Update on DSU MSIA

philz1982

I figured I would make a post around my journey through my DSU MSIA.
So far I have taken:
INFA 721 Computer Forensics

I am taking (right now Fall 14)
INFA 713 Managing Security Risks
INFA 734 Web Software Security
INFA 736 Offensive Network Security

I have these courses coming up:
INFA 701 Principles of Information Assurance
INFA 715 Data Privacy
INFA 725 Adv Network Hacking
INFA 729 Adv Web Hacking
INFA 743 Information Security Mgmt Systems
INFA 745 Compliance and Audit
INFA 751 Wireless Security
INFS 754 Network Security & Intrusion Detection

I will make a separate post discussing my MSIS , which I am also doing at DSU.

I will follow this post later tonight with a review of INFA 721 and will continue to review courses as I finish them and answer any questions you may have.

-Phil

da_vato

How is the quality of the courses, are you learning a lot of new concepts? How are the courses delivered? Definitely keep us updated.

the_Grinch

Definitely interested to hear about the quality of the courses and the lab setup. I'm applying for their MS in Applied Computer Science just need the recs and I'm good to go.

philz1982

da_vato wrote: »

How is the quality of the courses, are you learning a lot of new concepts? How are the courses delivered? Definitely keep us updated.

Very hands on, very much a Socratic method of teaching. A LOT of research, if you are not self-motivated do not apply.

I am learning a lot, currently in my Risk Mgmt, we are dissecting the Home Depot hack and my semester project is to perform a security audit on a software solution my company produces. I am learning quite a bit, and maybe its serendipity but what I am learning directly corresponds with what is going on in my organization.

The courses are asynchronous 1080P video (2x1.5 hrs per course per week), discussion boards, papers, and labs.

I will be more detailed in my course by course analysis.

philz1982

the_Grinch wrote: »

Definitely interested to hear about the quality of the courses and the lab setup. I'm applying for their MS in Applied Computer Science just need the recs and I'm good to go.

Lab setup, at least for cyber is quite well. I've got a Metasploitable 2 and Kali lab combo and a Pablo and BackTrack lab combo.

Here is some code I built for Week 1's homework in the Web App Hacking lab. Cool thing is there is literally as near to zero direction on the programming labs as there can be. The instructions were basically iterate through the URL and find other URL's or defeat the Captcha.

imgur: the simple image sharer

imgur: the simple image sharer

Just python scripting in this course, the adv hacking should be a fair bit of shell and expanded python.

the_Grinch

Thanks for this information! Definitely glad I decided to apply there! Keep us up to date on your progress!

philz1982

So, INFA 721 Computer Forensics.

Overview: This course is focused on Computer Forensics, hence the name. There were no text books for the course. Each week however we were given an article on computer forensics either from a current Peer-Reviewed Journal or from in regards to a recent hack. We would be required to read the article and then write an essay on the discussion board of how this applies to computer forensics as well as the industry as a whole.

Our Professor, was one of 5 people in the Nation who specializes on Video Game console forensics. Apparently a fair amount of crime is committed via video game consoles (drug trade, s#x crimes, ect).

The first two weeks were focused on the laws, how to collect evidence, how to handle evidence, how to keep a chain of custody.

The rest of course was primarily focused on tool usage. We used FTK imager for the beginning of the course and did a full forensics analysis of a hard-drive including (stenography, encryption/decryption, reconstructing partial data). We then built a case around the things we found on a drive. We then proceeded to perform mobile forensics, I performed a forensic scan of my Galaxy S4.

Next we moved onto, how SSD's work and how they effect forensics. We went in-depth into the Trim function and which drives have which recovery ratios. Next we moved into cloud forensics.

Strengths: You will leave understanding the process of forensics from start to finish. You will understand how to keep a custody record. You will understand the legalities of Forensics. You will also leave understanding how to use a forensics tool, how to use John the Ripper, and other Rainbow Hash crackers, how to use mobile forensics tools.

