From the Winter 2023 Issue

Teaching Kids How to Hack

Alex Haynes
CISO | IBS Software

Many industry professionals bemoan the lack of qualified candidates within information security, and resource scarcity is a common issue for many companies. According to the latest estimates, and depending on which numbers you follow, there is a potential shortfall of up to one million cybersecurity professionals globally, and this is only getting worse.

Granted, geopolitical issues like the Covid pandemic have had an impact on this, on top of the great resignation and changes to working patterns such as working from home. There are ample discussions in all sorts of forums on how to close this shortfall, and lots of good solutions have come out of them: apprenticeships are back on the cards, short and sharp industry certifications prove baseline knowledge, and of course the expansion of cybersecurity courses into university and even high school curricula will help future-proof a pipeline of qualified candidates.

However, what if this stretches back further? How do you explain cybersecurity and things like hacking to children in general, and effectively train them up to be the next generation of cybersecurity professionals? Having been involved in various initiatives to teach kids of all ages cybersecurity and ethical hacking skills, it is interesting to find what works and, crucially, what switches people off.

Interestingly, there are lots of comparisons with how security awareness is received within businesses, and the common pitfalls that impact user engagement apply to kids as well. There are also lots of misconceptions about the innate technical capabilities of kids that really work to our advantage when teaching them. A few of these are covered below:

Technical Knowledge

The technical knowledge of many kids today sometimes surpasses that of adults of the current generation. They grew up in a world where the internet already existed, apps were de rigueur and social media is an omnipresent way of communicating. They understand bugs and glitches and how to exploit them, even if they aren’t directly related to security. Take, for example, one of the most common kids’ games today: Roblox. Hundreds of mini-games embedded into the Roblox platform engage kids with challenges of all types, but it’s quite common for them to ‘glitch’ a game to get an advantage over a competitor, obtain extra in-game currency, or even bypass the paywall to advance further. This is a fundamental skill in hacking and offensive security: approaching an entity and assessing it for risk and vulnerability. Which brings us to the next point.

Hacking Behavior is Embedded in Kids

As long as it’s taught the right way, it’s surprising how innately the ability to hack is already embedded in kids. Children spend a great deal of their time navigating social constructs built for them by adults, based on societal rules that they must respect. Bypassing these rules is often met with punishment, but when encouraged correctly it shows an innate understanding of weaknesses in processes and technology. For example, during the pandemic many kids were subject to homeschooling on distance learning platforms. A 9-year-old (we’ll call her Kamina) explained how she was provided with a login and password combination for the platform, but she quickly noticed that the password given to her was simply her initials followed by her class number. She then proceeded to log in as her classmates, as the default passwords were easy to guess. She went so far as to log in as a classmate who she had noticed was falling behind in his homework, did all his homework because she felt sorry for him, and then logged out again. This would be the equivalent of a hacker breaking into your server, patching it, and then logging out again. If only this happened more often!

A second anecdote comes from a similar perspective. Another child, aged 12, was being taught HTML and learned to modify elements directly in the browser by bringing up the ‘developer’ mode (by hitting F12, for example). They started bypassing restrictions in home-learning platforms that were poorly coded: some forms or buttons that would have displayed a hint system or some kind of knowledge base were disabled, but only on the client side. By opening the developer tools and deleting the ‘disabled’ attribute, they quickly figured out that disabled form elements could be reactivated to their advantage. Again, this was without an inherent understanding of the client-server model or even how to code, and this vulnerability is surprisingly still found in many platforms today.

Gamification

Gamifying engagement when it comes to cybersecurity is key. There’s a parallel to be drawn here with how employees are trained and what they retain (and crucially, what they forget). The uptake of things like phishing simulations, gamified ‘hacking days’ and humorous pictures to embed good behavior in employees is no accident – they are popular because they work!

A good exercise for introducing kids to encryption, for example, is simply writing out a phrase encrypted with the ‘Caesar’ cipher, a simple substitution cipher, and watching them solve it. This is a good segue into other places where encryption is present, like websites, and into teaching them the fundamentals of security and why encryption is important in everyday life.
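The exercise described above, worked through in code as an added example (not part of the original article): a Caesar encoder and a solver that does what the kids do by hand, trying every one of the 26 shifts and keeping the candidate that looks most like English. The sample phrase and the frequent-letter heuristic are constructed for this illustration.

```python
import string

ALPHABET = string.ascii_uppercase
# The nine most frequent letters in English text; a candidate plaintext made
# mostly of these is far more likely to be the real one than its 25 rivals.
FREQUENT = set("ETAOINSHR")


def caesar(text, shift):
    """Shift every letter `shift` places around the alphabet; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """Count how many letters of `text` fall in the frequent-letter set."""
    return sum(1 for ch in text if ch in FREQUENT)


def crack(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the best-scoring candidate.

    The only 'key' is a number from 0 to 25, which is exactly why the cipher
    makes a good classroom puzzle and a poor protection.
    """
    best_shift = max(range(26), key=lambda s: score(caesar(ciphertext, -s)))
    return best_shift, caesar(ciphertext, -best_shift)


if __name__ == "__main__":
    secret = caesar("The cat sat on the mat", 3)  # constructed sample phrase
    print(secret)                                  # WKH FDW VDW RQ WKH PDW
    print(crack(secret))                           # (3, 'THE CAT SAT ON THE MAT')
```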

Teaching the basics of hacking is important too, and this is where concepts matter more than understanding the intricacies of protocols like TCP/IP or HTTP. It was once explained via a demo site how a hacker would break into a fake bank application using a SQL injection, with the common SQLi payload of ‘or 1=1’ shown bypassing authentication, and then the kids were let loose to have a go. Sure enough, once they had tried and succeeded on the fake application, they quickly understood that this would work anywhere there was an input box.

This is where guidance is important: after looking away for a few minutes, one of the kids said ‘I’m trying to hack Google’, since they had seen an input box on the Google homepage. They now understand the concept of sanitizing user input. They don’t understand SQL or even the client-server model or how databases work, but they understand the concepts of authentication and user input, core competencies in application security.
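The fake-bank login from the demo, reconstructed as an added example (not the article’s demo site): the string-splicing query that the ‘or 1=1’ payload defeats sits beside the parameterised version that treats the same input as plain data, which is the concrete form the ‘sanitize user input’ lesson takes in application code. The table, users and passwords are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory stand-in for the demo bank's user table.

    Passwords are stored in the clear only to mirror the demo; real systems store hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Authentication the way the demo site does it: input spliced into the SQL text.

    Whatever the user types becomes part of the statement, so a password of
    ' or 1=1 -- closes the quoted literal, makes the WHERE clause true for every
    row and comments out the rest, letting anyone in without a valid password.
    """
    query = ("SELECT username FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """The remedy behind 'sanitize user input': keep the input out of the query text.

    Bound parameters reach the engine as data, never as SQL, so the same payload
    is compared literally against the stored password and simply does not match.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable, real creds:", login_vulnerable(db, "alice", "s3cret"))  # True
    print("vulnerable, payload:   ", login_vulnerable(db, "nobody", payload))  # True
    print("fixed, real creds:     ", login_fixed(db, "alice", "s3cret"))       # True
    print("fixed, payload:        ", login_fixed(db, "nobody", payload))       # False
```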

Humor

While there’s nothing funny about identity theft happening to you, humor does wonders for retention. This is why funny videos go viral and are talked about: they are easy to relate to, and laughter can trigger the release of dopamine and endorphins. In a work environment, there are other categories that assist with retention, sex and violence, but these are of course usually not permitted in a work environment and obviously not permitted in an educational setting suitable for kids.

Using humor to transmit cybersecurity concepts also works well for kids, both in video and image format. There is a website called www.scrytap.com that even creates TikTok videos, and it often uses image or video content to communicate things that would otherwise require some kind of PowerPoint presentation or be too opaque for kids to understand (think GDPR or data protection).

Cybersecurity as a Part of a Broader Curriculum

Interestingly, in many schools cybersecurity is only taught as part of the computing curriculum or is completely absent, which is not ideal for building a pipeline of talent for the future. Schools in Israel are famous for having dedicated cybersecurity courses as topics in their own right, and it is believed this is one of the main reasons the country has produced such a pedigree of cybersecurity companies and tools in the past.

Introducing cybersecurity as its own knowledge stream also disconnects it from the myth that cybersecurity is purely a technology issue, and will help feed in the arguably more important aspects that are commonly neglected (people and processes). This also makes it more mainstream, setting it apart from computing-specific courses that may be perceived as more male-dominated or somehow ‘nerdy’.

Teaching cybersecurity has come a long way at all levels. 10 years ago a dedicated cybersecurity degree was quite rare in universities; now there is a plethora of readily available information, certifications and knowledge that has expanded the audience to all academic levels. Cybersecurity certifications have also dropped in cost, and initiatives like the one by ISC2 to give out one million certifications for free are a great way to broaden the base of talent to those who may not be able to afford the sometimes expensive certification and exam fees.

Teaching kids about cybersecurity is not so different from teaching employees about cybersecurity, and following the principles of humor and gamification, and getting away from the stigma that it’s ‘just’ about computers, will go a long way to making cybersecurity a more attractive field for all kids, and a potential academic option for those who want to try something different. This is where everyone wins: taking innate skill and fostering it into something we can all use to stay safer.
