BA Computer Science TESC
#11
Anyone who wants to chat with me offline about this or other info tech topics can PM me. I worked for a bit for a govt contractor and have been in private sector IT for a long time. I would love to encourage more Americans to enter this field as we seem to have a drought of programmers specifically at this point in time. The outsourcing shift scared a lot of kids away from programming in college.
BSBA CIS from TESC, BA Natural Science/Math from TESC
MBA Applied Computer Science from NCU
Enrolled at NCU in the PhD Applied Computer Science
#12
Such good info....please keep posting here if you think of any other tips for those starting the BACS degree!

Thanks,
Sandra
#13
Quote: You could also work for an outside agency and run penetration tests for companies for a fee. This is ethical hacking. Most of these hackers use common tools to do the hacking and even get on the phone and try to social engineer their way into a system by tricking the support personnel or a random employee into giving up access.

OK Ryoder you have really raised my curiosity....so does this explain in part why there are "ethical hacking" certifications? ....and would you say that "ethical hackers" are typically excellent programmers, or are the ethical hacking common tools designed in such a way that many people can use them....in other words is this a two step process where you have the front line support person who uses the toolkit to detect vulnerabilities, then you bring in the experts, like yourself to actually fix the security issues, or does one person typically handle both.....and what are the key certs of value that you suggest students work toward....Network+, Security+, CCNA, CISSP???
Excelsior - BS Business 2008
Son #1 TESC BSBA Computer Information Systems completed June 2010
Son #2 TESC BA Computer Science completed November 2010 Currently in Florida State (FSU) Masters CS program and loving it
#14
Yeah I am the guy that gets the pen test report at my company. We have pen tests yearly and enterprise security wants to go to quarterly but we just don't have time to remediate all the items found on that schedule. Security compliance is an annoyance to most project managers who have other projects they are behind on anyway.

The pen test people start out by doing footprinting. They will determine as much info as possible about the company via whois, google and your own site map and any bios they find on the site. Then they click around your pages, check the html source for telltale signs of technology. You can pretty easily determine if the site or web app was built using java struts, asp.net v 1-4, jsf, coldfusion, php etc or some content management system. If they determine that it was a content management system that is outdated and they go to that content mgmt system's site and find out that the latest version fixed a horrible security hole, they will attempt to exploit that hole.

Things they look for are the ability to cause a denial of service attack on the site, or to deface the site, or to craft a URL to send to someone in an email that makes it look like it's coming from your trusted site, but once you click the URL you go to their hacker site. That is a blind redirect.

They come up with all this and put it into a nicely formatted pen test starting with an executive summary and listing the items in order of importance. They describe the problem, the risk, how to reproduce it and sometimes suggest a way to mitigate that risk.

Then someone like me reads the pen test, determines the level of effort to fix the items on the list and sends that to management. Management then bargains with enterprise security on resource allocation.

Finally I get assigned a project to fix the ones under my umbrella and I may have to work with other teams to help them fix their issues.

The pen testers use a toolkit to do this. The same toolkit that hackers use in most cases. These toolkits are free and well documented. The pen testers do need to know how to manage networks, IIS servers, mail servers etc because their goal if possible is to hack into your server and do something bad to it or document that it could be done.

To me the pen tester is basically a network technician with specialized skills. They write no code at all but have to open up TCP dumps, watch traffic, and analyze HTTP headers, so they need to know how distributed processing works, the SSL handshake, HTTP POST protocol etc.

Yes the CEH certification is for professional pen testers. The CISA is a certified auditor and CISSP is a general security certification. I am one of the few CISSPs that has a software development background that I know. Most are either internal IT security people from a networking background or security consultants from RSA etc traveling the country selling their products.
BSBA CIS from TESC, BA Natural Science/Math from TESC
MBA Applied Computer Science from NCU
Enrolled at NCU in the PhD Applied Computer Science
#15
Ryoder....thank you very, very much for sharing your knowledge. This explains a lot.
Excelsior - BS Business 2008
Son #1 TESC BSBA Computer Information Systems completed June 2010
Son #2 TESC BA Computer Science completed November 2010 Currently in Florida State (FSU) Masters CS program and loving it
#16
Update....my son was accepted by Florida State University into the Masters Computer Science InfoSec program. He will go up to Tallahassee in the next couple of weeks to interview for the SFS Scholarship for Service program. He's beside himself with excitement. This is a big deal. Thanks TESC for having a BA Computer Science degree.
Excelsior - BS Business 2008
Son #1 TESC BSBA Computer Information Systems completed June 2010
Son #2 TESC BA Computer Science completed November 2010 Currently in Florida State (FSU) Masters CS program and loving it
#17
Hi, Geezer. Congrats to your son; he's going into a great field.

