1 / 112

Tools For Teaching Security+

Tools For Teaching Security+. Mark Ciampa Western Kentucky University mark.ciampa@wku.edu. 1. Cengage Feedback. Shorter sentences or just key words or phrases instead of longer, complete sentences No more than 3-5 points per slide Have 20 slides for entire presentation. 2.

tackitt
Télécharger la présentation

Tools For Teaching Security+

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tools For Teaching Security+ Mark Ciampa Western Kentucky University mark.ciampa@wku.edu 1

  2. Cengage Feedback • Shorter sentences or just key words or phrases instead of longer, complete sentences • No more than 3-5 points per slide • Have 20 slides for entire presentation 2

  3. Cengage Feedback 3

  4. Limit of Material 4

  5. Teaching, Tools & Presentation Philosophy Broad vs. Deep 5

  6. Teaching Security+ • CompTIA Security+ is more broad than deep • No single domain or topic is significantly in depth • When teaching Security+ very important to keep moving • Going too deep in a topic means you won’t be able to cover the material 6

  7. Tools When Teaching Security+ • Tools for students likewise need be more broad than deep • Tempting to spend 4 weeks on configuring Server 2012 security • But very important to keep moving • Reflection of Hands-On Projects in Security+ Guide to Network Security Fundamentals 5e 7

  8. Presentation Security+ Tools • This presentation of Tools for Teaching Security+ is more broad than deep • Will not go into deep dive on any single tool; otherwise won’t be able to cover the material • Few tools demonstrated while most introduced • None of these in Security+ Guide to Network Security Fundamentals 5e Hands-On Projects • Presented where fall in current chapter • Tools for student Hands-On Projects and demos 8

  9. Presentation Security+ Tools • This presentation of Tools for Teaching Security+ is more broad than deep • Will not go into deep dive on any single tool; otherwise won’t be able to cover the material • Few tools demonstrated while most introduced • None of these in Security+ Guide to Network Security Fundamentals 5e Hands-On Projects • Presented where fall in current chapter • Tools for student Hands-On Projects and demos 9

  10. Security Employment • Tools for Teaching Security+ 10

  11. How To Make Money In Security 11

  12. Carbanak • Most cybercrime targets consumers and businesses, stealing account information like passwords and other data that then lets thieves cash out hijacked bank accounts or create fake credit/debit cards • Group now specializes in breaking into banks directly and then use ways to funnel cash from the financial institution itself • Carbanak deployed malware via phishing scams to get inside of computers at 100+ banks and steal between $300 million to $1 billion 12

  13. Worst Data Breaches Last 15 Months 13

  14. 14

  15. 15

  16. Source 16

  17. Bug Bounties • Organizations pay for vulnerabilities that are reported by researchers • In 2014 Google paid out $150,000 to a researcher for uncovering a multi-vulnerability chain that exploited the Google Chrome OS • Google set aside an astonishing $3.14 million (yes, million) for paying for these "bug bounties." • In 2014 Facebook was able to patch 61 high-severity vulnerabilities, twice as many as the previous year • Facebook pays a minimum of $500 per reported vulnerability with no upper limit for the high-value vulnerability (that's right, the sky's the limit) • In 2014 it paid $1.3 million to 321 researchers from 65 countries (India had the most submissions at 196 while the U.S. was third with 61) • The top five individuals who disclosed a problem to Facebook earned a combined $256,750. 18

  18. Hacker Bounty Hunter • Two U.S. government agencies are offering a $3 million reward for information leading to the arrest or conviction of Evgeniy Mikhailovich Bogachev who is suspected of having served as an administrator for the destructive Gameover Zeus botnet • Over a two-year period Gameover Zeus targeted banking credentials resulted in financial losses exceeding $100 million. • Bogachev is listed on the FBI's Cyber's Most Wanted list (did you know such a list even existed?). • The rewards for the other five members on this list are a mere $1 million each. • Here's your first clue in tracking down Bogachev: he's believed to be living in Russia (good luck). 19

