Building the Next Generation of Computer Security Professionals. Chris Simpson

Transcription

1 Building the Next Generation of Computer Security Professionals Chris Simpson

2 Overview Why teach computer security to high school students Deciding what to teach What I taught Community Support Lessons Learned and Way Ahead

3 How I got involved

4

5

6 Why teach computer security to high schools

7 Job Growth Source: information-security-analysts-web-developers-and-computer-network-architects.htm

8 "The numbers I've seen look like shortages in the 20,000s to 40,000s for years to come." Dark Tangent Source:

9 Limited computer science and computer security learning opportunities in high school

10 We need to help the next generation understand computer security related issues

11 Deciding What to Teach Never taught at the high school level No K-12 Curriculum Listed prerequisites but didn t enforce Diverse student background and experience Decided on Basic and Intermediate Class

12 Basic Class In this course, students will learn the fundamentals of securing computer operating systems. This class is a combination of theory and hands-on application.this course will show how students how operating systems work and actions that can be used to make them more secure. As a part of the class, students will be given weak systems to secure. Students will learn about Windows and UNIX Systems. Once they are done, the systems will come under simulated attack by a Red Team (virtual bad guys) and will need to work to thwart the attack. After participating in this course, the student will understand the fundamentals on how to secure an operating system.

13 Intermediate Class Description In this course, students will build on their knowledge from the first class and learn how to find and fix vulnerabilities and detect intruders. This class is a combination of theory and hands-on application, with more focus on applying hands-on skills. Students will learn how to use vulnerability scanners, scripting tools and will install a network intrusion detection system. After participating in this course, the student will understand the fundamentals on how to secure an operating system. The student will also have secured a system and defended it from attack. The course will conclude with simulated network attacks from a Red Team (virtual bad guys) that students will have to detect and respond to the threat.

14 Class Material

15 Class Setup Mix of lab and lecture plus guest speakers Utilized Virtual Box for most labs National University Virtual Education Lab Built course around Hacker High School material Class library

16 Textbooks (Licensed copy)

17 Basic versus Intermediate Used similar material in both classes with more advanced labs in the Intermediate class

18 Ethics Emphasize importance of using the Internet and security tools responsibly What happens if you break the law Case studies - Nomad Hacker - Randal Schwartz - Scott Moulton

19 Learning to Learn Security Community Be skeptical Learning Tools - Books and magazines - Blogs and social media - Videos - Academic papers (seminal security papers)

20 Intro to Hacking What is a hacker Hacker profiles Jeff Moss Johnny Long HD Moore General Keith Alexander Fyodor

21 Intro to Operating Processes Accounts Passwords Root Registry Logging Patching Systems

22 Intro to Networking Warriors of the Net Basic networking gear Network stack Encapsulation

23 What Attackers Do Attacker mindset Terms - Rootkits - Malware - Phishing

24 Forensics and Incident Response How a hard drive works Principles of Forensics

25 Linux Basic Command line - find, grep, pipes etc Scripting - Why use scripts - Basic bash script

26 Vulnerability Scanners How they work Vulnerability standards NVDB, CVE Difference between a vulnerability assessment and pentest

27 Pentest Tools NMAP Metasploit Responsible use

28 Cryptography History Caesar Cipher Vigenere Cipher Symmetric and Asymmetric Encryption NSA website

29 Security Certs and Careers Covered common security certs (ISC2, ISACA, OCSP, CEH etc) Highlighted career opportunities in the security field Discussed working environment

30 Checking knowledge retention with jokes... The best thing about packet delivery jokes is that they are best effort. In high society, TCP is more welcome than UDP. At least it knows a proper handshake. Whenever you tell a localhost joke, you're talking to yourself

31 Hands on Labs Finding stuff on the Internet Find answers OS Specific Research malware

32 Linux Labs Log onto Ubuntu Open terminal Commands ls, mv, ping etc

33 Make directory List ip addrsss Command line - copy - print - tracert - ipconfig Windows Labs

34 Honeypot Demo Showed how quickly systems can be compromised Dionaea - Caught over 100 pieces of malware in 4 days - Mostly Nimda and other common worms

35 Vulnerable Website Generic website listening on ssh and port 80 Ran TCPDUMP Downloaded and analyzed traffic SSH bruteforce attacks from Germany Note to self: Turnoff tcpdump when downloading pcap files

36 Community Support

37 Guest Speakers Scott Kennedy - Career planning and Crypto Stephen Cobb - ESET Security Evangelist - Malware San Diego Super Computer Center CSO FBI Agent

38 National University Virtual Education Lab (VEL) Four Teams Vulnerable VM s to defend XP, W2K3 and Ubuntu Grad Student Red Team located in Georgia Interactive Debrief

39

40 Vendor Tools Qualys Vulnerability Scanner

41 Pentest Lab BackTrack 5 NMAP Metasploit and Armitage Virtual Box and Vulnerable XP VM

42 Communication with Parents Pre and Post class Highlighted course material Discussed responsible use of computers and security tools

43 Lessons Learned Need 2-3 Interns to support labs More hands on labs Don t let students read Facebook etc during class Use Linux Textbook and have a 1-2 day Linux bootcamp Make sure students understand the material

44 Way Ahead Try again this Summer One or two day Linux immersion Create pre-class tutorial Build a website to share curriculum plans, lessons and other learning material Less talk more hands on Build more detailed labs Add a competition

45 How you can help build the next generation of computer security professionals

46 Mentor a High School Cyber Defense Team

47 Share Your Knowledge Volunteer at local school Share learning materials - Note: Sharing does not include sending me malicious links and files!

48 Support Hackers For Charity

49 More Info Presentation and links: Course Website: