Monday, December 27, 2010

Student Success - Part 1

With the spring 2011 semester around the corner, an analysis of fall’s final grades provides some interesting feedback. Here’s the grade breakout for the one-time recruits now fighting the InfoSec war:

2 = A
4 = A-
2 = B+
1 = B
1 = B-
2 = D
1 = F

Obviously, it isn’t easy to get an A grade in this class. Not only do you have to take notes, review the lecture slides, and do the homework, but you have to be able to consistently draw on everything you’ve learned in class. In fact, that may be the most significant factor to success. Students hear this the first day of class but for some reason it doesn’t sink in until they start inquiring about extra credit (there is none) late in the semester.

Application of tools we learn in class amounts to practice and there are plenty of opportunities to do so. Practice doesn't mean the INFO3660 course should occupy every waking moment of a student’s life. Students merely need to practice ideas, methods and concepts learned in each class session and draw on this accumulated knowledge through the 14-week semester.

For example, one student lamented in the course survey that we didn’t spend enough time using Wireshark. As such, he felt lost for a good portion of the semester. Oddly enough, a refresher lesson in Wireshark is the first lab assignment students tackle. This tool is part of the curriculum because it's essential to understanding traffic flowing on the wire.

If history is an accurate barometer, I suspect this student slogged through the network sniffing section and rushed on to Nmap – another part of the first lab assignment in August – without a second thought. He probably didn't use it to monitor his FTP password attack in September. Most likely, it wasn't running when he battled his firewall and DMZ rules in October. By the time he hit DoS attacks and IDS implementation in November, his Wireshark skills were a distant memory.

If the above scenario is accurate, there's at least one student who lacked a valuable skill that would have made the assignments, his final grade, and a job interview much less stressful.

Wednesday, December 15, 2010

Off To Battle

At the end of each semester I survey the students for their views on the educational journey. I ask students about their perceived level of understanding of information security principles both before and after the course. They have the chance to rave about assignments they like and rant about those they’d rather see in the scrap heap. I also ask the students to what degree they feel the material improves their hard skills and marketability. (Over 98% of students feel the course has a significant impact on their skills.)

Semester to semester, the overwhelming majority love the lab and they aren’t afraid to blast textbook assignments from the prerequisite information security course. Once they're in the lab, password cracking is a perennial favorite. There’s something amazing about taking a garbled hash of characters and watching John the Ripper kick passwords out the other end.

While rewarding, students typically find the firewall section a meat grinder. Here students cut their teeth on the Cisco ASA5505. (These are much more affordable on our limited budget, use the same code base as their 5510-5550 series brothers, and leverage the Cisco CLI used in our networking course.) Metaphorically speaking, students seem to view it like a two-week family vacation: They can’t wait till they get there but at the end of 14 days of config files, rule sets, and static routing, they can’t wait to leave. Oddly enough, it seems a love-hate relationship: Many of the same students wonder why we don’t do a section on VPN technology using the ASA box.

The assessment also asks “Is there a topic you would like to have discussed and added to the course?” Last year a common refrain was wireless security and Metasploit penetration testing. I didn’t make it to wireless but they got a taste of Metasploit and the result is clear: John the Ripper has some competition. This semester Metasploit was a component of the final exam but the tidal wave of feedback suggests I should dump honeypots in favor of more time spent with this pen-testing juggernaut.

So there it is, another semester gone. The INFO3660 course is like boot camp. As a drill sergeant you never feel the troops are ready for combat but you can't keep them forever; sooner or later you have to send the cyber warriors into the thick of the battle.

Thursday, December 2, 2010

Changing Course

Each year about 1/3 of the content for the INFO3660 course changes, becomes irrelevant, or otherwise evolves. Attack vectors change. The actors change. Vulnerabilities change. Threats that were once a serious concern drop into obscurity, replaced by something more effective or dangerous. For this reason, the course doesn’t have a textbook. Anything I could pick from the current shelf of publishers would be outdated due to the lag in publishing cycles. Instead we use readings from the web.

In the past I’ve assigned students a 15-minute presentation on a relevant security-related topic not covered in class. This semester I changed the model and moved to an “In The News” segment. Each Monday students come prepared to discuss security events in today’s headlines. So far we've had everything from WikiLeaks to Stuxnet to Eastern European carding.

This 15-minute segment has two important elements. First, it reinforces the applicability of course topics. Second, the students realize how quickly the security landscape changes. If they expect to maintain their fluency in the discipline they’ve got to stay up with current trends.

There’s also another benefit: my professional (and academic) skills stay sharp. In the past, cloud technologies were for infrastructure. Two weeks ago when media outlets announced that Thomas Roth cracked the SHA-1 hashing algorithm – using $2.00 worth of GPU instances on the Amazon cloud – security professionals were forced to take notice. You can bet that security implications of the cloud will work its way into the Spring 2011 curriculum.