Giving Students Access to Technology Security Professionals
By Keith Allison
While modern information technology changes rapidly, modern information technology security moves at a pace that can seem almost impossible to keep up with. Before a major new piece of software or hardware is even released to the public, hackers around the world are experimenting with how to bypass its security – sometimes for malicious purposes, often times as a means of detecting and patching vulnerabilities before they become an issue. In the classroom, the pace of change is even more acutely felt because curriculums for teaching IT security have to be developed, instructors hired – and by the time all of that’s accomplished, the nature of the game might have changed. Enter into this trying-to-keep-up classroom the Hacker in Residence, who curates some of the classes in the NYU Tandon School of Engineering‘s Offensive Security, Incident Response, and Internet Security Lab (OSIRIS). The Hacker in Residence gives students at the School of Engineering (SoE) access to experts from the computer security profession. Those experts then bring in other experts in the field to teach classes, design challenges, and expose students to the day-to-day reality of what is happening in the IT security field, both from a technological as well as public policy standpoint. This gives students in the program unparalleled direct access to in-the-trenches security professionals.
From 2008-2012, Dan Guido was an adjunct faculty member at NYU Tandon. In 2012, he became its founding Hacker in Residence. A former SoE student himself, and co-founder with Alexander Sotirov of a computer security firm called Trail of Bits, Dan saw that students needed access to professionals on the ground, and that being in New York afforded a unique opportunity to provide that. The community of information security experts is small, and most of those experts are centered in Washington, DC, with smaller enclaves located primarily in New York, Boston, and San Francisco. “Originally, New York had like eight or ten security experts,” says Guido, and everyone knew (and still knows) everyone else. This small group has since grown substantially, but it still only numbers around a hundred or so by Guido’s estimates. These experts would periodically come together and pass the time by doing things like figuring out how to forge EV certificates – one of the most crucial ways of authenticating a website is what it says it is – thus exposing a major security risk that can be patched. It occurred to Guido that exposure to this circle of minds would greatly benefit students.
The Best Defense…
The “attack’ approach is what came to define the Hacker in Residence curriculum, though not without some controversy. Universities are often hesitant to teach or encourage “offensive” hacking, securing a system or a piece of software by relentlessly probing it for weaknesses. But for Guido, teaching computer security without teaching things like network penetration testing was akin to “teaching someone how to build a bridge but not teaching them what causes bridges to collapse.” Working with Professor Nasir Memon, the founder of the SoE’s OSIRIS Laboratory, and drawing upon his own contacts in the industry, Dan has developed a course that teaches students how to search for and fix security flaws while also providing them “access to someone fully embedded in industry.” These security industry experts develop challenges for the students to tackle and problems for them to solve, all based on real-world, current computer security issues.
Among the things being taught is “fuzzing,” a technique used to discover coding errors and security loopholes in software or networks by inputting massive amounts of random data, or fuzz, to the system in an attempt to make it crash. To teach students about this during a previous semester, Guido called on his friend and colleague Mike Zusman, a security consultant and “white hat” hacker then at New York-based Intrepidus Group and now at Carve Systems (white hat hackers use their expertise to expose flaws so that companies can fix them; as opposed to black hat hackers, who discover flaws and exploit them). Among other things he has accomplished, Zusman made news in 2009 when he exposed significant security flaws in the Secure Socket Layer (SSL) protocol meant to keep things like bank websites trusted and secure.
CSAW and Public Policy
One of the highest profile undertakings by students in the program is participation in Cyber Security Awareness Week (CSAW), which Guido organized from 2005-2008 and now serves in the role of advisor, insuring the event has the resources it needs. It’s the largest student-run cyber security event in the nation and which brings hundreds of students to NYU Tandon’s Brooklyn campus to test their skills in hacking, security flaw detection, and security protection. As of the 2014 competition, CSAW introduced a new aspect to its many competitions: public policy, which Guido regards as one of the most important new aspects of a computer security education and one of the least served. The world has a network infrastructure now, and that infrastructure makes a prime target. Protecting that network means relying on military and governmental bodies to make decisions, and the officials who make up these bodies rely on industry experts who advise them. It’s not enough to come up with a brilliant idea; you have to be able to sell that idea to the bureaucracy, and that is a skill too few programs teach their students.
This attention to the public policy aspect of computer security is something that is also stressed in the issues brought up in class by the Hacker in Residence. Among the initiatives Guido and his students have been involved with is promoting the idea of a national “bug bounty,” a program that rewards technology security experts for discovering flaws in major governmental and military systems. He was also recently involved in an effort to prevent the US government from regulating certain types of technology security information. As an example, Guido points out a case in which the US Bureau of Industry and Security (BIS), part of the Department of Commerce, wanted to place export controls on certain types of information security products. Guido and other computer security experts argued that the legislation was inadequately written and could make something as simple as a security expert in the United States mentioning a security flaw to a colleague in Canada a criminal offense. As a result of the mobilization of computer security experts, passage of the new rules has been put on hold pending a period of public review and comment. (More information is available at http://www.responsiblecybersecurity.org)
Computer Security and University Networks
Reflecting not just on how to teach IT security at universities, but how to implement it, Guido says that the sheer size and diversity of a typical university computer network is one of the greatest challenges. NYU-NET (NYU’s global computer network), for example, comprises tens of thousands of users and devices. The need to provide an open avenue to the Internet can expose university networks to attack attempts, like the distributed denial of service (DDoS) attack that recently impacted NYU, Rutgers, and several other university networks. The architecture of NYU-NET provides for targeted monitoring of the network, allowing experts in NYU IT’s Technology Security Services and network engineering groups to pinpoint and respond to exploits. Guido also says the move to Google Apps and Gmail as NYU’s Email service greatly diminishes the threat of phishing and spam thanks to meticulously engineered spam filters and other protections.
Another potential avenue for security issues is illegally downloaded software. In order to avoid the price of purchase, some students may seek out software via torrents or illegal download sites. But these clandestine versions of software often come with viruses, trojan horses, or other malicious software hidden inside them, creating a significant potential security vulnerability. For Mac computers, this threat is mitigated somewhat by Gatekeeper, a feature that tracks malware and blocks its installation on a computer. NYU-NET is also protected by NYU IT’s SafetyNet, which can detect and quarantine machines infected with malware, removing them from the network and alerting the owner so that malware can be removed. NYU IT also provides a number of other suggestions for practicing secure computing and helping to protect the global network of which all NYU community members are a part.
Inside and Outside the Classroom
Outside of the Hacker in Residence program, Dan Guido is developing tools for journalists to tell if they’ve been hacked and protect their personal computers and information as they cross borders and become potential targets. Another of Dan Guido’s recent undertakings is hiring new faculty. Although he intends to remain active as Hacker in Residence, and as part of CSAW, Guido is stepping aside as an adjunct faculty member and has been working with Professor Memon to onboard new faculty for the program. Most recently, The CSE Department hired two new professors for the Lab: Damon McCoy, formerly an Assistant Professor in the Computer Science Department at George Mason University, and Brendan Dolan-Gavitt, who holds a Ph.D. in computer science from Georgia Tech and a BA in Math and Computer Science from Wesleyan University.
Guido is proud of what he and the students have accomplished. As a testament to the efficacy of the approach, Dan cites that just about every security firm in New York employs at least one NYU Tandon graduate, and in the downtown office of Trail of Bits, he’s not the only one… the SoE runs a program to teach computer security to high school women—a group that has historically been somewhat shut out of the industry—and one of the participants in that program proved so adept in the field that Trail of Bits hired her as an intern. As a high school student, she is already taking security courses at NYU Tandon.