Monday, November 22, 2010

The Home Stretch

As we approach the end of the semester things are firing on all cylinders. Students have the 3-way handshake down pat and have seen live network attacks – most recently, out of Mumbai, India. They've used a popular cracking tool to perform both dictionary and brute force attacks against a password file. The assignment prompted a few to change the the passwords to their online banking sites.

In a recent series of assignments, future practitioners of the information security art configured Cisco ASA firewalls. This is one of the most challenging sections of the course, but by the end students truly understand that a firewall isn’t a solution to every security woe. When that layer of a layered security design breaks down, another takes over. That’s where our next section on network security monitoring (NSM) enters the picture.

Snort is a popular open-source IDS from Sourcefire and it serves as a great introduction to NSM implementation. Used by businesses both large and small, Snort acts as the detection engine while BASE, a GUI front end, displays a variety of information about the detected attack. BASE also allows for archiving and escalation of events for further investigation. We won't get that far, but it serves as a good introduction.

In our most recent class session I demonstrated port mirroring. In the safety of our quarantined lab environment, I also taught them how to use a popular network security tool to launch a denial of service (DoS) attack against a target. Combine hubs, switches, port mirroring, DoS, and Snort and you’ve got a solid foundation for future NSM implementation.

Another combination of tools, more skills for the resume, and three weeks remaining, with Pen-testing and the Metasploit Framework to go.

Wednesday, November 17, 2010

Forensic Analysis

Through the gracious donation of a copier from Les Olson Company we’ve started a section on forensic analysis. We tackled this project based on an investigation by CBS News. You can see their report on the CBS News web site.

This kind of project is a departure for the Network Defense and Countermeasures course. However, a former student turned security engineer was willing to give us a hand, and the upcoming visit by Assistant Director Hooper made it an easy decision.

Our first educational insight occurred when we discovered the “write blocker” device we used to practice (supposedly) sound forensic techniques ships with write features ENABLED. The lesson: know your equipment.

We’re also learning a lot about forensic software. One version works, another crashes. Some software is easy to use but finds nothing. Some students throw up their hands. Others shrug it off and look for different software or use their critical reasoning skills to head off in new directions. 

When we tackled this quest the students knew it wouldn’t be easy. I warned that we’d learn as we go. Even our security engineer mentor came up short on answers. But that's typical of any new endeavor. In this case reality flies in the face of book-based, paint-by-the-numbers exercises. As always, the value – or lack thereof – of an assignment is proportional to the effort students are willing to commit to the task.

Thursday, November 4, 2010

Guest Speaker Confirmed


I like to give students exposure to the real world because it places classroom topics into perspective. Armed with this framework they come to realize things learned in class aren't just marching orders toward a degree.

To that end Mr. Daniel Hooper, Assistant Director of the Intermountain West Regional Computer Forensic Laboratory (IWRCFL), has agreed to serve as a guest lecturer for the INFO3660 class. From the lab's web site (www.iwrcfl.org):
-----
An RCFL is a one-stop, full service forensics laboratory devoted entirely to the examination of digital evidence in support of criminal investigations. The IWRCFL and its satellite network support investigations into such crimes as, but not limited to—

    * Terrorism
    * Child Pornography
    * Violent Crimes
    * The Theft or Destruction of Intellectual Property
    * Internet Crime
    * Fraud.
--------------
I met Mr. Hooper at a security conference last month and his presentation provided some great insight into information security and digital forensic issues.

Excitement, Frustration, and Elation


Tonight I helped some students bang through DMZ setup. While my assignments provide general directions they’re not click-here, select the combo-box there. Students simply retain more when they struggle a bit. That takes practice and persistence. Still, it’s one thing to throw them into the deep end without a life jacket; it’s another to teach them the backstroke while the waves crash over us together. That's why I was there.

During the session I saw emotions ranging from excitement to frustration to elation. They were enthusiastic at the start, frustrated when the config didn’t work on the first (or second or third) pass, and elated when the web site finally popped up on the browser. Now it’s time to take off my educator’s hat: welcome to IT.

In a year or two these same students will be excited when they get that first big assignment at Huge Company Inc. They’ll be frustrated when, though it seems they’ve done everything right, the firewall won’t fire and the server doesn’t serve. Finally, in the twilight of sunrise, they’ll be elated when they discover the proper command syntax that makes the bits flow.

Unfortunately, their effort will go unappreciated. Just as you don’t call the water heater company to thank them for a hot shower, we don’t expect people to fawn over the fact that they can log in. Your boss might let you go get some sleep, but it starts all over again tomorrow morning. 

Monday's class session brings a new assignment with more points up for grabs. Sad? Yes, but we'll tackle it with enthusiasm just the same.

Monday, November 1, 2010

Application of Learning

As the semester races by I continue to see students carry course concepts beyond the walls of the classroom. A few examples:
  • One student is applying his knowledge of firewall rules to slam the door on hackers banging on his company's perimeter firewall. "I think I've dropped all of China," he says with a grin.
  • Another student routinely catches ankle biters trying to brute force the authenticated door of the company FTP site. 
  • Yet another used his white hat skills to crack the password (in less than 60 seconds!) of a laptop destined for the scrap heap: The original user figured that, since no one could remember the admin password, it was a candidate for the recycle bin.
  • One student learned his company was replacing their old firewalls with Cisco devices and wanted to know how to configure them for failover -- one week before the failover lecture!
  • One student, once an Ubuntu fan, now runs BackTrack as the operating system of choice on his work machine.
  • Others are using Nmap to discover networks, implementing code to monitor for attacks, teaching administrators the balance of password complexity, and campaigning for the use of a passphrase rather than a password.
  • They're conversant in the language of Wireshark and the three-way handshake, and know the difference between a full scan, half scan, and Xmas tree scan.
  • In less than 60 seconds, given the IP address of an attacker, they can tell you its country of origin.
With port mirroring, Snort/IDS, system hardening, SQL injection, pen testing, and forensic analysis of a copier hard drive to go, these students -- and their local employers -- are definitely on the fast track.

Lawful Employers Outgunned

No wonder information security people are outgunned. When a 27-year-old bot herder can pull down over $100,000 a month, private and public sector employment looks pretty dismal.

Elegant Solutions

Last week the INFO3660 course moved to a section on stateful firewalls, and the in-class lecture examined creation of basic rules on the Cisco ASA family. The lab assignment tasked students with blocking access to a handful of popular e-commerce sites. Interestingly enough, one student’s submission used regular expressions (RegEx) to do the heavy lifting.

Regular expressions allow filtering on patterns within strings, and a recent guest lecturer had mentioned them. Somewhere along the way the idea clicked. Rather than creating rules to block the IP addresses of web hosts and DNS servers around the world, as I'd expected, he'd taught himself to use RegEx with the help of some Cisco tutorials.

Did it take him longer than writing simple firewall rules? Perhaps. But late one night, as I was wandering through the lab and found him working the assignment, he explained his logic: “Once I get this running for eBay, amazon and buy.com will be a snap.” Later, grading his assignment, I found it an elegant solution. Can he create standard access/deny rules? Sure. But now he’s added a new skill set to his bag of tricks.

In today's fast-paced Web 2.0 environment the ability to research new solutions and adapt to the method of the attacker is essential. In this case, RegEx was the perfect tool for the job.
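The matching logic behind that submission, as an added example that is not the student's work or the ASA configuration itself: the ASA can apply a regex class to the HTTP Host header under HTTP inspection, and the part worth getting right is the pattern. The three site names come from the assignment above; the request lines, the host normalization, and the choice to deny a request that carries no Host header at all are constructed for this illustration.

```python
import re

# Patterns for the three sites named in the assignment. Each one is
# anchored so that "notebay.com" and "ebay.com.example.net" do NOT match,
# which an unanchored "ebay.com" would let through; dots are escaped so
# they match a literal dot rather than any character.
BLOCKED_HOST_PATTERNS = [
    r"(^|\.)ebay\.com$",
    r"(^|\.)amazon\.com$",
    r"(^|\.)buy\.com$",
]
_BLOCKED = [re.compile(p, re.IGNORECASE) for p in BLOCKED_HOST_PATTERNS]


def normalize_host(host):
    """Strip whitespace, an optional :port, and a trailing dot so the
    regex sees only the bare host name (case-folded)."""
    host = host.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def is_blocked(host):
    """True if the (normalized) host matches any blocked pattern."""
    h = normalize_host(host)
    return any(p.search(h) for p in _BLOCKED)


def filter_requests(raw_requests):
    """Decide allow/drop for each raw HTTP request text.

    Returns a list of (host, action). A request with no Host header is
    denied ("deny-no-host"); that fail-closed choice is an assumption of
    this example, not something the assignment specified.
    """
    results = []
    for raw in raw_requests:
        host = None
        for line in raw.split("\r\n")[1:]:   # skip the request line
            if line.lower().startswith("host:"):
                host = line.split(":", 1)[1]
                break
        if host is None:
            results.append((None, "deny-no-host"))
            continue
        action = "drop" if is_blocked(host) else "allow"
        results.append((normalize_host(host), action))
    return results


# Constructed sample requests: one real match, two look-alikes that an
# unanchored pattern would have caught wrongly, and one with no Host header.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.ebay.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: notebay.com\r\n\r\n",
    "GET /item HTTP/1.1\r\nHost: ebay.com.example.net\r\n\r\n",
    "GET / HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for host, action in filter_requests(SAMPLE_REQUESTS):
        print(f"{action:13s} {host}")
```

Two caveats a firewall rule like this inherits: the Host header is only visible in clear-text HTTP, so an HTTPS connection to the same site is not inspected this way, and the pattern must be anchored or a look-alike name slips past. Both are reasons the regex approach complements, rather than replaces, the standard access rules the student can also write.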