7/29/2019 Using Students to Pen Test Your Network (for Credit) (166253699)
http://slidepdf.com/reader/full/using-students-to-pen-test-your-network-for-credit-166253699 1/31
Using Students to Pentest Your Network (For Credit)
Robert Maxwell, Michael Hicks
Tuesday, April 16, 13
No, seriously.
This presentation leaves copyright of the content to the presenter. Unless otherwise noted in the materials, uploaded content carries the Creative Commons Attribution-NonCommercial-ShareAlike license, which grants usage to the general public with the stipulated criteria.
Mike Hicks
• Director of the Maryland Cybersecurity Center
• Associate Professor of CS at UMCP
• Lots more: http://www.cs.umd.edu/~mwh/
Rob Maxwell
• Manager, Security Operations, UMCP
• Faculty of MC2
Secure Maryland
• Undergraduate Penetration Testing class
• Students do work on our live network
• Really.
How did the IT guys get involved in teaching?
• Long-term cooperation with some researchers for access to data (my boss gets most of the credit here, but he’d like us to forget about that)
• This leads to our involvement with the Maryland Cybersecurity Center (MC^2)
• then one day...
Seriously, how the hell did this happen?
• University signs a contract with a job site where students will post resumes, obliges departments to use it.
• CS professors (Dr. Hicks and others) discover massive security holes in the site.
• To make it much worse, vendor is very unresponsive to their concerns.
The Brainstorm
• Let’s have a class of students pen test the campus network to make it more secure.
What could go wrong?
• Lots
A Digression
• The contemporaneous state of pen testing on campus:
• nil
• At this point, we were not providing this service on a regular basis. We have since improved our capabilities in this area.
Convincing Lawyers
• They eventually approved our plan:
• We argued that students wouldn’t be doing anything that anyone couldn’t do from Starbuck’s
• They deferred to our judgement
• They suggested we forgo any sort of NDA
Goals of the class
• Teach qualified undergraduates the art of penetration testing.
• Teach the foundations of ethical hacking.
• Improve the security posture of the university.
Teaching Undergrads: Art
• Penetration testing training, methodologies
• Using real-world systems guarantees real-world results
• Requires creativity and ingenuity - no assured “right answers”
Ethical Considerations
• Ethical implications of this work covered thoroughly
• Business contracts involved in this work discussed
• Engagement rules and scoping covered
Improving Our Security
• Large decentralized network (50,000+ nodes)
• Students are finding problems and notifying the responsible parties to help them remedy vulnerabilities
• Things can get forgotten or abandoned on a network this big.
• Students could damage systems or take services down
• Students could access or exfiltrate sensitive information or intelligence about our networks
Mitigation
• Students performed these tests from standard network access (no special connections - the Starbuck’s argument)
• Network traffic was recorded for later examination
Scope of Work
• Students were warned away from specific sensitive systems
• Engagement level is gradually increased through the semester
• Finally, actual exploitation of systems must be approved by the instructor
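The Mitigation and Scope of Work slides describe the rules (ordinary network access, traffic recorded, sensitive systems off limits) but not how a student's scan is kept inside them. The following is an added example, not code from the course or the presenters: a scope gate that checks every target against an in-scope list and a do-not-scan list before building the nmap command line, and refuses any range that even overlaps an excluded system. The address lists are constructed private/documentation ranges, not the university's real network, and the list names and the `--max-rate` figure are assumptions.

```python
"""Scope gate for a student pen-testing class.

Added example for the Mitigation / Scope of Work slides; it is not code
from the course or the presenters. It assumes the instructor keeps two
lists: networks students may probe (IN_SCOPE) and sensitive systems they
were warned away from (DO_NOT_SCAN). The addresses are constructed
private/documentation ranges, not the university's real address space.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Constructed sample lists (assumptions, not from the slides).
IN_SCOPE = ["10.20.0.0/16", "192.0.2.0/24"]
DO_NOT_SCAN = ["10.20.5.0/24", "10.20.9.17", "192.0.2.200/30"]


def _nets(cidrs: Sequence[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify(target: str, in_scope=IN_SCOPE, do_not_scan=DO_NOT_SCAN) -> str:
    """Verdict for one host or CIDR: ok, excluded, out_of_scope, not_an_ip.

    A target range that overlaps any excluded range at all is refused, so a
    sweep of a whole /16 cannot quietly touch the sensitive VLAN inside it.
    Hostnames are refused rather than resolved: resolve them first so the
    verdict applies to the address nmap will actually hit.
    """
    try:
        t = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "not_an_ip"
    if not any(t.subnet_of(n) for n in _nets(in_scope) if n.version == t.version):
        return "out_of_scope"
    if any(t.overlaps(n) for n in _nets(do_not_scan) if n.version == t.version):
        return "excluded"
    return "ok"


def build_nmap_args(targets: Iterable[str], log_base: str = "class-scan",
                    in_scope=IN_SCOPE, do_not_scan=DO_NOT_SCAN
                    ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (nmap argv, rejected targets with their verdicts).

    Even after the gate, the exclusion list is handed to nmap with --exclude
    as a second line of defence, and -oA keeps a record of every run for
    the class paper. --max-rate 100 keeps a version scan gentle on old
    hardware (a constructed default, not a figure from the slides).
    """
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for t in targets:
        verdict = classify(t, in_scope, do_not_scan)
        if verdict == "ok":
            accepted.append(t)
        else:
            rejected.append((t, verdict))
    if not accepted:
        return [], rejected
    argv = ["nmap", "-sV", "--max-rate", "100", "-oA", log_base,
            "--exclude", ",".join(do_not_scan)] + accepted
    return argv, rejected


if __name__ == "__main__":
    argv, rejected = build_nmap_args(
        ["10.20.3.44", "10.20.5.9", "172.16.1.1", "192.0.2.10", "printer.example.edu"])
    print(" ".join(argv))
    for target, why in rejected:
        print(f"refused {target}: {why}")
```

The overlap check is the part worth copying: a student who types a /16 gets refused outright rather than having nmap silently skip the excluded hosts, which makes the scope decision visible in the run record rather than buried in nmap's output.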
Course Design
• Initial instruction in techniques and tools, ethics, and business processes
• As techniques are taught, students begin to use them to explore the network.
• As vulnerabilities are found, students notify system admins (and SOC) to remedy and must follow up to assist and report
Cooperative Course
• Wiki used to share course information
• Targeting information, interesting results
• Useful tools and techniques shared via wiki and in class
• Students were provided information from the security office to facilitate contacts
Final Project - Departmental Engagement
• Final third of semester, student teams are put in touch with departments to create a professional pen testing engagement.
• Full documentation of every step from laying out scope of work right through final recommendations.
• All techniques were on the table
Technology
• BackTrack/Kali Linux distro
• Google, Shodan
• Nmap, Nessus/OpenVAS, Metasploit
Student Work Product
• Notifications to admins (which become SOC tickets at the end of the class)
• Paper describing in detail their work on the greater network
• The report resulting from the departmental engagement
Class paper
• Descriptions of activities, evolution of strategy, successes and failures
• Lessons learned
• Appendix containing all retained information (screen captures, pcaps, output files, etc.)
Results?
• Printers
• Webcams
• Web vulnerabilities
• Printers (hundreds)
• Abandoned stuff
SCADA
• HVAC control systems
• Lighting control systems
• Serial interfaces for card readers
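The Technology slide names Nmap among the tools, and the Results and SCADA slides list what turned up on a 50,000-node network: printers by the hundred, webcams, HVAC and lighting controllers, abandoned hosts. As an added example (not the course's or the presenters' code), here is the triage pass a student would run over nmap greppable (`-oG`) output to pull those device classes out of a large scan, tagging each host by the well-known ports those devices listen on. The port table, the class names and the scan lines are constructed for illustration; a tag is a lead to verify by hand (and to report to the owner), not a confirmed finding.

```python
"""Triage of nmap greppable (-oG) output for the device classes the slides
report: printers, webcams, building-control/SCADA, and unclassified hosts
that may be forgotten machines.

Added example, not part of the original slides. The port-to-class table
and the sample scan lines are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict

# Assumed port signatures: well-known defaults for each device class,
# not a claim about what the class actually matched on.
PORT_CLASSES = {
    ("tcp", 9100): "printer",   # HP JetDirect / raw PDL
    ("tcp", 631): "printer",    # IPP
    ("tcp", 515): "printer",    # LPD
    ("tcp", 554): "webcam",     # RTSP video stream
    ("tcp", 502): "scada",      # Modbus/TCP
    ("udp", 47808): "scada",    # BACnet/IP (building automation)
    ("tcp", 44818): "scada",    # EtherNet/IP
}

# Constructed sample in the two-lines-per-host layout nmap -oG writes.
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated Tue Apr 16 10:00:00 2013 as: nmap -sV -oG class.gnmap 10.20.3.0/24
Host: 10.20.3.44 ()\tStatus: Up
Host: 10.20.3.44 ()\tPorts: 80/open/tcp//http//HP HTTP Server/, 9100/open/tcp//jetdirect?///\tIgnored State: closed (998)
Host: 10.20.3.71 ()\tStatus: Up
Host: 10.20.3.71 ()\tPorts: 80/open/tcp//http//Boa HTTPd 0.94/, 554/open/tcp//rtsp///\tIgnored State: closed (998)
Host: 10.20.3.90 (hvac-ctl)\tStatus: Up
Host: 10.20.3.90 (hvac-ctl)\tPorts: 502/open/tcp//mbap///, 47808/open|filtered/udp//bacnet///\tIgnored State: closed (997)
Host: 10.20.3.120 ()\tStatus: Up
Host: 10.20.3.120 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2.3/\tIgnored State: closed (998)
# Nmap done at Tue Apr 16 10:05:00 2013 -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each scanned address to its name, open ports and device classes.

    Port entries are port/state/proto/owner/service/rpc/version/ ; only
    open (including open|filtered, typical for UDP) ports are kept.
    """
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        ip, name, rest = m.groups()
        host = hosts.setdefault(ip, {"name": name, "ports": [], "classes": set()})
        if not rest.startswith("Ports: "):
            continue  # the "Status: Up" line carries no ports
        ports_field = rest[len("Ports: "):].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, service, version = (
                int(fields[0]), fields[1], fields[2], fields[4], fields[6])
            if not state.startswith("open"):
                continue
            host["ports"].append((proto, port, service, version))
            cls = PORT_CLASSES.get((proto, port))
            if cls:
                host["classes"].add(cls)
    return hosts


def summarize(hosts: Dict[str, dict]) -> Dict[str, int]:
    """Count hosts per device class; hosts with no tag are 'unclassified'."""
    counts: Dict[str, int] = defaultdict(int)
    for host in hosts.values():
        for cls in host["classes"] or {"unclassified"}:
            counts[cls] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in found.items():
        tags = ",".join(sorted(host["classes"])) or "unclassified"
        print(f"{ip:15} {host['name'] or '-':10} {tags:12} {host['ports']}")
    print(summarize(found))
```

The unclassified bucket is deliberate: on a network this size the hosts with an old SSH banner and nothing else listening are the "abandoned stuff" the slides mention, and they deserve a look just as much as the printers.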
Chapel Carillon System
Byrd Stadium Scoreboard
Robert [email protected]