© 2008 T.Zlateva, L.Burstein, A.MacNeil
Virtual Laboratories for Learning Real World Security
The 12th Colloquium for Information Systems Security Education, University of Texas, Dallas, June 2-4, 2008
Presented by: Tanya Zlateva, Leo Burstein, Andy MacNeil
Agenda
• Introductions, Institutional Context
• Motivation
• Choosing Topic, Scope and Technology
• Lab Scenario and Implementation Overview
• Step by Step Walkthrough
• Future Work
• Student Feedback
• Q&A
Institutional Context
• Graduate programs in CS, CIS, TC, with a concentration in security
• Majority of students are working professionals, typically employed by high-tech Boston area companies
• Course delivery is face-to-face, online, and blended
Motivation
• To succeed in the complex modern workplace, students need solid academic knowledge and practical skills combined with key enterprise competencies
• Reinforcement effect: studies show that students learn better when they understand practical applications of theoretical concepts
• Properly designed labs help students develop important career-building skills (teamwork, passion to innovate, managing change, working in a global environment, building toolkits, etc.)
Choosing Topics, Scope and Technology
Putting Cryptography in Context
Crypto algorithms draw on the most abstract branches of mathematics, while their correct (or incorrect) application decides vital problems ranging from the security of a nation’s critical infrastructure to the privacy of personal information.
Choosing the Scope
Modeling a complex end-to-end integrated practical scenario (vs. isolated concept-specific exercises) helps students “see the whole picture”, learn real-life scenarios, and emphasize human factors (process vs. technology).
Virtualization as an Enabling Technology
Minimizes setup times and hardware requirements, promotes role playing and team collaboration, gives implementation flexibility (esp. for simulating distributed environments), and supports larger classes.
Scenario and Implementation Overview
Diagram components: Hardware Platform (Dell, 16GB); Virtualization Layer; Application Server; Certification Authority; Network Protocol Analyzer; Client Workstation.
Roles: End User; Systems Admin; Hacker; Security Manager.
Technologies shown: MS IIS/2003, WireShark, IE Browser, MS Server 2008, MS VS 2005.
Step by Step Walkthrough
Step 1 – Security Fundamentals, Setting Up the Stage
Theory: Fundamental Security Properties
• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation
Practice: Exploring Vulnerabilities of Typical Infrastructures
• Web server security-related configurations
• Common Internet protocols
• Network traffic analyzers (not just a hacking tool)
• Common vulnerabilities and countermeasures
Diagram: App. Server and Client Workstation exchanging traffic; in the captured bit stream the USERNAME and PASSWORD fields are readable in the clear.
Step by Step Walkthrough
Step 2 – Interplay of Crypto Theory and Internet Security
Theory: Crypto
• Fundamentals of Group Theory
• Encryption Algorithms
• Hash Functions
• Digital Signatures
• Secret and Public Key Cryptography
• Security Protocols
Practice: Securing Internet Communications
• Configuring servers with TLS
• Generating and exchanging keys and digital certificates
Step by Step Walkthrough
Step 3 – Public Key Cryptography and Public Key Infrastructure
Theory: Secret and Public Key Cryptography
• Security Protocols
• Public Key Infrastructure
Practice: Implementing PKI
• Elements of Public Key Infrastructure
• Anatomy of TLS negotiations – matching theory with practice
Diagram: App. Server and Client Workstation.
Step by Step Walkthrough
Step 4 – Trusts, Signatures, Revocations – and Management
Theory: Secret and Public Key Cryptography (cont.)
• Security Protocols
Practice: Managing Trust
• Certificate Authority (CA) (and operational procedures!)
• CA Hierarchies
• Key Management nightmare
• Out-of-band communications
• Emergencies
• Revocation Lists (more procedures…)
• Strong authentication and client-side configurations
Discuss: technology vs. processes; collaboration – all levels; security vs. business objectives; risk management; controls; central/mandate vs. distributed/grassroots
“Tools” + “Rules” < 100%
• awareness
• clearly seeing “the whole picture”
• knowing what we don’t know
Future Work
• Offer choice of application platforms, browsers, CA, etc. to accommodate group preferences
• Optimize lab implementation for larger classes, online and blended programs
• Explore additional security protocols (e.g. IPSec)
• Introduce additional workplace scenarios (e.g. enterprise perimeter security, SCADA systems, database security)
• Introduce additional attack vectors, vulnerabilities and countermeasures, elements of network forensics
• Add case studies and simulations to emphasize importance of processes and promote experience sharing
• How to measure learning outcomes?
Student’s Perspective
Andy MacNeil, 2008 BU Graduate, NSA Information Assurance Scholarship Program Participant
Key Learning Points
• Reality of Basic Network Security
• Use of Encryption Algorithms
• Establishing relationships
• Building a valuable toolbox and skill inventory
Basic Security: Initial thoughts
• Username and password concept is very simple
• Simplicity in exchange for security
Encryption Algorithms
• Was unclear how encryption could be used to secure a transmission
• Do we have to install a separate program to encrypt the data we send?
• Cipher Suites: What is this? How are they determined? Ex. TLS_RSA_WITH_RC4_128_SHA (0x0005)
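Added example, not from the slides or the course materials: Python that decodes a cipher suite name such as the TLS_RSA_WITH_RC4_128_SHA (0x0005) above into its key exchange, bulk cipher, key length and MAC, and walks a ClientHello suite list the way a protocol analyzer shows it during the "anatomy of TLS negotiations" exercise. The suite ids are the registered IANA values; the ClientHello payload and the weakness checks are constructed for this example.

```python
# Added example, not from the slides: decode TLS cipher suite names such as
# TLS_RSA_WITH_RC4_128_SHA (0x0005) and a ClientHello suite list, then flag
# the weak choices a defender would want to catch in a capture.
from collections import namedtuple

# IANA-registered ids (real values); the subset is chosen for the example.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# key_exchange: "RSA", "ECDHE_RSA"; mode: "CBC", "GCM" or "stream" (RC4); mac: hash
CipherSuite = namedtuple("CipherSuite", "name key_exchange cipher key_bits mode mac")

def parse_suite(name: str) -> CipherSuite:
    """Split a suite name: TLS_<kx>_WITH_<cipher>_<bits>[_<mode>]_<hash>."""
    kx, _, rest = name.partition("_WITH_")
    kx = kx[4:] if kx.startswith("TLS_") else kx
    parts = rest.split("_")
    mac = parts.pop()                 # last token is always the MAC / PRF hash
    cipher = parts.pop(0)
    key_bits = int(parts.pop(0)) if parts and parts[0].isdigit() else 0
    mode = parts[0] if parts else "stream"
    return CipherSuite(name, kx, cipher, key_bits, mode, mac)

def weaknesses(suite: CipherSuite) -> list[str]:
    """Checks a reviewer applies to a negotiated suite (defensive view)."""
    issues = []
    if suite.cipher == "RC4":
        issues.append("RC4 is prohibited in TLS (RFC 7465)")
    if "DHE" not in suite.key_exchange:
        issues.append("static key exchange: no forward secrecy")
    if suite.mode == "CBC":
        issues.append("CBC with MAC-then-encrypt (padding-oracle history)")
    return issues

def decode_suite_list(raw: bytes) -> list[tuple[int, str]]:
    """Decode the 2-byte ids of a ClientHello cipher_suites vector, in offered order."""
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
    return [(sid, CIPHER_SUITES.get(sid, "unknown")) for sid in ids]

# Constructed ClientHello cipher_suites payload: three suites, 0x0005 offered first.
CLIENT_HELLO_SUITES = bytes.fromhex("0005002fc02f")

if __name__ == "__main__":
    for sid, name in decode_suite_list(CLIENT_HELLO_SUITES):
        s = parse_suite(name)
        print(f"0x{sid:04X} {name}: kx={s.key_exchange} {s.cipher}-{s.key_bits} "
              f"{s.mode} {s.mac}; issues={weaknesses(s) or 'none'}")
```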
Piecing It All Together
• How can we be certain? Where does the trust/mistrust occur?
• Trusted Root Stores: What is this? What does it do?
My Toolset
• Useful tools and skills to jump-start my career
• Working with others and having fun!
• Learning through writing a manual to teach others
• … and getting respect for security processes for the rest of my life
Questions & Answers