“We hack everything.”
These are the words of Brian Paige, associate vice president for information technology at Calvin University.
That’s right—the words of Calvin’s chief information officer.
At 3:30 p.m. on Mondays and Thursdays, he and his students are busy at work.
“This is a hacking class,” said Paige.
Hitting the range
Information Security (CS364) is co-taught by Paige and his colleague Adam Vedra, the university’s chief information security officer.
The two spend a lot of time with their students in the U.S. Cyber Range, a virtual computer security lab built specifically for practicing hacking and counter-hacking techniques in a controlled environment.
“The Cyber Range provides an environment to explore legally and safely some of the tools related to cyber security,” said Enoch Mwesigwa, a senior computer science major. “This helped me to better understand the hacker mindset as well as how to thwart and detect them.”
It’s the reason Vedra and Paige want their students to not only learn the concepts, but practice them in a lab.
“We have the opportunity in the range to setup environments that mimic real-world situations,” said Vedra. “They are walking through the steps an attacker would go through to get information and passwords. It opens their eyes to see in some sense how easy it can be if you are properly trained … and it gives them the skills to know how to defend against those sorts of attacks.”
Making timely and historical connections
The labs mimic real-world situations, but so do the concepts discussed in class.
“Every one of our classes could be ripped from the headlines. We often take the daily headline literally from the Wall Street Journal or New York Times or Wired, whatever about nation state cyber war or hacks of credit card companies,” said Paige. “The reason it is so engaging is because you can find the same topics we are talking about reported in the daily news.”
And while the relevancy of the concepts appeal to students, so too does situating the topics in an historical context.
“One aspect of this course that stood out to me is how the professors talked about cybersecurity being a product of ‘evolution’ not ‘revolution,’… that hacking isn’t a radically new method of compromising a system, rather is an evolution of previous methods of espionage or sabotage,” said Mwesigwa. “It’s fascinating how true that is. Malware is introduced to a system in a similar way the Trojan Horse breached the walls of Troy. Hackers evaluate the vulnerabilities of networks in a similar way scouts would evaluate the vulnerabilities on a castle in medieval times.”
And Paige says it even goes back further than that.
“The bible doesn’t talk a lot about computer security, but the whole idea of wars and seasons of war and Shibboleth and to be able to transfer encoded messages, we also find that biblically,” said Paige. “We surprise our students by going all the way back to there actually.”
“Knowledge of this demystifies some of the jargon and methodology in cyber security,” said Mwesigwa. “This will both help me explain technical aspects of security to someone less technologically inclined (which is a valuable skill in software development) and aid in the way I approach evaluating and securing a system.”
Prepared to lead
It’s an important skill for Enoch to have learned as he is stepping into a software development position at Bloomberg after graduation this May.
“This class has already changed the way I approach software development,” said Mwesigwa. “I’m more conscious of and educated on various industry security standards.”
It’s the reason the chief information officer and the chief information security officer at Calvin are teaching students how to hack.
“We give students a tool kit so they can use different measures or countermeasures. We have a tool that breaks passwords, that can take control of someone’s machine, that can turn on and off a webcam,” said Paige. “Once the students realize how prevalent these tools are, how easy to use, once they are trained on how to do the countermeasures, they are moved from fear to informed suspicion, and they start to think about how do I defend against it.”
In essence, they start to develop a playbook.
“In order for a football team to develop a good defense, they need to understand how the offense is done, all the positions, the players, how it all works,” said Vedra. “So, that’s what we are doing here. We are simply showing students this is how the offense works and asking them: how will you develop a defense?”