560 likes | 680 Views
Computer Security: A Special E-Learning Challenge . Robert Bruen Springfield Technical Community College. Outline. Brief Introduction to Digital Security Teaching & Curriculum Teaching Security On-Line Virtual Machines. Digital Security. Security in the digital universe is complicated
E N D
Computer Security: A Special E-Learning Challenge Robert Bruen Springfield Technical Community College
Outline • Brief Introduction to Digital Security • Teaching & Curriculum • Teaching Security On-Line • Virtual Machines MCO Conference on E-Learning
Digital Security • Security in the digital universe is complicated • It affects everything • What part of “everything” didn’t you get? • Networks, computers, information, knowledge, identity, crime, science, intellectual property, entertainment, automobiles, cargo containers, money... MCO Conference on E-Learning
Basic Concepts • What does “Secure” mean? • Lots of things to lots of people. • In the digital universe: • Confidentiality • Integrity • Availability MCO Conference on E-Learning
Basic Concepts cont. • Authorization • Authentication • Something you: • Are; Have; Know • Audits • Access Controls MCO Conference on E-Learning
Technical • Intrusion Detection (Network & Host) • Secure Programming (Buffer Overflow) • Architecture (Firewalls, DMZ, Bastion Hosts, Sensors, Honeypots) • Vulnerability Assessment • Penetration Testing • SNMP • XSS MCO Conference on E-Learning
Technical cont. • Encryption, PKI, VPN, SSL, TLS • Biometrics • Steganography • Threat Analysis • DoS, DDoS • Spoofing MCO Conference on E-Learning
Technical cont • DNS Cache Poisoning • Virus • Worm • Phish • Pharm • Spam MCO Conference on E-Learning
Security Summary • Technical • Complex • Broad scope • Steep entry requirements • Continuous evolution • Not just about the hackers in the news MCO Conference on E-Learning
Teaching Security • Curriculum • Real Experiences • Issues MCO Conference on E-Learning
Curriculum • We teach how to break into computers • Lots of background necessary • Tools: Open Source Software • Focus: Business vs. Computer Science MCO Conference on E-Learning
Syllabus Examples Technical • Keyloggers • Securing user accounts • Modifying permissions • Scanning systems • Analyzing log files • Installing Intrusion Detection Software MCO Conference on E-Learning
Syllabus Examples Business • Risk Analysis • Asset valuation • Budgeting for Security Operation • Cost of Spam • Product Evaluation/Comparison • Disaster Recovery Planning MCO Conference on E-Learning
Real Experiences • Babson College • Merrimack College • Empire State College • Springfield Technical CC MCO Conference on E-Learning
Babson College • Business School, Math & Science Division • Taught Java, Web Development • Introduced first security course • Extremely popular: novelty, hacking, jobs • Demanding workload: papers, exams, group projects, challenges, presentations • Wide range of choices for student projects MCO Conference on E-Learning
Course Work • Provided a machine for attack • Username & password not provided • Not really difficult to guess • Interesting distribution of knowledge MCO Conference on E-Learning
Projects • Credit card fraud • Hacking software • Terrorism & Technology • Network Security Financials • Peer-to-Peer Networks • Firewalls – Product Comparison • Virtual Private Network setup MCO Conference on E-Learning
Merrimack College • Taught Networks, Web Design, Business Software Apps • Taught security course two semesters • Extreme for the environment MCO Conference on E-Learning
Merrimack - Coursework • Similar requirements to Babson • Computer Science students also signed up. No equivalent course in CS • Interesting mix of Business & CS • Similar production by students • I provided a target machine MCO Conference on E-Learning
Empire State College • Distance education • Will cover later MCO Conference on E-Learning
Springfield TechnicalCommunity College • Teach Linux and networks • Offers an Associate Degree with a security concentration option • Three courses required • First course is closer to industry certifications than my other courses MCO Conference on E-Learning
STCC • My first lab • Will be even better next year • Students’ range was broader than the four year schools (prep, capability) • Students Similar to Distance Ed college MCO Conference on E-Learning
Issues • Fear – Teaching kids to hack! • Fears come true every time • Handling problems MCO Conference on E-Learning
Fear • A dean contacted me when she discovered that there was a hacking component to the course. MCO Conference on E-Learning
Fears Realized • One student ran a password cracker against the faculty server. Shut it down for several hours. • In general, there is a certain amount of immature behavior when students get some power. • A mistake I made was exploited by a student to discover other student passwords. MCO Conference on E-Learning
Not My fault • A DHCP server was shutdown from my lab. The IT people blamed my students. Turned out it was bug in Microsoft’s server software which had an undocumented response. MCO Conference on E-Learning
Handling Problems • Dean was satisfied when she learned from the public course web site that I required several ethical issue papers. • The student who shutdown the faculty server was confronted – successfully. • The student who exploited my mistake was praised in class. Every one changed their password. I fixed my mistake. MCO Conference on E-Learning
Handling Problems cont. • The DHCP server issue forced IT to discover the bug and upgrade. • Contracts to be signed by students • Criminal background checks • All of this confirmed my belief that security needs to be taught differently from most other courses. MCO Conference on E-Learning
E-Learning • Real Experiences • Special Issues • Proposed Solution MCO Conference on E-Learning
Real Experiences • Empire State College (SUNY) • Security course (3 semesters) • Computer Forensics ( 1 semester) • Networks (2 semesters) MCO Conference on E-Learning
Environment • Lotus Notes, not Blackboard • Superior support – Library & media • Long history • Rich, rigid structure • Modules, not weekly topics MCO Conference on E-Learning
Issues • No lab arrangement • Global student body • Working adults, single parents, etc • Unexpected = Norm • Florida hurricane • Student soldiers went to Middle East MCO Conference on E-Learning
Limitations • No lab • No lab assignments • No hands-on • No controls • Technical aspects severely limited MCO Conference on E-Learning
Positive Outcomes • Papers – same as In-Class • Group Projects – mostly same • Discussions – better than In-Class • Students support each other better MCO Conference on E-Learning
Standard Security Teaching Options • Lectures / Distance Ed • Severely Limited • Simulations / Scenarios • Inflexible, costly to create & update • Standard computer lab • Event leakage; maintenance issues • Isolated lab • Expensive, single use MCO Conference on E-Learning
Proposed Solution • On campus lab will use VMWare on individual computers • Distance Lab will use VMWare on one shared computer MCO Conference on E-Learning
Virtual Machines • It’s all pretend anyway • VirtualPC/Virtual Server – All Microsoft • User Mode Linux – All Linux • VMWare – Vendor independent • XEN – Researcher software • Others under development MCO Conference on E-Learning
VM Basics • Host operating system on hardware • VM software runs as an application • Guest operating systems run on top • Each guest thinks it owns the hardware MCO Conference on E-Learning
Virtual Machines Guest Guest Guest Guest VMWare Operating system Hardware MCO Conference on E-Learning