Meet Justin Cappos
Justin Cappos teaches his students to understand cybersecurity risks by thinking like a hacker
To be successful at protecting the world’s most sensitive data you must have the ability to think like a hacker who is trying to steal or gain access to that data.
According to Justin Cappos, professor in the Tandon School of Engineering and curriculum designer and course director of the Information Security and Application Security courses, this is exactly what makes the courses he teaches so compelling and, ultimately, useful.
We sat down with Justin to get a better sense of what these courses are all about, where ‘paranoia’ is a desired course outcome, and how it is that teaching these courses means being part magician, part hacker, and part pundit.
What’s your professional passion? Of all your professional research and interests, which do you feel especially strong about?
I feel especially that in security, you are only doing good work if that work is able to impact the real world. I am particularly passionate about looking at real world problems, looking at ways that people can be hacked, or ways that systems can be insecure and plugging those holes before the attackers are able to exploit them and cause millions of dollars of damage—or even loss of life in some situations.
In the Cyber Fellows program, Information Security and Privacy is the first required course. I was wondering if you might describe that for us?
Information Security and Privacy is basically meant to teach what could possibly go wrong and to make you think about how security systems work and how they fail. It is meant even for somebody who's not technical. I have lawyers and others who take it, and they come out understanding a bit about how security in the world around them works. I hope that everyone who takes the class comes away appropriately paranoid.
What’s the role of this course in the program as a whole?
It lays a foundation for thinking like an attacker and about how to attack systems. Then you use this foundational knowledge across a whole bunch of other courses such as Network Security, where you apply those techniques to a variety of different networking technologies. Or in Application Security, where you apply them to defensively fixing security code or production code that has been written by others, or you apply it to Penetration Testing, where you learn how to break into systems offensively and use that access to go laterally. But at the foundation of all that, you need to have an understanding of how to reason about threats and risks--where to attack and where to defend.
What about the course do you find most compelling?
I enjoy teaching the class because I get to be a little bit of a magician in some ways. People often have a lot of preconceptions about the world around them and the way things work. For instance, if you see someone has a bike lock, you look at this and you think: it’s not possible to open it without the key or combination—this is meant to lock something. But if you understand a little bit about how these systems work, you can actually fairly easily go and hack them without knowing the actual combination for the lock. So the ability to dispel people’s misconceptions and get them thinking in a different way, is something that I find particularly compelling and beautiful. You take the biggest step towards being a security professional with that initial time the veil is pulled away from your eyes.
What’s cutting edge or extremely current about the course?
Every week something new happens that could easily replace some previous slides in the class. That’s, of course, also the down side of it--there’s always so much you want to add and change and adapt. But in general, there’s always things happening that are topical that relate to it. One other nice thing about it is the way the class is structured. When you get to the last portion of the class and you have this basic foundational knowledge, we get to explore a lot of different topics. We get to go and look at more cutting edge technologies. We spend time looking at crypto currencies, hacking automobiles, and looking at trusted hardware. That's the reason why it’s hard to copy DVDs and other things like that in their systems. Look at the way that the autonomous communications network, those which enabled huge political movements like the Arab Spring or Edward Snowden to go and communicate and disclose information to Wikileaks. We’re able to look at those topics and I find it exciting that we can always can have one eye towards the future.
What do students get the most out of?
I hope that they’ll start to really look at things and view the world around them not through the eyes and through the design of how things were meant to be used, but how they could be used. I find that part particularly compelling and fun. I have had students come back to me afterwards and say, “Hey, I never realized that before—but after I took your class I saw this thing” or, “I was in a situation, and I realized immediately what was going on.” And so I find those to be some of the most rewarding interactions. It’s often not very technical things—it’s the mindset.
What real world problems are being addressed by people who have the skills developed in this course?
Students who come out of this class are often going and helping to secure really just about anything. They work in major banks, they secure the trains that you may ride on when you commute to work. They’ll work in the tech industry—they really work everywhere on the products and services that you use today.
I have found that the students are often extremely security aware and will often reach back out to me and say, “Hey, can we talk a little bit about this? Can I get your advice?” So, they’re obviously very plugged in and very concerned about what is happening to the organizations around them. That’s actually one of the most important things when you go and take a job to work in a position. It’s not just doing what your boss says, but also understanding the security implications, privacy implications, security for your consumers and things for the world around you so you don’t end up in situations like at Facebook or other companies like that.
How does your research come into play in your courses?
One of the advantages you have by learning from folks that are very active in the cyber security community, is you get to understand a lot more of how the real world works and that gets translated into the things you learn in the course. And so there are hands on exercises that I do when I teach classes, like this security class where we’ll go and look at your actual privacy footprint that is being collected by companies like Apple/Google and others about you. There are types of physical penetration testing that you might do if you’re actually trying to do a site audit and the students getting a chance to experience those real world things in an environment where they have an instructor that can help guide them.
For students in the Cyber Fellows program, this is their first course. Do they realize how we’re always under attack?
I think most students appreciate it. It really takes a while to look at and understand and see how you’re impacted and to what degree. By technology, you are able to think about them in an effortless way. So for instance, a lot of the students are paranoid and wouldn’t want to have an Amazon Alexa, Google Home, or whatever personal assistance devices that listen to you and track you and know what you’re saying, and always creepily listening in my living room. Well, your smartphone can do that for wherever you go. It has a camera, it has a GPS and your credit card information, and your social network. You type your password and you do all this other stuff with your smartphone, which makes it even more sensitive than your Amazon or Google device, right? But I think a lot of them haven’t internalized that yet. Oh no, I have grown up with this smartphone, I’ve done this, I’ve done that, and they know it’s visible and thanks to GDPR and other things like that, students are going to get a lot of visibility into what they really do know.