Using Security Injections to Increase Security and Safety Awareness While Teaching Students to Use Technology
Dr. Kara Nance, University of Alaska Fairbanks
Dr. Blair Taylor, Towson University
Overview
1. Introduction
2. Overview
3. Security Modules
4. Examples
5. Future Considerations
Introduction Introductions Background of the paper NSF CCLI grant # and #
During his confirmation hearings this past June, U.S. Defense Secretary Leon Panetta warned the Senate, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems.”
"..[the] cyber threat is one of the most serious economic and national security challenges we face as a nation." President Barack Obama at Purdue University May 29, 2009
The Perfect Storm increasingly reliant on software (military, medical, financial, critical infrastructure systems) + increased connectivity => more malicious attacks => Costs - $$$ and human
In 1996, software defects in a Boeing 757 caused a crash off the coast of Peru that killed 70 people…
In 2003, a software vulnerability helped cause the largest U.S. power outage in decades…
In 2004, known software weaknesses let a hacker invade T-Mobile, capturing everything from passwords, private , and Paris Hilton’s photos…
In 2005, 23,900 Toyota Priuses were recalled for software errors that could cause the cars to shut down at highway speeds…
In 2006, dubbed “The Year of Cybercrime,” 7,000 software vulnerabilities were discovered that hackers could use to access private information…
In 2007, Estonia, considered one of “the most wired countries in the world”, was forced to shut down Internet connections for more than two weeks after cyberattacks by political protesters…
In 2008 (Feb), hackers compromised 10,000 sets of personal information from Harvard Graduate School applicants and students, including 6,600 Social Security numbers…
2011 – SONY admitted that an "unauthorized person" carried out an attack against its servers, and stole usernames, passwords, credit card details, security answers, purchase history and addresses
Anonymous
Software vulnerabilities
– Vulnerability – weakness in the software
– Estimated 1 to 7 defects per thousand lines of code (PITAC, 2005)
– For large system with millions of lines of code => thousands of vulnerabilities
Software vulnerabilities
– The estimated cost of insecure software to the U.S. is at least $180 billion per year
– The average large U.S. business was attacked 150,000 times in 2007
– The average annual loss suffered by U.S. companies from computer crime was $350,000
– Cost is not just in $$$
– Threaten personal and national security
Top three vulnerabilities (SANS)
Buffer overflow - 23% increase
– Leopard
– RealPlayer
– HP Laptops
– VLC Player
– Excel
Integer overflow
Input validation
Software Security
Industry
– SDLC => Secure Development Lifecycle
– incorporates security at all phases of the traditional software development lifecycle.
– Many software designers, testers, and engineers lack security skills
Build Security In
Create a Security Mindset
Software Security begins with Education
“The ability to write secure code should be as fundamental to a university computer science undergraduate as basic literacy.” Matt Bishop, UC Davis
“The first and foremost strategy for reducing security-related coding flaws is to educate developers how to avoid creating vulnerable code.” Robert C. Seacord, CERT
“I think the most critically important part of delivering secure systems is raising awareness through security education.” Bill Gates
Current state of security education
Security classes + Security Tracks
Reach only a subset of students
Secure coding principles are addressed after students have learned fundamental coding and design
Too little, too late!
Challenges Challenges for the instructor in creating a hands-on learning environment – Difficult to develop – Difficult to disseminate Security labs have additional challenges Distance Learning
Environmental challenges
Below is a list of questions instructors may need to address when creating a hands-on computer lab experience:
1. Do all of the students have the same configuration?
2. Do the students all have the same computing platform?
3. Do they all have the same operating system?
4. Do their machines have enough resources to run the lab exercise?
5. How do I know that they all started from the same configuration?
6. If I am not sure that they all started from the same configuration, how can I grade them appropriately?
7. When a student has a problem with the lab exercise, how can I provide help to them?
8. If I need to make a change to the lab exercise or configuration, how do I distribute that to all students?
9. If I am not at my own computer or at the school, how can I work on the lab exercises?
Pedagogical challenges support a meaningful hands-on educational experience for the student – providing adequate foundational elements to bring all students to a common level – educational content to meet the learning objectives – reflective activities to ensure that the learning objectives have been met – extension activities to demonstrate how the concepts fit into the big picture. current state of Computer Science (CS) labs – ad hoc – inadequately address synthetic and analytical thinking
Solution: Security Integration
– To address the needs of all computing students
– Infuse secure coding principles
– Early and Often
– Utilize Active Learning in the Laboratory
– Seamless integration
– Problem solving -> critical thinking
– Shareable Security Modules: labs and checklists
Solution: Security Integration
– To integrate Security throughout the curriculum
– Lay the foundation of Creating a Security Mindset
– To reiterate security concepts early and often
– To facilitate security education by creating a library of security materials
Active Learning
students engage with subject matter
generate rather than receive knowledge
Most effective when used to enhance traditional learning environment
the environment of the classroom is more enjoyable
students learn more, retain information longer, can apply learned material in more contexts
fosters high-order thinking tasks of:
– Analysis, Synthesis, & Evaluation
Active Learning
CS students are active and visual learners (Briggs, McConnell)
Secure coding requires critical thinking skills that extend beyond programming
Security lab modules extend the traditional programming assignment to include analysis, critical thinking, and synthesis
Security checklists encourage self-evaluation and reinforce learning
Computer Lab
Ideal setting for these activities
Some flexibility in the lab
Minimal burden on curriculum
– alleviate the challenge of creating appropriate laboratory exercises
– Meaningful, purposeful
Typical computer lab
– problem solving
– “get it running”
Traditional sciences
Scientific method
– Hypothesis
– Experimentation
– Analyze data
– Lab reports
critical thinking and analysis
Implementation: Security Module
1. Background
2. Problem (Security Lab)
3. Security Checklist
4. Discussion Questions
Security Module: Background
Definitions
– vulnerabilities, integer overflow, malware, etc.
Real-life examples
– Example: On 12/25/2004, Comair halted all operations and grounded 1,100 flights after a crash of its flight crew scheduling software. The number of monthly changes was stored in a 16-bit integer (max: 32,768). A series of storms in early December caused the crew reassignments to exceed this number.
Research questions
– Example: What is black hat vs. white hat security?
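The Comair failure described in the real-life example above is a counter outgrowing a 16-bit integer. As an added illustration (not part of the original slides; the function names and the 40,000-change workload are hypothetical), the C example below contrasts an unchecked 16-bit counter with one that refuses to pass the type's limit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked counter: the sum is computed as int, then narrowed back to
 * 16 bits. Past INT16_MAX the narrowing is implementation-defined; on
 * common compilers (GCC, Clang) the value wraps to a negative number. */
static int16_t record_change_unchecked(int16_t count)
{
    return (int16_t)(count + 1);
}

/* Checked counter: refuse the update instead of wrapping, so the caller
 * can report the condition rather than continue with a corrupt count. */
static bool record_change_checked(int16_t *count)
{
    if (*count == INT16_MAX)
        return false;
    *count = (int16_t)(*count + 1);
    return true;
}

/* Apply `requested` changes through the checked counter and return how
 * many were accepted (constructed workload, not Comair data). */
static long apply_changes(int16_t *count, long requested)
{
    long accepted = 0;
    while (accepted < requested && record_change_checked(count))
        accepted++;
    return accepted;
}

int main(void)
{
    int16_t count = 0;
    long accepted = apply_changes(&count, 40000L);

    printf("unchecked step past the limit: %d\n",
           record_change_unchecked(INT16_MAX));
    printf("checked: accepted %ld of 40000, counter stays at %d\n",
           accepted, count);
    return 0;
}
```

In a lab setting, the rejected update is the point where students decide what the program should do instead: widen the type, report an error, or both.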
Checklists
reduce likelihood of human error
reminder list helps to ensure consistency and completeness
Used in many applications
– aviation
Increasingly used in software assurance (Bishop)
Security Module: Security Checklists
Based on well-established security mantras that guide software security
Reduce the likelihood of omitting a key security feature
Purpose
– Reinforce security principles
– Critical thinking skills:
– Self-monitoring, evaluation, & reflection
– Helps the student internalize key concepts
Security Module: Analysis
Follow-up questions
Example:
– Describe the buffer overflow problem.
– Give three real life examples of buffer overflow attacks (research on the web).
– List three ways you could potentially overflow a buffer in your program.
– How could you prevent a buffer overflow from occurring in your program?
Provides additional feedback to the instructor
Require students to reflect and synthesize concepts
More detail with examples for each section is provided below. Additionally, each module begins with a catchy or clever title to help catch the student’s attention and create a visual image. Example titles include:
Passwords – “Long, Strong, but Memorable”
Cryptography – “Scrambling information”
Integer Error – “You can’t count that high”
Input Validation – “All Input is Evil”
Buffer Overflow – “Data gone wild”
Objectives Develop a comprehensive plan for creating sharable security labs – Identify challenges of hands-on lab activities – Identify unique challenges of security labs – Summarize current state of security labs – Outline strategies to address challenges – Identify dissemination strategies
How can we address these challenges?
Problem: although more instructors recognize the need for incorporating security into the curriculum, many are hindered by the environmental challenges listed above and
– resource limitations
– time constraints
– insufficient security training
– lack of effective pedagogical materials
Framework for Security Modules Specifically, a framework for shareable security modules should: be broadly applicable across institutions and courses be extendible to meet the needs of diverse audiences be easy to use from a student perspective be easy to identify, access, and implement for instructors encourage active learning facilitate and stimulate development of new modules be largely platform independent
3.1 Security 1) increase faculty awareness of secure coding concepts 2) increase students’ awareness of secure coding issues 3) increase students’ ability to apply secure coding principles and 4) increase the number of security-aware students Modules for CS0, CS1, CS2, Computer Literacy, Web, and database Sample lab
Initial RAVE Deployments ~1,300 GB RAM, ~80 TB Storage, ~450 Logical Processors 2011 At-Large Regional CCDC ran across this infrastructure