Using Students to Pen Test Your Network (For Credit) Robert Maxwell Michael Hicks

Transcription

1 Using Students to Pen Test Your Network (For Credit) Robert Maxwell Michael Hicks

2 No, seriously. This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial- ShareAlikelicense, which grants usage to the general public with the stipulated criteria.

3 Mike Hicks Director of the Maryland Cybersecurity Center Associate Professor of CS at UMCP Lots more:

4 Rob Maxwell Manager, Security Operations, UMCP Faculty of MC^2.

5 How did the IT guys get involved in teaching? Long term cooperation with some researchers for access to data (my boss gets most of the credit here, but he d like us to forget about that) This leads to our involvement with the Maryland Cybersecurity Center (MC^2) then one day...

6 Seriously, how did this happen? University signs a contract with a job site where students will post resumes, obliges departments to use it. CS professors are made aware of serious security holes in the site. To make it much worse, vendor is very unresponsive to their concerns. by an applicant for the directorship of the center

7 The Brainstorm Let s have a class of students pen test the campus network to make it more secure.

8 Secure Maryland Undergraduate Penetration Testing class Students do work on our live network Really.

9 What could go wrong? Lots

10 A Digression The contemporaneous state of pen testing on campus: nil At this point, we were not providing this service on a regular basis. We have since improved our capabilities in this area.

11 Convincing Lawyers They eventually approved our plan: We argued that students wouldn t be doing anything that anyone couldn t do from Starbuck s They deferred to our judgement They suggested we forego any sort of NDA Given the state of our network defenses, this was largely true, at the time.

12 Goals of the class Teach qualified undergraduates the art of penetration testing. Teach the foundations of ethical hacking. Improve the security posture of the university.

13 Teaching Undergrads Art Penetration testing training, methodologies Using real world systems guarantees real world results Requires creativity and ingenuity - no assured right answers

14 Ethical Considerations Ethical implications of this work covered thoroughly Business contracts involved in this work discussed Engagement rules and scoping covered Honor Code invoked

15 Improving Our Security Large decentralized network (50,000+ nodes), 2x /16 networks and then some Students are finding problems and notifying the responsible parties to help them remedy vulnerabilities Things can get forgotten or abandoned on a network this big.

16 Students could damage systems or down services Students could access or exfiltrate sensitive information or intelligence about our networks

17 Mitigation Students performed these tests from standard network access (no special connections - the Starbuck s argument) Network traffic was recorded for later examination Tried having dedicated network access points. Students didn t want to use them in a lab setting. Dedicated VPN access for testing is an option that continues to be evaluated. Also, traffic recorded as insurance.

18 Scope of Work Students were warned away from specific sensitive systems Engagement level is gradually increased through semester Finally, actual exploitation of systems must be approved by the instructor

19 Course Design Initial instruction in techniques and tools, ethics, and business processes As techniques are taught, students begin to use them to explore the network. As vulnerabilities are found, students notify system admins (and SOC) to remedy and must follow up to assist and report

20

21 Cooperative Course Wiki used to share course information Targeting information, interesting results Useful tools and techniques shared via wiki and in class Students provided information from security office to facilitate contacts Tried using some scan-sharing software, but it broke under load Students

22 Final Project - Departmental Engagement Final third of semester, student teams are put in touch with departments to create a professional pen testing engagement. Full documentation of every step from laying out scope of work right through final recommendations. All techniques were on the table for negotiation Techniques including social engineering and physical testing (taser rule)

23 Technology BackTrack/Kali linux distro Google, Shodan Nmap, Nessus/OpenVAS, Metasploit Additional tools encouraged Started w/ backtrack, some have moved on to Kali tried using centrally-hosted VMs, had poor luck with them. Dirbuster, ZAP,

24 Student Work Product Notifications to admins (which become SOC tickets at the end of the class) Paper describing in detail their work on the greater network The report resulting from the departmental engagement

25 Class paper Descriptions of activities, evolution of strategy, successes and failures Lessons learned Appendix containing all retained information (screen captures, pcaps, output files, etc.)

26 Results? Printers Webcams Web vulnerabilities Printers (hundreds) Abandoned stuff Printers - doc servers, no password, telnet/web interface configurable webcams

27 SCADA HVAC control systems Lighting control systems Serial interfaces for card readers

28 Byrd Stadium Scoreboard

29 Chapel Carillon System

30 Results Still completing final tally for this semester. Quick count has us down from over 300 to just over 100 vulnerable printers. Bulk of what was found in the second iteration is new We can prioritize the repeat offenders

31 Robert Maxwell