Virtual Laboratories for Learning Real World Security

© 2008 T. Zlateva, L. Burstein, A. MacNeil. Virtual Laboratories for Learning Real World Security. The 12th Colloquium for Information Systems Security Education, University of Texas, Dallas, June 2-4, 2008. Presented by: Tanya Zlateva, Leo Burstein, Andy MacNeil.


Page 1: Virtual Laboratories for Learning Real World Security

© 2008 T.Zlateva, L.Burstein, A.MacNeil

Virtual Laboratories for Learning Real World Security

The 12th Colloquium for Information Systems Security Education
University of Texas, Dallas
June 2-4, 2008

Presented by: Tanya Zlateva, Leo Burstein, Andy MacNeil

Page 2: Virtual Laboratories for Learning Real World Security

Boston University Slideshow Title Goes Here

Agenda

• Introductions, Institutional Context
• Motivation
• Choosing Topic, Scope and Technology
• Lab Scenario and Implementation Overview
• Step by Step Walkthrough
• Future Work
• Student Feedback
• Q&A

Page 3: Virtual Laboratories for Learning Real World Security


Institutional Context

Graduate programs in CS, CIS, TC, concentration in security

Majority of students are working professionals typically employed by high-tech Boston area companies

Course Delivery is face-to-face, online, blended


Page 4: Virtual Laboratories for Learning Real World Security

Motivation

• To succeed in complex modern workplace, students need solid academic knowledge and practical skills combined with key enterprise competencies
• Reinforcement effect: studies show that students learn better when they understand practical applications of theoretical concepts
• Properly designed Labs help students to develop important career-building skills (teamwork, passion to innovate, managing change, working in a global environment, building toolkits, etc.)

Page 5: Virtual Laboratories for Learning Real World Security

Choosing Topics, Scope and Technology

Putting Cryptography in Context
Crypto algorithms draw on the most abstract branches of mathematics while their correct (or incorrect) application decides vital problems ranging from security of nation’s critical infrastructure to privacy of personal information.

Choosing the Scope
Modeling complex end-to-end integrated practical scenario (vs. isolated concept-specific exercises) helps to “see the whole picture”, learn real-life scenarios, and emphasize human factors (process vs. technology).

Virtualization as an Enabling Technology
Minimize setup times and hardware requirements, promote role playing and team collaboration, implementation flexibility esp. simulating distributed environments, support for larger classes.

Page 6: Virtual Laboratories for Learning Real World Security

Scenario and Implementation Overview

[Diagram: Hardware Platform, Virtualization Layer, Application Server, Certification Authority, Network Protocol Analyzer, Client Workstation, with numbered steps i to x. Roles: End User, Systems Admin, Hacker, Security Manager. Product labels: MS IIS/2003, WireShark, IE Browser, MS Server 2008, MS VS 2005, (Dell 16GB).]

Page 7: Virtual Laboratories for Learning Real World Security

Step by Step Walkthrough

Step 1 – Security Fundamentals, Setting Up the Stage

Theory: Fundamental Security Properties

• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation

Practice: Exploring Vulnerabilities of Typical Infrastructures

• Web server security-related configurations
• Common Internet protocols
• Network traffic analyzers (not just a hacking tool)
• Common vulnerabilities and countermeasures

[Figure: Client Wstation and App. Server, with a bit stream between them in which USERNAME and PASSWORD appear]

Page 8: Virtual Laboratories for Learning Real World Security

Step by Step Walkthrough

Step 2 – Interplay of Crypto Theory and Internet Security

Theory: Crypto

• Fundamentals of Group Theory
• Encryption Algorithms
• Hash Functions
• Digital Signatures
• Secret and Public Key Cryptography
• SECURITY PROTOCOLS

Practice: Securing Internet Communications:

• Configuring servers with TLS
• Generating and exchanging keys and digital certificates

Page 9: Virtual Laboratories for Learning Real World Security

Step by Step Walkthrough

Step 3: Public Key Cryptography and Public Key Infrastructure

Theory: Secret and Public Key Cryptography

• Security Protocols
• Public Key Infrastructure

Practice: Implementing PKI

• Elements of Public Key Infrastructure
• Anatomy of TLS negotiations – matching theory with practice

[Figure: App. Server and Client Wstation]

Page 10: Virtual Laboratories for Learning Real World Security

Step by Step Walkthrough

Step 4 – Trusts, Signatures, Revocations – and Management

Theory: Secret and Public Key Cryptography (cont.)

• Security Protocols

Practice: Managing Trust

• Certificate Authority (CA) (and operational procedures!)
• CA Hierarchies
• Key Management nightmare
• Out-of-band communications
• Emergencies
• Revocation Lists (more procedures…)
• Strong authentication and client-side configurations

Discuss: technology vs. processes; collaboration – all levels; security vs. business objectives; risk management; controls; central/mandate vs. distributed/grassroots

“Tools” + “Rules” < 100%

• awareness
• clearly seeing “the whole picture”, knowing what we don’t know

Page 11: Virtual Laboratories for Learning Real World Security

Future Work

• Offer choice of application platforms, browsers, CA, etc. to accommodate group preferences
• Optimize lab implementation for larger classes, online and blended programs
• Explore additional security protocols (e.g. IPSec)
• Introduce additional workplace scenarios (e.g. enterprise perimeter security, SCADA systems, database security)
• Introduce additional attack vectors, vulnerabilities and countermeasures, elements of network forensics
• Add case studies and simulations to emphasize importance of processes and promote experience sharing
• How to measure learning outcomes?

Page 12: Virtual Laboratories for Learning Real World Security

Student’s Perspective

Andy MacNeil, 2008 BU Graduate, NSA Information Assurance Scholarship Program Participant

Page 13: Virtual Laboratories for Learning Real World Security


Key Learning Points

Reality of Basic Network Security

Use of Encryption Algorithms

Establishing relationships

Building a valuable toolbox and skill inventory


Page 14: Virtual Laboratories for Learning Real World Security


Basic Security

Username and password concept is very simple

Simplicity in exchange for security

Initial thoughts


Page 15: Virtual Laboratories for Learning Real World Security

Encryption Algorithms

• Was unclear how encryption could be used to secure a transmission
  • Do we have to install a separate program to encrypt the data we send?
• Cipher Suites
  • What is this?
  • How are they determined?
  • Ex. TLS_RSA_WITH_RC4_128_SHA (0x0005)

Page 16: Virtual Laboratories for Learning Real World Security

Piecing It All Together

• How can we be certain?
• Where does the trust/mistrust occur?
• Trusted Root Stores
  • What is this
  • What does it do

Page 17: Virtual Laboratories for Learning Real World Security

My Toolset

• Useful tools and skills to jump-start my career
• Working with others and having fun!
• Learning through writing a manual to teach others
• … and getting respect for security processes for the rest of my life

Page 18: Virtual Laboratories for Learning Real World Security


Questions & Answers
