Writing malware, attacking systems, breaking security measures: it’s not just cyber-attackers who concern themselves with these things, but TU/e students do as well. In the master’s track Information Security Technology – soon to be renamed Cybersecurity – they learn to think like a cyber-attacker in order to stay one step ahead of the real attackers. After all, you can’t protect yourself against something you don’t understand, says Associate Professor Luca Allodi. “And you can’t understand something unless you try it yourself and see where the complexity and limitations lie.”

In the bachelor’s program in Computer Science, students already learn how to crack systems in Offensive Security. This is a popular Challenge Based Learning (CBL) course in which students come up with their own original ideas for attacking systems and are given hacking assignments similar to Capture the Flag (CTF) challenges. In these challenges, they have to search for a ‘flag’ that has been placed in a system. By identifying the vulnerabilities of the system and breaking into it, they find the flag.

Competition

It’s a popular concept in cybersecurity, as evidenced by the large CTF competition organized by cybersecurity association E.S.H.A. Trojan this weekend. This time, 200 participants—twice as many as last year—will take on a total of 35 CTF challenges. These can be websites and systems with built-in vulnerabilities that you have to hack, but also videos or games with encrypted sections or a photo of which you have to determine where it was taken, say organizers Ronald den Ouden and Andrei Tudor Popescu. “We want to make the assignments as diverse as possible so that everyone can get acquainted with different aspects of cybersecurity.”

You don’t need a background in cybersecurity to participate, and for some assignments you don’t even need to know how to code. But there are also some very challenging assignments that are difficult to crack. The students think that in the six hours the contestants are given, beginners can complete two or three assignments per person. For advanced hackers, it’s a different matter entirely. “Last year, there were three groups that solved all the challenges,” says Popescu.

Ingenuity

Although vulnerabilities are built into the assignments, there’s not just one possible solution, explains Den Ouden. “It happened more than once that participants managed to find the flag in a completely different way. You try to close everything off except for that one vulnerability, so when they find another way to get into the system, it’s all the more impressive.”

It shows the ingenuity of the participants, which Allodi also sees in his students. He’s not convinced that he could solve all the CTF assignments himself. “My golden days as a “hacker” are behind me. I think many students are more inventive than I am.” That’s precisely what he encourages, because hackers also innovate. It’s for this very reason that the master’s track continues to evolve and extend. “Although to extend it we need more resources, particularly to keep the CBL focus we and students love.” In the new courses AI will play a major role and there will probably be a course in which students learn to design malware. Not to train a new generation of hackers, but to understand them better.

Hoodie

According to Allodi, there is a perception that cyber-attackers are some kind of magical entities. “Wearing hoodies,” he jokes. “Always those hoodies.” But hackers are people. They may have jobs, families, other interests besides hacking, and little time, just like everyone else. These are all factors you have to consider if you want to be able to predict what a hacker will do. For this reason, the cybersecurity master’s track is very broad, with cognitive psychology and criminology also playing an important role. “That multidisciplinary approach is one of the reasons students like it so much.”

The same goes for Popescu, although his enthusiasm mainly goes out to the technical side. “I initially wanted to do a master’s in Computer Science, but then I realized that cybersecurity goes much deeper into everything related to computer science. It can be applied to all kinds of systems.” This makes the impact you can have all the greater, adds Den Ouden.

“It’s also relevant to society, you have a good chance of getting a job, and you know it will remain important.” It’s no surprise that students are lining up for the CTF competition. There’s even a waiting list. Signing up is no longer possible, but anyone who wants to try their hand at hacking can take part in the smaller CTF events organized by the association throughout the year. You don’t have to be a member of the association or even a Computer Science student. All students are welcome.