Lessons from Teaching Cybersecurity: Week 5

6 years ago Tyler Reguly

As I had mentioned previously this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid wanted to learn Python, I developed an Intro to Python class aimed at high school students that I’m teaching weekly. I thought that this would be good fodder for the State of Security. So, whenever I have something interesting to discuss, I’ll post it here.

Week 5 proved to be an interesting week for a couple of reasons. I volunteered seven hours of my time to provide extra Python help to some of the college students who wanted to put in more time with the language. We had SecTor, which my team here at Tripwire along with several of my students attended. In my high school class, we reviewed their previous week’s quiz, and with the college students, I discussed obfuscation. It was the obfuscation that I wanted to talk about this week.

Shroud of Mystery

Cybersecurity is shrouded in mystery. To be fair, many industries are, but there’s something different in our mystery. Sure, companies like Coca-Cola and KFC keep their recipes under lock and key, but that’s one aspect of their business. In our industry, everything is a mystery. From businesses to criminals to enterprises to individuals, everyone wants to keep information secret and limit the flow. Everyone thinks they have a reason to do this, and in many cases, they are correct. For those entering the industry or learning, this can make the waters even trickier to navigate.

Interestingly, there’s a lot that we don’t intentionally hide, but it remains hidden to those not in the know. This stood out to me as I discussed obfuscation with my students this week. While we may not lock up recipes like the food industry, we definitely obfuscate a lot of the information behind communities, working groups and even private cliques. I don’t think this is intentional. It’s just the nature of security.

Take groups like Infragard in the United States or CCTX in Canada, for example. These organizations are only open to individuals of their respective nations. There are reasons for this, but in the grand scheme of things, do these reasons make sense? They definitely control access, but a nation-state or organized group would likely have means of infiltrating these organizations if they really wanted to.

Finding the Point

So, what’s the point of this post? Perhaps my point is so finely obfuscated that it is impossible to see. The point is to ask yourself if obfuscation is necessary. Are we making it harder to get access to information than we need to? I was discussing this with a colleague, and he pointed out that years ago, you commonly heard the phrase, “Security through Obscurity.” We’ve accepted that maybe it isn’t the best approach to security, but somehow we’ll still obfuscate data and resources from time to time. The question we need to ask ourselves is whether or not that obfuscation is necessary… is security improved by requiring individuals to jump through steps to de-obfuscate knowledge? Unrelated question: Deobfuscate or Unobfuscate? Let me know your opinion on Twitter, as people seem to be split.

Still Looking for that Point

The reason I found myself thinking about this is that my students’ lab this week on obfuscation led to varied results. While some students finished the lab quickly via intentional shortcuts, others took their time to really understand what was happening. Finally, some students struggled and were frustrated. The way I look at it, that translates into three types of employees.

Those that will get the job done and deliver it quickly; those that will take their time and future-proof the job, building something that is easy for future engineers to maintain; and those that want to do the job but are missing the knowledge or critical thinking to accomplish the task and may need some help.

We also attended SecTor this week, a conference designed to convey the latest in the security world. We work in an industry where people come together on various scales in multiple venues to educate each other, from local meet-ups to industry-specific conferences to cybersecurity mega shows. We have people who work together to de-obfuscate our industry, to demystify it. Think of how difficult that must be for people entering the field, how frightening it must be.

Even as employers, we need to be aware of the mystery around what we do with new employees. I recently found out that a tool I’ve used for nearly a decade that I wrote to accomplish a task was unknown to several of my team members. I hadn’t purposely hidden its existence. I wasn’t trying to obfuscate certain tasks. It just hadn’t crossed my mind that the one time I shared it, not everyone immediately jumped on it and remembered it. In other cases, people do purposely obfuscate their roles and responsibilities. They consider it a form of job security, and that makes it even harder for new people starting out.

Look Mom! A Point!

At the end of the day, my point is simple. We work in a confusing industry that spans the globe, that spans verticals and that spans a variety of responsibilities. A mistake in our line of work could shut down cellular networks or payment systems, render areas without utilities or, worst case scenario, take a life. Luckily, for most of us, these are stresses we won’t likely realize during our careers, but some will. We need to make it easier for people to step into the role of defender, the role of “Protector of the Enterprise.”

We should make it our goal to de-obfuscate knowledge in our industry, to demystify actions that we take and to enable learning with employees regardless of their time with an organization.

More Reading

Helping Inspire the Next Generation of Cybersecurity Professionals

Lessons From Teaching Cybersecurity: Week 1

Lessons From Teaching Cybersecurity: Week 2

Lessons From Teaching Cybersecurity: Week 3

Lessons From Teaching Cybersecurity: Week 4

The post "Lessons from Teaching Cybersecurity: Week 5" appeared first on TripWire.

Source: TripWire – Tyler Reguly
