using students to pen test your network (for credit) (166253699)

7/29/2019 Using Students to Pen Test Your Network (for Credit) (166253699)

http://slidepdf.com/reader/full/using-students-to-pen-test-your-network-for-credit-166253699 1/31

Using Students to PentestYour Network

(For Credit)Robert MaxwellMichael Hicks

1Tuesday, April 16, 13



No, seriously.

This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlikelicense, which grants usage to the general public with the stipulated criteria.


https://creativecommons.org/licenses/by-nc-sa/3.0/






Mike Hicks

• Director of theMaryland Cybersecurity

Center

• Associate Professor of CS at UMCP

• Lots more: http://www.cs.umd.edu/~mwh/


http://www.cs.umd.edu/~mwh/







Rob MaxwellManager, Security Operations,UMCP

Faculty of MC2.




Secure Maryland

•Undergraduate

Penetration Testing class

• Students do work onour live network

• Really.




How did the IT guys get

involved in teaching?• Long term cooperation with some

researchers for access to data (my boss

gets most of the credit here, but he’d likeus to forget about that)

• This leads to our involvement with the

Maryland Cybersecurity Center (MC^2)

• then one day...




Seriously, how the hell

did this ha en?• University signs a contract with a job site

where students will post resumes, obliges

departments to use it.

• CS professors (Dr. Hicks and others)discover massive security holes in the site.

• To make it much worse, vendor is veryunresponsive to their concerns.




The Brainstorm

• Let’s have a class of students pen test thecampus network to make it more secure.



http://slidepdf.com/reader/full/using-students-to-pen-test-your-network-for-credit-166253699 9/319Tuesday, April 16, 13



What could go wrong?

• Lots




A Digression

• The contemporaneous state of pen testing

on campus:

• nil

• At this point, we were not providing this

service on a regular basis. We have sinceimproved our capabilities in this area.




Convincing Lawyers• They eventually

approved our plan:

• We argued that

students wouldn’t bedoing anything thatanyone couldn’t dofrom Starbuck’s

• They deferred to our judgement

• They suggested weforego any sort of NDA




Goals of the class

• Teach qualified undergraduates the art of

penetration testing.

• Teach the foundations of ethical hacking.

•Improve the security posture of theuniversity.




Teaching Undergrads

Art

• Penetration testing training, methodologies

• Using real world systems guarantees realworld results

•Requires creativity and ingenuity - noassured “right answers”




Ethical

Considerations

• Ethical implications of this work coveredthoroughly

• Business contracts involved in this work

discussed

• Engagement rules and scoping covered




Improving Our Security

• Large decentralized network (50,000+nodes)

• Students are finding problems and notifyingthe responsible parties to help themremedy vulnerabilities

• Things can get forgotten or abandoned ona network this big.




•Students could damage systems or downservices

• Students could access or exfiltrate sensitiveinformation or intelligence about our

networks




Mitigation

•Students performed these tests fromstandard network access (no specialconnections - the Starbuck’s argument)

•Network traffic was recorded for later

examination




Scope of Work

• Students were warned away from specific

sensitive systems• Engagement level is gradually increased

through semester

• Finally, actual exploitation of systems mustbe approved by the instructor




Course Design

• Initial instruction in techniques and tools,ethics, and business processes

• As techniques are taught, students begin touse them to explore the network.

•As vulnerabilities are found, students notifysystem admins (and SOC) to remedy andmust follow up to assist and report



http://slidepdf.com/reader/full/using-students-to-pen-test-your-network-for-credit-166253699 21/3121Tuesday, April 16, 13



Cooperative Course

• Wiki used to share course information

• Targeting information, interesting results

• Useful tools and techniques shared via wikiand in class

• Students provided information fromsecurity office to facilitate contacts




Final Project -

Departmental Engagement• Final third of semester, student teams are

put in touch with departments to create a

professional pen testing engagement.

• Full documentation of every step fromlaying out scope of work right through final

recommendations.

• All techniques were on the table




Technology

• BackTrack/Kali linux distro

• Google, Shodan

•Nmap, Nessus/OpenVAS, Metasploit




Student Work Product

• Notifications to admins (which become

SOC tickets at the end of the class)• Paper describing in detail their work on the

greater network

• The report resulting from the departmentalengagement




Class paper

• Descriptions of activities, evolution of

strategy, successes and failures• Lessons learned

• Appendix containing all retained

information (screen captures, pcaps, outputfiles, etc.)




Results?

• Printers

• Webcams

• Web vulnerabilities

•Printers (hundreds)

• Abandoned stuff




SCADA

• HVAC control systems

• Lighting control systems

• Serial interfaces for card

readers




Chapel Carillon

System




Byrd Stadium Scoreboard




Robert [email protected]

mailto:[email protected]

mailto:[email protected]

using students to pen test your network (for credit) (166253699)

Documents