Welcome Cyber Defense Bootcamp for High School Teacher Cyber Defense Lab (ISAT/CS Room 140) Department of Computer Science James Madison University Summer, 2013

Mar 29, 2015

Raquel Harvard
Page 1

Welcome

• Cyber Defense Bootcamp for High School Teacher

• Cyber Defense Lab (ISAT/CS Room 140)

• Department of Computer Science

• James Madison University

• Summer, 2013

Page 2

Introductions

• Bryan Conner

• Livia Griffith

• Hossain Heydari

• Andrew Hutchson

• Evan Johnson

• Emil Salib

• Brett Tjaden

• Xunhua (Steve) Wang

Page 3

Goals

• Have fun!

• Teach you about Cyber Defense so that you can:

– Interest your students in Cyber Defense

– Teach your students about Cyber Defense

• Cyber Defense Clubs

• CyberPatriot Program (http://www.uscyberpatriot.org/)

Page 4

Schedule

• Meet Monday – Friday:

– 9:00 – 10:15: Session #1

– 10:15 – 10:30: Break

– 10:30 – 11:45: Session #2

– 11:45 – 1:00: Lunch

– 1:00 – 2:15: Session #3

– 2:15 – 2:30: Break

– 2:30 – 4:45: Session #4

Page 5

General Information

• No food or drinks near our brand-new laptops

• Restrooms:

– Out the door and turn left

– Right at main hallway

– Right at next hallway

– Restrooms are on the right

• If you have a car on campus see us for a parking permit

• Fill out a W-9 form if you want your money

Page 6

Questions

• Always welcome!

Page 7

Cyber Defense

• Prepare

• Protect

• Detect

• Triage

• Respond

Page 8

The Information Security Problem

• Over the last couple of decades, our world has rapidly become very dependent on computers:

– Store medical information

– Guide aircraft

– Handle the majority of financial transactions

• There are flaws in our computers’:

– Operating systems

– Applications

– Protocols

• Result: threats

Page 9

Exacerbating the Problem

• The problem of how to design secure OSs, applications, and protocols is hard

• Too few security professionals

• Many users do not understand the magnitude of the threat

• Many managers do not understand the magnitude of the threat

Page 10

Threats

• A threat is a potential violation of system security

• Examples (from Shirey):

– Disclosure – unauthorized access to information

– Deception – acceptance of false data

– Disruption – interruption or prevention of correct operation

– Usurpation – unauthorized control of some part of the system

Page 11

Attackers

• Those who intentionally perform actions that cause security violations

– Outsiders:

    • Competitors

    • Hackers

    • Organized crime

    • Terrorists

    • Foreign government, military, or law enforcement

– Insiders:

    • Customers, suppliers, vendors, or business partners

    • Disgruntled current (or former) employees

    • Contractors, temps, or consultants

Page 12

Types of Attackers

• Third tier

– “Script kiddies” with little knowledge or skill

– Run attack scripts and other software written by more sophisticated attackers

• Second tier

– Moderately knowledgeable and skilled attackers

– Discover vulnerabilities; create and disseminate exploit tools

• First tier

– Elite attackers

– Discover vulnerabilities; create private tools

Page 13

Why You Should Not Be an Attacker

• It is illegal:

– United States Code, Title 18, Section 1030 (and others)

– USA Patriot Act, Homeland Security Act, PROTECT Act

– www.cybercrime.gov

• Basically:

– Unauthorized access or use of a computer or network system is illegal

– Unintentional attacks are illegal too

Page 14

Understanding the Tools and Techniques of Attackers

• Important for defenders

– Can evaluate systems you defend as attackers will

– Can implement countermeasures designed to thwart attackers

– Better understand the implications of certain decisions

Page 15

The Pillars of Computer Security

• The security “triad”:

– Confidentiality

– Integrity

– Availability

Page 16

The Security Triad

• Which is most important?

– Confidentiality

– Integrity

– Availability

Page 17

Policy and Mechanism

• A security policy is a statement of what is, and what is not, allowed

– Examples?

• A security mechanism is a method, tool, or procedure for enforcing a security policy

– Examples?

Page 18

Goals of Security

• Prevention – mechanism(s) that cause attacks to fail

– Example?

• Detection – mechanism(s) that determine that an attack is under way, or has occurred, and report it

– Example?

• Recovery – mechanism(s) that stop attacks and assess and repair any damage caused

– Example?

Page 19

Justifying Policy and Mechanism

• The benefits of protection should be justified by the cost of designing, implementing, and using the mechanism

– Cost-benefit analysis – the benefits of computer security are weighed against the cost

– Risk analysis – the level of protection is a function of the probability of an attack occurring and the effect of the attack should it succeed

– Laws and customs

Page 20

Getting Started

• What to do first?

– Get to know your systems

    • You cannot effectively defend what you don't understand

    • Attackers make it their job to understand systems better than the defenders and leverage their advantage in knowledge

• “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” - Sun Tzu

Page 21

Getting Started

• What to do first?

– Get to know your systems

    • You cannot effectively defend what you don't understand

    • Attackers make it their job to understand systems better than the defenders and leverage their advantage in knowledge

• “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” - Sun Tzu

• “You Don't Know Me” - Elvis

Page 22

After You Know Your Systems

• Think about threats and attackers

• Think about what needs to be protected (security triad)

• Think about what security policies and mechanisms you will employ

• Think about your goals (prevention, detection, recovery)

• Think about how those policies and mechanisms are justified

Page 23

After You Have Thought About Your Systems

• Start to plan, implement, and test improvements to your systems' security posture

• Respond to actions by attackers

Page 24

Getting Started Defending Computer Systems

• Get to know your systems

• Assess the current security posture of your systems

• Identify what needs to be protected

• Think about how threats, attackers, the security triad, security policies/mechanisms, and security goals relate to your systems

• Plan, implement, and test improvements to your systems' security posture

Page 25

Bootcamp Exercises

• You will not just be listening, you will be doing

• Virtual machines (VMs) – a simulated computer running on another computer

• VMs are great for hands-on Cyber Defense exercises

• You can create and use VMs with your students using free software:

– VirtualBox (https://www.virtualbox.org/)

– VMware Player (http://www.vmware.com/products/player/)

Page 26

Accessing your VM for this Bootcamp

• Turn on laptop

• Click on “CyberDefender” account to log in

• Double click on Firefox icon to open web browser

• Enter this information in the vSphere

• If you are not already on it, go to the following page:

• https://10.0.0.250:9443/vsphere-client/

Page 27

Accessing your VM for this Bootcamp (cont)

• Log in with the credentials you were given

• Click on “Host and Clusters”

• Expand the items on the left side until you see your “student” VM

• Click on your student VM to highlight it

• In the center window click on the “Summary” tab

• Click on “Launch Console”

• Power on the VM