Weaknesses: To short in my opinion. You could have separated the legal aspects of forensics into a course on it's own. If you don't get the chain of custody right evidence could be non-admissible in court so this is a big deal. A reoccurring theme at DSU is that if you are a person who needs step, by step directions then you will not do well. The projects by design are very open.

For the semester project you are given one video of how to use FTK imager, a starter list of 5 passwords, and hard-drive image. You then need to figure out how to turn that into a forensics report with an executive summary. You must also find a way to summarize your findings into two pages in a court admissible format. The end goal of the course is to teach you how to find information via forensics that can provide you with legal standing.

Side Note:The purpose of learning at DSU is stated at the beginning of every course. The professors state explicitly that they want you to "research" and "figure it out" because that is what you will do in the work force. So far every professor I've had is a full-time worker in the industry.

Also, discussion boards, if you post 1 paragraph responses on the discussion board they will give you a failing grade. For having such a low per credit cost you would think DSU would want to get a lot of students but apparently they have no problem failing people as there is a lot of churn from folks not being able to keep up or produce the quality of work required by the course.

ajs1976

Thanks for the info. I'm a couple of years away from starting a Graduate program, but DSU is one that interests me.

You listed 12 courses, but I thought the program required 10. Are you taking extra classes? Also, I saw that you are working on the MSIS. Isn't some overlap possible between the two programs? For example core courses in one count as electives in the other.

Thanks

the_Grinch

I had a professor once tell me that when you enter graduate school it is a different world. At that point you are suppose to be mastering the material and doing some original research so I can see why they operate the way they do.

philz1982

ajs1976 wrote: »

Thanks for the info. I'm a couple of years away from starting a Graduate program, but DSU is one that interests me.

You listed 12 courses, but I thought the program required 10. Are you taking extra classes? Also, I saw that you are working on the MSIS. Isn't some overlap possible between the two programs? For example core courses in one count as electives in the other.

Thanks

So yes, I am taking more then the 10 courses. Technically, I'm going after three degrees the MSIA, MSIS, and the MSA but I haven't applied to the MSA yet. You can't double count courses. You need to have 10 including the core and electives for each degree.

ajs1976

Have you considered the D.Sc?

philz1982

I'm on the fence as to a D.Sc at DSU, a PH.D at Nova, or simply finishing the Masters and going after a OSCE and AWAE from offensive Security.

I'm also on the fence of a Dual MBA/MS Fiance or Strategy from Kelly School of Business. Really on the fence with this one because I have a Business Degree and experience running a $50M P&L and I run the partner/integration program for a $800M business right now.

My end game is to be a CTO or to own my own company not sure which...

philz1982

INFA 713 Managing Security Risks

Overview: This course provides you a very managerial focused education around creating security programs from the ground up. The professor owns his own security consulting business that is focused on providing cyber security services to small banks and credit unions. Because of this the course has a specific focus on the financial sector. In this course you will learn how to create a security program and the associated Policies, Procedures, Standards, and Guidelines. The course consists of 5 (10-12pg heavily referenced papers), multiple discussion board posts on relevant IA news, 2 exams, and a final project that is a full Risk Assessment on an organization. I chose to follow the FIPS/NIST standard to analyze a healthcare web application for my project.

Books

Assessing and Managing Security Risk in IT Systems, John McCumber, Auerbach Publications, 2007, 2^nd edition.ISBN-10: 0849322324, ISBN-13: 978-0849322327.
Information Security Policies, Procedures, and Standards, Thomas R. Peltier, Auerbach Publications, 2002. ISBN 0-8493-1137-3.

