Too Far? 4 Controversial Ways of Pressuring Cybersecurity Education

Frank Abagnale parlayed a six-year stretch of check forgery and false identities into a lucrative career as a bank security specialist, in which he routinely educates banks about how he used his fraud and forgery techniques. Cybersecurity education professionals may be borrowing a page from Abagnale’s life in their attempts to teach “ethical hacking”, but to many critics, defending against hacking by teaching students how to hack places too much reliance on the morals and ethics of those students. Once they learn the basics of hacking techniques, the lucrative nature of cyberhacking can tempt them to join the ranks notwithstanding the criminal risks they are taking.

A few of the more controversial hacking education techniques are mirror images of the more successful hacking strategies that have targeted organizations.

#1 Ransomware Bribes

Ransomware typically locks a user’s files until some financial consideration is paid to a hacker, usually in the form of Bitcoin or some other cryptocurrency. Certain strains of ransomware have required nothing more of a user than passing the virus on, presumably to a larger target, but the new “Koolova” ransomware virus requires nothing more than that the user read a pair of cybersecurity awareness bulletins. The motivation behind this virus seems to be only to incentivize targeted individuals and organizations to learn more about cybersecurity.

#2 Certified Ethical Hacking Education

Educational entities such as the Cyber Security Academy take a more direct approach to hacking education. This Academy and other organizations like it teach information systems professionals and other interested parties how to think like a hacker. At some point in history, locksmiths were likely criticized for plying their trade and teaching their apprentices how to open physical locks. Similar criticism is now being leveled against these academies as they expose the world of hacking to a larger pool of practitioners.

#3 Hackathons

In its generic form, a hackathon is an intense gathering of coding professionals who convene over a short period of time to solve a coding problem in a collaborative fashion. The competitive and collaborative aspects of hackathons have attracted younger followers, who participate in these events to learn or to hone their cybersecurity hacking skills. The question remains whether these events encourage young coders to pursue legitimate cyberdefense careers, or whether they only bring together like minds to pursue illegitimate hacking.

#4 Simulated Phishing Attacks

Organizations work with outside security companies to test their networks with simulated phishing and “SMSishing” attacks. This is not an education strategy as much as it is a stress test of an organization’s information systems and networks. To the extent that a simulated phishing attack exposes weaknesses, the individuals who are hired to create a simulated attack can use that information against other entities that might have similar weaknesses in their systems.

An organization’s cyber-defense security team can try to stay abreast of the numerous threats to an internal network, either through self-education or with the aid of one or more of these education methodologies. When education is not enough, cyber liability insurance carriers can form the last line of protection against potentially catastrophic losses from a successful cyberattack. Those carriers can also provide consulting and other services to review an organization’s cyber-defenses and to make recommendations on improving those defenses, without exposing an organization to rogue hackers who honed their skills through an organized cyber-defense educational program.

The demand for cybersecurity education will continue to be high as hackers become more sophisticated. Cyber liability insurance carriers can give a targeted organization a high degree of certainty that it will have available resources to compensate for losses associated with a hacking attack.