As I had mentioned previously, this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid wanted to learn Python, I developed an Intro to Python aimed at high school students that I’m teaching weekly. I thought that this would be good fodder for the State of Security. So, whenever I have something interesting to discuss, expect to find it here. This week, I thought that it would be fun to discuss tools of the trade and picking the right tool for the job. Almost everything I’ve done over the years has involved working with tools. Although the tools and jobs have changed, I’m not sure that my approach to selecting the tool has.
Backstory
Before I could drive, I was working in the sheet metal shop with my dad. I had working knowledge of the brake, Pittsburgh machine, and rolls before I knew how to make a bowl of soup (I’m sure my parents would love to tell you about the time I burned tomato soup). I think the most important lesson I learned was working with tin snips (aviation or compound snips). Think of these as heavy duty sheet metal scissors with handles in green, red, and yellow. I’ve seen people fight with these because some people just don’t realize that green snips cut to the right, red snips cut to the left, and yellow snips cut straight. Depending on how you are cutting your metal, you want to pick the correct pair of snips. Later in life as I worked at call centers (headsets and phones), fast food chains (a safe method of getting bagged meat out of boiling water), and building roof trusses (never underestimate the power of a working strapping tools), I continued to see how valuable the proper tool for the job was. When I worked doing sound and lighting for a theatre, we had one safety harness in the catwalks for the front of house lights that was shared across all employees, but sized for our boss and no one else. I think I know now why they only hired students. When I was removing ground beef from boiling water at a Taco Bell, I was told to use my bare hands because they didn’t have tongs and the single silicone glove didn’t fit my hand. Jobs like these show how important the proper tools can be in life. These days, working at a computer, my tools have changed, but they are just as important. I may not have a tin banger’s hammer or a roll of strapping, but tools like Wireshark, Nmap, and more make life easier.
Teaching Tools
As I developed this course, I struggled with which tools to teach. While the concepts may be similar across multiple tools, they all have their strengths and weaknesses. This week, we started to discuss reverse engineering and there are tools that I’ve used in the past and tools that I’ve only started to explore. While the techniques may be the same, the tool you select definitely plays a role. Should the students have to pay for the tool? Will the school purchase the tool? Is the tool so old that they’ll never realistically use it? At the end of the day, while I’ve previously taught the basics using Immunity Debugger and I’m most familiar with IDA Pro, I decide that Ghidra was the right choice. It’s a free, modern tool with plenty of capabilities. In this case, the choice of tool I selected wasn’t really difficult because it gave me most of what I wanted without having to use multiple tools and without costing my students a lot of money. However, we all make these choices each day and I wonder if the lesson I taught included enough information to help my students select the right tool in the future. If we had unlimited time together, I could cover everything but our time is limited and our conversations are impacted by distance learning forced on us by COVID-19. I don’t want to spend 10-15 hours walking through how I selected the tool we’re using, what pros and cons I weighed, and why I got to this specific outcome. I’m sure they don’t want to spend 10-15 hours listening to that lecture series. What it comes down to is that I need to hope I’ve conveyed the value of the tool I selected and the other options available to them to explore.
Picking Your Tools
I spent my days thinking about the Vulnerability Management and Security Configuration Management worlds and I don’t think I’ve ever considered that the pains I had while decided which tools to teach my students are some of the same pains our customer’s experience when they select their tools. Cost, Value, Features, Support, and so on and so forth. The list of considerations can grow relatively long. As you become more experienced in a field it becomes much easier to pick the right tools for the right reasons, but when you’re learning a new field, you need to rely on others. That could be sales people who just want their commission, it could be a vendor wanting their logo in more places, or it could be a professor, hoping they made the right choice. I hope my students realize as they graduate in a couple of months that they’re going to make the wrong choices sometimes… there will be a time when they will pick the wrong tool for the job. I also hope they realize that picking the wrong tool isn’t necessarily a failure, but an opportunity for learning. I wouldn’t want to hammer a nail into a wall with a wrench, but a tin banger’s hammer will work nearly as well as a carpenter’s hammer. The real importance is that you identify the underlying functionality that you need and doing that requires a knowledge of what you are doing. That’s what I’m hoping to impart on my students, enough knowledge that when they have to pick the tools of their trade, they know what those tools are. If they pick the best or worst tool, there’s nothing I can do about that, but if they pick the wrong tool, then I’ve probably failed at my job.
Final Advice
Just as I tend to plea with our industry in my other posts, I’m going to do the same today. Don’t worry if a new hire doesn’t pick the best tool, worry if they pick the wrong tool. If they do, explain to them what they’re doing wrong, but give them that opportunity to learn. My students were given the option of picking their own final project topics and a list of presentation formats. I feel that some formats were better than others and that some topics will make for better learning and possible future interview discussion points, but that was their decision to make. All I can do is evaluate them on the choices they made and the implementation of those choices. For students out there, make sure you know the work you are doing and understand it before you pick a tool. Wireshark won’t help if you need to run a port scan and Nmap won’t help if you need to perform a packet capture. In reality, it all goes back to those tin snips I picked up when I was 10 years old. They all cut metal, I just had to fight my tool in some cases to accomplish my task… at least it wasn’t a pocket knife, that could have taken a while.
More Reading
Helping Inspire the Next Generation of Cybersecurity Professionals Back to School - Lessons From Teaching Cybersecurity: Week 1 Developing Confidence - Lessons From Teaching Cybersecurity: Week 2 Asking Questions - Lessons From Teaching Cybersecurity: Week 3 Problem Solving – Lessons From Teaching Cybersecurity: Week 4 Obfuscation - Lessons from Teaching Cybersecurity: Week 5
