Virtualisation in Education: Information Security Lab in Your Pocket Alexandre Karlov, JINR

The international community and cyber criminals Theft of money and racket Industrial espionage and sabotage Cyber attacks to the state organizations 2

Facts (1) 2013: Hackers have stolen in Russia and the CIS (Commonwealth of Independent States) $ 2.5 billion, 10% of Russian banks were attacked Carbanak: Trojan -> Banks had lost $1 billion for the last few years (Sept 2015) A new front in cybercrime – stock markets: A powerful insider data theft scheme was discovered in USA; it allowed getting hundred million dollars by trading on the sensitive internal corporative information (Aug 2015) Hacking the website of the US Tax Service: $50 million > 100 thousand people were concerned (Aug 2015) 3

Facts (2) “Stuxnet” was a very sophisticated cyber attack against the Iranian nuclear programme. SCADA (Supervisory Control and Data Acquisition) software from Siemens was infected and a full control over PLCs (programmable logic controllers), responsible for the rotational speed of the uranium enrichment centrifuges was obtained. Variation of the rotational speed of the centrifuges over the month put out them of action and made useless. Metallurgical plant in Germany: Attackers were able to not only get access to the plant control system, but put it out of operation, causing significant damage to the company. First, hackers took control of the of the factory workers by sending them letters with phishing links. Through e- mail employees, hackers gained access to the enterprise network, and then – to the entire control system of the plant 4

Facts (3) Confidential data of 1,500 US military personal ( addresses, passwords in an unencrypted form, place of work, phone numbers, etc.) were stolen (Aug 2015). The intrusion to Pentagon affected about 4,000 military and civilian personnel who work there (July 2015) Stealing personal data of millions of Americans in the cyber attacks on the US Office of Personnel Management, OPM. Hacking OPM allowed to compromise the data on special operations and employees of several intelligence agencies, including the CIA and the NSA (Sept 2015). 5

Fact (4) - July

Facts (5) - July

Shortage of information security skills By 2019 there will 6 Million security professionals needed 8

Complexity of IT and its impact on Education IT industry becoming more complex and fast moving Students must learn faster Professional education plays a more important role You never stop learning 9

In computing, a Virtual Machine (VM) is an emulation of a particular computer system on a real (or hypothetical) computer 10

Benefits of VMs Improve utilisation - More users can have an access to the given common resources (from 5-15% to 60-80%) Minimize Downtime - If one VM crashes, simply switch to another one (migration without interruption) More security - one VM under attack vill not effect other VMs

Importance of Information Security Education Risk = Prob (Threat exploits a Vulnerability) X Impact You can estimate the impact fairly well for you situation How do you estimate the Probability ? How do you become aware of vulnerabilities and ways of exploiting them ? Training by trying different attacks and exploiting vulnerabilities 12

Perfect times for education How do you perform education in information security ? How do you learn about exploiting vulnerabilities in infrastructure and software without spending to much time? You can simulate an entire company’s network, a data centre, a website etc. on your own portable computer Computer security is fundamentally a practitioner’s art, and that requires every day practice 13

Possible configuration 14

Typical setup All components can be on one physical host (laptop) With products such as VMWare complex network topologies can be created 15

Learning Infrastructure Your environment will depend on your learning goal If you are just starting learning, download: Kali linux for your attacking machine - A linux distribution with all necessary security tools already installed, vast amount of information available on the web Metasploitable - a vulnerably machine from unleashed/requirements/ ) and deploy it on your VM environmentwww.offensive-security.com/metasploit- unleashed/requirements/ NETinVM - a whole vulnerable network from ( Vulnhub a website where users are uploading their own vulnerable VMs and ‘challenging other users to break themwww.vulnhub.com 16

Further ways of learning and education Thanks to virtualisation many websites are proposing online security challenges to teach web security, reverse engineering, forensics, cryptography and system hardening Some examples: securityoverride.org, w3challs.com, Digital « battlefields » where teams compete agains each other - Capture the Flag competitions (CTFs) Great way to learn and keep your information security skill sharp 17

18

Thank you ! Questions ? 19