Monday, December 27, 2010

Student Success - Part 1

With the spring 2011 semester around the corner an analysis of fall’s final grades provides some interesting feedback. Here’s the grade breakout for the one-time recruits now fighting the InfoSec war:

2 = A
4 = A-
2 = B+
1 = B
1 = B-
2 = D
1 = F

Obviously, it isn’t easy to get an A grade in this class. Not only do you have to take notes, review the lecture slides, and do the homework, but you have to be able to consistently draw on everything you’ve learned in class. In fact, that may be the most significant factor to success. Students hear this the first day of class but for some reason it doesn’t sink in until they start inquiring about extra credit (there is none) late in the semester.

Application of tools we learn in class amounts to practice and there are plenty of opportunities to do so. Practice doesn't mean the INFO3660 course should occupy every waking moment of a student’s life. Students merely need to practice ideas, methods and concepts learned in each class session and draw on this accumulated knowledge through the 14-week semester.

For example, one student lamented in the course survey that we didn’t spend enough time using Wireshark. As such, he felt lost for a good portion of the semester. Oddly enough, a refresher lesson in Wireshark is the first lab assignment students tackle. This tool is part of the curriculum because it's essential to understanding traffic flowing on the wire.

If history is an accurate barometer, I suspect this student slogged through the network sniffing section and rushed on to nMap – another part of the first lab assignment in August – without a second thought. He probably didn't use it to monitor his FTP password attack in September. Most likely, it wasn't running when he battled his firewall and DMZ rules in October. By the time he hit DOS attacks and IDS implementation in November his Wireshark skills were a distant memory.

If the above scenario is accurate, there's at least one student who lacked a valuable skill that would have made the assignments, his final grade, and a job interview much less stressful.

Wednesday, December 15, 2010

Off To Battle

At the end of each semester I survey the students for their views on the educational journey. I ask students about their perceived level of understanding of information security principles both before and after the course. They have the chance to rave about assignments they like and rant about those they’d rather see in the scrap heap. I also ask the students to what degree they feel the material improves their hard skills and marketability. (Over 98% of students feel the course has a significant impact on their skills.)

Semester to semester, the overwhelming majority love the lab and they aren't afraid to blast textbook assignments from the prerequisite information security course. Once they're in the lab, password cracking is a perennial favorite. There's something amazing about taking a garbled hash of characters and watching John the Ripper kick passwords out the other end.

While rewarding, the firewall section is one students typically find a meat grinder. Here students cut their teeth on the Cisco ASA5505. (These are much more affordable on our limited budget, use the same code base as their 5510-5550 series brothers, and leverage the Cisco CLI used in our networking course.) Metaphorically speaking, students seem to view it like a two week family vacation: They can't wait until they get there, but at the end of 14 days of config files, rule sets, and static routing, they can't wait to leave. Oddly enough it seems a love-hate relationship: Many of the same students wonder why we don't do a section on VPN technology using the ASA box.

The assessment also asks “Is there a topic you would like to have discussed and added to the course?” Last year a common refrain was wireless security and metasploit penetration testing. I didn’t make it to wireless but they got a taste of metasploit and the result is clear: John the Ripper has some competition. This semester metasploit was a component of the final exam but the tidal wave of feedback suggests I should dump honeypots in favor of more time spent with this pen-testing juggernaut.

So there it is, another semester gone. The INFO3660 course is like boot camp. As a drill sergeant you never feel the troops are ready for combat, but you can't keep them forever; sooner or later you have to send the cyber warriors into the thick of the battle.

Thursday, December 2, 2010

Changing Course

Each year about 1/3 of the content for the INFO3660 course changes, becomes irrelevant, or otherwise evolves. Attack vectors change. The actors change. Vulnerabilities change. Threats that were once a serious concern drop into obscurity, replaced by something more effective or dangerous. For this reason, the course doesn’t have a textbook. Anything I could pick from the current shelf of publishers would be outdated due to the lag in publishing cycles. Instead we use readings from the web.

In the past I’ve assigned students a 15 minute presentation on a relevant security-related topic not covered in class. This semester I changed the model and moved to an “In The News” segment. Each Monday students come prepared to discuss security events in today’s headlines. So far we've had everything from WikiLeaks to Stuxnet to Eastern European carding.

This 15 minute segment has two important elements. First, it reinforces the applicability of course topics. Second, the students realize how quickly the security landscape changes. If they expect to maintain their fluency in the discipline they’ve got to stay up with current trends.

There's also another benefit: my professional (and academic) skills stay sharp. In the past cloud technologies were for infrastructure. Two weeks ago, when media outlets announced that Thomas Roth cracked SHA-1 hashing algorithm – using $2.00 worth of GPU instances on the Amazon cloud – security professionals were forced to take notice. You can bet that security implications of the cloud will work its way into the Spring 2011 curriculum.

Monday, November 22, 2010

The Home Stretch

As we approach the end of the semester things are firing on all cylinders. Students have the 3-way handshake down pat and have seen live network attacks – most recently, out of Mumbai, India. They've used a popular cracking tool to perform both dictionary and brute force attacks against a password file. The assignment prompted a few to change the passwords to their online banking sites.

In a recent series of assignments future practitioners of the information security art configured Cisco ASA firewalls. This is one of the most challenging sections of the course, but by the end students truly understand a firewall isn't a solution to every security woe. When that aspect of layered security breaks down, another takes over. That's where our next section on network security monitoring (NSM) enters the picture.

Snort is a popular open-source IDS from Sourcefire and it serves as a great introduction to NSM implementation. Used by businesses both large and small, Snort acts as the detection engine while BASE, a GUI front end, displays a variety of information about the attack. BASE allows for archiving and escalation of events for further investigation. We won't get that far, but this serves as a good introduction.

In our most recent class session I demonstrated port mirroring. In the safety of our quarantined lab environment, I also taught them how to use a popular network security tool to launch a denial of service (DoS) attack against a target. Combine hubs, switches, port mirroring, DoS, and Snort and you’ve got a solid foundation for future NSM implementation.

Another combination of tools, more skills for the resume, and three weeks remaining, with Pen-testing and the Metasploit Framework to go.

Wednesday, November 17, 2010

Forensic Analysis

Through the gracious donation of a copier from Les Olson Company we've started a section on forensic analysis. We tackled this project based on an investigation by CBS News. You can see their report on the CBS News web site.

This kind of project is a departure for the Network Defense and Countermeasures course. However, we have a former student turned security engineer who was willing to give us a hand. And the upcoming visit by Assistant Director Hooper made it an easy decision.

Our first educational insight occurred when we discovered the “write blocker” device we used to practice (supposedly) sound forensic techniques ships with write features ENABLED. The lesson: know your equipment.

We're also learning a lot about forensic software. One version works, another crashes. Some software is easy to use but finds nothing. Some students throw up their hands. Others shrug it off and look for different software or use their critical reasoning skills to head off in new directions.

When we tackled this quest the students knew it wouldn't be easy. I warned that we'd learn as we go. Even our Security Engineer mentor came up short on answers. But that's typical of any new endeavor. In this case reality flies in the face of book-based, paint-by-the-numbers exercises. As always the value – or lack thereof – of an assignment is proportional to the effort students are willing to commit to the task.

Thursday, November 4, 2010

Guest Speaker Confirmed


I like to give students exposure to the real world because it places classroom topics into perspective. Armed with this framework they come to realize things learned in class aren't just marching orders toward a degree.

To that end Mr. Daniel Hooper, Assistant Director of the Intermountain West Regional Computer Forensic Laboratory (IWRCFL), has agreed to serve as a guest lecturer for the INFO3660 class. From the lab's web site (www.iwrcfl.org):
-----
An RCFL is a one-stop, full service forensics laboratory devoted entirely to the examination of digital evidence in support of criminal investigations. The IWRCFL and its satellite network support investigations into such crimes as, but not limited to—

    * Terrorism
    * Child Pornography
    * Violent Crimes
    * The Theft or Destruction of Intellectual Property
    * Internet Crime
    * Fraud.
--------------
I met Mr. Hooper at a security conference last month and his presentation provided some great insight into information security and digital forensic issues.

Excitement, Frustration, and Elation


Tonight I helped some students bang through DMZ setup. While my assignments provide general directions they’re not click-here, select the combo-box there. Students simply retain more when they struggle a bit. That takes practice and persistence. Still, it’s one thing to throw them into the deep end without a life jacket; it’s another to teach them the backstroke while the waves crash over us together. That's why I was there.

During the session I saw emotions ranging from excitement to frustration to elation. They were enthusiastic at the start, frustrated when the config didn’t work on the first (or second or third) pass, and elated when the web site finally popped up on the browser. Now it’s time to take off my educator’s hat: welcome to IT.

In a year or two these same students will be excited when they get that first big assignment at Huge Company Inc. They'll be frustrated when, though it seems they've done everything right, the firewall won't fire and the server doesn't serve. Finally, in the twilight of sunrise, they'll be elated when they discover the proper command syntax that makes the bits flow.

Unfortunately, their effort will go unappreciated. Just as you don't call the water heater company to thank them for a hot shower, we don't expect people to fawn over the fact that they can log in. Your boss might let you go get some sleep, but it starts all over again tomorrow morning.

Monday's class session brings a new assignment with more points up for grabs. Sad? Yes, but we'll tackle it with enthusiasm just the same.

Monday, November 1, 2010

Application of Learning

As the semester races by I continue to see students carry course concepts beyond the walls of the classroom. A few examples:
  • One student is applying his knowledge of firewall rules to slam the door on hackers banging on his company's perimeter firewall. "I think I've dropped all of China," he says with a grin.
  • Another student routinely catches ankle biters trying to brute force the authenticated door of the company FTP site.
  • Yet another used his white hat skills to crack the password (in less than 60 seconds!) of a laptop destined for the scrap heap: The original user figured that, since no one could remember the admin password, it was a candidate for the recycle bin.
  • One student learned his company was replacing their old firewalls with Cisco devices and wanted to know how to configure them for failover -- one week before the failover lecture!
  • Once an Ubuntu fan, one student now runs Backtrack as the operating system of choice on his work machine.
  • Others are using nMap to discover networks, implementing code to monitor for attacks, teaching administrators the balance of password complexity, and campaigning for the use of a passphrase rather than a password.
  • They're conversant in the language of Wireshark, the three-way handshake, and know the difference between a full scan, half scan, and Xmas tree scan.
  • In less than 60 seconds, given the IP address of an attacker, they can tell you its country of origin.
With port mirroring, Snort/IDS, system hardening, SQL injection, pen testing, and forensic analysis of a copier hard drive to go, these students -- and their local employers -- are definitely on the fast track.

Lawful Employers Outgunned

No wonder information security people are outgunned. When a 27 year old bot herder can pull down over $100,000 a month, private and public sector employment looks pretty dismal.

Elegant Solutions

Last week the INFO3660 course moved to a section on stateful firewalls and the in-class lecture examined creation of basic rules on the Cisco ASA family. The lab assignment tasked students to block access to a handful of popular e-commerce sites. Interestingly enough, one student's submission used regular expressions (RegEx) to do the heavy lifting.

Regular expressions allow filtering on string patterns, and a recent guest lecturer had mentioned them. Somewhere along the way the idea clicked. Rather than creating rules to block the IP addresses of web hosts and DNS servers around the world as I'd expected, he'd taught himself, with the help of some Cisco tutorials, to use RegEx.

Did it take him longer than writing simple firewall rules? Perhaps. But late one night, as I was wandering through the lab and found him working the assignment, he explained his logic: "Once I get this running for eBay, amazon and buy.com will be a snap." Later, grading his assignment, I found it an elegant solution. Can he create standard access/deny rules? Sure. But now he's added a new skill set to his bag of tricks.

In today's fast-paced Web 2.0 environment the ability to research new solutions and adapt to the method of the attacker is essential. In this case, RegEx was the perfect tool for the job.

Thursday, October 28, 2010

Blocking a web site


While it sounds simple in principle, configuring a firewall isn't a task to take lightly. Blocking access to a site (or sites) is no exception. Like most things in IT there are several ways to accomplish the task; some are harder than others.

Does the site (or sites) have a single IP address? Or are there multiple aliases? Can you block access to the site's DNS server? Do you plan to block the IP address? The URL? Does the target site move around, as is the case with a web server hosting a phishing scam? Is the site hosted on multiple Akamai servers? Can you take advantage of subnet masking to hit a range of IP addresses?

As you plow forward ask yourself: what tools can I use to help in the process? Resources like dig, nslookup, and whois may make things easier. Perhaps the answer lies in a hybrid solution where you use all of the above. As I've said in class several times before, it's important you leverage everything you know.
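The "block by URL rather than by IP" answer to the questions above is the RegEx approach from the "Elegant Solutions" post. The configuration below is an added illustration of it, not the student's submission or anything from Cisco's documentation as printed here; it uses the ASA Modular Policy Framework with made-up object names (the `domain_*`, `BlockedHosts`, `BlockHostClass` and `http_block_policy` names are mine) and the three sites named in that post. Because it matches the HTTP Host header, it only works on cleartext HTTP (port 80); an HTTPS session carries the host name encrypted, so those connections would still need an IP- or DNS-based rule.

```cisco
! Patterns matched against the HTTP Host header. The dot is escaped
! so it is a literal "." rather than the regex "any character".
regex domain_ebay   "ebay\.com"
regex domain_amazon "amazon\.com"
regex domain_buy    "buy\.com"

! Group the patterns: any one of them matching is enough to block.
class-map type regex match-any BlockedHosts
 match regex domain_ebay
 match regex domain_amazon
 match regex domain_buy

! Select HTTP requests whose Host header matches the group.
class-map type inspect http match-all BlockHostClass
 match request header host regex class BlockedHosts

! Reset matching connections and log the event so it shows up in
! syslog; everything else passes through the inspection untouched.
policy-map type inspect http http_block_policy
 parameters
 class BlockHostClass
  reset log

! Attach the HTTP inspection to the default global policy.
policy-map global_policy
 class inspection_default
  inspect http http_block_policy
```

Check the result with `show service-policy inspect http` and watch the syslog for reset events; if the counters stay at zero, confirm the traffic is actually HTTP on port 80 and not HTTPS.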