Penetration Testing mailing list archives

Re: University plan


From: Todd Haverkos <infosec () haverkos com>
Date: Sat, 18 Sep 2010 10:57:55 -0500

kalgecin <kalgecin () gmail com> writes:

hey guys,
I'm in my final year of high school and I'm planning to go to
university. As all people, I have trouble finding the right one ( or a
good one ). So I'm asking you people to recommend any nice
universities that teach good computer security, that is more practical
than theoretical. Please also tell me to which university you attended
and how was it? and any other general advice

First, I entirely disagree with the "college vs university" comment made
by another poster.  The theory vs practicality of a given program varies
WAY too much by individual institution/program to make such
generalizations of much use in narrowing down your search for a school
that's right for you.  

I'll start with a specific recommendation: I've been impressed with
DePaul's program in information security, or at least the many many
excellent people I've met who are recent graduates.  Had I known in HS
that there was a market for the field I'm now in many years later, I'd
definitely put that one on my short list to check out.  DePaul is in
Chicago, IL USA (you don't mention where you're looking to go to
school).

Myself, I have electrical and computer engineering degrees that
(sometimes indirectly) led to my multi-platform computing with many
flavors of Unix, DOS, Windows and specialized embedded OS's, as well as
networking experience, knowledge of how integrated circuits, CPU's,
systems, RF technologies, and computer architectures work both
theoretically and from the transistor level all the way up to the system
level.  I've programmed in C, C++, Verilog, and written microcode and
can visualize how it does its magic because in my computer engineering
work, I've had to implement a microsequencer.  From my EE work, I know
the pointy end of a soldering iron and how to get around an
oscilloscope.  It's all excellent background to understand hacking and
security and more generally to think in a manner that takes a methodical
approach to solving problems and inventing solutions.   

But what's cool about infosec is our diversity--I've met top shelf
infosec folks from all sorts of backgrounds.  I've got a coworker that
works professionally as an excellent penetration tester with a Theology
degree, for example. So as Larry Wall says about Perl, "there's more
than one way to do it."  It'll be your desire and self teaching that's
likely to propel you the most, and allow you to get the most out of
whatever education you pursue.

It's also worth mentioning the contribution of employers and future
coworkers to your training.  I've been fortunate to have worked for
companies that (at least initially) had excellent commitments to
employee development and provided focused industry training on skills
directly needed for the job.  The most relevant and current techniques
are not something you're likely to learn in a University/College
setting, but industry training, having the opportunity to work with
Really Smart People, and keeping current with infosec via podcasts,
twitter, mailing lists like this are what will keep you closer to the
leading edge.  This may be worth keeping in mind when you choose your
first employer.  Also think about universities that have good intern and
co-op programs with companies that do work you're interested in doing.

Finally, no discussion of this level of education juxtaposed into
security would be complete without acknowledging that this industry --
more than most -- has a very large number of outstanding practitioners in
it who don't have a college degree.  I'm still a strong advocate of
pursuing a degree as it's a prerequisite to employment at so many
organizations, but if you hear folks who say "you don't need a degree to
be great at security" or "you won't learn current attacks and defenses
in school" well, there is something to what they say.  All the same, the
discipline and the credentialing of a quality university program is
education that no one can ever take away from you, and will remain a
differentiator for you among those who didn't choose that path.  And for
better or worse, the folks in human resources making hiring decisions in
many cases will often take an easy road in sending resumes to the trash.

Good luck in your decision, and kudos on having a strong idea of what
you want to do! 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