I'm a CISSP Info Assurance consultant (with a 10+ year software dev background, so ryoder you are not alone, but I agree it is rare to find), who does a big mix of system admin, programming, secure code review, virtualization admin, database admin, and security nowadays.

I agree with ryoder, but just wanted to point out that the government & IA industry is moving in the direction of more security not just from a systems perspective, but also from a software perspective. So in the future more and more developers will need to understand InfoSec, especially in regard to secure coding.

There are a few certifications now targeting that need:
- CSSLP (Certified Secure Software Lifecycle Professional)
- GSSP (GIAC Secure Software Programmer, with separate tests for Java, .NET, and C)

I think, especially if he's looking to work for the government, this is a good way to combine interests in InfoSec/InfoAssurance and programming.

Most IA people I come across are not very technically knowledgeable. There are a lot of government and military regulations to keep track of and documentation to write up to show programs are in compliance, and lots of IA people focus on that. I like the technical side personally.

CEH is not too hard to study up for in free time. Neither are Security+, Network+, Linux+. The government actually requires tech folks to have Security+ at a minimum if they do anything security-related, or something more advanced like CISSP.

Check out http://www.hackthissite.org and Metasploit if he wants to look into learning more about pen testing. There are other good resources, but those are popular with would-be ethical hacker folks.

Side note: I think pen testers make less than software dev folks, so if he has no strong preference either way, have him go software+InfoAssurance or OracleDBA+InfoAssurance, those pay more than straight systems/network stuff often.
Pursuing TESC B.A. in Natural Sciences/Mathematics

65 credits in 3 weeks from A&I Lit 79; College Comp w/ Essay 63; College Math 75; College Algebra 76; Precalculus 63; Intro Psychology 78; Intro Sociology 62; Intro Computing 473; Personal Finance 451; Health 467; Management Info Sys 466; MCITP Enterprise Admin; MCITP Server Admin; MCITP Virtualization Admin; MCITP Enterprise Messaging Admin; MCITP SQL Server DBA

Remaining:
CLEP Human Growth & Development
TESC Global Environmental Change
TESC Artificial Intelligence
#18
jmed thank you very very much for adding your comments. I hope that others can read this thread and see that there are options and career paths out there for CS students....and even some programs to help pay for college.

It really helps that you and Ryoder are software developers because it provides real perspective. Even though my son has 3 years of real world experience, he is still just 23. So I am definitely encouraging him to concentrate on developing the technical skills (and frame of mind) that will keep him employed 30 years down the road....and by frame of mind I mean that he has to continually develop his technical skills throughout his career. Everything moves too quickly, either you keep up or you're toast.

I know intuitively that you and Ryoder are being extremely generous in describing the technical abilities of the people you come in contact with. It also means that if my son has the ability to develop software and understand programming that he will have a big advantage over others in the field. He will start FSU in the fall, so he has the next few months to up his programming skills and start knocking off some more certs. Thanks for the tips guys...not only are you helping my son, but I'm sure many others that happen upon this thread.
Excelsior - BS Business 2008
Son #1 TESC BSBA Computer Information Systems completed June 2010
Son #2 TESC BA Computer Science completed November 2010 Currently in Florida State (FSU) Masters CS program and loving it
#19
Congrats to your son geezer!
I know there are developers focusing on info security but I think a lot of them are working for product companies instead of IT departments. I hope this changes but it is my experience that corporate IT departments rely on vendors for advanced security solutions since it is not their core competency.
I have worked with some extremely intelligent developers in info sec but all were working for product companies.
BSBA CIS from TESC, BA Natural Science/Math from TESC
MBA Applied Computer Science from NCU
Enrolled at NCU in the PhD Applied Computer Science
#20
@ryoder and @geezer,

the information on this thread is extremely valuable for a CS major. I am leaving Excelsior's BSIT because TESC's BA CS is much more traditional and I believe that [if I do well] it will be my ticket into grad school.

Excelsior's BS IT is concentration based, and they used to have an "Object Oriented Programming" concentration, but they have gotten rid of that and are replacing it with a "Cyber Security" concentration. I had been looking at local universities here, and I was honestly amazed at how much math is required for the CS programs! By the end of your sophomore year you should have completed Calc VI, and then be moving on to either differential equations or physics w calc, and finally statistics and linear algebra or matrix algebra.

TESC requires calc 1 and 2, Linear algebra or discrete math. TESC's comprehensive plan also seems great for people with less than 1 1/2 remaining in school.

