UMBC Mic'd Up

Defending the Digital World - An Active Approach

UMBC Mic'd Up with Dennise Season 4

Dive into the world of cybersecurity with UMBC's Mic'd Up podcast! In this episode, Dennise Cardona sits down with Charles Nicholas, an instructor in UMBC's Computer Science program, to discuss the Active Cyber Defense course. 

Learn about the hands-on approach that prepares students for real-world cyber challenges, the importance of cyber competitions, and the evolving tactics used to defend against digital threats. 

Charles shares insights on ethical considerations, overcoming intimidation in the field, and the future of cybersecurity education. 

🔍 Topics covered: 
Overview of the Active Cyber Defense course 
The role of cyber competitions in learning 
Real-world skills gained through hands-on exercises 
Balancing ethics with cybersecurity knowledge 
Staying up to date with evolving cyber threats 

Don't miss out on these valuable insights that can help shape your career in cybersecurity! 

📌 For more information about UMBC's cybersecurity programs: https://professionalprograms.umbc.edu/cybersecurity 

Please also check out: https://courses.cs.umbc.edu/undergraduate/CMSC491activeCyber/

Dennise Cardona  0:00  
Hey, welcome to this episode of UMBC Mic'd Up podcast. My name is Dennise Cardona, from the Office of Professional Programs here at UMBC, and today I am joined by a special guest and instructor with the graduate programs in cybersecurity here at UMBC. His name is Charles Nicholas, and he teaches the active cyber defense course. Welcome to the podcast. It's nice to have you here.

Charles Nicholas  0:25  
Thank you, Dennise.

Dennise Cardona  0:26  
First of all, can you start by giving us an overview of the active cyber defense class and what makes it unique within the cyber security area?

Charles Nicholas  0:35  
First of all, I should clarify a couple of things. This course is not in the cyber security program, but it's rather listed as a computer science class, and it's offered at both the undergraduate and graduate level. So the class is intended, in fact, to support the needs of graduate students in computer science as well as cyber, and undergraduates in computer science, and there are sometimes undergraduates from other majors that are also involved in the class. It has been a popular elective for, I think it's been offered since, 2016 or so, something like that. We've been running the class for a while now. And you wanted an overview of it, the genesis of it is students participating in cyber competitions. Sometimes folks are or are not aware that cyber is now an intercollegiate sport, and universities compete with each other in this and there's prestige, after a manner of speaking, and it's nice when you win a cyber competition. So I noticed that students who were on these teams were spending a lot of time preparing, studying all different kinds of things, and they weren't gaining academic credit for it. So we decided, let's create a course that will allow these students who are spending the time and investing their energy and so forth anyway, to gain some academic credit in a way that would make sense for all concerned. That's how it came out. The active cyber defense class is frankly appealing to an overlapping, but only slightly overlapping population of students. The students in my class can certainly participate in hackathons if they wish, but more often than not, they don't, because they're busy with other stuff, including cyber competitions, which are of a different nature. So if you're interested in hearing about the different cyber competitions, I can make this very quick. There's, the most common is actually kind of a Jeopardy style, where people are awarded points for answering questions. 
So there's a certain set of questions, and the students often working in teams, but also as individuals, will answer these different questions and gain points, and whoever has the most points at the end of the competition wins. That's actually called a capture the flag, CTF, for short. And those are very popular. There's a lot of them going on at any one time and it's good experience. The other major form of competition is red versus blue teams. So often enough, the students are the blue teams, and their job is to protect the systems that they're given, and protect those systems, keep them up and running, keep the bad guys out, and keep on providing services to their customers, while the red teams often are professional cyber people, pen testers we call them, penetration testers, people with much more experience in attacking will try to break in and make life miserable for the students in general, and this too can be a lot of fun. The time goes by quickly in these events, I assure you. And there's nothing like trying to work as a team to solve technical problems under intense pressure, frankly, that will let people learn about the cybersecurity profession.

Dennise Cardona  4:08  
What are the primary learning objectives of the active cyber defense course and how do they align with the demands of the current cybersecurity landscape?

