Becoming a Security Guru Without Breaking the Law
Some universities require students to sign a contract stating they will not use anything learned in class for negative or disruptive functions -- but such precautions are not failsafe.
10/04/03 1:31 AM PT
Corporate demand for computer security experts is growing -- and so are the options available to higher-education students and IT professionals who want to increase their expertise without overstepping legal or ethical boundaries.
At present, financial institutions worldwide allot 6 percent of their total IT budgets to security, according to a report released earlier this year by Deloitte Touche Tohmatsu. Also, despite the poor economy, 47 percent of respondents have increased their security staffing levels.
The good news does not end with financial companies. In a separate study in 2002, Meta Group predicted that by the end of this year 55 percent of companies in multiple vertical markets will dedicate 5 percent of their total IT spending to security.
Colleges and universities are well aware that many computer science graduates are eyeing this comparatively stable and lucrative segment of the IT sector.
Northeastern University, for example, offers a Ph.D. in Computer Science with a specialization in the security area, according to Agnes Chan, associate dean of the university's Graduate School of the College of Computer and Information Science.
In addition, Chan told the E-Commerce Times, the college has been designated a Center of Excellence in information assurance education by the National Security Agency, one of only about 50 higher education institutions in the United States to receive this honor.
"We have several courses that any security person should know. For example, computer operating systems, networks, software design -- because one of the vulnerabilities is people write software very sloppily, and hackers can leverage those vulnerabilities," she said.
Rice University in Houston, Texas, also offers a wide range of security-related courses, including cryptography, viruses, spam, intrusion detection, tamper resistance, wireless security, untrusted platforms, smart cards and modern programming.
And the London School of Economics in Great Britain created the Computer Security Research Centre. The Centre "has developed frameworks for understanding security management, which have attracted the attention of specialist conferences and practitioners," according to its Web site.
Moral High Ground
"We do spend quite a bit of time talking about ethics," said Thomas Algoe, an assistant professor at Hilbert College in Hamburg, New York, during an interview with the E-Commerce Times. For example, in an upcoming lecture, Algoe plans to debate the pros and cons of hiring a "reformed hacker" as an IT staff member.
"Ninety percent of the threats to a company's proprietary information are from the people [who work there]," he said. "I teach information security from a social-engineering point of view, rather than [a] technology [one]. I do teach the technology -- I go over networking and the good, inside basics of the Internet. [But] most of the really 'good' hackers were social engineers rather than real technology people."
Likewise, Northeastern University's classes include forensics, policy issues and risk management in addition to technology courses, Chan said.
Crossing the Line?
However, some professional IT educators and members of the computing world raised their eyebrows earlier this year when the University of Calgary began offering a course designed to teach students how to write viruses and worms. The Canadian university claims the course is intended to promote understanding of how such programs work, thereby improving students' odds of defeating and defending against malware.
However, some in the educational community disagree that actually writing malicious code is a prerequisite of successful defense.
"You have to understand the technology. Do we teach a nuclear scientist how to build a nuclear bomb?" Algoe said. "Any good software developer could write a virus. Any good network person knows where the vulnerabilities in the network are."
There is no need to step into legal gray areas, agreed Dan Wallach, an assistant professor in the computer science department at Rice University.
"You learn about security by doing security. That doesn't require doing anything even slightly illegal," he told the E-Commerce Times. "In the past, I've had students, in small groups, design 'secure' systems during phase one of a project. For phase two, we swap things around and have the students find flaws in other groups' code.
"I'm actually doing a somewhat backward version of that this year," he added. "Phase one is to add Trojan horse hacks into a software voting system (allowing you to arbitrarily choose who will be elected), and phase two is to detect the hacks from other groups' implementations. Doing this sort of thing when it's all in class is entirely legal, quite instructive and often entertaining."
Likewise, at Northeastern, students can enter an annual "Capture the Flag" competition. "It's a network intrusion contest," explained Nora Jemison, cooperative education coordinator, in a conversation with the E-Commerce Times. During the contest, students attempt to break into a pre-prepared workstation and, literally, capture a flag icon.
Just as technology continues to change, so too do college and university courses. For example, Northeastern plans next year to launch a master's degree in Information Assurance, according to Chan.
"One of the biggest issues is how to teach students to secure a system without teaching them to be hackers," she said. "That is always an issue, not just facing Northeastern, but facing all professors in this area. At this point, we are still in the process of planning experimental courses -- to see where students have hands-on experience and play with software in both attacking and securing."
The university's computer college plans to begin its first trial in this area in Spring 2004 at the graduate level, according to Chan. "Writing viruses is not something we would like to teach our students," she noted. "We are not teaching them anything more than they can get their hands on."
To maintain security and data integrity, any course in this area will run on a separate network, she added. In addition, security-related classes will have a heavy faculty presence.
In fact, some universities require students to sign a contract stating they will not use anything learned in class for negative or disruptive functions. "That's certainly a venue we can follow, [but] it's a very tricky area," Chan noted. "A student may sign it, but they still may break it. Vigilance from instructors is still needed."
In addition to classroom exercises, plenty of open-source resources are available to students and IT professionals who are interested in security. Web sites operated by such organizations as the Computer Security Institute offer classes, online courses, Webcasts and background information about the topic, said Algoe of Hilbert College.
Many colleges and universities also have co-op or internship programs that give students real-world experience that often can translate into a better first job.
Whether would-be information security personnel graduate from one of the top technology learning institutions or garner on-the-job experience, one thing is certain: The field will not remain stagnant. Attackers' ever-evolving attempts to destroy sensitive, proprietary information will translate into a need for lifelong, continuing education on the part of white-hat data guardians. Students had better be prepared to stay prepared.