The Infocomm Technology (Information Security) degree programme at SIT trains cyber soldiers to take on real threats in authentic environments.
When Joel Chan Zhee Meng’s social media account was hacked 10 years ago, he had no idea how it was compromised. But it got him curious about the deep, dark world of cyber dangers. He enrolled into a diploma in cyber security at a polytechnic, learned about phishing, and realised what was behind the attack he had encountered. He wanted to find out more: “How does it work? Why do people still fall for such things?”
He found the answers while reading the four-year Information and Communications Technology (Information Security) degree programme at the Singapore Institute of Technology (SIT), where theoretical knowledge marries applied learning, and cyber soldiers are trained to take on real threats.
Such authenticity, stressed Associate Professor Steven Wong from the university’s Infocomm Technology cluster, is critical to fighting the world of online scourges. “In SIT, applied learning is important, and it’s even more so for cyber security education,” said A/Prof Wong. “You can’t throw a book at a hacker and tell the hacker not to hack.”
For instance, SIT organised a Punggol Digital District (PDD) Bug Bounty competition in May 2021, when about 50 students were given four hours to identify vulnerabilities – also known as ‘bugs’ – that could compromise building management systems hosted on an isolated network managed by the university. The contest was held in partnership with Singapore-based cybersecurity firm Group-IB, the Cyber Security Agency of Singapore, and cyber security community Division Zero.
Joel Chan (left) and Prof Tan Thiam Soon, President, SIT, with the certificate he received at the prize giving ceremony held at the ‘PDD: Connecting Smartness’ event on 28 July 2021.
Joel won in the speed round, uncovering the first ‘bug’ in less than 10 minutes. “It’s a good hands-on opportunity to hone our skills in a real-world setting, and prepare us for what’s to come,” he said.
Familiar cybersecurity activities like ‘Capture the Flag’ and ‘Blue team, Red team’ are also used to help students understand the different types of vulnerabilities. The university prepares networks and websites for students to hack into so they can work on real-life systems as much as possible.
The biggest infrastructure inside SIT’s ‘living lab’ at the SIT@NYP campus is a network where real-life smart building systems are deployed, allowing students to hone their skills in a real environment.
“The boundary of uncertainty is much higher,” A/Prof Wong said of the living lab. “We are looking at real systems that control our living space, like door access and building management systems.”
He added: “It is not a situation where the instructors are planting bugs for the students. In fact, the instructors may not even be aware of existing bugs in the living lab.”
SIT, industry partners and SITizens shared their views on the Bug Bounty programme.
A world in need of cybersecurity talent
While the living lab allows experimentation and authentic learning to happen, it must also have the ability to prevent students from going out of bounds, which means “people hacking what they’re not supposed to hack,” A/Prof Wong explained.
“This is where industry collaborations are important, because we leverage on our partners’ state-of-the-art solutions and products to help us ensure that students attain crucial skillsets but don’t go too far.”
The living lab also allows industry partners, especially small- and medium-sized enterprises, to test their products and services on campus. Students can test out the functionality of these innovations or look for vulnerabilities in them.
It is a win-win partnership, said A/Prof Wong. Students are exposed to what professionals are doing, and can peg themselves to industry standards. Industry partners, in turn, have a ready pool of trained, ethical, professional and passionate cyber security talents to hire from.
“The companies realise that by helping us, they are helping themselves,” A/Prof Wong said.
Group-IB’s Managing Director in APAC, Mr Shafique Dawood, agreed. With Singapore’s cybersecurity market expected to reach S$1.2 billion in 2022, “this means that Singapore desperately needs cybersecurity talent since cyber threats never cease to evolve”.
“From day one, we’ve been paving the way for students to go into the cybersecurity professions no one teaches yet, inviting them to intern with one of our offices worldwide and then join our team,” he added. “We aspire to facilitate the entry of young specialists into the labour market and expedite their adaptation to the cyber battleground by sharing collective knowledge and experiences by our experts.”The talent shortage will likely widen unless private players join forces with universities to groom young talent. But a lack of practical skills is a major obstacle preventing fresh graduates from entering the job market, he said.
Group-IB is also collaborating with SIT to develop and operate a cybersecurity testing facility called the PDD Cyberpolygon Sandzone in the Punggol Digital District, where SIT’s future centralised campus will also be located. The company aims for it to offer a platform for large-scale ethical hacking, vulnerability research and networking events, including those where cybersecurity analysts can engage with students to share knowledge and expertise.
This way, students will not only be exposed to cutting-edge technologies, but garner contextual knowledge as well, ensuring that SIT graduates are ready to deal with real-life incidents.
In fact, SIT’s industry-focused approach is so effective that more than 95 per cent of the programme’s graduates secured full-time employment within six months following completion of their studies, consistently over the past three years – since the launch of the degree programme.
Take for instance Joel, who is already looking at provisional offers, exploring his options, and considering his next move.
He has come a long way from being the victim of a cyberattack to being one of the ‘good guys’ in cyber security. As he shared confidently: “I always think like a hacker. It’s when I look at things from a hacker’s perspective to visualise how he would execute a cyberattack that I can be one step ahead and find ways to protect against it.”