Wichita State students go phishing to reveal cybersecurity vulnerabilities

  • Applied Computing Intermediate Design Project asks students to send phishing attempts to targeted email accounts around the university.
  • The exercise gives students practice identifying approaches that hackers use successfully.
  • Students also benefit from the applied learning experience to evaluate and improve defensive strategies.

Joe Jabara doesn’t call his class Hacking 101, but his students do learn how to develop effective attacks on computer systems.

The course is actually called Applied Computing Intermediate Design Project, and this past spring its students carried out phishing attempts against a targeted group of Wichita State faculty, staff and students.

Working in teams, students created emails based on the same principles that hackers use to get recipients to open an email, click on a link and enter login credentials. Student efforts were successful: Out of 128 targets, 40 opened a phishing email, 10 clicked on a link and four entered login credentials.

“While the exercise didn’t go so far as to infect the network or steal credentials, it gave the students baseline data as to what type of emails succeed in fooling the user,” said Jabara, director of the College of Engineering’s Hub for Cybersecurity Education and Awareness.

“Students typically get taught about phishing attacks through textbooks and lectures,” said Noah Santry, an applied computing junior in Jabara’s class. “Getting a chance to actually perform an attack gave us an even deeper understanding of how phishing attacks choose and pander to a specific target.”

The broader purpose is not to train future hackers but cybersecurity professionals who can successfully defend private and public institutions against hacks. Students get the applied learning experience of simulating a “red team attack” that identifies a computer network’s vulnerabilities – both technical and human – so that defenses can be evaluated and improved.

“This was a great real-world type of exercise for the students, who had to develop a business plan and offer and perform their services as a real cybersecurity risk assessment/audit firm would,” Jabara said.

The class project was conducted with the cooperation and oversight of Mark Rodee, Wichita State’s chief information security officer. Rodee said the university computer system is under attack regularly.

“Wichita State, like almost all organizations, receives a major percentage of its total emails as spam and phishing,” Rodee said. Recipients of suspicious emails are asked to avoid clicking any links, forward such emails to spamreport@wichita.edu, and then delete them.

“We collect this data from user reports and automated systems to help better assess and act on risks to the institution. This analysis provides direction on safeguards we implement, where investment dollars are needed, and also how we better train our user community.”

Rodee said threats often target both technology – such as malicious code – and human behavior – such as the inclination to trust or the desire to be helpful. Neither Jabara nor Rodee would disclose the nature of the students’ phishing emails, but common strategies involve emails that claim to be an urgent request from a top administrator or to contain an invoice for a purchase not actually made.

“The curriculum that Joe Jabara has built for the class not only explains the theory but provides a real-world understanding of the challenges, pitfalls and opportunities that exist,” Rodee said. “Students who complete this program are ready to become more effective more quickly in their future careers.”

Applied Computing Intermediate Design is a core course in the College of Engineering’s applied computing bachelor’s degree program. Students particularly interested in learning about the role of human behavior – often termed social engineering – can pursue a Certificate in Human Factors in Security and Technology as part of the degree.