Cybersecurity training

As hacker forums breed recruits, government stages cyber education counterattack

Cybersecurity has become a neck-and-neck race between the public sector and the public enemy -- hackers.

While government adds cybersecurity training facilities to beef up its cyber workforce, hackers are learning their trade through hacker forums, which have become a training ground for cyber criminals.

Roughly one-third (28 percent) of all hacker forum conversations are related to beginner hacking and hacker training, with another 5 percent relating to hacking tutorials, according to recent report by Imperva.
 
The business security solutions provider analyzed one of the largest hacker forums, which contains roughly 250,000 members, for its October Intelligence Initiative report, “Monitoring Hacker Forums.”

Analyzing conversations by specific keywords, Imperva found the most common topics of conversation to be SQL injection and DDoS, both at 19 percent of discussion volume. However, Imperva estimates that less than 5 percent of security budgets are allocated to products that mitigate SQL injection attacks.

“We believe this imbalance encourages hackers to continue to learn and deploy this attack method,” the report noted. Furthermore, it said that many security professionals do not spend time exploring hacker forums to understand the tools and techniques hackers use to attack.

According to Rob Rachwald in an October 31st Imperva blog, many tools exist to automate SQL attacks, which enable hackers to profitably steal data. Yet “security teams continue to rely on IPS, network firewalls and antivirus--all of which don't even know a SQL injection from a hole in the wall,” he wrote.

Social networks are also prominent sources of information, with 39 percent of discussions concerning Facebook and 37 percent concerning Twitter.

While hacker forums may be an incubator for future cyber criminals, government is building an arsenal of educational tools of its own. For example, Iowa State University launched its Information Systems Security Lab (ISSL), an education and product and security testing site in late August, GCN reported at the time.

ISSL, operated by the school’s Information Assurance Center, a National Security Agency center for academic excellence in information, provides basic training, both for general security awareness and literacy to produce better stewards of sensitive data.

Similarly, last December a nonprofit group supported by government, academia and the private sector announced an education and training program to develop the cybersecurity workforce needed to protect the nation’s critical infrastructure. The National Critical Infrastructure Cybersecurity Education Initiative will produce sector-specific curricula and training programs for all ages -- from K through 12 -- through professional training and certification for current workers, GCN reported.

This coming January may also bring some new tools to government cybersecurity teams as the Air Force wants to expand its cyber force development next year by opening its cyber warfare simulation center to more military commands, educational institutions and other federal agencies, GCN reported in August.

In addition, academia and the public and private sectors have established initiatives to identify and recruit cybersecurity talent. The seventh annual National Cyber Defense Competition, held in April, pitted teams from 10 universities around the country to defend networks against attacks. While the prizes offered are modest, the competition brings exposure and job offers to participants.

About the Author

Kathleen Hickey is a freelance writer for GCN.

Reader Comments

Fri, Dec 21, 2012

Why not try to enlist (some) hackers in a cyber militia? Give them a target (Iran, China, North Korea) and set them free. Turn it into a game where they could earn "points" for proven effectiveness and host a leaderboard. Cyber militias from other countries have proven effective and world opinion was unsure how to react. We could end up with a cost effective method for dealing with cyber attacks if it was organized properly.

Thu, Nov 8, 2012

One obvious difference in approach is economics, hacker resources are available to anyone irrespective of age and financial resources, government educational assets are restricted to a specific age and socio-economic group. By the time many people with the inclination to pursue cyber security on either side of the fence reach college age, they have already been exposed to hacker culture and the decision may have already been made. My point being cyber-security education should be targeted as early as practical, and not tied to optional (and financially prohibitive) educational institutions.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above