Sunday, August 28, 2011

Changing Curriculum

Three years ago, when I was asked to create the content for the IT3700 (Network Defense and Countermeasures) course, I knew the curriculum would change. What I didn’t know is how much – and how quickly – the subject matter would change. Each semester I’ve discovered about 1/3 of the material evolves or morphs in one way or another. This year is no exception.
Perhaps it has something to do with the sites I follow. Places like ComputerWorld’s Cybercrime and Hacking Topic Center, SearchSecurity.com, or the Dark Reading web site substitute for the morning paper at breakfast. Then there are tweets from the InfoSec community: people like Bruce Schneier (schneierblog), Richard Bejtlich (taosecurity), Dan Kaminsky (dakami) and securityninja have forgotten more about security than I’ll ever know.
It could also be my trip to both BlackHat and DefCon. When you’re immersed in APT, wireless attacks, malware, horror stories of botnet takedowns, and war stories from Jennifer Granick and the Electronic Frontier Foundation, you get a different perspective on all things hacker-related.
So what does it all mean? It means I have to scramble to find funding for a high-end video card to demo GPU-based password cracking. It means my personal skills are pushed to the edge, I’m running one step ahead of the students, and assignments can be rough around the edges. And while I have to apologize to the students for some things, I won’t ask forgiveness for the fact that they’re on the leading edge of the cyber war.

Friday, February 11, 2011

Password Cracking

Passwords represent the last and, in most cases, the only line of defense. For this reason students study several aspects of password security. What differentiates a bad password from a good one? What single aspect of a passphrase makes it much more secure than the supposedly secure 8-character p@55w0rd using l33t? The answer to these questions lies in John the Ripper (JTR), a password auditing tool.

Cracking passwords is a mathematical process that takes time – a lot of time. I’ve seen JTR hammer away at passwords at 50,000,000 to 400,000,000 possibilities per second on a standard desktop or laptop system. That’s an amazing number, but given a solid, complex passphrase like “This 2 is a complex password!” a brute force attack has 7.29×10^53 possible combinations. At the top end, banging through 400 million combinations per second, it would take 5.78×10^37 years to try all the possibilities. For this reason, there’s no room for wasted time or extra effort.
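The arithmetic behind those figures, as an added example that is not from the original post: it assumes a 72-symbol alphabet (upper, lower, digits and ten punctuation marks), which is the alphabet that reproduces the post's 7.29×10^53 keyspace, and sets the 29-character passphrase beside the 8-character l33t-style p@55w0rd at the same 400 million guesses per second.

```python
import string

# Assumed character classes (not stated in the post). Ten punctuation marks,
# with upper, lower and digits, give the 72-symbol alphabet that reproduces
# the 7.29e53 figure for "This 2 is a complex password!".
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 10),
}

GUESSES_PER_SEC_LOW = 50_000_000      # desktop/laptop range quoted in the post
GUESSES_PER_SEC_HIGH = 400_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the class-based alphabet a brute-force attack must cover."""
    size = 0
    for chars, weight in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += weight
    return size


def keyspace(password: str) -> float:
    """Number of candidates for a full brute force at this length and alphabet."""
    return float(alphabet_size(password) ** len(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SEC_HIGH) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Length, not l33t substitution, is what moves the passphrase out of reach.
    for pw in ("p@55w0rd", "This 2 is a complex password!"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"keyspace {keyspace(pw):.2e}, "
              f"{years_to_exhaust(pw):.2e} years at 400M guesses/s")
```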

JTR offers practitioners of the security art an abundance of options. When students take their first shot at this assignment they tend to go overboard with options. In class I often cite Occam’s razor, and this is key to the assignment. The assignment is straightforward. It doesn’t require a complex series of steps or exhaustive solutions. A student’s life is hectic enough without busy work from my course. In the words of Albert Einstein, "Make everything as simple as possible, but not simpler."

Thursday, February 10, 2011

Thinking like a Hacker

The semester is firing on all cylinders and we've moved beyond use of basic security tools to password security. In this popular lab assignment students have a three-part task. They're to use a popular hacking tool to compromise a server system in our quarantined and firewall-protected information security lab. Once they've blown a hole in the web/FTP server's authentication mechanism, they use another masterpiece of software to snatch the password file and move it to their personal system. The final step in the process is cracking as many user passwords as possible.

Last night I had the opportunity to watch a group of students, loosely formed as a cyber "gang", take their first footsteps into the dark side. The group had the trappings of the goons I see from China, Korea, and other areas of the globe hammering at our academic servers. There's just one problem: my students haven't learned to think like a hacker. Yet.

At the outset, they're unorganized. No one is in charge and it's total anarchy. After a few minutes they realize organization is the key. Wordlists are divided, tasks assigned. One student is on his cell phone, talking over strategy with a friend. Others are thinking in terms of buffer overflows and denial of service, trying to crash the server in an effort to find a weakness on reboot.

I let them wander, occasionally offering up observations on ways thugs on the Pacific Rim might tackle the problem, but never give the secret away. Students mull over the ideas. Puzzled looks soon turn to a flurry of keystrokes.

A few minutes later I hear "I've got it..." and a student rattles off a username and all-too-weak (by design) password. Seconds later the team is prowling the system working part two of the assignment. Ideas are thrown about, some more complex than others. One student stumbles on the solution by accident. It isn't elegant, but it's effective just the same. But there's a problem: he's lost the password file. A few seconds pass before another student leverages a server tool against itself. He deftly locates then moves the username and hash-laden file to his workstation. In hacker speak, the box is pwn3d.

The team is riding the wave, smiles abound, spirits are high. The file is emailed to each member of the crew where they'll resume part 3 on machines at work and home.

As they're packing up I ask the team what they've learned. Each student offers up a nugget of wisdom. Heads nod in agreement. It's clear they understand the objectives of the exercise. Inside, I smile to myself because they're now thinking like hackers.

Monday, December 27, 2010

Student Success - Part 1

With the spring 2011 semester around the corner an analysis of fall’s final grades provides some interesting feedback. Here’s the grade breakout for the one-time recruits now fighting the InfoSec war:

2 = A
4 = A-
2 = B+
1 = B
1 = B-
2 = D
1 = F

Obviously, it isn’t easy to get an A grade in this class. Not only do you have to take notes, review the lecture slides, and do the homework, but you have to be able to consistently draw on everything you’ve learned in class. In fact, that may be the most significant factor to success. Students hear this the first day of class but for some reason it doesn’t sink in until they start inquiring about extra credit (there is none) late in the semester.

Application of tools we learn in class amounts to practice and there are plenty of opportunities to do so. Practice doesn't mean the INFO3660 course should occupy every waking moment of a student’s life. Students merely need to practice ideas, methods and concepts learned in each class session and draw on this accumulated knowledge through the 14-week semester.

For example, one student lamented in the course survey that we didn’t spend enough time using Wireshark. As such, he felt lost for a good portion of the semester. Oddly enough, a refresher lesson in Wireshark is the first lab assignment students tackle. This tool is part of the curriculum because it's essential to understanding traffic flowing on the wire.

If history is an accurate barometer, I suspect this student slogged through the network sniffing section and rushed on to Nmap – another part of the first lab assignment in August – without a second thought. He probably didn't use it to monitor his FTP password attack in September. Most likely, it wasn't running when he battled his firewall and DMZ rules in October. By the time he hit DoS attacks and IDS implementation in November his Wireshark skills were a distant memory.

If the above scenario is accurate there's at least one student who lacked a valuable skill that would have made the assignments, his final grade, and a job interview much less stressful.

Wednesday, December 15, 2010

Off To Battle

At the end of each semester I survey the students for their views on the educational journey. I ask students about their perceived level of understanding of information security principles both before and after the course. They have the chance to rave about assignments they like and rant about those they’d rather see in the scrap heap. I also ask the students to what degree they feel the material improves their hard skills and marketability. (Over 98% of students feel the course has a significant impact on their skills.)

Semester to semester, the overwhelming majority love the lab and they aren’t afraid to blast textbook assignments from the prerequisite information security course. Once they're in the lab, password cracking is a perennial favorite. There’s something amazing about taking a garbled hash of characters and watching John the Ripper kick passwords out the other end.

While rewarding, students typically find the firewall section a meat grinder. Here students cut their teeth on the Cisco ASA5505. (These are much more affordable on our limited budget, use the same code base as their 5510-5550 series brothers, and leverage the Cisco CLI used in our networking course.) Metaphorically speaking, students seem to view it like a two-week family vacation: They can’t wait till they get there, but at the end of 14 days of config files, rule sets, and static routing, they can’t wait to leave. Oddly enough, it seems to be a love-hate relationship: Many of the same students wonder why we don’t do a section on VPN technology using the ASA box.

The assessment also asks “Is there a topic you would like to have discussed and added to the course?” Last year a common refrain was wireless security and Metasploit penetration testing. I didn’t make it to wireless, but they got a taste of Metasploit and the result is clear: John the Ripper has some competition. This semester Metasploit was a component of the final exam, but the tidal wave of feedback suggests I should dump honeypots in favor of more time spent with this pen-testing juggernaut.

So there it is, another semester gone. The INFO3660 course is like boot camp. As a drill sergeant you never feel the troops are ready for combat, but you can't keep them forever. Sooner or later you have to send the cyber warriors into the thick of the battle.

Thursday, December 2, 2010

Changing Course

Each year about 1/3 of the content for the INFO3660 course changes, becomes irrelevant, or otherwise evolves. Attack vectors change. The actors change. Vulnerabilities change. Threats that were once a serious concern drop into obscurity, replaced by something more effective or dangerous. For this reason, the course doesn’t have a textbook. Anything I could pick from the current shelf of publishers would be outdated due to the lag in publishing cycles. Instead we use readings from the web.

In the past I’ve assigned students a 15 minute presentation on a relevant security-related topic not covered in class. This semester I changed the model and moved to an “In The News” segment. Each Monday students come prepared to discuss security events in today’s headlines. So far we've had everything from WikiLeaks to Stuxnet to Eastern European carding.

This 15 minute segment has two important elements. First, it reinforces the applicability of course topics. Second, the students realize how quickly the security landscape changes. If they expect to maintain their fluency in the discipline they’ve got to stay up with current trends.

There’s also another benefit: my professional (and academic) skills stay sharp. In the past cloud technologies were for infrastructure. Two weeks ago, when media outlets announced that Thomas Roth cracked the SHA-1 hashing algorithm – using $2.00 worth of GPU instances on the Amazon cloud – security professionals were forced to take notice. You can bet that the security implications of the cloud will work their way into the Spring 2011 curriculum.

Monday, November 22, 2010

The Home Stretch

As we approach the end of the semester things are firing on all cylinders. Students have the 3-way handshake down pat and have seen live network attacks – most recently, out of Mumbai, India. They've used a popular cracking tool to perform both dictionary and brute force attacks against a password file. The assignment prompted a few to change the passwords to their online banking sites.

In a recent series of assignments future practitioners of the information security art configured Cisco ASA firewalls. This is one of the most challenging sections of the course, but by the end students truly understand that a firewall isn’t a solution to every security woe. When that aspect of layered security breaks down, another takes over. That’s where our next section on network security monitoring (NSM) enters the picture.

Snort is a popular open-source IDS from Sourcefire and it serves as a great introduction to NSM implementation. Used by businesses both large and small, Snort acts as the detection engine and BASE, a GUI front end, displays a variety of information about the attack. BASE allows for archiving and escalation of events for further investigation. We won't get that far, but this serves as a good introduction.

In our most recent class session I demonstrated port mirroring. In the safety of our quarantined lab environment, I also taught them how to use a popular network security tool to launch a denial of service (DoS) attack against a target. Combine hubs, switches, port mirroring, DoS, and Snort and you’ve got a solid foundation for future NSM implementation.

Another combination of tools, more skills for the resume, and three weeks remaining, with Pen-testing and the Metasploit Framework to go.