Why Boeing Revealed Cybersecrets to Cal State Students

When you are the Boeing Co., making airplanes on which millions of people's lives depend, you sure don't want a bunch of college students to hack into your computer systems. So what do you do? You hire a bunch of college students to hack into your computer systems.

That's how a team of Cal State Fullerton computer science students ended up being handed a hefty manual of the aerospace giant's security standards a few months ago.

Boeing reached out to CSUF's Center for Cybersecurity for help developing new ways to gauge how effective its security standards are at keeping malicious hackers from modifying critical software, stealing secrets or disrupting the company's operations.

The project is right up the alley of a university department that boasts an Offensive Security Society, a professional student group set up in 2014 for those interested in pursuing careers in the field of cybersecurity.

"Offensive security" is a new philosophy in security, augmenting the old model of stopping incoming attacks by putting up a shield.

"We still do that," said Mikhail Gofman, associate professor of computer science, who oversees the Boeing project. "But offensive security says learn the tools and techniques that the attackers use -- become a good attacker yourself -- then go ahead and attack yourself. Because if you can break into your own house, then so can the bad guys. Stop the cyberattacks where they begin, which is the attacker's mind."

Officially it's called penetration testing, but most people, even the students, call it hacking. Unlike what's called "black-hat" hacking, such "white-hat" hacking has good intentions, with the testers seeking authorization and complying with rules of engagement.

The project is an example of how cybersecurity has grown to become a significant aspect of computer science instruction -- to the point that it is being added to department courses that didn't use to include security.

For example, Gofman said, a lot of companies and colleges, including Cal State Fullerton, have security policies that say passwords must be changed every few months. "But the question is, are people actually doing it? Is this control actually working?" (Likely not, all agreed.)

The manual that Boeing handed over to the team had many such standards that its IT folks thought were good ones. But they needed to know whether those controls are effective and how to measure them to find out whether they are doing their job.

Shawn Wang, the team's second faculty adviser, went through the manual chapter by chapter.

"I've never had a chance to look at this kind of document," Wang said. "This is a rare, rare opportunity for anyone."

When Gofman approached his students about the Boeing project, they jumped at the opportunity. Security classes are in high demand at the university due to the expertise of professors such as Gofman and Wang, so an out-of-class project was appealing. "We just couldn't say no," said Karthik Karunanithi, a graduate student. "We were just looking for a security course, and now we are getting industry experience -- with a big company. So that was a double scoop of ice cream."

The team researched what other companies are doing in this field, what kinds of measurements they take and what practices they follow, so that it could give Boeing a solid measurement that has a lower error rate, is cost-effective, works in extreme situations and satisfies the company's needs, Karunanithi said. The measurements had to be generic enough to extend to a variety of systems -- some legacy and some cutting-edge.

"When you have such a mix of systems, you don't get one of the IT luxuries of uniformity -- a Windows shop, a Mac shop," Gofman said. "Boeing is like a thousands-of-things shop."

Just figuring out how to do the project was a learning experience for the team. For example, documents couldn't be uploaded to Dropbox or the cloud, so the team developed a local server to host the documents securely, said Mandy He, a graduate student who served as team coordinator.

"This kind of an industry exposure was a high-impact learning practice for us for our cybersecurity curriculum and for students to get industry exposure, especially working on real-time security projects," He said. "We get a taste of what security is about in companies that manufacture real lines and what kind of thought processes they do and what strategies they use behind their security technology."

One important takeaway for the students was realizing that security is not an IT problem, it's an organizational problem, Gofman said.

"It's not just configuring the right firewall or setting the passwords," he said. "You've got to think about it from the organizational level. Security has to be part of the day-to-day operations."

The project opened He's eyes to how security must be incorporated into every aspect of developing a product or designing software. She had previously focused on the internet of things -- interconnected everyday devices such as home appliances -- and artificial intelligence.

"I thought security isn't my area," she said about Gofman's presentation of the project. But then she realized: "Boeing is nice on my resume."

But as the team reviewed every aspect of Boeing's information systems, He had a change of heart.

"When you design software, it touches every perspective, from user management, how to control your access, how to control your database, how to control the export software, how to protect the network," He said. "So I feel like, my God, I'm so glad we're in this project. If I want to work for AI (artificial intelligence) or in internet of things, I will manage a lot of connected things. ... So there are many loopholes, very possibly, that can be hacked."

For example, she said, a sensor in an electronic device -- whether at home or in the skies -- that sends information to a database might be replaced.

"How do you know it's the right sensor? You have to control that."

And when the data is analyzed, she added, you have to make sure the data are safe.

"When our consumer is consuming the data in a mobile application or at home -- either with Amazon Alexa or your refrigerator in the future -- those kind of things can be hacked as well."

Now He is taking two classes in cybersecurity. She has learned that cybersecurity resources are scarce in today's world and that if you manage a product, you need to know security.

"It will benefit me," she said.

Cal State Fullerton and the College of Engineering and Computer Science also benefit from collaborations like the Boeing IT security review. The college works with corporate partners like Boeing to provide project-based experiences for students and build a qualified workforce, said Michael Karg, senior director of development for the college.

Boeing benefits from the students' growing awareness of cybersecurity, said Sharon Lucas, program manager for the company's Strategic Work Placement.

"Partnering with universities and higher education institutions around the world such as CSUF, our priority is to fuel Boeing's second century of talent and innovation by fostering world-class university relationships and delivering benchmark entry-level career programs that align with our enterprise-wide business goals," Lucas said.

The CSUF students have completed their work, roughly doubling the company's security standards, and are finalizing their report to Boeing.

Hacking a fake company as a practice run

One reason Cal State Fullerton's computer science students could jump into a real-world corporate project such as the one with Boeing is that they have been practicing in a make-believe world.

This spring, the school took second place in a competition run by Cal Poly Pomona's Management Information Systems Student Association, in which students pose as hackers trying to breach a fictitious company's computer system. Last year, the school took first place.

The "company" that CSUF students hacked this year was a physical therapy firm. Working in a virtual environment in which they could use real tools, the team ran the company through external and internal blind penetration tests and analyzed its overall network infrastructure, checking that it complied with the Health Insurance Portability and Accountability Act and with e-commerce practices such as properly storing customers' credit card information and Social Security numbers.

"We were looking for any holes that this fictitious company had in their networks in terms of what we could poke around and find from the outside," said Joshua Christ, one of the students on the team and a member of the Offensive Security Society.

After the testing, the team had to write a report and present it as though they were talking to the company's board of directors. Such so-called soft skills are an overlooked but vital part of the process, said team mentor Gofman.

"It definitely helps to be able to explain those technical terms in a meeting where people who don't have that expertise or familiarity with those terms can understand it," said Christ, who landed a summer internship with government contractor Mitre Corp. The judges gave the team a list of things they did well on and things they missed.

And how did a team with little security experience do so well competing against such schools as Cal State San Bernardino, Cal State Northridge and Cal Poly Pomona?

"We actually didn't know what we were supposed to do," said team member Sae Hun Kim. The members benefited from the tutelage of their mentors, including CSUF alum Laura Chiu, who competed in 2015 on her own and took second place. She now works with Bechtel Corp.

But what clinched the successful outcome, Gofman said, was determination. Team members were posting messages to one another (such as "Why isn't that working?") into the wee hours of the morning on their Slack team communications tool, he said.

"The thing I'm hoping for as an adviser," Gofman said, "is that people who are really passionate about it have a place like a sandbox where they can take their skills for a joyride without the consequences."

(c)2017 The Orange County Register (Santa Ana, Calif.), Distributed by Tribune Content Agency, LLC.