Virtual Laboratories for Learning Real World Security
The 12th Colloquium for Information Systems Security Education
University of Texas, Dallas
June 2-4, 2008
Presented by: Tanya Zlateva, Leo Burstein, Andy MacNeil

Agenda
• Introductions, Institutional Context
• Motivation
• Choosing Topic, Scope and Technology
• Lab Scenario and Implementation Overview
• Step by Step Walkthrough
• Future Work
• Student Feedback
• Q&A

Institutional Context
• Graduate programs in CS, CIS, TC, concentration in security
• Majority of students are working professionals typically employed by high-tech Boston area companies
• Course delivery is face-to-face, online, blended

Motivation
• To succeed in a complex modern workplace, students need solid academic knowledge and practical skills combined with key enterprise competencies
• Reinforcement effect: studies show that students learn better when they understand practical applications of theoretical concepts
• Properly designed labs help students to develop important career-building skills (teamwork, passion to innovate, managing change, working in a global environment, building toolkits, etc.)

Choosing Topics, Scope and Technology
• Putting Cryptography in Context
  Crypto algorithms draw on the most abstract branches of mathematics, while their correct (or incorrect) application decides vital problems ranging from the security of a nation’s critical infrastructure to the privacy of personal information.
• Choosing the Scope
  Modeling a complex end-to-end integrated practical scenario (vs. isolated concept-specific exercises) helps to “see the whole picture”, learn real-life scenarios, and emphasize human factors (process vs. technology).
• Virtualization as an Enabling Technology
  Minimize setup times and hardware requirements, promote role playing and team collaboration, implementation flexibility esp. simulating distributed environments, support for larger classes.

Scenario and Implementation Overview
[Diagram: lab environment. Labels: MS Server 2008, MS IIS/2003, WireShark, IE Browser, MS VS 2005, (Dell 16GB). Roles: Systems Admin, Security Manager, Hacker, End User]

Step by Step Walkthrough
Step 1 – Security Fundamentals, Setting Up the Stage
• Practice: Exploring Vulnerabilities of Typical Infrastructures
  • Web server security-related configurations
  • Common Internet protocols
  • Network traffic analyzers (not just a hacking tool)
  • Common vulnerabilities and countermeasures
• Theory: Fundamental Security Properties
  • Authentication
  • Authorization
  • Confidentiality
  • Integrity
  • Non-repudiation
[Diagram: bit stream between Client Wstation and App. Server containing USERNAME and PASSWORD]

Step by Step Walkthrough
Step 2 – Interplay of Crypto Theory and Internet Security
• Theory: Crypto
  • Fundamentals of Group Theory
  • Encryption Algorithms
  • Hash Functions
  • Digital Signatures
  • Secret and Public Key Cryptography
  • SECURITY PROTOCOLS
• Practice: Securing Internet Communications
  • Configuring servers with TLS
  • Generating and exchanging keys and digital certificates

Step by Step Walkthrough
Step 3 – Public Key Cryptography and Public Key Infrastructure
• Theory: Secret and Public Key Cryptography
  • Security Protocols
  • Public Key Infrastructure
• Practice: Implementing PKI
  • Elements of Public Key Infrastructure
  • Anatomy of TLS negotiations – matching theory with practice
[Diagram: App. Server, Client Wstation]

Step by Step Walkthrough
Step 4 – Trusts, Signatures, Revocations – and Management
• Theory: Secret and Public Key Cryptography (cont.), Security Protocols
• Practice: Managing Trust
  • Certificate Authority (CA) (and operational procedures!)
  • CA Hierarchies
  • Key Management nightmare
  • Out-of-band communications
  • Emergencies
  • Revocation Lists (more procedures…)
  • Strong authentication and client-side configurations
Discuss: technology vs. processes; collaboration – all levels; security vs. business objectives; risk management; controls; central/mandate vs. distributed/grassroots
• “Tools” + “Rules” < 100%
  • awareness
  • clearly seeing “the whole picture”
  • knowing what we don’t know

Future Work
• Offer choice of application platforms, browsers, CA, etc. to accommodate group preferences
• Optimize lab implementation for larger classes, online and blended programs
• Explore additional security protocols (e.g. IPSec)
• Introduce additional workplace scenarios (e.g. enterprise perimeter security, SCADA systems, database security)
• Introduce additional attack vectors, vulnerabilities and countermeasures, elements of network forensics
• Add case studies and simulations to emphasize importance of processes and promote experience sharing
• How to measure learning outcomes?

Student’s Perspective
Andy MacNeil, 2008 BU Graduate, NSA Information Assurance Scholarship Program Participant

Key Learning Points
• Reality of Basic Network Security
• Use of Encryption Algorithms
• Establishing relationships
• Building a valuable toolbox and skill inventory

Basic Security
• Username and password concept is very simple
• Simplicity in exchange for security
• Initial thoughts

Encryption Algorithms
• Was unclear how encryption could be used to secure a transmission
• Do we have to install a separate program to encrypt the data we send?
• Cipher Suites
  • What is this?
  • How are they determined?
  • Ex. TLS_RSA_WITH_RC4_128_SHA (0x0005)

Piecing It All Together
• How can we be certain?
• Where does the trust/mistrust occur?
• Trusted Root Stores
  • What is this?
  • What does it do?

My Toolset
• Useful tools and skills to jump-start my career
• Working with others and having fun!
• Learning through writing a manual to teach others
• … and getting respect for security processes for the rest of my life

Questions & Answers