Why Cybersecurity Instructors Need to Teach Critical Thinking Skills
I have been teaching cybersecurity courses for more than a decade and spent a decade before that operating in a military cyber warfare capacity. One of the things I learned early on is that cookie-cutter approaches are great in lab environments, but they do not always work as well in the real world. This is true when defending networks and running penetration tests to find vulnerable systems. Those who use their skills in this arena as part of military warfare operations or intelligence collection understand the need to shift away from cookie-cutter approaches for a couple of key reasons.
On the defensive side, we need to recognize that hackers know what the defenders know. Common vulnerabilities are not a secret, and how to defend against them is also well known. We patch systems and uninstall vulnerable applications, thinking we have somehow beaten the hackers at their game.
Sometimes these actions are enough unless the system is one that many people want to attack, like the system used by a president, a senior leader of a large corporation, or one that controls banking activities. In these cases, a simple approach to security is a bad idea.
Students should be taught how to critically analyze a network infrastructure to determine the best devices and strategies for that particular network. Best practices are a good place to start, but they do not always take into account specific network architectures.
A small network with one or two systems that provide services for a local store can easily be protected with a firewall, antivirus, and a software-based intrusion detection system. It does not need all the bells and whistles necessary to protect the White House.
Every trick in the best-practice book would be wasted on these smaller networks and cause their security budget to be inordinately high. And even for the more sensitive networks, one cannot simply connect all the recommended devices and expect them to be locked down. The specific nature and use of the network need to be considered. When defending a network, a cookie-cutter approach is a good starting point but not a good final solution.
This is similarly true in offensive operations. On the offensive side, when scanning for vulnerable systems that could be susceptible to an attack, we should take the time to select the right exploit and configure it correctly for the necessary task. This process is often rushed: someone gets excited about finding a vulnerable system, the adrenaline starts pumping, and they immediately launch an exploit attempt that both fails and alerts the defenders that someone is trying to break in. We can match common exploits to common vulnerabilities, but a good test of a network’s defenses requires a longer look at the problem to see how a hacker may modify an attack to sneak through the door.
I have seen students attempt to break into a lab system as part of an assignment and give up after the most commonly known methodology fails. They assume that the system is impenetrable because their one attempt did not yield the result they expected. They then tell me the lab is impossible, broken, or somehow misconfigured because their attempt failed to work.
In the real world, we recognize that if the first attempt does not work, we should look for alternate methods. Perhaps one patch was applied but another vulnerability exists elsewhere. Maybe a particular firewall is not susceptible to attack but a poorly configured system sitting behind an open port is begging to be taken down. A graduate with any degree in cybersecurity needs to understand how to pivot to other methodologies and how to configure network security in a way that makes sense for the network they are responsible for protecting. So, how can we teach this differently?
Students need to be trained early in their programs that portions of the computing world always require adjustments based on different use cases. We can make a network impenetrable, but in the process, it would also become unusable.
The adage that a computer disconnected from the internet is the only safe one is mostly true. Every cybersecurity student needs to know how to secure a network without removing the users’ capabilities to accomplish the mission. Some ports will need to remain open, some services will need to stay active, and some antiquated in-house software will need to stay in operation. These are the realities of a real-world environment that cookie-cutter approaches to security do not address.
Students also need to be trained on how to successfully target an array of different vulnerabilities. The best defender is one who knows how to hack. And some defenders transition to roles where the attacking skills are more important. Attacking and defending a network are two sides of the same coin. Students need to know that attacks sometimes fail, and they will need to take the time to research other potential methodologies. They need to be encouraged to have patience in the process and tenacity to see it through to the end. Each of these is the hallmark of a great cybersecurity professional.
The bottom line here is that not every network is the same. What works to protect one may be overkill or not enough for another. The methods used to take down one vulnerable network may not work on a different infrastructure.
Teaching students to think outside the box and to think critically through each exercise, not just in the classroom but in the real world, is essential for success in the field of cybersecurity. No company wants to hire a new graduate who is incapable of applying their knowledge outside of a classroom environment. We cannot train simply so students can complete an assignment. We need to teach them the skills to analyze networks in a way that allows them to see every potential vulnerability. This is valuable in defensive and offensive operations and is the only way to effectively train a new cybersecurity professional.
Ethical Hacking: Techniques, Tools, and Countermeasures, Fourth Edition
Ethical Hacking: Techniques, Tools, and Countermeasures, Fourth Edition covers the basic strategies and tools that prepare students to engage in proactive and aggressive cyber security activities, with an increased focus on Pen testing and Red Teams.
About the Author:
Dr. Gene Lloyd is an adjunct professor at Liberty University. He teaches computer science and cyber security programs for undergraduate and graduate students with a focus on applied cryptography, digital forensics, ethics, legal issues and policies, web security, ethical hacking, security operations, risk management, network security, access control systems, and advanced topics in computer security.