on this site, by using the comment fields, or by contacting me on Twitter. My handle is @leune. I look forward to hearing anything from technical skills that should be taught, to reading materials that I should review, or even conferences that I should send people to. Any feedback is good feedback!

30 minutes to explain information security


I was recently asked to prepare a 30-40 minute lecture for high school students. The point of the lecture is to explain what we try to accomplish in information security, and to convince them to enroll in our Computer Science program. After thinking this over for a bit, I realized that presenting to high school kids is not that much different from presenting to C-level management. Here is my rationale:

  • Short attention span
  • Little or no interest in details
  • Focus on outcome, rather than on how the outcome is created
  • Think they already know all there is to know

So, taking these observations into account, I must divide my presentation into two or three subtopics, each of which does not exceed 10-15 minutes. I must focus primarily on the show effect (what vs. how), and I must work around the fact that they think they know everything, yet they do not.

When presenting, it is good practice to always end with the one catch-phrase that you want the audience to remember. Whether that catch-phrase is "give infosec more money" or "enroll in the program" is irrelevant.

Initially, I thought that a nice Metasploit demo might be just what we needed to end the presentation. What is cooler than showing how to own a networked box in under five minutes? Not much, right? Well; true as that may be, high school kids do not live in the world of complex command-line invocations and text-based output. Running a Metasploit demo is one thing, but explaining what it actually means is another. Would an audience that is used to living in a world that predominantly consists of Facebook, Twitter and text messaging understand the coolness of complete pwnage via a text-based interface? Doubtful.

So, taking it from there, I moved to browser-based stuff. Everyone will be used to having a browser at their fingertips, and demonstrating a SQL-injection attack that can be used to retrieve private information would be something they understand. Oh wait-- private information is mostly worthless to most teenagers. They'll pretty much tell you everything you want to know right on their public profiles. While the attack would be successful, and I could show how to list out people's home addresses and/or credit card numbers, that would be of little or no value to them.

Clearly, I need to spend more time on this. Password cracking? Maybe, if that password can be used to do stuff with their Facebook accounts. Denial-of-service? Now, there is an interesting one. Taking away their access may be one thing, but showing how to DoS an individual's cable modem may not necessarily be the wisest move.

Any suggestions from my readers? I'd love to hear your thoughts on this. What can you tell a 17-year-old that would capture their interest enough to at least make them consider enrolling in your program?

Assessments are good things. Let me elaborate.

Yesterday was the last mentoring session of my current SANS class. I was pleased to see the feedback that my students gave me, and I am definitely planning to do this again sometime this Fall. Mentoring a class is very rewarding: not only does it allow you to rise above the course material in a way that is almost impossible to do when you are 'just' a student, it also expands your professional network and exposes you to different environments.

SANS 504 Mentor


Just a quick reminder: I will be starting a new SANS mentor session for Security 504: Hacker Techniques, Exploits and Incident Handling on January 7 out of Garden City, NY (Long Island). Some spots are still available, so please sign up if you are interested. We'll convene once a week on Wednesday evenings from 7:30pm to 9:30pm.

More information at: http://www.sans.org/mentor/details.php?nid=14803