University’s pwn.college is teaching next-gen cybersecurity martial artists the moves to thwart cyberattacks
It can be a dangerous internet out there. Not only are cyberattacks on the rise, but we are also lacking the defenses needed to fight them. Projections indicate that the total number of unfilled cybersecurity jobs will hit 3.5 million globally this year, according to Cybersecurity Ventures.
Enter Arizona State University’s pwn.college, described as a “cybersecurity dojo” by founder Yan Shoshitaishvili, an assistant professor in ASU’s School of Computing, Informatics, and Decision Systems Engineering.
It’s where novices — or “white belts” — in cybersecurity learn and gain hands-on practice blocking modern-day computer exploitation techniques used by hackers.
“When you go to a dojo to learn a martial art, you don’t just learn how to block,” said Shoshitaishvili. “You learn how the attacks work so you can understand, then defend yourself.”
As students build their knowledge, they learn to reason about simple security challenges (“yellow belts”), eventually developing skills needed in the cybersecurity industry (“brown belts”) before emerging as hacking masters (“black belts”).
All the right moves
The online educational platform trains students enrolled in ASU’s computer systems security course (CSE 466) offered during fall semester. It is also open, for free, to aspiring cybersecurity ninjas outside ASU.
Sparring with hackers “is a contact sport,” said Jamie Winterton, director of strategy at ASU’s Global Security Initiative. “Pwn.college comes at it from the hacker’s perspective. To defend networks, it’s really essential to know how people think and what they may be doing offensively to your network. It’s impossible to do without that hands-on skill. You can play a better defense when you know the offense.”
One of today’s hottest job skills
Cybersecurity skills are in hot demand in today’s information technology job market. According to the U.S. Bureau of Labor Statistics’ Information Security Analyst’s Outlook, cybersecurity jobs are among the fastest-growing career areas nationally. The BLS predicts cybersecurity jobs will grow 31% through 2029, over seven times faster than the national average job growth of 4%.
Pwn.college’s hands-on training “really builds up skills for students to go to that next level of advanced cybersecurity knowledge and skills, which is what the industry and marketplace desperately needs,” said Adam Doupé, acting director of GSI’s Center for Cybersecurity and Digital Forensics.
“Businesses are essentially unable to hire enough professionals with the level of cybersecurity expertise that is needed,” he said. “We need things like pwn.college to address the gap to train students up to that level where they are needed by government and industry to fight to defend our systems. You’re fighting a very smart adversary who has a lot of motivation to break into your system. To secure our networks, we need people who are just as smart, who know about the ways attackers think and the tools and techniques they use.”
Protecting government and business
It’s not rare for companies or government agencies to suffer security breaches, as the December SolarWinds hack illustrates. The cyberattack was named for a Texas-based company that was used as a staging ground for a suspected Russian hacking campaign that is believed to have affected more than 250 federal agencies and businesses.
“Pwn.college takes university content and opens it up to a broader audience,” Winterton said. “Given the global prevalence of cybersecurity issues, the knowledge should be open and global as well. We need to bring more people, and different people, to the table if we want to improve our collective security.”
Through pwn.college, students learn common hacking techniques and software vulnerabilities that every IT professional should know about.
“You can think of it as cracks in a shield,” Shoshitaishvili said. “You may have a complex shield, but if there is a crack in the right place, then the whole system collapses.”
Practice makes perfect
Pwn.college training is organized as a set of modules covering different topics, each with a set of lecture slides, videos and practice problems. Training is hosted across multiple internet services, with prerecorded lectures on YouTube; live classroom sessions on Twitch, a streaming platform that’s popular with gamers; students holding discussions on Discord, a VoIP instant messaging platform; and questions answered on a public Google group.
Each week, students tackle as many as 30-45 practice problems to learn how to detect and defuse common cybersecurity threats such as:
- Shellcoding: Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine.
- Reverse engineering: Playing a central role to almost every hacker when attacking applications, reverse engineering is about looking at a program from the outside in, allowing the hacker to understand how a given program or system works when no source code is available.
- Outsmarting sandboxes: To protect themselves from cybersecurity threats, organizations have relied on sandboxes, where they check incoming files and URLs for security risks in an isolated environment before they could move on and corrupt a network. Today, hackers have created new methods and technologies that can escape sandboxes and create havoc.
- Memory errors: Lack of memory safety in low-level programming languages, such as C, opens the door to a variety of exploitation techniques hackers use to gain control over software.
- Return-oriented programming: Using this computer security exploit technique, an attacker hijacks a program’s control flow to execute code on a machine employing defenses that thwart simpler attacks.
“By approaching the topic of cybersecurity in this super hands-on fashion, it’s really getting at the deep core of how computing itself works,” said Connor Nelson, an ASU computer science graduate student and co-founder of pwn.college. “This class is not only teaching security, it’s teaching people to master computer science itself.”
Ready to become a black belt in a cybersecurity dojo? Suggested prerequisites include knowing C programming, operating system internals, Linux operations and other computer skills. Learn more at pwn.college.
Top illustration by Ana Hernandez