Targeting digital skills and bridging the gap to employment
This is my scratch-pad place for outlining a few ideas ... so please excuse the slightly unstructured nature of this article.
It is always an honour to present in my home city, and on a topic I think we have something to contribute to:
Digital Skills for Graduates on 2 June 2016
As an academic, one of the best things that you can do is to provide your graduates with both the foundation knowledge and the practical skills to equip them for the first steps in their career.
You shouldn't, though, think that the two are separate, as they are interlinked and should reinforce each other. These days, in computer science, you need both a foundation knowledge, and the practical skills to understand how to implement things. Unfortunately industry often struggles to properly understand the output from computer science courses, as they vary in their content. Few subject areas can have such a variation, and the titles of modules can often hide the core objective of the content.
We have tried to continually innovate in terms of providing a safe, relevant and stimulating environment in which to learn. With this we created our own Cloud, which now supports malware analysis, Big Data/SIEM setup/analysis, cryptography, digital forensics (with EnCase and open source tools), intrusion detection systems, network forensics, network security (running Cisco devices), penetration testing, and several other things.
After embedding the core environment, we've now moved onto higher-level learning, such as with Red v Blue, and in CTF (Capture The Flag) environments which all integrate with our real-life environments. This allows us to move away from constrained learning within a cognitive domain into areas which require psychomotor skills, such as for "origination" (eg "an original attack vector"), "adaptation" (eg "the change of an SQL injection vector"), and "complex overt response" (eg "coding of a Python script to script an attack").
Computer Science, though, is in a strange place just now.
On the one hand the jobs market is overflowing with opportunities around software development, cyber security, networking, Web development, and in cloud architectures, but official figures show that it has a relatively high unemployment rate.
Something is thus going wrong somewhere, and perhaps the lack of definition of the output of a computer science graduate is the problem. After interviewing over the past few months, it has become apparent that some graduates in areas such as computer security lack core practical skills, and often lack the basics, such as how to set up networks and services. We've even seen a few computer security graduates struggle to even name one tool that they have used to assess the security of a system.
This is where professional certification certainly wins over academic study, as industry can easily map the skills they require to the areas covered in the certification. But, the depth of study required for some topics can sometimes be missing, and there's a feeling that professional certification goes wide for its scope, but never really covers the fundamentals in an in-depth way (I appreciate that this is a generalisation). The area of cryptography is one example that is never really covered properly within professional certification, but one that is so fundamental to the security of an organisation.
I can thus tell you how a firewall works, and you'll say you understand it, but it's only when you really go ahead and set up some networks and get some services running that you really understand it ...
"it doesn't work!" ... "well debug it ... "
"I can't ping it" ... "well trace it then ..."
"I can't access Google!" ... "well ping 8.8.8.8 ..."
"It pings, but I can't access Google.com" ... "well check your DNS ..."
"I can't access my Web server on the other" ... "well that will be your firewall blocking ..."
... "so how do I get it to work?" ... "unblock your firewall" ...
"how do I do that?" ... "add a rule" ...
"but what port?" ... and so on.
We learn by doing, and at our different levels we should lead with steps that are followed, but at the higher levels we guide and allow for deeper understanding ... such as:
"Go ahead and set up your network architecture, with a firewall, and set up an attack on the public network against your Web server, and use an IDS to detect it, and create a Splunk console to capture it ... and then get someone in the lab to test against your network, and tell them what their attack vector is ...".
This becomes like real-life, and it becomes interactive, and without constraints.
Academic drive with innovation
So we don't just want to train, we want to create practical environments which reinforce the core academic principles.
So this year we have really pushed boundaries ... and developed the practical skills to underpin the developments ...
- We are now one of the first universities in the UK to run a full "student-configured" Splunk architecture with all the associated agents, virtualised instances, network devices, and so on. Can anyone really understand the complexity of a real-life network architecture, with all its interconnections, without actually building and running it?
- We've virtualised Cisco devices, running in GNS3, within our Cloud and have run full VPN connections across complex networks (thanks to Richard Macfarlane). Can anyone really understand a VPN/IPSec tunnel unless they have set it up and had to debug it?
- We run full malware analysis within an isolated virtualised environment (thanks to Charley Celice). Can anyone really understand how malware works unless they have really analysed the binary code and watched it perform its operations?
- We run digital forensics analysis software with evidence contained on drives which are mounted, and accessed within the Cloud environment (and with all the tools that industry would use). We even managed to run a digital forensics course on Apple Mac systems within our Cloud (thanks to Bruce Ramsay and Robert Ludwiniak). Do you really know how a Mac works unless you've gone right into the operating system and deeply analysed the files?
- We run full penetration testing labs with the latest tools for vulnerability scanning and in adversarial roles, all done within our cloud environment, and against real-life infrastructures (with Richard Macfarlane and Dr Gordon Russell). Can you really learn penetration testing from running a vulnerability scanner?
- We have created cryptography content which is now being used across companies to train them in areas such as digital certificates, secure tunnels and public key encryption, with lots of hands-on material. Do you really understand secure tunnels unless you've seen the handshaking process involved?
- We've integrated a real-life CTF (Capture The Flag) environment, and focused on real-life vulnerabilities (thanks to Charley Celice and Peter Aaby for "British Broadband"). Would you know how to cope if someone hacked your systems with a new type of attack? How would your team react to that?
Our driving force has been our MSc programme, and it is there that we want to make sure we are pushing the boundaries of what's possible, but also supporting both our campus-based students and our distance ones. Everything we do, though, filters through on all our teaching and our training. Our labs have become enjoyable to teach, and we have fun setting them up, and in running them.
And now we have so many companies helping us build our virtualised training infrastructure, and in setting up our vSoC - Virtual Security Operations Centre, and it'll be built with all the elements that graduates will find in their workplace.
As I've said before, all of this was built by ourselves ... no external contractors ... no consultants ... we had to wire it up ... and install all the systems ourselves. In doing this, we learnt too. One thing that is important is that academics actually learn from others, and industry is demanding graduates with strong practical skills, and academia must follow.
Academics also have to show that they have the practical skills to implement the things that they are showing their students to do, as complex systems just don't work as they should, and where debug skills are just as important as design and configuration skills. If we push our students into more complex environments, academics need to be there to help fix problems, and students thus feel they are supported. The simple questions around setting things up will hopefully fade as they progress, and learn at each step.
If you have time on 4 April 2016, why not come along to our jobs showcase: