With the growing shortage of cybersecurity professionals, universities are increasingly stepping up efforts to develop curricula and opportunities for student engagement around cybersecurity disciplines. Universities globally have been introducing students to ethical hacking not only through coursework, but also by developing student-run hacking clubs that train students for cyber defense competitions and advocate for the development of cybersecurity skills and careers.
In the inaugural InterUni Bug Bounty Challenge, jointly organized by the National University of Singapore (NUS) and Singapore Management University (SMU) from 12 August to 9 September 2020, students and staff from the two universities will get to hone their hacking skills by looking for vulnerabilities (or ‘bugs’) across the digital assets of their respective universities in exchange for monetary rewards, or bounties.
NUS is the first university in Singapore to host a well-received bug bounty challenge last year. More than 200 NUS students participated in the three-week hacking challenge in August 2019, surfacing 13 valid vulnerabilities and six NUS Computing undergraduate and Masters students winning US$4,550 in total.
To kick off the InterUni Challenge, we sat down with NUS Chief Information Technology Officers Tommy Hor to learn more about the project, why cybersecurity is so important to educational institutions like NUS, and more.
Q: Introduce yourself and NUS. Tell us what you do and why cybersecurity is so important to your organization.
Tommy: I’m Tommy Hor, the Chief Information Technology Officer for NUS, and I head the central IT department for NUS with over 250 staff handling applications, infrastructure, research computing, and cybersecurity. Our mission is to provide reliable, high-performance and secure IT infrastructure and services to support the University’s business needs.
We have a large number and a mix of users, consisting of staff, students, faculty, and researchers. Cybersecurity threats constitute a major risk area, as shown by the prevalence of data breaches reported globally in recent years. Hence, we need to safeguard the vast amount of data that is generated so as to prevent any leakage or loss which might result in institutional knowledge, reputational or financial loss to the University.
Q: NUS is the first university in Singapore to start a bug bounty initiative. What made you start this annual initiative? And, are there any lessons learned or key takeaways from last year’s Challenge that will help inform this year’s Challenge?
Tommy: We have been doing the typical vulnerability assessments and penetration testing for years now. We thought, since we have some of the brightest students, why not collaborate with them to see what we can achieve together? By allowing our students to hack our own applications, we are breaking conventional and conservative notions, and offering students the unique experience of hacking on production systems. For their effort and “successful hacks,” they were rewarded with cash prizes and bonus marks. And the bugs discovered would directly translate into a more secure environment, after we fix them of course!
With the success from the bug bounty challenge last year, we are definitely making this a yearly affair, expanding the scope of applications being tested, and increasing the number of participants. In the meantime, we will continue to work with our faculty and researchers to boost our cybersecurity initiatives through the exchange of knowledge and the infusion of practical real-world scenarios into the teaching curriculum. By popular demand, we have extended the InterUni Bug Bounty Challenge to staff and incorporated a 10-week accredited bug bounty crash course leading up to the challenge. This will help more students and staff, who had never tried hacking before, to learn something new out of this.
Q: How has hacking become an integral part of the cybersecurity education over the last year?
Tommy: The IT environment for higher education is a challenging one because we have to strike a fine balance between security and digital freedom. We can all agree that there’s no such thing as 100% safety in cybersecurity. Thus, we adopt a proactive and predictive approach to cybersecurity, leveraging active threat-hunting and dynamic red-teaming concepts. The bug bounty programme is a good example of the latter, and in this case, participants are helping the process by searching for vulnerabilities in the systems and applications they are already familiar with because of regular usage.
There is an inherent resistance to allow anyone, especially your own staff or students, to hack into your live production systems. However, we boldly explore options for reducing such risks, such as stepping up on monitoring efforts and establishing a functional backup system.
Q: Tell us about the initiative and the decision to extend Bug Bounty Challenge to SMU? What do you hope for participants to take away from this year’s NUS/SMU Challenge?
Tommy: We aim to gather the thought leaders, especially fellow institutions of higher learning to share knowledge, synergise resources, and work towards cyber resilience together. We had earlier engendered this sharing through the inaugural CyberN’US 2019 conference. We have taken this further by extending the Bug Bounty Challenge to SMU.
Q: Who is eligible to participate?
Tommy: Students and staff at NUS and SMU are eligible to participate. Similar to the last NUS bug bounty challenge, students and staff are invited to participate for a four-week window and the bounty ranges up to US$1,500 depending on the severity of the discovery. This is the first year staff are eligible to participate.
Q: As your team gets reports and results, what happens next? What does success look like?
Tommy: IT teams will work together with the participants, lecturers, and security researchers to understand the reports and fix the vulnerabilities. This engagement provides opportunities for networking, learning, and reflection. For participants, there is greater clarity on the validity of the vulnerabilities. For lecturers, they have real world examples to showcase during their classes. From the IT angle, there is a fresh perspective on the controls that can be further tightened. All these contribute towards nurturing a stronger cybersecurity culture within the NUS community. Other successful outcomes include the additional scope of applications that are tested by students and staff, number of participants, and the meaningful bounty reports that arise from the Challenge.
Find out more about how NUS collaborated with HackerOne on the 2019 NUS Bug Bounty Challenge here.