When you are the Boeing Co., making airplanes on which millions of people’s lives depend, you sure don’t want a bunch of college students to hack into your computer systems.
So what do you do?
You hire a bunch of college students to hack into your computer systems.
That’s how a team of Cal State Fullerton computer science students ended up being handed a hefty manual of the aerospace giant’s security standards a few months ago.
Boeing reached out to CSUF’s Center for Cybersecurity for help developing new ways to gauge how effective its security standards are at keeping malicious hackers from modifying critical software, stealing secrets or disrupting the company’s operations.
The project is right up the alley of a department that boasts an Offensive Security Society, a professional student group set up in 2014 for those interested in pursuing careers in the field of cybersecurity. Offensive security is a new philosophy in security, augmenting the old model of stopping incoming attacks by putting up a shield.
“We still do that,” said Mikhail Gofman, associate professor of computer science, who oversees the Boeing project. “But offensive security says learn the tools and techniques that the attackers use – become a good attacker yourself – then go ahead and attack yourself. Because if you can break into your own house, then so can the bad guys. Stop the cyberattacks where they begin, which is the attacker’s mind.”
Officially it’s called penetration testing, but most people, even the students, call it hacking. Unlike what’s called “black-hat” hacking, such “white-hat” hacking has good intentions, with the testers seeking authorization and complying with rules of engagement.
The project is an example of how cybersecurity has grown to become a significant aspect of computer science instruction – to the point that it is being added to department courses that didn’t use to include security. (see accompanying story)
For example, Gofman said, a lot of companies and colleges, including Cal State Fullerton, have security policies that say passwords must be changed every few months. “But the question is, are people actually doing it? Is this control actually working?” (Likely not, all agreed.)
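The password-rotation policy Gofman describes is the kind of control whose effectiveness can be measured rather than assumed. The following is an added example, not code from the article or from Boeing or CSUF: it takes a list of accounts with the date of each last password change (constructed sample data), applies a hypothetical 90-day rotation policy, and returns the compliance rate together with the accounts that violate it. On a real system the account records would come from the directory or identity provider; here they are embedded inline so the check runs offline.

```python
"""Added example (not from the article): measuring whether a password-rotation
control is actually enforced, rather than merely written into policy."""
from datetime import date

# Hypothetical policy (assumption): passwords must be changed every 90 days.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample records: (account name, date of last password change).
SAMPLE_ACCOUNTS = [
    ("alice", date(2017, 5, 20)),
    ("bob", date(2016, 11, 2)),
    ("carol", date(2017, 3, 1)),
    ("svc-backup", date(2015, 1, 15)),   # service accounts are often forgotten
]

# Constructed "today" so the result is reproducible.
AUDIT_DATE = date(2017, 6, 15)


def password_age_days(last_change, today):
    """Whole days elapsed since the password was last changed."""
    return (today - last_change).days


def audit_rotation(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Measure the control: return (compliance_rate, violations).

    compliance_rate is the fraction of accounts whose password age is within
    policy; violations lists (account, age_in_days) for the rest, oldest first,
    so the report leads with the accounts that most need attention.
    """
    violations = []
    for name, last_change in accounts:
        age = password_age_days(last_change, today)
        if age > max_age_days:
            violations.append((name, age))
    violations.sort(key=lambda item: item[1], reverse=True)
    compliant = len(accounts) - len(violations)
    rate = compliant / len(accounts) if accounts else 1.0
    return rate, violations


def report(accounts=SAMPLE_ACCOUNTS, today=AUDIT_DATE):
    """Human-readable summary of the audit for the constructed sample."""
    rate, violations = audit_rotation(accounts, today)
    lines = [f"Rotation compliance: {rate:.0%} of {len(accounts)} accounts"]
    for name, age in violations:
        lines.append(f"  {name}: last changed {age} days ago (limit {MAX_PASSWORD_AGE_DAYS})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The useful output is the rate tracked over time and the list of exceptions: a policy that reads “every few months” but yields 25 percent compliance is the “is this control actually working?” question answered with a number, and the sorted violation list shows where enforcement is failing (in the sample, a long-lived service account).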
The manual Boeing handed over to the team had many such standards that its IT folks thought were good ones. But they needed to know whether those controls are effective and how to measure them to find out whether they are doing their job.
Shawn Wang, the team’s second faculty adviser, went through the manual chapter by chapter.
“I’ve never had a chance to look at this kind of document,” Wang said. “This is a rare, rare opportunity for anyone.”
When Gofman approached his students about the Boeing project, they jumped at the opportunity. Security classes are in high demand at the university due to the expertise of professors such as Gofman and Wang, so an out-of-class project was appealing.
“We just couldn’t say no,” said Karthik Karunanithi, a graduate student. “We were just looking for a security course, and now we are getting industry experience – with a big company. So that was a double scoop of ice cream.”
The team conducted research on what other companies are doing in this field, what kind of measurements they do and what kind of practices they follow so it could give Boeing a solid measurement that has a lower error rate, is cost-effective, works in extreme situations and can satisfy the company’s needs, Karunanithi said. The measurements had to be generic enough to extend to a variety of systems – some legacy and some cutting-edge.
“When you have such a mix of systems, you don’t get one of the IT luxuries of uniformity – a Windows shop, a Mac shop,” Gofman said. “Boeing is like a thousands-of-things shop.”
Just figuring out how to do the project was a learning experience for the team. For example, documents couldn’t be uploaded to Dropbox or the cloud, so the team developed a local server to host the documents securely, said Mandy He, a graduate student who served as team coordinator.
“This kind of an industry exposure was a high-impact learning practice for us for our cybersecurity curriculum and for students to get industry exposure, especially working on real-time security projects,” He said. “We get a taste of what security is about in companies that manufacture real lines and what kind of thought processes they do and what strategies they use behind their security technology.”
One important takeaway for the students was realizing that security is not an IT problem, it’s an organizational problem, Gofman said.
“It’s not just configuring the right firewall or setting the passwords,” he said. “You’ve got to think about it from the organizational level. Security has to be part of the day-to-day operations.”
The project opened He’s eyes to how security must be incorporated into every aspect of developing a product or designing software. She had previously focused on the internet of things – interconnected everyday devices such as home appliances – and artificial intelligence.
“I thought security isn’t my area,” she said about Gofman’s presentation of the project, but realized “Boeing is nice on my resume.”
But as the team reviewed every aspect of Boeing’s information systems, He had a change of heart.
“When you design software, it touches every perspective, from user management, how to control your access, how to control your database, how to control the export software, how to protect the network,” He said. “So I feel like, my God, I’m so glad we’re in this project. If I want to work for AI (artificial intelligence) or in internet of things, I will manage a lot of connected things. … So there are many loopholes, very possibly, that can be hacked.”
For example, she said, a sensor in an electronic device – whether at home or in the skies – that sends information to a database might be replaced. “How do you know it’s the right sensor? You have to control that.”
And when the data is analyzed, she added, you have to make sure the data are safe.
“When our consumer is consuming the data in a mobile application or at home, either with Amazon Alexa or your refrigerator in the future – those kind of things can be hacked as well.”
Now He is taking two classes in cybersecurity. She has learned that cybersecurity resources are scarce in today’s world and that if you manage a product, you need to know security.
“It will benefit me,” she said.
Cal State Fullerton and the College of Engineering and Computer Science also benefit from collaborations like the Boeing IT security review. The college works with corporate partners like Boeing to provide project-based experiences for students and build a qualified workforce, said Michael Karg, senior director of development for the college.
Boeing benefits from the students’ growing awareness of cybersecurity, said Sharon Lucas, program manager for the company’s Strategic Work Placement.
“Partnering with universities and higher education institutions around the world such as CSUF, our priority is to fuel Boeing’s second century of talent and innovation by fostering world-class university relationships and delivering benchmark entry-level career programs that align with our enterprise-wide business goals,” Lucas said.
The CSUF students have completed their work, roughly doubling the company’s security standards, and are finalizing their report to Boeing.
Hacking a fake company as a practice run
One reason Cal State Fullerton’s computer science students could jump into a real-world corporate project such as the one with Boeing is that they have been practicing in a make-believe world.
This spring, the school took second place in a competition by Cal Poly Pomona’s Management Information Systems Student Association in which the students pose as hackers to successfully breach a fictitious company’s computer system. Last year, the school took first place.
The “company” that CSUF students hacked this year was a physical therapy firm. Using a virtual program on which they could use real tools, the team ran the company through an external and internal blind penetration test and analyzed its overall network infrastructure, ensuring it was in compliance with the Health Insurance Portability and Accountability Act and e-commerce practices such as properly storing customers’ credit card information and Social Security numbers.
“We were looking for any holes that this fictitious company had in their networks in terms of what we could poke around and find from the outside,” said Joshua Christ, one of the students on the team and a member of the Offensive Security Society.
After the testing, the team had to write a report and present it as though they were talking to the company’s board of directors. Such so-called soft skills are an overlooked but vital part of the process, said team mentor Mikhail Gofman, associate professor of computer science.
“It definitely helps to be able to explain those technical terms in a meeting where people who don’t have that expertise or familiarity with those terms can understand it,” said Christ, who landed a summer internship with government contractor Mitre Corp. The judges gave the team a list of things they did well on and things they missed.
And how did a team with little security experience do so well competing against such schools as Cal State San Bernardino, Cal State Northridge and Cal Poly Pomona?
“We actually didn’t know what we were supposed to do,” said team member Sae Hun Kim. The members benefited from the tutelage of their mentors, including CSUF alum Laura Chiu, who competed in 2015 on her own and took second place. She now works with Bechtel Corp.
But what clinched the successful outcome, Gofman said, was determination. Team members were posting messages to one another (such as “Why isn’t that working?”) into the wee hours of the morning on their Slack team communications tool, he said.
“The thing I’m hoping for as an adviser,” Gofman said, “is that people who are really passionate about it have a place like a sandbox where they can take their skills for a joyride without the consequences.”
Center touts the invisible benefits of cybersecurity
It’s a paradox of security: If you succeed in preventing attacks, there’s little or nothing to show for it. So why should businesses put money toward something when the result appears to be … nothing?
That is something those in cybersecurity must struggle with as they attempt to convince companies with limited budgets and other management priorities of the importance of protecting their computer systems.
“Security is a kind of investment that is difficult to explain,” said Shawn Wang, Cal State Fullerton computer science professor. “Why do we need to spend so much money? If nothing happens, it looks like the money didn’t go anywhere. The money you spent is why nothing happened. You don’t spend the money, something will happen. And there is going to be a big problem.”
But in the past year, hackers have gotten more and more skillful, Wang said. Hacking software can be downloaded, some for free, by junior high kids around the world. Incidents such as last month’s WannaCry ransomware cyberattack have prompted more companies to look for employees who can protect their computer systems.
That rising demand makes Cal State Fullerton’s Center for Cybersecurity all the more valuable, Wang said, and its curriculum is evolving quickly to meet the market’s needs.
When associate professor Mikhail Gofman arrived at CSUF in 2012, the computer science department had one security course, and an outdated one at that. Now there are four, expected to grow to seven.
The department is also adding cybersecurity instruction into non-security classes and advocating for every computer science student to learn it.
“Staying secure is like staying healthy,” Gofman said. “It’s up to everyone. Not just the security pros.”
Interim dean Susamma Barua has made it a priority to fund and grow the Center for Cybersecurity. More companies are interested in partnering – joining sponsors such as Raytheon and Boeing – as a way to build technology and a future workforce.
“We want to be purposeful,” Barua said. “We can’t say yes to everyone.” The relationship has to be mutually beneficial and strategic for the university, she said.
The department is outgrowing its space as enrollment has tripled since 2000, to more than 4,600 students, with at least 32 faculty members hired.
“How do we accommodate them and their research?” Barua asks, along with new initiatives such as the Center for Cybersecurity. Money from the state barely keeps up with administrative needs, while student projects are supported with money raised by the dean’s development team.
As the department’s cybersecurity presence grows through the dean’s efforts, students are building it bottom up through the Offensive Security Society, started by a student in 2014. Last summer it held a competition, CampX, in which participants were tasked with collecting intelligence from a fictitious “target of interest” for a prize worth $1,500. It now hosts workshops for students and has some off-campus members.
Recruitment is now aimed at getting students involved earlier – as freshmen and sophomores; Gofman said the club is even eyeing outreach to high schools.