Rob Olson
Rob Olson is a Lecturer and Undergraduate Program Director of Computing Security in GCCIS. He shares how he helps students develop critical thinking skills by having them approach assignments as a real firm would and produce work products that a real client would find actionable. Read his answers to a few critical thinking questions HERE!
1. How Do You Teach Applied Critical Thinking?
My approach to teaching applied critical thinking is very practical and industry-oriented. At every opportunity, I try to put students in the role of an industry professional approaching the problem. In my graduate Enterprise Penetration Testing and undergraduate Network and System Security Auditing courses, I have my students form teams that are framed as firms working for a client over the course of the semester. The students have to approach their assignments as a real firm would and produce work products that a real client would find actionable. This approach forces them to think critically about the strengths and weaknesses of their client, the history behind the technical systems with which they are working, and how to frame their results in ways that will encourage client growth.
This approach was inspired by my experiences coaching RIT’s Collegiate Penetration Testing team, Brick Strike. During the competition, students evaluated on their ability to act as a real firm would act on a consulting engagement. Hacking is an element of the competition, but the real challenge isn’t technical. It’s thinking critically about the client’s needs and how they can best help their client improve their security posture.
2. Why Do You Think Applied Critical Thinking is Important in Your Domain?
Cybersecurity is nothing but critical thinking applied to technical systems. To excel in this space, one needs to be able to break a system down into its core components, find the points of interaction between the components, describe the rules that those interactions should follow, and identify ways that those rules could be violated. One then needs to determine the significance of the problems identified and remediation strategies that would be successful for the environment in which you are working. Although some technical knowledge is needed in a variety of domains for this process, analytical ability is far more important.
3. Can You Share a Story Where Quality Applied Critical Thinking Was Key to Your Success?
It’s hard, given that strict non-disclosure agreements are standard in the security industry and for good reason. There are many examples of where the Eaton Cybersecurity SAFE Lab applied critical thinking skills to help clients improve their security posture. Unfortunately, I can’t talk about the best examples.
One example I can talk about involves my high school alumni website. Through Facebook, I became aware that my high school had contracted someone to build them a new alumni website. I sought out, found it, and immediately observed that the account creation page – which required users to provide a password – happened over HTTP rather than HTTPS. This meant the password was transmitted unencrypted and that anyone could read it as users were being sent to the site.
Even though I saw that the users of the website were leaking data, I still created an account for myself using a password which was unique to that site. As with most account creation workflows, I received a registration email. The registration email had a link I needed to visit which was enclosed in quotation marks. This made Gmail not display the link as something which was clickable, so I had to copy and paste the link into my browser. While doing so, I accidentally copied the closing quotation mark without realizing it. When I pasted the copied text into my browser and pressed enter, I was presented with a database error.
The database error was symptomatic of a serious security problem called SQL Injection and all users of the site were potentially at risk of having their data exposed. I attempted to disclose the vulnerabilities to the developer, who failed to respond to my emails. After a reasonable amount of time, I contacted my high school and disclosed the vulnerabilities. Contacting my school, the developer’s client, caused the developer to at least acknowledge the problem although it took nearly two years for both problems to be fixed.
Critical thinking helped me in several ways during this example. Most significantly, I was able to analyze my interactions with the site without testing it. Penetration testing – hacking for good – is only permitted in very tightly controlled circumstances which always require written authorization that I did not have. If I had experimented with this site, even working in good faith to explore the scope of the problem, I could have been committing a crime.
4. How Do You Use Critical Thinking in Other Areas of Your Life Outside of RIT?
This past summer, I started a vegetable garden with only a second-floor balcony to work with. It took some research and analytical skill to come up a strategy for producing a sufficiently large harvest to justify the cost of the materials while working within the physical limitations of the space. With a little discipline and creativity, though, I had a sizable harvest.
5. Any Last Critical Thoughts?
Thinking critically about cybersecurity is hard. The subject area is technical and there are a variety of complex issues at stake, like privacy and national security. The stakes are high and, quite often, there aren’t clear answers. When someone asks me if something is secure, I most often answer that it depends. It often depends on small details that can have significant security implications. It often depends on the context in which the technology is being used. Most often, though, it depends on your threat model and your level of risk tolerance.
Security professionals generally think that one cannot stop a sufficiently skilled and funded adversary for an indeterminate amount of time. However, most of us aren’t interesting enough to be targeted by those adversaries. When determining if our actions present a cybersecurity risk, we need to spend more time thinking about who we’re trying to defend ourselves against. Quite a lot of the time, the security industry designs cybersecurity controls to defend large organizations against advanced actors. However, we often fail to think about little, personal cybersecurity threats. For example, it is likely that many more people have an immediate need to secure their data from abusive partners or parents than they do from intelligence agencies.