Charles Nicholas  4:20  
First of all, we want to make people aware of the variety of topics that are covered under the broad umbrella or under the tent of cybersecurity. So there's people who are concerned with network security as such. There are folks that are interested in just cracking passwords. Other people worry about database security and making sure that database queries are formulated properly and don't accidentally let people in or destroy data on such things. So there's a variety of other topics that are falling in there. So one purpose of the class is to give people experience with the variety of cyber activity. The other objective is to give people competition experience. And you might say that's an odd course objective, and frankly, it is, but we want people to get experience in what it would be like in the cyber workplace, and this is the best way we know in order to do that. I guess that's about it -- to give people experience what it's like to be in the cyber profession, and to understand the breadth and depth as appropriate of the different areas of knowledge.

Dennise Cardona  5:28  
Sure, and that real world, hands on experience is so paramount to UMBC philosophy. That is their model, how to be able to create this environment that allows their students to be able to go out there with real world skills, have that experience in the classroom, so that they can then bring that value to the job market.

Charles Nicholas  5:50  
That philosophy of we want to make partnerships with local government agencies, obviously, but also local industry, large and small, to prepare people for what they're going to need to attack the problems of the near term, medium term and long term future of the economy in this area, this state and the nation, and frankly, cybersecurity, broadly defined, including national security aspects. We want students to be able to contribute in all those different kinds of ways.

Dennise Cardona  6:28  
That's great. How do you balance teaching the offensive aspects of cybersecurity with the ethical considerations that come with learning, say, how to hack?

Charles Nicholas  6:39  
Well, we avoid teaching the offensive aspects. But to temper that answer a little bit, in cyber defense, there's often a thin line between offense and defense. The knowledge that somebody has to protect a system can also be used to attack a system that is vulnerable. So people who know how to protect their own systems can also have some idea what it might take to attack somebody else's. We emphasize the cyber defense aspect of it. There are people who care about offensive cyber for sure, but we don't teach that on purpose. We make people aware of it, and one of the first things I'm going to tell my students is the knowledge that you gain in a course like this can be used for good or for ill, and there are criminal penalties that pertain. So don't, don't do anything stupid.

Dennise Cardona  7:35  
Yeah, don't do anything stupid. Words of advice.

Charles Nicholas  7:38  
That's pretty good life, life advice, anyway, I'd like to think so.

Dennise Cardona  7:42  
Indeed. Stay out of trouble.

Charles Nicholas  7:44  
Stay out of trouble.

Dennise Cardona  7:45  
Could you share some examples of the hands on activities that students may engage with during this course, like, how do these exercises prepare them for the real world challenges that they are going to face out there?

Charles Nicholas  7:59  
So the hands on exercises include things like getting their hands dirty with a variety of systems. So most of our students use the Linux operating system during their coursework here in computer science, in IS there's a little bit more -- Information Systems program, which is almost as big as ours, if not bigger -- there's a somewhat of more emphasis on Windows. We want students to be able to defend both kinds of systems. And in fact, there's other kinds of systems too that should be defended, Macs, but also websites, and even cell phones. So there's lessons in a class like this that pertain to all those different platforms. So just bringing up those kinds of systems and installing software and so forth, those are specific lab exercises that we'll be doing for the first month or so of the class. One of the other exercises that we use is password cracking. And now you might think, now, what could be more offensive cyber than that? You know, sometimes people lose passwords, or whoever, or the device is abandoned somehow, and, oh, we've got this device that, I don't have an example handy, but there might be a device laying around that nobody remembers how it works. So you plug it in and see what happens, and you go, oh, shoot, it's password protected. So then it's helpful to be able to know, all right, so how would one go about trying to figure out the password if there was a legitimate need to recover it? So that's what we look for. Is there a legitimate need to take whatever technical steps you're taking -- recovering lost data on a disk, recovering a lost password, tracking down problems in network logs. What, where did the email come from that somebody answered as part of a phishing operation? Will the audience know about phishing? If not, then quickly, it's a matter of somebody will send you an email that says, "Please open this document and do what it says." 
And the document is nonsense, except that it exploits some vulnerability in the system, and all of a sudden security goes down the drain in that system. I answer your question there, if not, I forgot the other part.

Dennise Cardona  10:16  
Absolutely you did. Yes. Thank you. What skills or knowledge do students typically struggle with the most in this type of class? And how do you help them overcome these challenges?

