Why Cybersecurity
From a data security perspective, studying Information Security offers essential knowledge in network security beyond programming skills. In this era of data proliferation, safeguarding data privacy and communication confidentiality has become increasingly crucial. As vulnerabilities in existing network protocols and service frameworks are continuously exposed, the importance of protecting data and communication privacy has grown significantly. Profound expertise in Information Security ensures the integrity of user privacy and the uninterrupted operation of businesses.
1 Personal experience
I studied in the Information Security program at Harbin Engineering University. Our School of Computer Science and Technology offers three majors: Computer Science, Software Engineering, and Information Security. Among these, both the Information Security and Computer Science majors share a similar curriculum, including courses such as Data Structures, Discrete Mathematics, Computer Networks, Computer Organization Principles, and Database Principles, which form the foundation of computer studies. However, the Information Security curriculum is more extensive, encompassing additional knowledge related to information security within the realm of computer science.
In addition to the fundamental principles of computer science and their applications, we also delved deeper into various aspects of computer information security. For instance, we studied cryptography, network and system security, and penetration testing. In the cryptography courses, we focused on cryptographic encoding and analysis, covering classical substitution and transposition ciphers, modern block ciphers, stream ciphers, public-key cryptography, key distribution algorithms, and their characteristic analyses. In the network and system security courses, we learned about the security of the TCP/IP protocol suite, digital certificates and Public Key Infrastructure (PKI), network encryption and key management, principles and design of firewalls, intrusion detection systems, VPN technology, identity authentication, and more. In the penetration testing course, we studied the methodologies of penetration testing and the principles behind common vulnerabilities found in web applications, akin to the knowledge required for solving web-related challenges in Capture The Flag (CTF) competitions.
Throughout our studies, the university encouraged us to engage in research pertaining to security knowledge. For instance, during the sophomore year’s computer network course, I conducted research on the historical development and evolution of VPN technology. In discussions related to network and system security, I explored side-channel attacks and presented my findings, proposing a cost-effective identity authentication scheme for secure big data transmission during the research process. Whether pursuing an in-depth exploration of computer security or engaging in development-related work, graduates of the Information Security program possess a superior awareness of security and the ability to implement security measures effectively.
I believe that, when compared to the Computer Science major, the Information Security major doesn’t significantly differ in terms of grasping the fundamental aspects of computer technology. Both majors share identical foundational courses in computer technology, and we can similarly choose hardware-focused courses such as Microcomputer System Interfaces. From the perspective of web development, the Information Security major not only enables us to master frontend and backend development technologies, as found in the Computer Science and Technology major, but also provides a deeper understanding and mastery of security in communication protocols, code robustness, and software development processes.
For instance, studying Information Security has made me particularly attentive to programming security issues when writing interfaces in backend development. I consider potential security risks stemming from HTTP requests, as capable attackers might employ man-in-the-middle attacks to intercept or modify insecure communication protocol request packets at certain node gateways. Attackers might also carefully craft request packet content to probe the workings and structure of servers through server responses, paving the way for further malicious activities targeting the server itself. Poorly constructed backend routes might expose vulnerabilities like directory traversal attacks, or exploit traditional cookie-based authentication mechanisms to gain unauthorized access or tamper with server resources. Insecure backend frameworks could be susceptible to Server-Side Template Injection (SSTI) attacks, allowing attackers to overwrite source files and achieve full remote control of the server. Careless file upload strategies or input data reception strategies may open avenues for attackers to exploit file upload vulnerabilities or Cross-Site Scripting (XSS) vulnerabilities.
Studying Information Security has made me especially cautious about potential security threats arising from improper strategies during program development. To an experienced peer, discovering and exploiting these vulnerabilities is relatively effortless.
2 Conclusion
Gaining an in-depth understanding of information security is a long process of experience accumulation, requiring a broad accumulation of specialized knowledge. For network security, only by understanding the principles and usage of various service frameworks, the underlying principles of various programming languages, and the mechanisms triggering various security vulnerabilities, can valuable information be obtained in code auditing and vulnerability discovery, preventing security risks in programming.
In general, you won’t feel regret choosing to study cybersecurity. The knowledge gained from studying cybersecurity is worth its tuition. Besides, CTF is really fun!