Teach IT security at a younger age
Basic IT security skills, such as port scans, should be taught to kids early on so they become automatic, argues CNS Hut3's Edd Hardy
As a penetration tester, one of the things that strikes me when meeting people who are in charge of securing networks or managing the risk is how many of them are missing a basic level of knowledge about networks and security. We have some very knowledgeable clients, but we also find ourselves having to explain very basic issues, such as FTP (file transfer protocol) and why it is bad. When we dig into it, we find they are using FTP but only know the specific product they use. They don't understand that there are layers below this. If we could improve the industry's general understanding of how computers, networks and security work, our graduates and professionals would be equipped to use any product and – more importantly – would understand the risks they are creating and how to reduce or manage them.
When we interview graduates from well-respected technical universities, it is not unusual for us to find that students with first-class degrees in an IT subject don't really know how a network works. They know theories about security; if you ask them what SQL Injection is they can give you a response that works on paper, but if you ask them to explain it and how you prevent it, they are stumped. They have been taught to pass exams, but not how to apply their knowledge.
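The kind of explanation the author is asking for can be shown in a few lines of working code. This is an added example, not code from the article or from CNS Hut3: a constructed in-memory SQLite table with a hypothetical `users` schema, a login query that pastes user input into the SQL string, and the same query with bound parameters, so the reader can see why one is injectable and the other is not.

```python
import sqlite3

# Constructed sample data; a hypothetical users table for illustration only.
# A real system would store password hashes, never the passwords themselves.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Classic tautology input: a quote character followed by an always-true clause
INJECTED = "' OR '1'='1"


def make_db():
    """Build the constructed users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: the input becomes part of the SQL syntax, not just a value."""
    query = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "' ORDER BY name"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Fixed: the driver binds the values; quotes in the input stay literal."""
    query = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    # The same injected input matches every row in the vulnerable version
    print("vulnerable:", login_vulnerable(db, INJECTED, INJECTED))  # ['alice', 'bob']
    # and matches nothing in the parameterised version
    print("safe:      ", login_safe(db, INJECTED, INJECTED))        # []
    # Legitimate credentials still work with the safe query
    print("alice:     ", login_safe(db, "alice", "correct horse"))  # ['alice']
```

The point to teach is the structural one: in `login_vulnerable` the quote characters in the input close the string literal and the rest of the input is parsed as SQL, while in `login_safe` the whole input is handed to the database as a value and never parsed as syntax. Input validation helps, but parameterised queries are the prevention that does not depend on anticipating every payload.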
University is perhaps too late to build the skills we need; the best candidates we see are the ones who have been tinkering, dismantling, breaking and building things since they were kids. We need to push education towards a younger audience. Schools have made great strides towards this with projects such as getting kids to program Raspberry Pi computers and develop their own software. It is that level of experimentation and understanding of the basics that we need.
I am not suggesting that everyone who comes into IT should be able to perform a penetration test, but I am suggesting there is a basic level of skill everyone needs, particularly around security. We want people to be able to check which ports are open and to check for basic issues such as default passwords. We make people take a driving test before we let them drive a car because we want to make sure they have the basic skills to keep them safe and to protect other people on the road. We don't think the driving test means they can fix the car, we don't think it means they can race cars, we just think it's a basic level everyone should pass. IT security is the same. If you are going to build, manage or even use IT, you should have a basic set of security skills, to keep yourself and the network safe.
Just like the debate about when children should be given sex education at primary school, as an industry and as a country, we need a debate about when and how we should be teaching people about security and basic IT. IT teaching has long been concerned with teaching people how to use particular IT products, not about understanding computers. On the positive side, I keep reading articles about kids being taught basic programming; that's brilliant because it's teaching kids how computers work, not how to use office applications. We need the same approach to security; we should be teaching them how to keep things safe, how easy it is to break things and how simple, basic steps will protect you. For example, it is not complicated to teach someone to run a port scan and shut down unnecessary ports and services. If we teach them at a young age it just becomes automatic.
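The "check which ports are open and shut down what you don't need" habit described above can be practised on a machine you administer without any scanning tool at all. This is an added example, not code from the article: it parses a constructed sample of `ss -tln` style output (not captured from a real host) and compares the listening sockets against a hypothetical allow-list of services the host is supposed to expose, separating loopback-only listeners from ones reachable over the network.

```python
# Constructed sample in the column layout of `ss -tln`; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       100     0.0.0.0:21           0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Hypothetical allow-list: the services this host is expected to offer.
ALLOWED_PORTS = {22: "ssh", 443: "https"}

# Addresses that are only reachable from the host itself.
LOCAL_ONLY = {"127.0.0.1", "[::1]"}


def parse_listeners(text):
    """Return (local_address, port) for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # split only on the last colon (IPv6)
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(text, allowed=ALLOWED_PORTS):
    """Classify each listener: on the allow-list, loopback only, or unexpected."""
    findings = {"allowed": set(), "local_only": set(), "unexpected": set()}
    for addr, port in parse_listeners(text):
        if port in allowed:
            findings["allowed"].add(port)
        elif addr in LOCAL_ONLY:
            findings["local_only"].add(port)
        else:
            findings["unexpected"].add(port)
    return {key: sorted(ports) for key, ports in findings.items()}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT)
    for key, ports in report.items():
        print(f"{key:11s} {ports}")
    # In the sample, port 21 (FTP) is reachable on all interfaces and is not
    # on the allow-list, so it is the service to disable or justify.
```

On a real host you would feed the function the output of `ss -tln` (or `netstat -tln` on older systems). The exercise for a student is the decision that follows: every entry under `unexpected` is a service to switch off, firewall, or add to the allow-list with a written reason. The loopback-only bucket is lower risk but still worth knowing about.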
IT security should not be seen as a specialist subject; as something you do as a second degree or a special course you go on. It needs to be a fundamental part of any teaching related to technology and information. We need to teach people what security is, how to analyse security and how to be secure; it doesn't need to be complicated. At the moment we are turning out graduates who go on to get security roles, where they are taught security by vendors trying to sell them magic boxes that solve the problem. We need people who understand security, not just the security products. We can solve some of these problems with universities, which are putting in a huge amount of effort by building labs and working with industry, but we need to start attacking the problem earlier on. Equally, as an industry it is disingenuous of us to just complain about graduates; we have to get involved and contribute. People can learn what the industry wants only if we help.
At CNS Hut3, we make an effort to get involved with talent at an early stage. We work with universities to help students understand basic skills. For example, we run pen-testing workshops to get the students breaking things in our lab, so they understand how easy it is for attackers to take control if systems are insecure. However, I was recently standing in front of a room full of students giving a lecture. They were doing a technical IT degree, but when I asked if they knew what SSH (secure shell) was, only a few hands went up. And these were not first-year students. For me this is an example of the lack of knowledge some students have. As an IT auditor or risk manager, you might never need to use SSH, but you have to know what it is. If we have to teach this at university, we will, but it is worryingly late in the development of individuals to be teaching them such basic information.
Universities and colleges should not be alone in making this happen. IT security and knowledge of how technology works should not be a bolt-on course. It is important that businesses get involved and create alliances with local establishments. If we want to improve the talent pool, we have to offer our time and expertise to help educate students, to show them real-life examples and help prepare them for the working world.
Edd Hardy is head of operations at CNS Hut3.