Charles Nicholas  10:29  
Well, getting their hands dirty seems to be very important. The students will often have, what I consider, too little experience just with computer systems. Of course, they know how to turn on a PC and run Windows and click a mouse and all that kind of stuff. And some students will have been doing this since they were kids, middle school or earlier, in many cases, nowadays, but not every student has had that opportunity. Just getting experience with a variety of systems is part of it. And the thing about this kind of work is that if at first you don't succeed, you're normal. Because if you knew how to do it already, what would you need to take a class for? All right, so I'm kind of being a little facetious here, but just the experience of doing something that you haven't done before can be very helpful. And of course, you're going to bump your head against the wall a couple of times and then succeed, and that's what you want. Once students get that experience of trying something and, okay, let's try something else that didn't work. Did I follow the procedures the way they were supposed to? Do I need to look at the documentation again? Do I need to look at other documentation? Do I need to ask ChatGPT for some advice on this? Students will do that. We know that. And in fact, working professionals will do that, and are doing that. So I don't have any problem with people who are using generative AI in the sense of helping them learn. Generative AI, by the way, is not real good at solving cyber problems just yet, so that day may come, and it might come soon. But for right now, I view generative AI as an intelligent search engine, rather than a, let's say, an oracle that will tell the students exactly what they need. It can give you good advice, and that's fine, but it's still up to the student to try to figure out how to make it work in the long run, in the end. 
Okay, so just that experience, the variety of tools available to them, and some students just have not had that experience before. So I think that's the long and the short of it, getting your hands dirty and bumping your head against the wall a few times. Yeah, you get a mild headache, but it goes away and then you've done it.

Dennise Cardona  12:49  
Yeah, the growing pains are necessary. 

Charles Nicholas  12:51  
Yes.

Dennise Cardona  12:51  
How does this course stay up to date with the constantly evolving tactics and techniques used in cybersecurity threats out there?

Charles Nicholas  13:01  
The details of techniques and so forth, do change from time to time -- do change on a continuous basis, I should say. The underlying strategies remain relatively constant. That notion of phishing, for example, people have been doing that for years because it works. So that kind of thing is not going to change. The underlying principles are not going to change. The details do change from year to year, and we update the course every year. And one of the things that's gratifying about this class is that alumni, people who have had the cyber competition experience, alumni who have taken this class with me, alumni who have helped me teach the class as teaching assistants, or as assistant instructors, as is the case this year, many of them remain involved, and I find that gratifying. And I will get the word every year that okay, we should emphasize this a little bit more. This other topic, we can put a little bit less time into that. So the course does continue to evolve, mostly with the help of alumni and others -- local industry, local government -- who can give us advice as to how the course should go into the future.

Dennise Cardona  14:20  
Indeed, does this course run primarily just in the fall? Does it also run in the spring and summer? 

Charles Nicholas  14:26  
Yeah, so far it's only been in the fall. 

Dennise Cardona  14:28  
Okay, that's good to know.

Charles Nicholas  14:30  
It's an elective class. It's not required for any major, although it's, in effect, it is required for students who are taking the cybersecurity track in the computer science degree program at the undergraduate level. But it's been a popular elective. Enrollments have never been under 50 and have been as many as close to 100 which is large for an elective class at this university. It's been popular every year it's been taught, despite me being the teacher, I don't understand.

Dennise Cardona  15:03  
In your opinion, what are the key benefits for students who complete the active network defense course, especially when entering the job market?

Charles Nicholas  15:14  
The benefits are, first of all, they can say that they did it, and that they have some experience with cyber competition, and relatively few students have that experience, not just at this university, but at other universities. So it's a way to distinguish yourself from the 300 other people from all over the country, perhaps, that are competing for a given set of positions. So it's just the experience of cyber competition that I view as part of, what people will call, the secret sauce to this class. It also seems that even though the job market in IT is changing, the job market in cyber seems to be remaining strong. As I said, generative AI is not expected to revolutionize cyber. Now, this is my own opinion right now, at least it's not happening yet. But people are thinking that, Oh, generative AI is going to replace all the programmers. No, it will not, I don't think. As part of being an assistant, making life easier for, and people being more productive, both in software development, but also in cyber jobs -- okay, that's what's happening. So just understanding the breadth and depth of this field, getting experience hands on. Get your hands dirty. Experience in this seems to be of benefit. The other thing we like is that interaction with students that I mentioned earlier: alumni, former team members and so forth. We also have guest speakers. I like to have at least two guest speakers every semester representing local industry, usually, sometimes local government. It's usually been industry, who will come in and say things like, they'll talk about what their particular company does a little bit or what their kind of work involves, and so on. And when students hear about this, then they have a little bit more idea of what to expect when they go on interviews.

Dennise Cardona  15:14  
What advice would you give to prospective students who are interested in the cybersecurity field but might be intimidated by the idea of a course focused on active cyber defense?

Charles Nicholas  17:00  
There is an intimidation factor. But there's also the powerful motivation of a student's own curiosity. If people are interested in this area, then there's oodles of relatively low commitment, easily accessible resources out on the web for people to learn about this, lots and lots of them. They simply have to know where to look. And it's really not that hard to figure out, particularly if students can find the website for a course like mine. Now, the folks at home can just use their favorite search engine to look at active cyber defense, computer science, 491, 691, at UMBC, and they'll come up with my course web page, and that might be something to put at the bottom of the screen someday if this makes it into a podcast. Who knows? I'll put that into the chat here later if you want, in case that's helpful. Anyway, you can go to any of different websites. There's not a lot of courses like this, actually, the other universities offer similar things, but most do not yet do getting your hands dirty, and that notion of, I didn't quite get this on the first try, so I'll try again and again and again, and eventually the student succeeds, and that's a confidence builder. And there's nothing like trying something and realizing, Oh, this wasn't so bad. Now I understand what's going on, and all of a sudden that intimidation, the feeling of intimidation, subsides, and that's really what we want. In other words, we want students to have that feeling of expending some effort, encountering not instant success, but eventual success after some struggle, and if that turns out to be an experience in character development, fine, we could all use some of that from time to time. I think.

Dennise Cardona  19:16  
Indeed. Finally, what do you see as the future of cybersecurity education, particularly in the context of hands on defense focused courses like this one?

Charles Nicholas  19:30  
I see the need for this course to continue into the future. Cybersecurity is going to be an issue for as long as humanity uses computers. Now that might seem like a very broad statement that I, for example, will not ever, I won't live long enough to see the truth of that 100 years from now, fine. But it seems right now that cybersecurity is going to be a concern in society for as far as we can see into the future. All right, so that's fine, and it is a field that is changing, and hands on experience is going to be better than people who just have heard about it second- or third-hand and don't really know. I'm optimistic about courses like this. They do need to keep up with the times. There's not the slightest doubt about that. I guess I'm optimistic. People will continue to be interested in having computers, and will continue to be interested in having their computers and their data and their infrastructure safe going forward.

Dennise Cardona  20:36  
Yes, indeed, that's very powerful. I'd like to ask this one last question. I know I said finally on the last question, but what do you personally love most about the cybersecurity field?

Charles Nicholas  20:49  
The fact that there's always something to learn. I've been in my own way and in accordance with the technology of the times. I've had a little bit of experience hacking, even if it wasn't called that at the time, since the mid 1970s, since I really was a young person, and of course, the computing landscape has changed a lot since then. But this subject has remained interesting, and there's always new stuff to learn. So I think that's really the primary motivation, is that there's more information to be learned, more insight to be gained, more experience to be experienced. So that's what I like, the ongoing development, the ongoing challenge. Students are interested in this, as am I. It has not been my main focus as a scholar or as a computer science researcher. There's other people that do that. I've been working on other stuff, but this has always been a, I don't want to even say the background, but a neighboring sort of interest of mine for quite a long time.

Dennise Cardona  21:56  
Well, thank you so much for being here, sharing the insights on this course, on the cybersecurity industry as a whole, we really appreciate that.

Charles Nicholas  22:06  
My pleasure. Thank you for having me.

Dennise Cardona  22:08  
And thanks so much to everyone for tuning into this episode of UMBC's Mic'd Up podcast. If you'd like to learn more about our offerings, there are some links in the description. Check them out.