Interview with Jacob Carlson, co-author of "Internet Site Security"
by Mirko Zorz - Thursday, 21 November 2002.
I get this question a lot and have never been able to come up with a decent succinct answer (well, except of course for Internet Site Security ;). Knowledge of computer security requires not only a wide breadth of knowledge about many different aspects of computer science, but practical application as well. So it's not as easy as just saying, "read the Cheswick and Bellovin book, the Stevens books and every Phrack ever written and you'll be fine". That's kind of like giving someone the MIT guide to picking locks and then asking him or her to be a thief or a locksmith. So while the books and papers are incredibly valuable, they aren't worth much unless you also experiment. For anyone interested in security I recommend learning to program in at least C and writing little programs to perform security-related tasks. Start off by trying to write a port scanner. Move up to something that imitates netcat. Then start writing OS-specific tools like a passwd utility for Windows. Just silly little things with a security bent. Even though it may seem useless to duplicate the functionality of programs that already exist, you are gaining insight into how stuff works and obtaining ancillary knowledge along the way.

Do you think that cyber terrorism will be a threat as large as the media is making it today?


That's a bit of a loaded question (since 'Cyber Terrorism' is a term that can be applied to a wide range of activities), but I'll bite. The threat to critical infrastructure is certainly a concern, but I think that computer and network security is, if not easier, at least less complicated than traditional national security. With computer security one has absolute control over almost every aspect of an infrastructure.

For instance, think about borders. By necessity all entrances into a network must be built by humans. There cannot be a way into a network without some person somewhere doing something. There is always a finite number of ways into a network. Even if someone builds an entrance into a network without explicit permission or knowledge of the administrator, it's still a rather simple task to find this entrance and close it. Compare this with national borders; there are infinite ways into this country. It's impossible to watch every inch of coastline, check every airplane, x-ray every cargo container, etc. If you want to sneak into this country, you can. So with networks the person responsible for security has a much less daunting task when he or she is trying to keep people out.