  19. Finished! 20

  20. Information Security Specialist • Mundane job in information security • According to Bureau of Labor Statistics (BLS) Information Security Analysts with a bachelor's degree and less than five years' experience had median pay in 2013 of $86,130 (the most recent data available) • Over the next seven years these positions are expect to grow at a rate of 37%, or "much faster than average." 21

  21. 22

  22. Information Security Employment 23 • In the past security was rarely outsourced – but that now changing • The increased use of cloud computing is particularly concerning • By next year about 10% of overall IT security enterprise capabilities will be delivered as a cloud service • Gartner says by 2018 over half of all organizations will have to rely on external security services firms that specialize in data protection, risk assessment, and infrastructure management

  23. Value of Degree 24

  24. Value of Certification • 72% of employers use IT certifications as a requirement for specific job roles • 66% of employers say that IT certifications are "very valuable" (increase from 30% in 2011) • 60% of employers often use IT certifications to confirm a candidate's subject matter knowledge or expertise • 65% of employers said if there are two otherwise equally qualified candidates for a job then will turn to IT certifications as the deciding factor 25

  25. Value of Security+ Certification • Foote Partners recently released its "IT Skills Demand and Pay Trends Report“: Which certifications will carry the most weight throughout 2015 in terms of pay and demand? • Charted pay growth over the last 3, 6 and 12 months for 337 different IT certifications and came up with the "historical pay premium performance." • Over last 3 months the market pay value of a Security+ certificate increased 30% (those with Security+ certification earned that much more than without) • Over last 12 months the market pay value for the Security+ certificate increased a whopping 40% 26

  26. 27

  27. Network+ • Tools for Teaching Security+ 28

  28. Network Security • There are many different terms that are used when referring to security, like cybersecurity or information assurance • Network security still common • Network viewed as the protecting wall around which client computers could be kept safe: secure network keep attackers away from devices • Not foolproof • Too many entry points that circumvent the network and allow malware to enter like infected USB flash drive • Malware started taking advantage of common network protocols, such as Hypertext Transfer Protocol (HTTP), and could not always be detected or blocked by network security devices 29

  29. Network Security • Network security still important • Not all applications are designed and written with security and reliability in mind, so it falls on the network to provide protection • Network-delivered services can scale better for larger environments and can complement server and application functionality • Attacker who can successfully penetrate a computer network may have access to hundreds or even thousands of desktop systems, servers, and storage devices • Organizations should make network defenses one of the first priorities in protecting information • Network security is alive and well 30

  30. CompTIA Network+ N10-006 • Feb 28 2015 CompTIA released new Network+ exam (N10-006) • Increased emphasis on security • It has a separate domain just on security: "3.0 Network Security" • Although the percentage of the exam that covers network security is officially listed as 18%, according to CompTIA the overall coverage of security in the new Network+ exam is actually double that at 37% • Exam also has extended coverage of wireless local area networks and security and covers about 30% of objectives found on Certified Wireless Network Administrator (CWNA) exam 31

  31. Chapter 1Introduction to Security • Tools for Teaching Security+ 32

  32. Chapter 1 Projects Security+ Guide 5e • Project 1-1: Examine Data Breaches (The Privacy Rights Clearinghouse) • Project 1-2: Scan for Malware Using the Microsoft Safety Scanner • Project 1-3: Create a Virtual Machine of Windows 8.1 for Security Testing—Part 1 • Project 1-4: Create a Virtual Machine of Windows 8.1 for Security Testing—Part 2 (VirtualBox) 33

  33. Your Privacy • Google Location History • Immersion • You’ve Been Pwned! 34

  34. Real Time Attack Trackers • FireEye Cyber Threat Map • Norse IPViking • Arbor Networks Digital Attack Map • Kaspersky Cyberthreat Real-time Map • Anubis Network Cyberfeed • F-Secure World Map • Trend Micro Global Botnet Threat Activity Map • Team Cymru Graphs • OpenDNS Global Network • Madiant IPew Attack • Alien Vault Global Dashboard 35

