Issues Teaching Ethical Hacking in the University Environment

1. Issues Teaching Ethical Hacking in the University Environment Peter Hannay p.hannay@ecu.edu.au SECAU – Security Research Centre School of Computer & Security Science Edith Cowan University

2. UNRELATED COMPLAINT SOMEBODY ON THE INTERNET IS WRONG  • People get USB sticks all the time.  The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks.  The problem is that the OS will automatically run a program that can install malware from a USB stick.  The problem is that it isn't safe to plug a USB stick into a computer.  Bruce Schneier

4. People are Idiots • 20 government agencies • 70%+ hit rate • Some sticks phoned home from multiple ‘sensitive’ networks

5. Issues Teaching Ethical Hacking in the University Environment Opposition from inside

6. Administration • Concerns about image • Not fond of ‘non-traditional’ content • Perception of criminality

7. IT Department • Training criminals to break into our network! • Liability for attacks on externals • Extra work • Securing network • Providing resources • Lack of technical knowledge

8. Information Security Department • Hesitant to sign off on increased access • Love their firewalls • Do not understand requirements

9. Compromises • Administration • The word ‘ethical’ & ‘defence’ • A class on ethics

10. Issues Teaching Ethical Hacking in the University Environment Opposition from OUTSIDE

11. Media • Training criminals • Slow walking, dramatic music • Targeting students • Real interview questions • Do students require a police clearance? • Are there any sort of background check done?

12. Academic Community • Practical focus is not seen as ‘scholarly’

13. Compromise • Don’t talk to the media

14. Issues Teaching Ethical Hacking in the University Environment Teaching Issues

15. Students • Perceived to be ‘computer literate’ • High rate of computer use • Low rate of technical ability • Lack of understanding of core concepts • Majority of students had Windows XP as their first OS • Resurgence of traits associated with older generation • No ability to intuitively use a system • High reliance on lists of instructions • Little ability to deal with variance

16. Resources • Labs • Need root • SOE OS not adequate • Connectivity • Firewalls prevent learning

17. Student Perception • Become super hacker • Little effort required • Just like the movies

18. Issues Teaching Ethical Hacking in the University Environment Implementation

19. Topics • Ethics • Recon • Social & Physical • Web • Password Schemes • Exploit Development • Shellcode Development • Protocol Weaknesses • Defence

20. Labs • Heavy use of virtualisation • Alternate internet gateway • Network isolation

21. Issues Teaching Ethical Hacking in the University Environment Response

22. Administrative • None • This is a good thing

23. Media • None… yet • This is a good thing

24. Students • Overwhelmingly positive • Acting responsibly • Achieving outcomes / self guided learning • Over half of students chose to do extension assignments

25. Issues Teaching Ethical Hacking in the University Environment Thoughts

26. Issues Teaching Ethical Hacking in the University Environment Conclusion & QUESTIONS