[HN Gopher] Teaching Information Security
___________________________________________________________________
Teaching Information Security
Author : zdw
Score : 33 points
Date : 2021-12-28 02:13 UTC (1 days ago)
| tptacek wrote:
| This seems pretty dreadful. Most shops have the kind of
| documentation that Greenspun has students generating here, but
| few of them ever actually consult it; in the real world,
| especially in elite shops, security is an engineering problem
| more than a management problem.
| motohagiography wrote:
| The case study approach is MBA school level good, and to treat
| security seriously, you need to do case studies and those
| engagements. The students the author writes about don't seem to
| understand how good that course is. Sort of a relief blank slate
| students can't just learn this stuff in a single course, but it
| also makes me angry that people coming into the field seem this
| stupid and lazy. When you imagine _not_ ever having been any sort
| of interested hacker and working in security, without actual tech
| and architecture skills, it's a checkbox filling job, typically
| when you are young enough to accept risk you cannot understand.
|
| I recently saw this in a certain big-n consulting firm's security
| risk assessment, which was clearly done by a young grad, and it
| had been filled out to specifically lie about the controls and
| levels of assurance in a system that was part of a massive health
| initiative. If anyone discovered it (we did), the consulting firm
| could fire the person who was too inexperienced to have had the
| integrity to present the real findings to a client who was also
| engaged in what was essentially risk fraud, if there were such a
| thing. But it was obviously on purpose.
|
| For older experts working with this new cohort, I'd recommend
| that you understand that incompetence is a strategy for them, as
| if you present as knowledgeable, you can be held accountable for
| errors and omissions, where if you are obviously ignorant, you
| can just shrug and fail upwards and let the nerds take the fall.
| If it's not explicitly illegal with consequences to misrepresent
| something, expect it. The reason many millennials seem so feckless
| is because being useless is how they get others to do things for
| them, and this is an actual life strategy. In security
| consulting, you deal with IT project managers like this all the
| time. Professional values like competence, integrity, and polish
| that I think many senior technologists value have been replaced
| with a kind of formlessness and repulsive avoidance of perceived
| conflict, and addressing it directly is an unforgivable
| humiliation. Non-technologists (people who don't do or make)
| mostly exist in an infinite game of musical chairs, so the
| students in this case may have been exercising a conscientiously
| cultivated and refined ability to avoid responsibility.
|
| This course material is precisely what I would expect someone in
| the field to understand, though I think the only way to
| understand it is to develop tools the students don't have, which
| is an emphasis on physical domain competence. The good news is
| they create a lot of additional work for the competent, but the
| bad news is, they will rot the organizations they attach
| themselves to. :)
| watwut wrote:
| > that people coming into the field seem this stupid and lazy.
| When you imagine not ever having been any sort of interested
| hacker and working in security, without actual tech and
| architecture skills,
|
| That is not being lazy or stupid. That is signing up for a course
| with the expectation that you will learn something new.
|
| It is fairly normal in anything. Hardworking smart people sign up
| for language lessons, trade school, accounting courses, driving
| lessons and what not without knowing anything and then learn
| it.
| jrm4 wrote:
| This is _excellent._ I one-time taught a college level
| cybersecurity course and definitely tilted my syllabus away from
| the typical stuff you see in favor of things like this.
|
| It's all good to play around with John-the-ripper and whatnot,
| but more like this is needed.
| GartzenDeHaes wrote:
| This is what a NIST implementation looks like:
| https://www.irs.gov/privacy-disclosure/safeguards-program . IMHO,
| the SANS 20 critical security controls would be more useful:
| https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Cont...
| 1cvmask wrote:
| This is the rating that the famous blogger Philip Greenspun got
| as a professor at Florida Atlantic University:
|
| https://www.ratemyprofessors.com/ShowRatings.jsp?tid=2741982
|
| Maybe he should stick to blogging or teaching statistics at
| Harvard Medical School or flying planes. Readers what do you
| think?
|
| https://en.wikipedia.org/wiki/Philip_Greenspun
|
| His wisdom on investing and money:
|
| https://philip.greenspun.com/materialism/money
| easterncalculus wrote:
| There are two ratings here, 5 stars and 1 star. Not exactly the
| kind of statistically relevant sample he would teach about,
| right?
| 1cvmask wrote:
| Ideally there would be 30 or over students randomly chosen.
| The class probably has less than 30 students to begin with.
| And the bias and friction for students to set up an account
| and review makes these results spurious to begin with.
| tialaramex wrote:
| Still, _three hour lectures_? I don't need my
| University's School of Education to tell me that's not an
| effective way to teach humans anything.
|
| We know in a safety critical environment, where giving
| something your full attention is vital to the survival of
| yourself and others you care about, human watch keepers are
| not effective for the 4-8 hours they are often given this
| task, even though they know that becoming ineffective will
| get somebody killed.
|
| For lab work, where setting up and shutting down are time-
| consuming, and a mix of activities may help improve focus,
| a double (2 hour slot) might be reasonable anyway but if
| you're planning three hours of standing at the front
| talking, your students are not going to benefit anything
| close to how much they would from three separate one hour
| lectures.
| watwut wrote:
| That sort of thing is usually not decided by the teacher.
___________________________________________________________________
(page generated 2021-12-29 23:01 UTC)