As I had mentioned previously, this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid wanted to learn Python, I developed an Intro to Python aimed at high school students that I’m teaching weekly. I thought that this would be good fodder for the State of Security. So, whenever I have something interesting to discuss, expect to find it here.

We have a lot of idioms in English that involve jumping – “leap of faith”, “jump in the deep end”, “jump at the opportunity”, “jump in with both feet.” We don’t seem to have any similar ones involving small, incremental wins. I guess there’s a reason we say “Go Big or Go Home!” The question is… why is there all this jumping? Who has a step stool when you need one?

Information Overload

The world is full of information. According to stats from Omnicore Agency, new content, regardless of validity, is constantly created. Their October 2020 data includes the following stats:

  • 4,000 photos are uploaded to Facebook every second.
  • Almost 35,000 snaps are sent on Snapchat every second.
  • There are 20 million open job postings on LinkedIn, which see 55 new applications every second.
  • There are over 5,000 tweets every second on Twitter.
  • Over 8 hours of video footage is uploaded to YouTube every second.
  • 995 photos are uploaded to Instagram every second.

That’s a lot of information, a lot of noise, and a lot of data to process. Maybe not everything that is posted is informative to you, but it may be to others. My primary interaction with social media these days is posting movie reviews on Twitter and food photos on Facebook. I’d like to hope that someone benefits from my movie reviews or finds a new recipe because of me, but I’m not sure how many people care that I pan roasted mushrooms and put them in taco shells.

My point, however, is not that I’m an amazing cook, but rather that there is so much to learn and absorb that it is impossible to learn everything. As much as I entertain myself in the kitchen, I am not, and will never be, a chef. I can’t recite a cookie recipe. I can, however, tell you about the 1, 2, 3 rule – every good cookie starts with the basis of 1 part sugar, 2 parts fat, and 3 parts flour. I’ll never memorize the millions of cookie recipes you can find online, and I can’t tell you how good a cookie will be by looking at the ingredients, but I have the foundations of cookie-making knowledge in that 1, 2, 3 rule.

Building a Solid Foundation

I saw a Twitter thread the other day about memorizing port numbers and whether doing so is worthwhile.

The majority of people said that it was useless because you have access to Google. I think there are prime examples of where that information may be required when you don’t have access to Google (air-gapped networks, for instance), but even if you have Google, I disagree with the bulk of people in that thread. For tons of people, memorizing port numbers may be useless, but there are definitely areas, and cybersecurity is one of them, where you should know the basics.

You will not be effective at your job if you have to constantly stop looking at your Wireshark instance to figure out what a port is used for or to look at a protocol spec. If you can’t tell me the ports used for HTTP, SSH, RDP, and a few others in an interview, I’m probably very unimpressed. If you can’t tell me why FTP uses two ports and how they are used, I’ll likely be unimpressed as well… I feel that these are basics that you should understand if you work in networking or cybersecurity. They are pieces of foundational knowledge that you can build on. Do I expect you to know every port? Definitely not… but I definitely expect the basics.

As I designed the two courses I’m teaching, one targeted at high school students looking to learn basic programming and one for college students in their final semester, I tackled them from the standpoint of laying a foundation. The goal of each week was to build on the previous week. There are no leaps and bounds in the course. There’s no need to jump in the deep end. It is a simple stepping stool from concept to concept. The topics are not taught at an incredibly complex level, but enough so that in the future the students have the knowledge to build their foundation. I gave them the 1, 2, 3 cookie dough rule and how they use that is up to them.

I did, however, make a mistake. In the Python course, I had to get from programming to network programming. I started with a simple script to pull down a webpage via HTTP and then, because I wanted to get into a bit more complexity with socket.py and introduce a binary protocol, I introduced them to NTP. I thought that this was a logical step when I was designing the course, but it turns out I was asking them to suddenly jump in the deep end. These are high school students; they aren’t in a dedicated computer program. They didn’t get binary protocols, flags represented by bits, static data structures in the packet format, and so many other aspects. I forgot that key rule: build on a solid foundation.
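To make concrete what those students were being asked to absorb, here is an added example (not from the course or the original post) that builds an NTP client request and parses a server reply with Python’s struct module. It shows the three bit fields packed into the first byte and the fixed 48-byte header from RFC 5905; the sample reply bytes are constructed, not captured traffic.

```python
import struct

# NTP header (RFC 5905): 48 bytes, network byte order.
# Byte 0 packs three fields: Leap Indicator (2 bits), Version (3 bits), Mode (3 bits).
NTP_HEADER = "!BBbbIII4Q"     # byte0, stratum, poll, precision, 3x uint32, 4x 64-bit timestamps
NTP_TO_UNIX = 2208988800      # seconds between 1900-01-01 and 1970-01-01

def build_client_request(version=4):
    """Mode 3 (client) request: LI=0, VN=version, Mode=3 packed into one byte."""
    first = (0 << 6) | (version << 3) | 3
    # Remaining fields are zero in a plain client request.
    return struct.pack(NTP_HEADER, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)

def ntp_ts_to_unix(ts):
    """64-bit NTP timestamp: high 32 bits = seconds since 1900, low 32 bits = fraction."""
    seconds, fraction = ts >> 32, ts & 0xFFFFFFFF
    return seconds - NTP_TO_UNIX + fraction / 2**32

def parse_reply(packet):
    """Unpack a reply header and decode the bit fields of byte 0."""
    if len(packet) < struct.calcsize(NTP_HEADER):
        raise ValueError("short NTP packet")
    (first, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, tx_ts) = struct.unpack(NTP_HEADER, packet[:48])
    return {
        "leap": first >> 6,              # top 2 bits
        "version": (first >> 3) & 0x07,  # middle 3 bits
        "mode": first & 0x07,            # low 3 bits: 4 means server reply
        "stratum": stratum,
        "poll": poll,
        "precision": precision,          # signed, log2 seconds
        "transmit_unix": ntp_ts_to_unix(tx_ts),
    }

# Constructed sample reply: mode 4, stratum 2, transmit time 2020-10-01 00:00:00.5 UTC.
SAMPLE_REPLY = struct.pack(
    NTP_HEADER, (0 << 6) | (4 << 3) | 4, 2, 6, -20, 0, 0, 0,
    0, 0, 0, ((1601510400 + NTP_TO_UNIX) << 32) | 0x80000000)

if __name__ == "__main__":
    print(build_client_request().hex())
    print(parse_reply(SAMPLE_REPLY))
```

Every decoded field comes from a fixed offset and a bit mask, which is exactly the kind of structure that is obvious once you have worked with a binary protocol and opaque the first time you meet one.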

Supporting Foundation Building

For employers, it is critical that we support foundation building. One of the systems my team works with involves a lot of manual input, but it also has an API. I always get complaints from new employees when they find out they don’t immediately get access to the API. I feel like the API is a barrier to building a solid foundation. You don’t become as familiar with the process and the system if you haven’t gone through it step by step. I know that the team member will have lower output than their peers initially, and I accept that. When they start using the API, they’ll have a stronger foundation than they would have had otherwise, and I’m willing to accept that initial reduced output because I expect it to pay dividends down the road.

It is important when new employees are starting out, particularly during a pandemic when they are more likely to be remote, that they get the support they need. If you are hiring for an entry-level position or bringing on an intern, make sure they get those foundational skills. In my younger days, and even in the first courses I designed over a decade ago, I was a firm believer in tossing people in the deep end and letting them figure it out. I was a big fan of sink or swim and self-development. Perhaps I’ve just softened in my middle age, but I think I’ve become wiser instead. I don’t think that education and training should be stressful. I think they should be about encouraging that foundation and helping to build it.

So, let senior employees jump in the deep end: people who have already developed those foundational skills and are prepared to struggle because they have that base to build on. Instead, you should take the plunge… take a leap of faith that your new hires will get to where they need to be if you provide them with a step stool instead of a shove.

More Reading

Helping Inspire the Next Generation of Cybersecurity Professionals

Back to School – Lessons From Teaching Cybersecurity: Week 1

Developing Confidence – Lessons From Teaching Cybersecurity: Week 2

Asking Questions – Lessons From Teaching Cybersecurity: Week 3

Problem Solving – Lessons From Teaching Cybersecurity: Week 4

Obfuscation – Lessons from Teaching Cybersecurity: Week 5

Picking the Right Tool – Lessons from Teaching Cybersecurity: Week 6

Feedback Acceptance – Lessons from Teaching Cybersecurity: Week 7