'' ' SECURITY CYBER STUDENTS ' ''
THINKING Like Criminals: It's not a coincidence that someone good at cybercrime would also be good at cybersecurity.
After all, many cybersecurity jobs involve trying to think like a criminal to test the security of a software program, computer network or hardware device.
Many students go on to work for red-teaming or penetration testing firms, where they try to probe and attack computer systems from the outside to identify potential vulnerabilities.
Some of these skills can be taught in the classroom through checklists of where to look for possible weaknesses and tools that can be used to help conduct those assessments.
But the most effective teams, like the most effective attackers, find vulnerabilities that no one has ever thought of before - much less included on a course syllabus.
The security technologist Bruce Schneier wrote an essay a decade ago about what he called ''the security mind-set,'' or the ability to instinctively identify ways of subverting or compromising systems by using them in unexpected ways.
''It's far easier to teach someone domain expertise - cryptography or software security or safe-cracking or document forgery - than it is to teach someone a security mindset,'' he wrote.
Almost by definition, college classroom settings and the students who thrive in them are not a natural fit for the kinds of disruptive, rebellious and troublemaking instincts that lend themselves to finding new ways to compromise computers.
It can be hard to reward those skills - much less teach them - in a college course where there are supposed to be clear expectations and learning objectives, well-defined grading rubrics and set schedules.
There are efforts to try to introduce these skills to the classroom, but they are few and far between.
For example, the security researchers Gregory Conti and James Caroland published an article on what they called ''Kobayashi Maru'' assignments, named for a ''Star Trek'' training exercise, designed to force students to figure out creative ways to cheat.
The example they used in their own class was an exam in which students were required to write down the first 100 digits of pi with very little notice.
The students were expected [and encouraged] to cheat on the test but told that if they were caught, they would fail the exam.
Of the 20 students in the class where this exercise was tested, all succeeded in cheating without being caught, much to their professors' delight.
There is plenty of useful and important material being taught in cybersecurity classes besides how to cheat, from programming and networks to cryptography, and my own area of economics and policy.
But the students who graduate from our degree program in security often report that they got more out of their extracurricular security clubs and competitions than their coursework.
This may not necessarily be bad, or even unique in cybersecurity [don't get me started on the topic of how much I learned writing for my college newspaper], but it does suggest that as we race forward trying to train a million more people in cybersecurity to fill all the looming vacant jobs, there may be real gaps in the skills we know how to teach.
We should think carefully about the skills we need, about the rules and principles that we know how to teach and also about how to encourage students to break those rules and find ways around those principles.
With respectful dedication to the Students, Professors and Teachers of the world.
See Ya all prepare for Great Global Elections and ''register'' on : wssciw.blogspot.com - The World Students Society for every subject in the world and Twitter - E-!WOW! - the Ecosystem 2011:
''' Cyber Meme '''
Good Night and God Bless
SAM Daily Times - the Voice of the Voiceless