Studying the art of white hat hacking
HUNTINGTON, W.Va. -- It took a bit of convincing with the powers-that-be.
They wanted to train students to think and act like hackers to better understand their methods, said Marshall University assistant professor Bill Gardner.
"The administration had to be talked into it in some aspect. We had to explain we weren't trying to make better criminals, we're trying to make better defenders. So, once we explained it to them they understood," he said.
The end result is a new degree launched last spring in digital forensics and information assurance.
Digital forensics is what happens when someone has broken into a computer and you have to figure out how they got in, where they are and what they took, all of which can help make a legal case.
Information assurance -- the hacker side of things, you might say -- "is more of a proactive role to find the vulnerabilities and fix them before they actually get in," Gardner said.
"I always say that I'm the fire marshal and they're the fire department. Digital forensics is more of a reactive security measure, where after someone has broken in you figure out what was taken, what was the value of what was taken, how it was taken. Information assurance is looking at the flaws in an application or network that can be fixed before someone breaks in."
So, in order to do that students are taught some popular hacking "exploits."
"We teach how you clone a website so you can put up a website that looks just like Bank of America.com or whatever website you want to clone and then put exploits on it that then direct people to that website through spearfishing."
Spearfishing refers to any of a number of means of requesting confidential information over the Internet to fraudulently obtain credit card numbers, passwords, or other personal data.
"Actually, we're showing the exploits that hackers use so that they know what they look for when they're defending against those exploits," Gardner said. "Information assurance is very much like information security -- cyber defense, whatever you want to call it. We're basically teaching students how hackers break in so they can better defend digital assets."
The program also teaches a career path known as penetration testing, he said. "People get paid very good money to fly around the United States and the world and break into people's networks with permission. And that's one of the career opportunities that we have."
Aaron Logan has exactly that career in his sights.
"My career goal is to be a penetration tester. A penetration tester is actually attacking a service and trying to find a vulnerability within that service. It's basically what security professionals do to strengthen their systems, their firewalls. They're finding flaws that they are unaware about.
"So they hire penetration testers to find these flaws for them by attacking them anyway they can. They'll use multiple attack vectors, different exploits to break into the system and they make the security professionals aware of the flaws and vulnerabilities within their systems."
Logan has long had a fascination with hacking. Did he do some on his own? "Yep," he answers. Was he good at it, "Uh, yes."
"I just like hacking things. I want to be able to do it legally."
In other words, he wants to wear the white hat of hacking.
"A black hat hacker is a criminal," Gardner said. "They're somebody who is stealing your information or breaking into websites and making off with money. A white hat hacker is someone who tries to figure out those attack vectors before the black hat hackers get there so they can be fixed.
"This includes things like looking for vulnerabilities in common products that people use and then reporting them to the vendors so they can be patched. We call it disclosure and we disclose these things. Sometimes we publish them to push the vendor to patch them. Some people call it ethical hacking is another name for it.
"That's what we do. We're the good guys, not the bad guys. I always say I'm a hacker but I'm the good kind, not the bad kind."
Gardner is also adviser to Marshall's new 10-member Cyber Defense Team, a student group that will compete against other colleges in the nation as part of the Mid-Atlantic section of the Collegiate Cyber Defense Competition.
"It's kind of a difficult competition. You're given a network to defend and you have to keep the services on that network up and running," Gardner said. "The attackers are world-class -- they basically bring in people who are paid to assess networks around the world. So in many ways it's like pitting a high school football team against a professional football team. The whole idea is not just to win but to learn a lot."
Whichever way the learning comes, the need for white hat hackers is high.
"There is a great demand," Gardner said. "At this point in information security we have basically a zero percent unemployment rate. Three-letter agencies and private industry both are begging us for students who have certain skill sets. Digital forensics and information assurance teaches those skill sets."
Reach Douglas Imbrogno at firstname.lastname@example.org or 304-348-3017.