The More We Understand About How the Bad Guys Operate, The Better off We Will Be…
I recently had the opportunity to visit Singapore and speak at a variety of IT security events, both big and small, on the subject of modern malware and network-based attacks. The subject matter was fairly dense and the audience was primarily made up of researchers, government policy makers and network security specialists. However, one thing that I noticed was that all of these events included significant numbers of high-school and college students in the audience. This struck me as a particularly smart strategy, even if some of the details went beyond their level of education.
Singapore has recognized that cyber-security skills in particular will be highly strategic for the foreseeable future, and they are making the effort to teach students about the very real-world challenges in the security landscape. This goes beyond simply teaching students how to be safe online; it is also preparing a new generation of cyber-security specialists that will be on the front lines fighting future information attacks. I think this is a good start that could even be extended. I believe teaching offensive approaches to security (a.k.a. hacking) is going to become increasingly important for all levels of IT security students and professionals in order to be prepared for modern attacks.
Of course the idea of teaching someone how to hack almost always generates a negative visceral reaction, because the assumption is that you intend to teach someone how to become a criminal. I’m certainly NOT arguing that we raise a generation of cyber-criminals.
However, an understanding of hacking no more makes a criminal than an understanding of karate makes someone use the discipline maliciously. Either skill has the potential to be misused for bad things, but likewise, each skill can also make the student better prepared if and when bad things happen. IT security threats certainly aren’t going away. However, even more important than simply being prepared for the bad guys, a hacking methodology is simply one of the best ways to learn about technology. Great scientists, inventors and thinkers have always been tinkerers – the people who, if given a radio, are apt to take it apart to find out how it works. This is what a great deal of hacking boils down to – learning how a thing actually works based on how it breaks, and how it can be repurposed. In this sense, hacking is simply applied critical thinking about technology and security. Unfortunately, the overwhelming trend is toward less understanding and critical thinking about technology, even while the use of and dependence on that technology is increasing.
The past two decades have seen the rise of “consumerization” where technology has evolved to suit the needs of a non-technical consumer and obscure the underlying nature of how it works. The end-user is presumed to be dumb and any technical details should be hidden whenever possible. All that an end-user needs is a basic understanding of what features are available and how to drive the user interface, and in many cases this qualifies as being technical.
A hacker’s mentality is needed in order to provide good security. When the next great product, app or widget pops up that purports to solve a problem and of course claims to be “safe”, a healthy portion of society needs to be able to ask the critical questions about that product. How could it break? How is the data stored? What technologies and protocols does it use? How does it depend on the browser? What information does it need to share? And how could that ultimately be used against me? Without such skills and experience it’s hard for security teams, much less a consumer, to be anything more than a foil for marketing departments… and one more sitting duck for the bad guys to hit.
Along those lines, I’m pleased to see that DEFCON Kids is scheduled to be back again at this year’s upcoming DEFCON event. DEFCON Kids is all about teaching kids about the importance of white-hat hacking – why you need to look for and disclose vulnerabilities, and what you can learn about technology in the process. While this is a good start, it’s also probably pretty limited in scope (it is, after all, a kids event scheduled in Las Vegas in the midst of a very non-kids event). However, I think a broad application of this type of education is increasingly important, and one that can be started early. The more that we understand about how the bad guys operate, the better off we will be.