Conference Paper

Teaching Network Security Through Live Exercises.


Abstract

Live exercises represent a valuable tool to teach the practical aspects of security and the dynamics of network-based attack and defense techniques. However, these exercises are very difficult to organize and execute. For this reason, there are very few courses that offer live exercises as an integral part of the class work. This paper describes a series of live exercises that have been used in a graduate-level Computer Science course on network security. For each exercise, the setup, execution, and lessons learned are discussed. The intended audience of this paper is instructors, especially in colleges and universities, who want to start using this type of instructional tool but have no experience and are unsure of the possible pitfalls in its implementation.


... Gamification in education has already been advocated as a means to enrich learning experiences [15]. In particular, within IT security, the development of Capture-The-Flag-like competitions has been argued to be advantageous for education and training [30]. Inspired by the gamified nature of CTFs, we propose to address the issues of ICS security education and research with the SWaT Security Showdown (S3) competition. ...
... Several other similar CTF competitions are listed in [10]. In [30] Vigna proposes to use gamified live exercises to teach network security. The motivations and philosophy of this work are similar to ours. ...
... However, the focus of the paper is on IT network security (e.g., gaining root privileges on a web server or stealing data from a SQL database) and not on OT network security (industrial network devices and protocols). Inspired by [30], in [8] the authors of the iCTF event presented two novel, live, and large-scale security competitions. The first is called "treasure hunt" and it exercises network mapping and multi-step network attacks. ...
Conference Paper
Our work considers the challenges related to education and research about the security of industrial control systems (ICS). We propose to address those challenges through gamified security competitions. Those competitions should target a broad range of security professionals (e.g., from academia and industry). Furthermore, they should involve both attack and defense components. This could include the development of new attack techniques and evaluation of novel countermeasures. Our gamification idea resulted in the design and implementation of the SWaT Security Showdown (S3). S3 is a Capture-The-Flag event specifically targeted at Industrial Control Systems security. We developed ICS-specific challenges involving both theoretical and applied ICS security concepts. The participants had access to a real water treatment facility and they interacted with simulated components and ICS honeypots. S3 includes international teams of attackers and defenders both from academia and industry. It was conducted in two phases. The online phase (a jeopardy-style capture the flag event) served as a training session and presented novel categories not found in traditional information security CTFs. The live phase (an attack-defense CTF) involved teams testing new attack and defense techniques on SWaT: our water treatment testbed. During the competition we acted as judges, and we assigned points to the attacker teams according to a scoring system that we developed internally. Our scoring system is based on multiple factors, including realistic ICS attacker models and effectiveness of the detection mechanisms of the defenders. For each phase of the S3 we present the results and relevant statistics derived from the data that we collected during the event.
... CTF-like gamified security competitions are expected to help the ICS security community in many ways [15,30,40]. A CTF is a hands-on learning experience and it can be used as an educational tool, a research tool, and an assessment tool. ...
... The gamification aspect of a CTF allows the participant to express his or her full potential, e.g., attack/defend without fear of consequences or bad marks. CTF events have already been proposed as a means to enhance security education and awareness [15,30,40]. Although such events cover a wide range of security domains, to the best of our knowledge they do not so far include the security of ICS. ...
... Gamification in education has been advocated as a means to enrich the learning experience [22]. In particular, within IT security, the implementation of CTF-like competitions has been argued to be advantageous for education and training [40]. Inspired by the gamified nature of CTFs, we propose the following approach. ...
Article
In this work, we consider challenges relating to security for Industrial Control Systems (ICS) in the context of ICS security education and research targeted both to academia and industry. We propose to address those challenges through gamified attack training and countermeasure evaluation. We tested our proposed ICS security gamification idea in the context of the (to the best of our knowledge) first Capture-The-Flag (CTF) event targeted to ICS security called SWaT Security Showdown (S3). Six teams acted as attackers in a security competition leveraging an ICS testbed, with several academic defense systems attempting to detect the ongoing attacks. The event was conducted in two phases. The online phase (a jeopardy-style CTF) served as a training session. The live phase was structured as an attack-defense CTF. We acted as judges and we assigned points to the attacker teams according to a scoring system that we developed internally based on multiple factors, including realistic attacker models. We conclude the paper with an evaluation and discussion of the S3, including statistics derived from the data collected in each phase of S3.
... A general description of different approaches to teaching information security is given in [1]. Many papers focus on approaches that give students hands-on experience [2]. [2] describes the details of three live exercises that were used as part of a graduate-level course on network security to teach the practical aspects of network security. A course that utilizes an isolated lab infrastructure to teach security is described in [3]. ...
Conference Paper
With the ever-increasing dependence on e-services, an understanding of network security issues is a vital component in securing such e-services. Due to the breadth of the topic, traditional network security courses tend to focus on a few aspects, which may undermine the "big picture" view of the security scene and hence result in a lower overall understanding of the topic by students. This paper presents a holistic approach to teaching network security that aims to provide students with a wide perspective on network security issues. The approach features the use of many hands-on exercises to deepen the understanding of the topics covered and increase the students' interest. Moreover, professional skills (e.g., communication skills and the impact of technical solutions at local and global levels) are also incorporated in the course. Developing these professional skills is a requirement for accreditation for programs that undergo an accreditation process (e.g., ABET). The paper provides a blueprint for an undergraduate course on network security that outlines topical coverage, describes hands-on experiments to enhance students' understanding of the theory portion, suggests suitable educational software to carry out these experiments, and discusses ways to integrate professional skills into the course delivery.
... Is this approach suitable in depth and breadth [13], [14]? Because computer security in general covers a wide range of technology, careful selection of topics and particular attention to presenting them to the students are vital to ensure that instructors are not lost in the details of each technology. ...
... Other than that, hardware and software resources and funding must be taken into account, whether obtained internally or externally [14]. The student-to-instructor ratio must be adhered to, to enable successful implementation of this approach. ...
Article
This paper discusses a curriculum approach that gives emphasis to the practical portions of teaching network security subjects in information and communication technology courses. As we are well aware, the need to use a practice- and application-oriented approach in education is paramount. Research on active learning and cooperative groups has shown that students grasp more and have a greater tendency towards obtaining and realizing soft skills like leadership, communication and teamwork, as opposed to the more traditional theory- and exam-based teaching and learning. While this teaching and learning paradigm is relatively new in Malaysia, it has been practiced widely in the West. This paper examines an approach whereby students learning wireless security are divided into and work in small and manageable groups, each consisting of two teams: a black hat team and a white hat team. The former will try to find and expose vulnerabilities in a wireless network, while the latter will try their best to prevent such attacks on their wireless networks using hardware, software, design, enforcement of security policy, etc. This paper will try to show that the approach taken, plus the use of relevant and up-to-date software and hardware in a suitable environment setting, will hopefully expose students to a more fruitful outcome in terms of understanding of concepts and theories and their motivation to learn.
... Mattford and Whitman [12] survey current practices in the development of an information security and assurance laboratory, while Mateti [11] describes such a course at Wright State University and Carlson [4] describes a course at a small college. Many of these hands-on courses are "cyberwar" courses [13, 23]; similar cyberwar courses are also offered at the graduate level [8, 21, 22]. One particular exercise often taught in a course with a cyberwar component is the Capture the Flag exercise [6, 24]. ...
... Students can use the laboratory when class is not in session to prepare for the exercises; however, the room is secured, and only students who are enrolled in one of our security courses can use the room. There are a number of different approaches one can take to the design of an isolated laboratory for security exercises; we mention [8, 10, 15, 16, 21, 22, 23]. Each of our 28 host machines runs VMWare Workstation and students do all of their class work in virtual machines. ...
Conference Paper
We describe a laboratory-based capstone course in computer security for undergraduates. The course is based on a sequence of hands-on laboratory exercises for four teams of students. It emphasizes defensive tools and techniques at the expense of attacks; it also takes a network-centered view where student teams set up and configure entire networks. In this paper, we describe the course, how it fits into the curriculum, and the laboratory facilities we have developed. We then present the details of some of our lab exercises, and discuss the lessons that we have learned.
... These methods are central to better understanding the ways security systems may fail. Teaching students offensive skills, as opposed to defensive techniques, yields better security professionals [6][7][8][9][10]. Many academics and industry practitioners feel that the best way to prepare system defenses is to understand the attacks that the systems will face [11]. ...
... The threshold should be specified based on the firewall environment and the usage of the ICMP protocol. As an example, the threshold in this experiment has been set to 10. This means that the firewall will accept only 10 ICMP packets per second. ...
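The threshold rule quoted in the snippet above (accept only 10 ICMP packets per second) is a rate limit, and the usual way a packet filter enforces one is a token bucket. The Python model below is an added example, not code from the cited paper or from any firewall: tokens refill at the threshold rate up to a burst size, and each accepted packet spends one. The packet trace is constructed, and the burst of 10 is an assumption (the netfilter `limit` match behind `iptables -m limit --limit 10/second` is a token bucket of the same shape, with a default burst of 5).

```python
"""Token-bucket model of a firewall ICMP threshold.

Added example, not code from the cited paper. Time is kept in integer
milliseconds and tokens in thousandths so that the arithmetic is exact.
"""


class TokenBucket:
    def __init__(self, rate_pps: int, burst: int) -> None:
        self.rate_pps = rate_pps          # sustained rate: the threshold
        self.capacity = burst * 1000      # tokens held in thousandths
        self.tokens = self.capacity       # a full bucket lets a short burst through
        self.last_ms = 0

    def allow(self, ts_ms: int) -> bool:
        """Accept a packet arriving at `ts_ms` if a whole token is available."""
        elapsed = max(0, ts_ms - self.last_ms)
        self.last_ms = ts_ms
        # rate_pps tokens per second == rate_pps thousandths per millisecond
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_pps)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def filter_icmp(packets, rate_pps: int = 10, burst: int = 10):
    """Run the limiter over (timestamp_ms, protocol) tuples.

    Only ICMP is rate-limited; other protocols pass untouched and are not
    reported. Returns (accepted, dropped) lists of ICMP timestamps.
    """
    bucket = TokenBucket(rate_pps, burst)
    accepted, dropped = [], []
    for ts_ms, proto in sorted(packets):
        if proto != "icmp":
            continue
        (accepted if bucket.allow(ts_ms) else dropped).append(ts_ms)
    return accepted, dropped


# Constructed sample: a 100 pps ping flood for half a second (50 echo requests
# 10 ms apart), then three ordinary 1 pps pings, plus one unrelated TCP segment.
SAMPLE = (
    [(i * 10, "icmp") for i in range(50)]
    + [(1000 + i * 1000, "icmp") for i in range(3)]
    + [(200, "tcp")]
)

if __name__ == "__main__":
    ok, dropped = filter_icmp(SAMPLE)
    print(f"accepted {len(ok)} ICMP packets, dropped {len(dropped)}")
    print("first drop at", dropped[0], "ms; flood packets passed:", [t for t in ok if t < 500])
```

With a burst of 10 the flood gets its first 11 packets through, then one packet every 100 ms (the 10 pps sustained rate), and the later 1 pps pings are never touched; that is the behaviour the snippet's threshold describes, plus the burst parameter an instructor has to choose as well.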
... Using CTF challenges, the skills of contesters are tested in various security topics such as cryptography, steganography, Web or binary exploitation and reverse engineering among others. Previous work has shown concerns that CTF challenges are mostly used for bug hunting, usually without including real-case scenarios and without having specific learning objectives (Vigna, 2003;Eagle & Clark, 2004;Mirkovic & Peterson, 2014;Werther et al., 2011). On the other hand, CTF challenges maintain the option for customization and might offer high interactivity levels, thus enhancing the learning experience (Trickel et al., 2017;Schreuders et al., 2017;Schreuders et al., 2018). ...
... A number of previous works mentioned the importance of maintaining live exercises and of using CTF challenges as a necessary component of the computer security curriculum (Vigna, 2003;Antonioli et al., 2017). Works such as the above outline the high difficulty and the pitfalls in the implementation and deployment of such approaches. ...
Article
Purpose – This paper aims to highlight the potential of using capture the flag (CTF) challenges as part of an engaging cybersecurity learning experience for enhancing the skills and knowledge acquisition of undergraduate students in academic programs.
Design/methodology/approach – The approach involves integrating interactivity, gamification, and self-directed and collaborative learning attributes using a CTF hosting platform for cybersecurity education. The proposed methodology includes the deployment of a pre-engagement survey for selecting the appropriate CTF challenges in accordance with the skills and preferences of the participants. During the learning phase, storytelling elements were presented, while a behavior rubric was constructed to observe the participants' behavior and responses during a five-week lab. Finally, a survey was created for getting feedback from the students and for extracting quantitative results based on the attention, relevance, confidence and satisfaction (ARCS) model of motivational design.
Findings – Students felt more confident about their skills and were highly engaged in the learning process. The outcomes in terms of technical skills and knowledge acquisition were shown to be positive.
Research limitations/implications – As the number of participants was small, the results and information retrieved from applying the ARCS model only have an indicative value; however, specific challenges to overcome are highlighted which are important for future deployments.
Practical implications – Educators could use the proposed approach for deploying an engaging cybersecurity learning experience in an academic program, emphasizing hands-on practice labs and featuring topics from real-world cybersecurity cases. Using the proposed approach, an educator could also monitor the progress of the participants and get qualitative and quantitative statistics regarding the learning impact of each exercise.
Social implications – Educators could demonstrate modern cybersecurity topics in the classroom, further closing the gap between theory and practice. As a result, students from academia will benefit from the proposed approach by acquiring technical skills, knowledge and experience through hands-on practice in real-world cases.
Originality/value – This paper intends to bridge the existing gap between theory and practice in the topics of cybersecurity by using CTF challenges for learning purposes and not only for testing the participants' skills. This paper offers important knowledge for enhancing cybersecurity education programs and for educators to use CTF challenges for conducting cybersecurity exercises in academia, extracting meaningful statistics regarding the learning impact.
... There are also issues regarding curriculum content [11], [16]. Is this approach suitable in depth and breadth? ...
... Other than that, hardware and software resources and funding must be taken into account, whether obtained internally or externally [16]. The student-to-instructor ratio must be adhered to in order to enable successful implementation of this approach. ...
Article
This paper discusses a curriculum approach that gives emphasis to practical sessions in teaching network security subjects in information and communication technology courses. As we are well aware, the need to use a practice- and application-oriented approach in education is paramount [1]. Research on active learning and cooperative groups has shown that students grasp more and have a greater tendency towards obtaining and realizing soft skills like leadership, communication and teamwork, as opposed to learning using the traditional theory- and exam-based method. While this teaching and learning paradigm is relatively new in Malaysia, it has been practiced widely in the West. This paper examines a particular approach whereby students learning wireless security are divided into small manageable groups consisting of a black hat and a white hat team. The former will try to find and expose vulnerabilities in a wireless network while the latter will try to prevent such attacks on their wireless networks using hardware, software, design, enforcement of security policy, etc. This paper will try to demonstrate whether this approach results in a more fruitful outcome in terms of students' understanding of concepts and theories and their motivation to learn.
... The field of academic security education today is dominated by defensive techniques like cryptography, firewalls, access control, and intrusion detection. But for some years we have been observing a trend toward more offensive methods [19,16]. In the academic literature, offensive techniques are also gaining widespread approval [2,8,1]. ...
... Vigna [19] reports on his experiences with courses where students gain hands-on experience with attack and defense. Students first work in two teams: red team (the attacker) and blue team (the defender). ...
Conference Paper
There is a tendency in information security education at universities to not only teach protection measures but also attack techniques. Increasingly more universities offer hands-on labs, where students can experience both the attackers’ and the administrators’ view. Getting to know the attackers’ view is thought to lead to a better understanding of information security and its problems compared to teaching only strategies for defense. The paper analyzes the situation of information security education at German and international universities. We present a method to measure knowledge in information security and – using this method in an empirical study – evaluate the offensive teaching approach. Analysis of the empirical data gathered in the study shows a tendency in favor of the offensive approach compared to the classic defensive security education.
... The field of academic security education today is dominated by defensive techniques like cryptography, firewalls, access control, and intrusion detection. But also here we are observing a recent trend towards more offensive methods [22,19]. In the academic literature, offensive techniques are also gaining widespread approval [4,12,3]. ...
Conference Paper
A recent trend in security education is towards teaching offensive techniques which were originally developed by hackers. This reflects tendencies in the professional world where offensive security testing (penetration testing) is quickly gathering widespread acceptance. We report on good experiences with a security curriculum at a university degree level which emphasizes offensive techniques over defensive ones. Our claim is that teaching offensive methods yields better security professionals than teaching defensive techniques alone. The paper presents an experimental setup with which we plan to investigate this claim further. The experimental setup uses concepts from psychology and pedagogical sciences to empirically assess the benefit of offensive teaching.
... Student access to the laboratory is allowed outside of class only to students registered in one of our security courses. There are a number of different approaches one can take to the design of isolated security laboratories; we mention [11,14,17,18,24,25,26]. See also [10,27] for distributed security laboratories. ...
Article
We describe our experiences from the first three years we have offered our track in computer security for our computer science major. We present the details of the track, including descriptions of the courses we have offered. We discuss the lessons we have learned offering the track, as well as the challenges that remain.
... In Vigna [15], using a distributed client/server architecture, the simulation of cyber attacks is performed with the help of the red and blue teams (i.e., real attackers and defenders are involved in the simulation process). A similar work is Brown et al. [16], where HLA is used to create a human-in-the-loop simulation. ...
Article
The aim of this work is to propose a framework for the distributed simulation of cyber attacks based on high-level architecture (HLA), which is a commonly used standard for distributed simulations. The proposed framework and the corresponding simulator, which is called the distributed cyber attack simulator (abbreviated by DCAS), help administrators to model and evaluate the security measures of the networks. At the core of the DCAS is a simulation engine based on Portico, which is an open source HLA run-time infrastructure. The DCAS works in two modes: interactive and automated. Three types of simulation components (which are called federates in HLA terminology) are considered in the framework: the (1) network federate, (2) attacker federate and (3) defender federate. The simulator provides features for graphical design of the network models, animated traffic simulation, data collection, statistical analysis and different consoles for attacking and defending elements (e.g., intrusion detection systems, intrusion prevention systems). To increase the fidelity of the simulation outputs, real-world payloads are used by the DCAS. All the exploit information and the parameters of various network elements are automatically extracted from the open source vulnerability database. Also, the Snort rule-set is used as the signature database of the defending elements. The architecture and algorithms of the DCAS and the corresponding underlying simulation engine plus the security evaluation results of two illustrative examples are presented in this paper.
... On the other side, the offensive security training is also an effective way to learn information security, as discussed by Vigna [7] and Mink [8]. This type of training prepares the participants for the generic job of penetration tester and helps them "think like the enemy", in a proactive manner. ...
Article
Cyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines that should be followed when designing a new cyber security exercise. The steps include: defining the objectives, choosing an approach, designing the network topology, creating a scenario, establishing a set of rules, choosing appropriate metrics and learning lessons. The intended audience of this paper is persons who are in charge of the design and organization of a new cyber security exercise and do not have the experience of previous exercises.
... Treasure Hunt [14] is an event organized as part of the graduate-level security course at the University of California at Santa Barbara. The class was divided into two teams: Alpha and Omega and the goal was to compete against each other in breaking into a payroll system and performing a money transaction. ...
Conference Paper
A significant challenge in applying IDS alert correlation in today's dynamic threat environment is the labor and expertise needed in constructing the correlation model, or the knowledge base, for the correlation process. New IDS signatures capturing emerging threats are generated on a daily basis, and the attack scenarios each captured activity may be involved in are also multitude. Thus it becomes hard to build and maintain IDS alert correlation models based on a set of known scenarios. Learning IDS correlation models faces the same challenge caused by the dynamism of cyber threats, compounded by the inherent difficulty in applying learning algorithms in an adversarial environment. We propose a new method for conducting alert correlation based on a simple and direct semantic model for IDS alerts. The correlation model is separate from the semantic model and can be constructed on various granularities. The semantic model only maps an alert to its potential meanings, without any reference to what types of attack scenarios the activity may be involved in. We show that such a correlation model can effectively capture attack scenarios from data sets that are not used at all in the model construction process, illustrating the power of such correlation methods in detecting novel, new attack scenarios. We rigorously evaluate our prototype on a number of publicly available data sets and a production system, and the result shows that our correlation engine can correctly capture almost all the attack scenarios in the data sets.
... We started in 2003 and have since designed, implemented, and run 11 security competitions (see Table 1), and, to this day, the iCTF has been consistently the world's largest interactive CTF focused on computer security education. In more than ten years of competitions, we have experimented with different designs, scoring systems, combinations of challenge-based and interactive competitions, and ways to collect interesting datasets that might support research into security education in particular, and system security in general [5,7,3,2,9,8]. ...
Conference Paper
Security competitions have become a popular way to foster security education by creating a competitive environment in which participants go beyond the effort usually required in traditional security courses. Live security competitions (also called "Capture The Flag," or CTF competitions) are particularly well-suited to support hands-on experience, as they usually have both an attack and a defense component. Unfortunately, because these competitions pit several (possibly many) teams against one another, they are difficult to design, implement, and run. This paper presents a framework that is based on the lessons learned in running, for more than 10 years, the largest educational CTF in the world, called iCTF. The framework's goal is to provide educational institutions and other organizations with the ability to run customizable CTF competitions. The framework is open and leverages the security community for the creation of a corpus of educational security challenges.
... To raise defender vigilance against deceptive threats, a different way of thinking is required-one that adopts the thinking process of the adversary [17,19,23]. Modern defenders must understand the psychology of attackers, and be aware of their strategies and techniques in order to anticipate their actions. ...
Conference Paper
Modern cyber security educational programs that emphasize technical skills often omit or struggle to effectively teach the increasingly important science of cyber deception. A strategy for effectively communicating deceptive technical skills by leveraging the new paradigm of honey-patching is discussed and evaluated. Honey-patches mislead attackers into believing that failed attacks against software systems were successful. This facilitates a new form of penetration testing and capture-the-flag style exercise in which students must uncover and outwit the deception in order to successfully bypass the defense. Experiences creating and running the first educational lab to employ this new technique are discussed, and educational outcomes are examined.
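The abstract above describes honey-patching only in outline. The Python below is an added illustration, not the cited paper's code: a path-traversal check in a tiny file server, first with a conventional patch that refuses the request, then with a honey-patch that keeps the same check but answers from a decoy tree and tags the session, so the attacker sees the "stolen" file and the defender sees the attacker. The in-memory file trees, the decoy contents and the session dictionary are constructed stand-ins; the real technique forks the request into an isolated decoy environment rather than reading from a dictionary.

```python
"""Honey-patching, illustrated on a path-traversal check.

Added example, not the cited paper's code. A conventional patch refuses the
malicious request; the honey-patch keeps the same check but makes the rejection
branch behave like the unpatched program, serving decoy content and tagging
the session so that the "successful" exploit can be monitored.
"""
import posixpath

DOC_ROOT = "/srv/app/public"

# Constructed file trees: the real document root, and the decoy tree holding
# what a traversal attack is expected to steal.
REAL_FS = {f"{DOC_ROOT}/index.html": "<h1>hello</h1>"}
DECOY_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nwww:x:33:33::/var/www:/bin/false\n",
}


def resolve(requested: str) -> str:
    """Join the request path onto DOC_ROOT and normalise away '..' segments."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, requested.lstrip("/")))


def escapes_root(path: str) -> bool:
    """True if the normalised path lies outside the document root."""
    return path != DOC_ROOT and not path.startswith(DOC_ROOT + "/")


def _lookup(fs: dict, path: str) -> tuple:
    body = fs.get(path)
    return (200, body) if body is not None else (404, "Not Found")


def serve_patched(requested: str) -> tuple:
    """Conventional patch: detect the traversal and refuse it outright."""
    path = resolve(requested)
    if escapes_root(path):
        return 403, "Forbidden"          # attacker learns the hole is closed
    return _lookup(REAL_FS, path)


def serve_honey_patched(requested: str, session: dict) -> tuple:
    """Honey-patch: same detection, but the rejection branch plays along."""
    path = resolve(requested)
    if escapes_root(path):
        session["decoy"] = True          # mark the session for monitoring
        session.setdefault("attacks", []).append(requested)
        return _lookup(DECOY_FS, path)   # answer as the vulnerable version would
    return _lookup(REAL_FS, path)


if __name__ == "__main__":
    attack = "../../../etc/passwd"
    print("patched:      ", serve_patched(attack))
    session = {}
    print("honey-patched:", serve_honey_patched(attack, session))
    print("session:      ", session)
```

In the lab exercise the abstract describes, the student's task is the reverse of the usual one: the traversal "works", and the skill being taught is noticing that the returned password file is too clean, too small or otherwise inconsistent with the rest of the host, and that every further request from the session is being watched.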
... Players have to deal with real security problems and become acquainted with the terms used in this field. Giovanni Vigna [3] has also presented an approach using a Treasure Hunt game, where two teams have to complete a number of tasks in order to break into a simulated payroll system and perform a money transfer transaction. By playing this Treasure Hunt game, the player approaches network security from the perspective of the attacker. ...
... Alternatively, a dedicated lab/network may be constructed that is cut off from the rest of the network (Hill et al. 2001, Mateti 2003, Tikekar 2003, Vigna 2003a, Vigna 2003b, Wagner & Wudi 2004). Under such circumstances the restoration of its normal operation is both easier and quicker. ...
Article
Purpose – Teaching information systems security features some peculiarities, compared to other scientific fields, as the trainees have to design and protect systems against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system. The paper aims to discuss these issues. Design/methodology/approach – Within the scope of two different modules in higher education institutes, the students' involvement into practical pre-designed scenarios was attempted, in order for them to understand the way intruders think, the methodologies they follow and the liabilities one may face for the flawed security of network applications and/or the supporting infrastructure. For this reason, an educational software tool was developed (named “Hackademic Challenges”), which comprised a variety of realistic scenarios, where the student had to locate and exploit various vulnerabilities, in order to successfully complete the challenge. Evaluation of the developed tool was attempted through an online, anonymous questionnaire. Findings – The results show that the students embraced this approach and have benefited significantly from going through these exercises. Originality/value – The contribution consists of findings that may be useful to other instructors teaching similar subjects.
... We have continued to host the iCTF every year since then (the most recent edition was in March of 2017). Each year, we experiment with various designs and approaches to the game [12,15,31,34,36]. ...
Conference Paper
Although we are facing a shortage of cybersecurity professionals, the shortage can be reduced by using technology to empower all security educators to efficiently and effectively educate the professionals of tomorrow. One powerful tool in some educators' toolboxes is Capture the Flag (CTF) competitions. Although participants in all the different types of CTF competitions learn and grow their security skills, Attack/Defense CTF competitions offer a more engaging and interactive environment where participants learn both offensive and defensive skills, and, as a result, they develop their skills even faster. However, the substantial time and skills required to host a CTF, especially an Attack/Defense CTF, is a huge barrier for anyone wanting to organize one. Therefore, we created an on-demand Attack/Defense tool via an easy-to-use website that makes the creation of an Attack/Defense CTF as simple as clicking a few buttons. In this paper, we describe the design and implementation of our system, along with lessons learned from using the system to host a 24-hour 317 team Attack/Defense CTF.
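The attack/defense format that the iCTF framework and the on-demand tool above both host is easiest to understand from the scorebot's side. The Python below is an added example, not code from iCTF or from the tool this abstract describes: a minimal scoring loop in which, each round, the checker awards SLA points to teams whose service is up, plants an HMAC-authenticated flag in it, and validates flags submitted by attackers, rejecting forgeries, replays, a team's own flags and flags older than a fixed lifetime. The point values, the three-round flag lifetime, the flag format, the secret and the two-team scenario are all assumptions.

```python
"""Minimal attack/defense CTF scoring loop.

Added example, not code from the iCTF framework or the on-demand tool. Flags
are HMAC-authenticated, so a submission can be validated and its owner and
round recovered without a database lookup; only replays need state.
"""
import hashlib
import hmac

FLAG_LIFETIME = 3              # rounds during which a planted flag is still valid
ATTACK_POINTS = 10             # per flag stolen from another team
SLA_POINTS = 1                 # per round a team's own service is reachable
SECRET = b"constructed-scorebot-secret"   # a real game draws this at random


def make_flag(team: str, rnd: int) -> str:
    """Flag = owner, round and a truncated HMAC binding the two to SECRET."""
    mac = hmac.new(SECRET, f"{team}:{rnd}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"FLAG{{{team}:{rnd}:{mac}}}"


def parse_flag(flag: str):
    """Return (owner, round) if the flag is authentic, else None."""
    if not (flag.startswith("FLAG{") and flag.endswith("}")):
        return None
    try:
        team, rnd_s, mac = flag[5:-1].split(":")
        rnd = int(rnd_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{team}:{rnd}".encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(mac, expected):
        return None
    return team, rnd


class Game:
    def __init__(self, teams):
        self.teams = list(teams)
        self.round = 0
        self.score = {t: {"attack": 0, "sla": 0} for t in self.teams}
        self.submitted = set()           # (submitter, flag) pairs already paid out

    def tick(self, service_up: dict) -> dict:
        """One round. `service_up` is the checker's verdict per team (a real
        checker would also verify that earlier flags are still served).
        Returns the flags planted this round, keyed by owning team."""
        self.round += 1
        planted = {}
        for t in self.teams:
            if service_up.get(t, False):
                self.score[t]["sla"] += SLA_POINTS
                planted[t] = make_flag(t, self.round)
        return planted

    def submit(self, submitter: str, flag: str) -> str:
        """Validate an attacker's submission and award points; returns a verdict."""
        parsed = parse_flag(flag)
        if parsed is None:
            return "invalid"
        owner, rnd = parsed
        if owner == submitter:
            return "own-flag"
        if rnd > self.round or self.round - rnd >= FLAG_LIFETIME:
            return "expired"
        if (submitter, flag) in self.submitted:
            return "duplicate"
        self.submitted.add((submitter, flag))
        self.score[submitter]["attack"] += ATTACK_POINTS
        return "accepted"

    def totals(self) -> dict:
        return {t: s["attack"] + s["sla"] for t, s in self.score.items()}


def demo():
    """Constructed four-round game between two teams; returns (verdicts, totals)."""
    g = Game(["alpha", "omega"])
    verdicts = []
    r1 = g.tick({"alpha": True, "omega": True})
    verdicts.append(g.submit("omega", r1["alpha"]))   # omega exploits alpha: accepted
    verdicts.append(g.submit("omega", r1["alpha"]))   # replayed: duplicate
    verdicts.append(g.submit("alpha", r1["alpha"]))   # alpha's own flag: own-flag
    g.tick({"alpha": True, "omega": False})           # round 2: omega's service down
    verdicts.append(g.submit("omega", "FLAG{alpha:2:0000000000000000}"))  # forged: invalid
    r3 = g.tick({"alpha": True, "omega": True})
    g.tick({"alpha": True, "omega": True})            # round 4
    verdicts.append(g.submit("alpha", r3["omega"]))   # one round old: accepted
    verdicts.append(g.submit("omega", r1["alpha"]))   # three rounds old: expired
    return verdicts, g.totals()


if __name__ == "__main__":
    print(demo())
```

The split between SLA and attack points is what gives the format its defensive half: a team that firewalls its service to stop the bleeding also stops earning SLA points, so students have to patch rather than unplug, which is the trade-off the live exercises in the original paper are meant to teach.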
... Generally, CTF games are divided into three frequently used scenarios: Jeopardy, Attack-Defense and Mixed [6]. In the Jeopardy scenario, the players are asked to solve several tasks to gain and collect points. ...
... The number of such events is gradually increasing [13], [16]. Such events aid in learning about security vulnerabilities, how these could be exploited, nature of attacks, and strength of the deployed [18], [33], [45] defense mechanisms. To the best of our knowledge, S3 is the first CTF style event of its kind in ICS that involves participants from the industry and academia, and focuses on an operational water treatment testbed. ...
Article
A hackfest named SWaT Security Showdown (S3) has been organized consecutively for two years. S3 has enabled researchers and practitioners to assess the effectiveness of methods and products aimed at detecting cyber attacks launched in real-time on an operational water treatment plant, namely, Secure Water Treatment (SWaT). In S3 independent attack teams design and launch attacks on SWaT while defence teams protect the plant passively and raise alarms upon attack detection. Attack teams are scored according to how successful they are in performing attacks based on specific intents, while the defense teams are scored based on the effectiveness of their methods to detect the attacks. This paper focuses on the first two instances of S3 and summarizes the benefits of the hackfest and the performance of an attack detection mechanism, named Water Defense, that was exposed to attackers during S3.
... The number of such events is gradually increasing [13], [16]. Such events aid in learning about security vulnerabilities, how these could be exploited, nature of attacks, and strength of the deployed [18], [33], [45] defense mechanisms. To the best of our knowledge, S3 is the first CTF style event of its kind in ICS that involves participants from the industry and academia, and focuses on an operational water treatment testbed. ...
Preprint
A hackfest named SWaT Security Showdown (S3) has been organized consecutively for two years. S3 has enabled researchers and practitioners to assess the effectiveness of methods and products aimed at detecting cyber attacks launched in real-time on an operational water treatment plant, namely, Secure Water Treatment (SWaT). In S3 independent attack teams design and launch attacks on SWaT while defence teams protect the plant passively and raise alarms upon attack detection. Attack teams are scored according to how successful they are in performing attacks based on specific intents, while the defense teams are scored based on the effectiveness of their methods to detect the attacks. This paper focuses on the first two instances of S3 and summarizes the benefits of the hackfest and the performance of an attack detection mechanism, named Water Defense, that was exposed to attackers during S3.
... It provides an excellent opportunity and ultimate learning experience [4,5] for students to improve their skills in protecting and defending information systems, which are assessed in the context of realistic, true-to-life scenarios [6]. On the other side, as discussed by Vigna [7] and Mink [8], offensive security training is also an effective way to learn information security. Previous works in this area examined the structure [9] and use of cyber defence competitions, the overall effectiveness of live-attack exercises in teaching information security [10], and the curriculum and course format of CDXs in which teams design, implement, manage and defend a network of computers [11][12][13][14][15]. ...
Conference Paper
This paper discusses the concept of cyber defence exercises (CDX), which are a very important tool when it comes to enhancing the safety awareness of cyberspace, testing an organization's ability to put up resistance and respond to different cyber events to establish a secure environment, gathering empirical data related to security, and looking at the practical training of experts on this subject. The exercises can give ideas to decision makers about the precautions in the cybersecurity area and to the officials, institutions, organizations, and staff who are responsible for the cyber tools, techniques, and procedures that can be developed for this field. In cyber defense exercises, scenarios are simulated as close to reality as possible, which provides very important contributions by bringing together the necessity of making the best decisions and management capabilities under a cyber crisis through handling stress and coordinated movement as a team. The objective of this paper is to address the issue from a scientific point of view by setting out the stages of planning, implementation, and evaluation of these exercises, taking into account and comparing international firefighting exercises. Another aim of the work is to reveal the necessary processes that are required for all kinds of cyber exercises, regardless of type, although the processes involved vary according to the target audience of the planned exercise.
... It provides an excellent opportunity and ultimate learning experience [4,5] for students to improve their skills in protecting and defending information systems, which are assessed in the context of realistic, true-to-life scenarios [6]. On the other side, as discussed by Vigna [7] and Mink [8], offensive security training is also an effective way to learn information security. Previous works in this area examined the structure [9] and use of cyber defence competitions, the overall effectiveness of live-attack exercises in teaching information security [10], and the curriculum and course format of CDXs in which teams design, implement, manage and defend a network of computers [11][12][13][14][15]. ...
Preprint
This paper discusses the concept of cyber defence exercises (CDX), which are a very important tool when it comes to enhancing the safety awareness of cyberspace, testing an organization's ability to put up resistance and respond to different cyber events to establish a secure environment, gathering empirical data related to security, and looking at the practical training of experts on this subject. The exercises can give ideas to decision makers about the precautions in the cybersecurity area and to the officials, institutions, organizations, and staff who are responsible for the cyber tools, techniques, and procedures that can be developed for this field. In cyber defense exercises, scenarios are simulated as close to reality as possible, which provides very important contributions by bringing together the necessity of making the best decisions and management capabilities under a cyber crisis through handling stress and coordinated movement as a team. The objective of this paper is to address the issue from a scientific point of view by setting out the stages of planning, implementation, and evaluation of these exercises, taking into account and comparing international firefighting exercises. Another aim of the work is to reveal the necessary processes that are required for all kinds of cyber exercises, regardless of type, although the processes involved vary according to the target audience of the planned exercise.
... It provides an excellent opportunity and ultimate learning experience for students to improve their skills in protecting and defending information systems, which are assessed in the context of realistic, true-to-life scenarios. On the other side, as discussed by Vigna [1] and Mink [2], offensive security training is also an effective way to learn information security. Previous works in this area examined the structure and use of cyber defense competitions, the overall effectiveness of live-attack exercises in teaching information security, and the curriculum and course format of CDXs in which teams design, implement, manage and defend a network of computers. ...
Article
Cyber defense exercises (CDXs) are excellent testbed platforms to test and assess IT and OT systems. They (CDXs) are also very important tools when it comes to enhancing the safety awareness of cyberspace, testing an organization's ability to put up resistance and respond to different cyber events to establish a secure environment, gathering empirical data related to security, and looking at the practical training of experts on this subject. The exercises can give ideas to decision makers about the precautions in the cybersecurity area and to the officials, institutions, organizations, and staff who are responsible for the cyber tools, techniques, and procedures that can be developed for this field. In cyber defense exercises, scenarios are simulated as close to reality as possible, which provides very important contributions by bringing together the necessity of making the best decisions and management capabilities under a cyber crisis through handling stress and coordinated movement as a team. The objective of this paper is to address the issue from a scientific point of view by taking CDXs as a testbed and lessons-learned platform to be able to create a better and safer cyber environment.
... Virtual machines reduce the hardware and maintenance requirements of an information warfare exercise. "Capture the Flag" exercises have been run since 1996 at the Defcon conference [1, 4, 7] and recent papers describe their use as teaching tools in computer security courses [15, 16, 18]. The exercise described in this paper differs from those in prior educational papers in its real-time nature, scoring system, and in its use of a virtual network. ...
Conference Paper
Information warfare exercises, such as "Capture the Flag," serve as a capstone experience for a computer security class, giving students the opportunity to apply and integrate the security skills they learned during the class. However, many information security classes don't offer such exercises, because they can be difficult, expensive, time-consuming, and risky to organize and implement. This paper describes a real-time "Capture the Flag" exercise, implemented using a virtual network with free, open-source software to reduce the risk and effort of conducting such an exercise.
... Another advantage is that students usually operate against a determined opponent while under strict time constraints and with limited resources, thus mimicking a more realistic situation than one can reproduce using paper-and-pencil Gedanken experiments. Unfortunately, security competitions have one major disadvantage: they usually require a large amount of resources to design, develop, and run [10,11]. ...
Conference Paper
Computer security competitions and challenges are a way to foster innovation and educate students in a highly-motivating setting. In recent years, a number of different security competitions and challenges were carried out, each with different characteristics, configurations, and goals. From 2003 to 2007, we carried out a number of live security exercises involving dozens of universities from around the world. These exercises were designed as “traditional” Capture The Flag competitions, where teams both attacked and defended a virtualized host, which provided several vulnerable services. In 2008 and 2009, we introduced two completely new types of competition: a security “treasure hunt” and a botnet-inspired competition. These two competitions, to date, represent the largest live security exercises ever attempted and involved hundreds of students across the globe. In this paper, we describe these two new competition designs, the challenges overcome, and the lessons learned, with the goal of providing useful guidelines to other educators who want to pursue the organization of similar events.
... However, others claim that teaching offensive techniques yields better security professionals than teaching only defensive techniques (Freiling 2006, Arce and McGraw 2004, Arnett and Schmidt 2005, Dornseif, Holz, and Mink 2005, Vigna 2003, Yuan, Matthews, Wright, Xu, and Yu 2010, Livermore 2007). It is important to note that corporate businesses employ experts who use offensive techniques for penetration testing, to ensure their security. ...
Conference Paper
Teaching offensive techniques is a necessary component of a computer security education and yields better security professionals than teaching defensive techniques alone. In this paper, we describe a case study of the implementation of comprehensive hands-on lab exercises that are essential to security education. The first hands-on lab exercise is about how to perform a Denial of Service (DoS) attack based on the poisoning of the CAM tables (Content Access Memory) of Local Area Network (LAN) switches. The second exercise is about how to prevent the CAM table poisoning attack. The hands-on labs further confirmed the ethical and legal concerns regarding the teaching of offensive techniques in the academic environment. In fact, the amount of malicious traffic injected against the university switches' CAM tables increased considerably each time the students experimented with the DoS attack. That is why every course in IT security should be accompanied by a basic discussion of legal implications and ethics.
Conference Paper
Information Systems Security experts should be able to confront new, unknown threats. Therefore, "out-of-the-box" thinking is a necessary skill which cannot be taught using traditional educational methodologies. In order to introduce our students to the mentality of modern adversaries and cyber criminals, we designed a course based on the well-established theoretical frameworks of Information Systems Security as well as the unconventional challenges which experienced hackers use for training newcomers. Moreover, we developed additional open source software tools which encourage collaboration between students and confront plagiarism or cheating attempts during the exams. Our course in a Higher Education Institute has been enriched with the use of the Hackademic tool, a virtual framework that allows students to perform hacking attacks and penetration testing in a deliberately vulnerable, but isolated, safe and controlled environment.
Article
It's a difficult mental exercise to simultaneously envision how a system could be forced to fail while you're busy designing how it's meant to work. At George Mason University, instructors give their students practice at this skill by requiring them to write attack scripts for all their assignments. Creating an attack script is a mental exercise for the student in which they align themselves with an attacker's perspective to formulate a structured plan of attack: a series of tasks and experiments that gain information about the internal state of the probed system. The purpose of this exercise is to help the student nurture a mindset in which they can appreciate how systems might be attacked in all their aspects, from design and implementation to runtime configuration.
Article
We give an overview of a three-week intensive course on applied computer security, the RWTH Aachen summer school Applied IT Security.
Conference Paper
While many institutions include cyber exercises as a part of their curricula, the outcomes assessment of the exercises does not generally include the mapping of the exercises to specific standards. Thus, while students are obtaining important foundational skill sets in information assurance, the resulting competencies are not as quantifiable as those from more standard types of educational activities such as uniform quizzes and exams. This paper discusses an approach through which cyber exercises can be developed with a focus on measuring performance against specific standards. This method facilitates the use of cyber exercises as a foundational component in the education of the information assurance professional, while providing a consistent outcomes assessment framework.
Article
The role of the network security administrator is continually morphing to keep pace with the ever-changing area of computer and network security. These changes are due in part to both the continual development of new security exploits by attackers as well as improvements in network security products available for use. One area which has garnered much research in the past decade is the use of visualization to ease the strain on network security administrators. Visualization mechanisms utilize the parallel processing power of the human visual system to allow for the identification of possible nefarious network activity. This research details the development and use of a visualization system for network security. The manuscript is composed of four papers which provide a progression of research pertaining to the system. The first paper utilizes research in the area of information visualization to develop a new framework for designing visualization systems for network security. Next, a visualization system is developed in the second paper which has been utilized during multiple cyber defense competitions to aid in competition performance. The last two papers deal with evaluating the developed system. First, an exploratory analysis provides an initial assessment using participant interviews during one cyber defense competition. Second, a quasi field experiment explores the intention of subjects to use the system based on the type of visualization being viewed.
Article
Summary: Offensive methods in IT security aim to overcome the protective measures of an IT system and thereby violate its integrity, confidentiality or availability. Although they are now part of the standard knowledge of security professionals, the real potential of offensive methods for IT security remains largely undiscovered.
Article
The field of academic security education today is dominated by defensive techniques. However, recently, offensive techniques, which were originally developed by hackers, are gaining widespread approval. Many information security educators believe that teaching offensive methods yields better security professionals than teaching defensive techniques alone. In addition, every course in IT security should be accompanied by a basic discussion of legal implications and ethics. In this paper, we describe a case study of the implementation of comprehensive hands-on lab exercises that are essential to security education. The lab exercises are about how to perform Denial of Service (DoS) and Man-in-the-Middle (MiM) attacks using ARP (Address Resolution Protocol) cache poisoning. The available defense techniques for detecting and preventing malicious ARP cache poisoning activities are also presented. The consequence of offering offensive lab exercises is that overall student performance improved; but a major ethical concern has been identified. That is, the number of malicious ARP packets injected into the university network from the students' laptops increases considerably each time the students experiment with the attacks in an isolated network laboratory environment.
Conference Paper
Games have a long tradition in teaching IT security, ranging from international capture-the-flag competitions played by multiple teams to educational simulation games where individual students can get a feeling for the effects of security decisions. All these games have in common that the game's main goal is keeping up security. In this paper, we propose another kind of educational security game which features a game goal unrelated to IT security. However, during the game session, gradually more and more attacks on the underlying infrastructure disturb the game play. Such a scenario is very close to the reality of an IT security expert, where establishing security is just a necessary requirement to reach the company's goals. By preparing and analyzing the game sessions, the students learn how to develop a security policy for a simplified scenario. Additionally, the students learn to decide when to apply technical security measures, when to establish emergency plans, and which risks cannot be covered economically. As an example of such a disturbed game, we present our distributed air traffic control scenario. The game play is disturbed by attacking the integrity and availability of the underlying network in a coordinated manner, i.e., all student teams experience the same failures at the same state of the game. Besides presenting the technical aspects of the setup, we also discuss the didactic approach and the experiences made in the last years.
Conference Paper
Higher education is facing a paradigm shift in the ownership and use of computer hardware. The school computer lab is no longer the primary place of student computer use. Instead, students increasingly expect to use their own hardware to complete their school assignments. This creates a challenge for computer science educators: we must now support a wide range of heterogeneous hardware without the benefits of tight control over its use. To address this "Bring-Your-Own-Device" (BYOD) challenge, we leverage virtualization and software packaging systems to gracefully deploy and support a standardized development environment for all core CS courses across a range of both school-owned and student-owned computing devices. We have deployed and evaluated our system for the previous two years at scale and continue to actively use and develop it. It has effectively helped us support multiple classes comprising hundreds of students with very limited IT staffing. We describe the design and management of our system, present our experience using our system, and discuss the lessons we've learned. We also provide data reflecting current student user experience with our system. Our system has proven very effective in addressing the student BYOD challenge in a manageable, cost-efficient, and easy-to-use manner.
Conference Paper
This paper discusses a curriculum approach that gives emphasis to practical sessions in teaching network security subjects in information and communication technology courses. As we are well aware, the need to use a practice- and application-oriented approach in education is paramount [1]. Research on active learning and cooperative groups showed that students grasp and have a greater tendency towards obtaining and realizing soft skills like leadership, communication and team work, as opposed to learning using the traditional theory- and exam-based method. While this teaching and learning paradigm is relatively new in Malaysia, it has been practiced widely in the West. This paper examines a particular approach whereby students learning wireless security are divided into small manageable groups consisting of a black hat and a white hat team. The former will try to find and expose vulnerabilities in a wireless network while the latter will try to prevent such attacks on their wireless networks using hardware, software, design, enforcement of security policy, etc. This paper will try to demonstrate whether this approach results in a more fruitful outcome in terms of students' understanding of concepts and theory and their motivation to learn.
Article
This paper reports on the experience of using the EDURange framework, a cloud-based resource for hosting on-demand interactive cybersecurity scenarios. Our framework is designed especially for the needs of teaching faculty. The scenarios we have implemented are each designed specifically to nurture the development of analysis skills in students as a complement to both theoretical security concepts and specific software tools. Our infrastructure has two features that make it unique compared to other cybersecurity educational frameworks. First, EDURange is scalable because it is hosted on a commercial, large-scale cloud environment. Second, EDURange supplies instructors with the ability to dynamically change the parameters and characteristics of exercises so they can be replayed and adapted to multiple classes. Our framework has been used successfully in classes and workshops for students and faculty. We present our experiences building the system, testing it, and using feedback from surveys to improve the system and boost user interest.
Article
As mobile devices grow increasingly popular within the student community, novel educational activities and tools, as well as learning approaches, can be developed to benefit from this prevalence of mobile devices (e.g. mobility and closeness to students’ daily lives). In particular, information security education should reflect the current trend in computing platforms away from the desktop and towards mobile devices. This paper discusses a case study of a learning approach that aims at taking advantage of the benefits of mobile devices and the best practices in learning information security, as well as promoting students’ interests and increasing their self-efficacy. The learning approach uses two Android learning apps to enhance students’ hands-on skills in implementing firewall filtering rules, by practicing network traffic filtering outside the traditional laboratory activities, in the real-world environment; i.e., anywhere and anytime, at the students’ convenience. Practically, the two Android apps are a firewall app and a packet generator app; both apps are freely available on the Google Play Store. Based on statistics from the Google Play Store, in about one and a half years, the packet generator app became popular with over 20,000 downloads worldwide and a 3.75 user rating. A comparative analysis of various existing Android firewall apps with the proposed firewall app emphasizes its significance. The impact of the Android apps on the students’ performance in terms of achieving the course outcomes is also discussed.
Conference Paper
This paper describes an exercise that combines the business case for penetration testing with the application of the testing and subsequent management reporting. The exercise was designed for students enrolled in information systems and computer science courses to present a more holistic understanding of network and system security within an organization. This paper explains the objectives and structure of the exercise and its planned execution by two groups of students, the first group being information systems students in Australia and the second group comprising students enrolled in a computer security course in the United States.
Conference Paper
Recently, smartphones have been growing increasingly popular within the student community. Hence, novel educational activities and tools, as well as learning approaches, can be developed to benefit from the prevalence of smartphones (e.g. mobility and closeness to students' daily lives). This paper discusses an Android mobile app, called Packets Generator, that aims at taking advantage of the benefits of smartphones and the best practices in learning information security, as well as promoting students' interests and increasing their self-efficacy. The Packets Generator app allows students to further enhance their hands-on skills in network traffic and Denial of Service (DoS) attack generation, using their smartphones, by practicing inside as well as outside the traditional desktop-based laboratories, in the real-world environment; i.e., anywhere and anytime, at the students' convenience. The Packets Generator app is freely available on the Google Play Store. Based on statistics from the Google Play Store, in about two years, the app became popular with more than 50,000 downloads worldwide and around a 3.73/5.0 user rating. The impact of the app on the students' performance in terms of achieving the course outcomes is discussed.
Conference Paper
Designing a cybersecurity course for a big cohort of students from different educational backgrounds is a challenging job. Examined in this study are the perceptions, preferences and performance of students who have participated in a strategic blended learning initiative aimed at preparing students for their working lives. For this purpose, both self-reported and observational data were collected from 115 students who voluntarily registered for the pilot run of the course. Self-reported data was used to measure students’ preferences as well as perceptions related to satisfaction, engagement, convenience, interaction and views on learning. Observational data measuring students’ performance was directly extracted from the collaborative learning platform on which the course was hosted. The results show that overall students liked the blended design of the course. They were satisfied with the format of the course, they felt engaged, and most of them secured good grades. Moreover, no significant differences in perceptions and preferences were found when controlling for gender, educational discipline, and overall performance, showing that the blended design of the course was accepted across the board.
Chapter
Designing engaging exercises when students do not yet possess a lot of knowledge can be difficult. We show how we draw on students’ prior knowledge, along with basic introductory concepts, to design an elemental (but fun) port scan exercise in an introductory security testing module. While “capture the flag” is a security industry standard for exercises, it can require a lot of in-depth knowledge to properly implement and complete. Using basic computer science concepts such as ports and ASCII values, we design a simplified capture the flag exercise where students can make use of deductive reasoning to complete the game. Overall, the exercise was received favourably by the students who found it challenging but enriching.
Conference Paper
Denial of Service (DoS) attacks are important topics for security courses that teach ethical hacking techniques and intrusion detection. This paper presents a case study of the implementation of comprehensive offensive hands-on lab exercises about three common DoS attacks. The exercises teach students how to perform the DoS attacks in practice in an isolated network laboratory environment. The paper also discusses some ethical and legal issues related to teaching ethical hacking, and then lists steps that schools and educators should take to improve the chances of having successful and problem-free information security programs.
Article
This paper presents experience from laboratory projects performed by students in Applied Computer Security, a course given at Chalmers University of Technology. From this, we conclude that the combination of security research and education results in a synergy that can be very beneficial to both fields. The paper describes in detail three different types of laboratory projects: intrusion experiments, intrusion analysis and remediation, and intrusion detection. Furthermore, we discuss the outcome and impact of the student projects with respect to education, research, and synergy between the two, as well as ethical issues. Among the benefits of the close connection between research and education in the projects, we find that the students were very motivated by this research connection and that they produced unique research data with natural diversity. (Authors: Stefan Lindskog, Ulf Lindqvist, and Erland Jonsson. Footnote: the author is also with the Department of Computer Science, Karlstad University, SE-651 88 Karlstad, Sweden.)