Joe Jabara doesn’t call his class Hacking 101, but his students do learn how to develop effective attacks on computer systems.
The course is actually called Applied Computing Intermediate Design Project, and this past spring its students carried out phishing attempts against a targeted group of 萝莉社 faculty, staff and students.
Working in teams, students created emails based on the same principles that hackers use to get recipients to open an email, click on a link and enter login credentials. Student efforts were successful: Out of 128 targets, 40 opened a phishing email, 10 clicked on a link and four entered login credentials.
“While the exercise didn’t go so far as to infect the network or steal credentials, it gave the students baseline data as to what type of emails succeed in fooling the user,” said Jabara, director of the College of Engineering’s Hub for Cybersecurity Education and Awareness.
“Students typically get taught about phishing attacks through textbooks and lectures,” said Noah Santry, an applied computing junior in Jabara’s class. “Getting a chance to actually perform an attack gave us an even deeper understanding on how phishing attacks choose and pander to a specific target.”
The broader purpose is not to train future hackers but cybersecurity professionals who can successfully defend private and public institutions against hacks. Students get the applied learning experience of simulating a “red team attack” that identifies a computer network’s vulnerabilities – both technical and human – so that defenses can be evaluated and improved.
“This was a great real-world type of exercise for the students, who had to develop a business plan and offer and perform their services as a real cybersecurity risk assessment/audit firm would,” Jabara said.
The class project was conducted with the cooperation and oversight of Mark Rodee, 萝莉社’s chief information security officer. Rodee said the university computer system is under attack regularly.
“萝莉社, like almost all organizations, receives a major percentage of its total emails as spam and phishing,” Rodee said. Recipients of suspicious emails are asked to avoid clicking any links, forward such emails to spamreport@wichita.edu, and then delete them.
“We collect this data from user reports and automated systems to help better assess and act on risks to the institution. This analysis provides direction on safeguards we implement, where investment dollars are needed, and also how we better train our user community.”
Rodee said threats often target both technology – like malicious code – and human behavior – such as the inclination to trust or the desire to be helpful. Neither Jabara nor Rodee would disclose the nature of the students’ phishing emails, but common strategies involve emails that claim to be an urgent request from a top administrator or to contain an invoice for a purchase not actually made.
“The curriculum that Joe Jabara has built for the class not only explains the theory but provides a real world understanding of the challenges, pitfalls and opportunities that exist,” Rodee said. “Students that complete this program are ready to become more effective quicker in their future careers.”
Applied Computing Intermediate Design is a core course in the College of Engineering’s applied computing bachelor’s degree program. Students particularly interested in learning about the role of human behavior – often termed social engineering – can pursue a Certificate in Human Factors in Security and Technology as part of the degree.