Building the Next Generation of Computer Security Professionals Chris Simpson
Overview Why teach computer security to high school students Deciding what to teach What I taught Community Support Lessons Learned and Way Ahead
How I got involved
http://sandiegocsta.org/
http://education.sdsc.edu/studenttech/
Why teach computer security to high schools
Job Growth Source: www.bls.gov information-security-analysts-web-developers-and-computer-network-architects.htm
"The numbers I've seen look like shortages in the 20,000s to 40,000s for years to come." Dark Tangent Source: http://www.reuters.com/article/2012/06/12/usmedia-tech-summit-symantec-idusbre85b1e220120612
Limited computer science and computer security learning opportunities in high school
We need to help the next generation understand computer security related issues
Deciding What to Teach Never taught at the high school level No K-12 Curriculum Listed prerequisites but didn't enforce Diverse student background and experience Decided on Basic and Intermediate Class
Basic Class In this course, students will learn the fundamentals of securing computer operating systems. This class is a combination of theory and hands-on application. This course will show students how operating systems work and actions that can be used to make them more secure. As a part of the class, students will be given weak systems to secure. Students will learn about Windows and UNIX Systems. Once they are done, the systems will come under simulated attack by a Red Team (virtual bad guys) and students will need to work to thwart the attack. After participating in this course, the student will understand the fundamentals on how to secure an operating system.
Intermediate Class Description In this course, students will build on their knowledge from the first class and learn how to find and fix vulnerabilities and detect intruders. This class is a combination of theory and hands-on application, with more focus on applying hands-on skills. Students will learn how to use vulnerability scanners and scripting tools, and will install a network intrusion detection system. After participating in this course, the student will understand the fundamentals on how to secure an operating system. The student will also have secured a system and defended it from attack. The course will conclude with simulated network attacks from a Red Team (virtual bad guys) that students will have to detect and respond to.
Class Material
Class Setup Mix of lab and lecture plus guest speakers Utilized VirtualBox for most labs National University Virtual Education Lab Built course around Hacker High School material Class library
Textbooks (Licensed copy)
Basic versus Intermediate Used similar material in both classes with more advanced labs in the Intermediate class
Ethics Emphasize importance of using the Internet and security tools responsibly What happens if you break the law Case studies - Nomad Hacker - Randal Schwartz - Scott Moulton
Learning to Learn Security Community Be skeptical Learning Tools - Books and magazines - Blogs and social media - Videos - Academic papers (seminal security papers)
Intro to Hacking What is a hacker Hacker profiles Jeff Moss Johnny Long HD Moore General Keith Alexander Fyodor
Intro to Operating Systems Processes Accounts Passwords Root Registry Logging Patching
Intro to Networking Warriors of the Net Basic networking gear Network stack Encapsulation
What Attackers Do Attacker mindset Terms - Rootkits - Malware - Phishing
Forensics and Incident Response How a hard drive works Principles of Forensics
Linux Basic Command line - find, grep, pipes etc Scripting - Why use scripts - Basic bash script
Vulnerability Scanners How they work Vulnerability standards NVDB, CVE Difference between a vulnerability assessment and pentest
Pentest Tools NMAP Metasploit Responsible use
Cryptography History Caesar Cipher Vigenere Cipher Symmetric and Asymmetric Encryption NSA website
Security Certs and Careers Covered common security certs (ISC2, ISACA, OCSP, CEH etc) Highlighted career opportunities in the security field Discussed working environment
Checking knowledge retention with jokes... The best thing about packet delivery jokes is that they are best effort. In high society, TCP is more welcome than UDP. At least it knows a proper handshake. Whenever you tell a localhost joke, you're talking to yourself.
Hands on Labs Finding stuff on the Internet Find answers OS Specific Research malware
Linux Labs Log onto Ubuntu Open terminal Commands ls, mv, ping etc
Windows Labs Make directory List IP address Command line - copy - print - tracert - ipconfig
Honeypot Demo Showed how quickly systems can be compromised Dionaea - Caught over 100 pieces of malware in 4 days - Mostly Nimda and other common worms
Vulnerable Website Generic website listening on SSH and port 80 Ran TCPDUMP Downloaded and analyzed traffic SSH brute-force attacks from Germany Note to self: Turn off tcpdump when downloading pcap files
Community Support
Guest Speakers Scott Kennedy - Career planning and Crypto Stephen Cobb - ESET Security Evangelist - Malware San Diego Super Computer Center CSO FBI Agent
National University Virtual Education Lab (VEL) Four Teams Vulnerable VMs to defend XP, W2K3 and Ubuntu Grad Student Red Team located in Georgia Interactive Debrief
Vendor Tools Qualys Vulnerability Scanner
Pentest Lab BackTrack 5 NMAP Metasploit and Armitage VirtualBox and Vulnerable XP VM
Communication with Parents Pre and Post class email Highlighted course material Discussed responsible use of computers and security tools
Lessons Learned Need 2-3 Interns to support labs More hands on labs Don't let students read Facebook etc during class Use Linux Textbook and have a 1-2 day Linux bootcamp Make sure students understand the material
Way Ahead Try again this Summer One or two day Linux immersion Create pre-class tutorial Build a website to share curriculum plans, lessons and other learning material Less talk more hands on Build more detailed labs Add a competition
How you can help build the next generation of computer security professionals
Mentor a High School Cyber Defense Team http://uscyberpatriot.org http://www.saic.com/cyber-cup
Share Your Knowledge Volunteer at local school Share learning materials - Note: Sharing does not include sending me malicious links and files!
Support Hackers For Charity http://volunteer.hackersforcharity.org/
More Info Presentation and links: http://www.brightmoonsecurity.com/toorcon Course Website: http://brightmoonsecurity.com/techcamp Email: chris@brightmoonsecurity.com Twitter: @BrightMoonSec