ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Is attack better than defense?: teaching information security the right way
Full text PdfPdf (62 KB)
Source Information security curriculum development archive
Proceedings of the 3rd annual conference on Information security curriculum development table of contents
Kennesaw, Georgia
SESSION: Pedagogy table of contents
Pages: 44 - 48  
Year of Publication: 2006
ISBN:1-59593-437-5
Authors
Martin Mink  RWTH Aachen University, Germany
Felix C. Freiling  University of Mannheim, Germany
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 20,   Downloads (12 Months): 147,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1231047.1231056
What is a DOI?

ABSTRACT

A recent trend in security education is towards teaching offensive techniques which were originally developed by hackers. This reflects tendencies in the professional world where offensive security testing (penetration testing) is quickly gathering widespread acceptance. We report on good experiences with a security curriculum at a university degree level which emphasizes offensive techniques over defensive ones. Our claim is that teaching offensive methods yields better security professionals than teaching defensive techniques alone. The paper presents an experimental setup with which we plan to investigate this claim further. The experimental setup uses concepts from psychology and pedagogical sciences to empirically assess the benefit of offensive teaching.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Black Hat briefings, training and consulting. http://www.blackhat.com.
 
2
Defcon hacking event, Las Vegas. http://www.defcon.org.
 
3
Iváan Arce , Gary McGraw, Guest Editors' Introduction: Why Attacking Systems Is a Good Idea, IEEE Security and Privacy, v.2 n.4, p.17-19, July 2004  [doi>10.1109/MSP.2004.46]
4
Kirk P. Arnett , Mark B. Schmidt, Busting the ghost in the machine, Communications of the ACM, v.48 n.8, August 2005  [doi>10.1145/1076211.1076246]
 
5
J. Bortz and N. Döring. Forschungsmethoden und Evaluation für Human- und Sozialwissenschaftler. Springer, 3rd edition, 2003.
6
Gregory Conti, Why computer scientists should attend hacker conferences, Communications of the ACM, v.48 n.3, March 2005  [doi>10.1145/1047671.1047694]
7
Gregory Conti, Introduction, Communications of the ACM, v.49 n.6, June 2006  [doi>10.1145/1132469.1132497]
 
8
Digital Evolution. Homepage "Digital Evolution". http://www.dievo.org/. Accessed March 2006.
 
9
R. Dodge, D. J. Ragsdale, and C. Reynolds. Organization and training of a cyber security team. In Proceedings of the 2003 IEEE International Conference on Systems, Man & Cybernetics, 2003.
 
10
D. Farmer and W. Venema. Improving the security of your site by breaking into it. Usenet Posting to comp.security.unix, 3. Dec. 1993.
 
11
M. Dornseif, F. C. Freiling, M. Mink, and L. Pimenidis. Teaching data security at university degree level. In Proceedings of the Fourth World Conference on Information Security Education, pages 213--222, 2005.
 
12
M. Dornseif, F. C. Gärtner, T. Holz, and M. Mink. An Offensive Approach to teaching Information Security: "Aachen Summer School Applied IT Security". Technical Report AIB-2005-02, RWTH Aachen, Jan. 2005.
 
13
Ghetto Hackers. Homepage "Root-Fu". http://www.ghettohackers.net/rootfu/. Accessed April 2006.
 
14
Hack this page. Homepage "Hack this page". http://www.hackthispage.tk/. Accessed May 2006.
 
15
P. G. Neumann. The risks-forum digest. http://catless.ncl.ac.uk/risks.
16
Peter G. Neumann, The big picture, Communications of the ACM, v.47 n.9, September 2004  [doi>10.1145/1015864.1015896]
 
17
D. Rost. Interpretation und Bewertung pädagogisch-psychologischer Studien. Beltz, 2005.
 
18
W. Schepens and J. James. Architecture of a cyber defense competition. In Proceedings of the 2003 IEEE International Conference on Systems, Man & Cybernetics, 1998.
 
19
M. Schumacher, M.-L. Moschgath, and U. Roedig. Angewandte Informationssicherheit: Ein Hacker-Praktikum an Universitäten. Informatik Spektrum, 6(23), June 2000.
20
Ton Slewe , Mark Hoogenboom, Who will rob you on the digital highway?, Communications of the ACM, v.47 n.5, May 2004  [doi>10.1145/986213.986240]
 
21
UCSB. Homepage "UCSB Capture The Flag". http://www.cs.ucsb.edu/~vigna/CTF/. Accessed May 2006.
 
22
Giovanni Vigna, Teaching network security through live exercises, Security education and critical infrastructures, Kluwer Academic Publishers, Norwell, MA, 2003
 
23
Georgory White , Georgory Nordstrom, Security across the curriculum: using computer security to teach computer science principles, Internet besieged: countering cyberspace scofflaws, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1997

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.3 COMPUTERS AND EDUCATION
      K.3.2 Computer and Information Science Education
          Subjects: Curriculum

Additional Classification:
  K. Computing Milieux
  K.3 COMPUTERS AND EDUCATION
      K.3.2 Computer and Information Science Education
          Subjects: Information systems education


General Terms:
Measurement, Security


Keywords:
computer forensics, empirical measurement, offensive techniques, security education, security lab, summerschool

Collaborative Colleagues:
Martin Mink: colleagues
Felix C. Freiling: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player