We’ve all gotten emails that attempt to gain sensitive personal information or hack into our employer’s systems. The pervasiveness of malicious hacking, including phishing campaigns, has made the need to combat such efforts a top priority for businesses across the globe. Santa Fe College (SF) is revolutionizing its security curriculum by training students in the Information Technology Education (ITE) department’s ethical hacking class to conduct phishing campaigns in collaboration with Information Technology Services (ITS). Students gain real-world experience protecting the college’s systems by learning to think like a malicious hacker and using the same tactics a malicious hacker would use to attack a system. However, as ethical hackers, the students first gain permission to test the system for vulnerabilities; only test the system based upon the parameters they’re provided; and report their results, particularly the vulnerabilities, to the college so the system can be fortified.

Social engineering is a common category of attacks focused on psychologically manipulating people into giving out information that could lead to a security breach. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Phishing is one of the most popular forms of social engineering. Phishing emails look legitimate, but attempt to take advantage of recipients who interact with the email (i.e., click on a link), enter information into a form (i.e., usernames and passwords), or open an attachment. Recipients who interact with the email by providing information are known as victims.

At SF, the employees are the ethical phishing campaign’s recipients. All SF employees are required to participate in security training; the ethical phishing campaign serves as a sort of pop quiz to ensure that the material has been learned to prevent incidents that can cost the institution millions of dollars.

The goal of this collaborative effort is to provide students with the valuable experience of understanding what happens in a phishing campaign, as they may eventually work for a company that conducts ethical phishing campaigns to protect its employees. The author and ethical hacking course instructor was interested in providing a more hands-on approach for security for his students. He approached ITS about this collaboration and provided a project proposal that was approved by the ITS Director, Chief Information Officer, Provost, and President.

Students learn the entire process of a phishing campaign, from how hackers gather emails via website reconnaissance and determine who to target to what kind of email would make the victim more likely to click on a link or open an attachment to reviewing the results of the campaign. The students design the emails in collaboration with ITS; ITS then sends them out using simulated phishing software and reports the aggregated data to the students for analysis. The process prevents anyone outside of ITS from seeing specific names to protect those individuals and the college. In addition, students are required to sign a perpetual nondisclosure agreement (NDA) at the beginning of the semester that prevents them from discussing anything that could compromise the college’s security.

Student Albert Barzaga said:

I enjoyed the learning experience I received from this campaign a lot. Getting to craft emails to send out to certain groups of people to test weaknesses was just something I never thought we would get to execute as a part of the class. This opportunity gave the students, including me, a chance to see the entire process from crafting the email, sending it, and seeing the results. An experience that will mark a difference in my resume and on what I’ve learned. I was thankful to be a part of it.

Another student, Gabriel Cruz, echoed the benefit of being involved in the campaign:

What I learned the most was how necessary phishing campaigns are when it comes to creating a more secure environment, but it also showed me a realistic side to cybersecurity, . . . Overall, I think it was a good boost of enthusiasm and motivation as I go into this field.

The ITS department has benefited as well, and they appreciate the support. “Having an instructor outside of the ITS department bringing up the topic to collaborate with us helps to counter possible pushback from various college stakeholders in conducting this campaign on our own,” stated Tim Modisette, Desktop Computer Specialist. He continued,

It’s less of an uphill battle to secure buy-in within the educational field if you can provide an educational argument to the various stakeholders of preparing students for the workforce. . . . We appreciate being able to support the educational mission of the college by providing insight into industry best practices.

ITS also gains new perspectives on possible attacks that might succeed from the diversity of the students in the class. Ulysses Fann, Systems, Network and Desktop Director, noted that, “ITE and ITS will continue to collaborate on other ways to involve students in the IT security process. Anything we can do to put our students ahead and provide them with real-world experience is a plus for everyone involved.”

The students conclude the experience by individually presenting the business case to justify why money should be spent on security and why this class should continue to be involved in this process. Students gain real-world skills by creating a PowerPoint and presenting their case in five minutes or less, then answering questions from panelists. This activity is essential because when they have an IT job, they will need to know how to justify the cost of IT equipment, software, and security measures.

Lisa Armour, Vice President and Interim Provost, affirms the commitment of Santa Fe College to learning experiences that are relevant, engaging, and impactful. She noted that,

When students work with Dr. Nichols and the college’s IT professionals to apply their skills, they learn more deeply, demonstrate their abilities in a way that speaks to potential employers, increase our collective watchfulness to improve IT security, and see firsthand the good they can accomplish through their work.

Student Keith Ballentine said,

Theory is great. We’ve all learned what phishing is and how it works, but to get to peak behind the curtain and see how a phishing campaign works—and to actually participate—brought this theory to life. I was surprised to learn how much thought goes into creating a phishing email. Psychology, art, timing, and a lot of luck are needed for a successful (or in our case failing) phish. . . . Though the phishing campaign activity took a fair amount of classroom time, I feel the educational benefits greatly outweighed the time commitment.

Santa Fe College offers an A.S. degree in IT Security and a B.A.S. in Information Systems Technology with a Security concentration. For more information about the phishing campaign, read the article Santa Fe College is Getting Ethically Hacked.

Lead image: Cybersecurity students at Santa Fe College learn how to conduct phishing campaigns with assistance from Information Technology Services.

James Nichols is Associate Professor, Information Technology Education, at Santa Fe College in Gainesville, Florida.

Opinions expressed in Member Spotlight are those of the author(s) and do not necessarily reflect those of the League for Innovation in the Community College.