18 November 2011
Information Security as a Craft
by averagesecurityguy
For centuries people learned a trade by becoming an apprentice to a master craftsman. After spending a number of years, typically seven, working under the master, they became a journeyman and were able to start their own business. A journeyman was able to become a master only after presenting a "master piece" to his respective guild. Once you became a master, you were allowed to take on an apprentice and start the process over. If we look at information security as a hands-on craft, what would you learn as an apprentice on your way to becoming a journeyman? What would a "master piece" look like?
I think an apprenticeship program would look something like this:
Years 1 and 2 - Networking and System Administration
- Gain a thorough understanding of common network protocols like TCP/IP, Ethernet, ARP, UDP, and ICMP.
- Gain a thorough understanding of DNS, DHCP, Active Directory, SMTP, FTP, and other common network services.
- Gain ability to perform administrative tasks on both Windows and Linux machines.
- Learn to automate common administrative tasks using scripting languages such as bash, perl, python, ruby, vb, and powershell.
Years 3 and 4 - Risk Assessment and Disaster Planning
- Understand the common risks to which your network and systems are exposed.
- Understand how to mitigate those risks.
- Understand how to build redundancy into your network and systems so that a single failure does not take down the entire system.
Years 5 and 6 - Vulnerability Assessment and Exploitation
- Understand common network and system vulnerabilities and how to fix them.
- Understand methods, both automated and manual, of finding vulnerabilities.
- Understand methods, both automated and manual, of exploiting vulnerabilities.
- Understand methods for preventing vulnerabilities in networks, systems and code.
Year 7 - Communication
- Understand how to communicate effectively in written form (i.e. documentation and reporting).
- Understand how to communicate effectively in verbal form (i.e. presentations, meetings).
- Understand the different "languages" of your audience (i.e. IT department, CIO, CEO).
I know there are a lot of details missing from this outline, especially if we are thinking about this as a hands-on craft, but I think it is a good place to start. I would like to know what you would add to this outline, particularly which hands-on activities you would place under each category. I have a shared Google document here that you can update with your thoughts. I will leave the document open unless people abuse it.
tags: information security careers - infosec careers