The course consists of 6 sections:

1. Overview of Information Assurance- This section covers the history of IA and how IA came to be. Very short 1 week section.
2. Security Strategy- This section discusses creating a ISP and ISMS and the frameworks to do so ISO 27000, COBIT, NIST. There is a heavy amount of PCI, SoX, and HItech.
3. ISO 27000- This is a whole section on ISO 27000 and how it applies to the enterprise. A lot of deep dive into 27001 and 27002 as well as diving into NIST 800 SP and IAM.
4. Policy- Ton's of studying around Policy writing. Prepare to write policy's.
5. SETA- Security Education, Training, and Awareness. How to create a SETA Program from scratch.
6. Procedures- Just like the policy section, study procedures and write procedures.

Strengths

If you didn't know your standards or have never created a security program. You will be well prepared after this program. I seriously was having dreams about security policy and NIST SP 800 no $hi7! Crazy! I have a new found respect for security assessments. The course is very Socratic in the questioning method of the lectures.

Weaknesses

If you don't like or aren't good at papers you will struggle. I wish the professor went deeper on NIST SP 800, but my Risk Assessment project helped fill in the gaps. This class could be split into two classes one focused on strategy and the other on policy. However, you need to understand the policy to understand the strategy and vise-versa.

Side Note

Nothing much to say other then I am doing the Professors Audit class in 2016 spring and you get to take the CISA at the end of that class.

Ask me any questions you have!

-Phil

ajs1976

Thanks for the detailed review of the class.

Why did you choose NIST over the other Risk Management Frameworks?

Did already covering the material for the CISSP help with the class?

I plan to read the books before taking the class. Is there anything else that would help?

philz1982

The company was trying to get DoD certified so i followed the FIPS 199/200 for medium systems. The CISSP really covers different stuff and at a much higher level. This course was at the 1000 ft level whereas CISSP was at the 50k foot level in my opinion.

the_Grinch

Thanks for the update! Question, from you postings it doesn't appear that these is a lot of group work, is that the case?

philz1982

Not on the msia the msis however is a group project funfest.

ajs1976

In terms of overall time commitment and effort, how did INFA 713 Managing Security Risks compare to the other MSIA courses you have completed?

philz1982

Well I am abnormally good at writing papers so each paper took me 3 hours. The two exams where essay exams and took 8 hours each. There were two 1.5 hour videos each week and if you don't watch these you won't be able to pass the exams.

The final project is the variable. My risk assessment took me about (2) 8 hour days.

philz1982

INFA 734 Web Software Security

Overview:

This course covers Security Testing for Web Applications. The course is 16 weeks long and consists of bi-weekly labs, lecture videos, and a fair amount of reading. The format is that you read a chapter from the Web Applications Hackers Handbook V2, watch the corresponding video, and then go to the lab which consists of a series of 8-24 "exercises" in which you practice the skills you just studied. The exercises get progressively hard, and there are bonus exercises for each lab.

The texts for this class were:

• Web Application Hackers Handbook v.2
• The Basics of Web Hacking

There is not a ton to say about this class. The labs in the beginning focus on using scripts to do reconnaissance against a site. I chose to use python some of my classmates used JS, Ruby, and C.

You then stay with BurpSuite for a good 10 weeks. During this time you learn to trap POST/GET, use Burp Repeater, Comparer, Sequencer, ect. By the time you leave the 10 weeks you will know Burp fairly well. Then you finish the class with SQLi and Xss. For these you use SQLMap and regular SQL Expressions. For the XSS, you can use whatever you want, I chose JS. You need to have an understanding of HTML tags in order to exploit some of the XSS.

Strengths:

It was a very hands on course, it moved me through the WAHH book rather well, and I learned some good ways to use BurpSuite. Additionally, it further solidified my comfort with HTTP/HTTPS and HTML.

Weaknesses:

I wish it had been less lab, and more so a series of web applications that you had to exploit, kind of like how the OSCP labs are ran. However, I can see how having web applications would have been challenging due to the variable nature, whereas the labs are more prescriptive. I would have liked to spend more time on custom attacks but that is what the Advanced course is for. Also, I would have liked to have had a semester project where we have to exploit a Web Application VM.

Side Notes:

None