IT course teaches students to think like hackers and disclose flaws ethically

Jul 1, 2014 20:05 GMT  ·  By

Carnegie Mellon University in Pittsburgh has added an IT security course to its curriculum that trains students to think like attackers in order to defend the systems of businesses and universities against them.

The approach behind the program is called “offensive computer security”: rather than waiting for an attack, students learn to find and fix vulnerabilities in systems before malicious actors can exploit them.

The decision follows a string of data breaches at multiple colleges, in which personal information was at least exposed to unauthorized persons, if not stolen outright and used for fraud.

In most of those cases, the response from officials was to upgrade the security infrastructure to newer standards. That may stop automated scanning tools or close off poorly secured locations holding sensitive data, but it does not by itself ensure resilience against more targeted, complex forms of attack.

In a recent incident, officials at Butler University were notified that a suspect already in police custody had a flash drive containing information about the institution’s employees.

It turned out that the university had suffered a security incident that exposed the personal details of about 163,000 employees, students, applicants and alumni, some of whom had graduated as far back as 1983.

Training students to stop this sort of activity is not easy, because the threat landscape evolves continuously and rapidly, and attackers adapt to each new defensive measure.

David Brumley, assistant professor at Carnegie Mellon University, told PBS that “you have to be able to anticipate how attackers are going to come after you.” A purely defensive mindset leaves the attackers one step ahead at all times.

An offensive strategy changes the game and strengthens security: defenders discover and close the weaknesses first, so intruders have to keep up with the new measures and it becomes harder for them to find a way in.

One of the requirements for students attending the new course is to find a zero-day vulnerability, determine whether it can be exploited, and then report it in an ethical manner, which in practice means disclosing it to the affected vendor or owner so it can be fixed rather than publishing or selling it. This is exactly how white-hat researchers in the security industry operate.

Government agencies also appear to have recognized the value of teaching these skills: the National Security Agency (NSA) has contacted the Carnegie Mellon team for help in designing curricula for high school students interested in defending against hackers.