  35. Create & Run VM from USB Flash Drive • Fork of VirtualBox called Portable VirtualBox • Run VM from USB flash drive as application running under Windows (like a virtualized version Windows 8 Enterprise Windows to Go option) • Caveats • Requires administrator privileges to run • Consumes hard drive space, RAM (can adjust), processing power • Need licensed copy of OS • Format USB drive as an NTFS file system (FAT32 on some USB drives have file size limit to 4GB) 36

  36. Create & Run VM from USB Flash Drive • Download Portable VirtualBox (http://www.vbox.me/) • Extract and launch Portable-VirtualBox.exe • Click Download installation files of VirtualBox • Click Extract files box for 32-bit or 64-bit operating systems • Check Start Portable-VirtualBox after the extract and/or compress • IMPORTANT: Click OK button in bottom left corner (NOT Exit button) 37

  37. Create & Run VM from USB Flash Drive • Launch Portable-VirtualBox.exe to enter VirtualBox • Network and USB support are disabled by default • Can create VM of Windows, Linux Mint (http://www.linuxmint.com/), Android (https://code.google.com/p/android-x86/downloads/list) • Can also be used in Chapter 10 Mobile Device Security 38

  38. Chapter 2Malware & Social Engineering Attacks • Tools for Teaching Security+ 39

  39. Chapter 2 Projects Security+ Guide 5e • Project 2-1: Write-Protecting and Disabling a USB Flash Drive (Thumbscrew) • Project 2-2: Scan for Rootkits Using a Basic Tool (TDSSKiller) • Project 2-3: Scan for Rootkits Using an Advanced Tool (GMER) • Project 2-4: Use a Software Keylogger (Spyrix) 40

  40. 41

  41. 42

  42. RawDisk • “RawDisk library offers software developers direct access to files, disks and partitions of the disks (hard drives, flash disks etc.) for user-mode applications, bypassing security limitations of Windows operating systems” • Direct access to disks and protected files from user-mode applications in Windows 8/7/Vista/XP • Can read/write disks sector by sector without operating-system-imposed restrictions • “Comes in handy for development of data recovery, undelete and forensic applications” • https://www.eldos.com/rawdisk/ 43

  43. Microsoft Attack Surface Analyzer • “Understand how the attack surface of Windows systems change as a result of installing software” • Can take snap shot of multiple security related information elements on a system, then after the system changes can take another snapshot • Compares the before and after snapshots and show what changed in an HTML report    • http://www.microsoft.com/en-us/download/details.aspx?id=24487 44

  44. 45

  45. DVWA • DVWA is PHP/MySQL vulnerable web application • Install Apache Webserver • Install Mysql Server • Install PHP • Install and configure DVWA • Can perform XSS, SQL injection attacks • http://www.dvwa.co.uk/ 46

  46. WebGoat • WebGoat - Deliberately insecure web application designed to teach web application security lessons • Install and practice with WebGoat in either J2EE or WebGoat for .Net in ASP.NET. • Users demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications • Example: User must use SQL injection to steal fake credit card numbers • https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project 47

  47. Chapter 3Application & Network-Based Attacks • Tools for Teaching Security+ 48

  48. Chapter 3 Projects Security+ Guide 5e • Project 3-1: Scan Web Browser Plug-ins (Qualys Browser Check) • Project 3-2: Configure Microsoft Windows Data Execution Prevention (DEP) • Project 3-3: Set Web Browser Security • Project 3-4: Hosts File Attack • Project 3-5: ARP Poisoning • Project 3-6: Create an HTTP Header • Project 3-7: Manage Flash Cookies 49

  49. Enhanced Mitigation Experience Toolkit (EMET) • Strengthens the security of non-Microsoft applications by using defenses built within Windows • Includes “Attack Surface Reduction” can block some of an application’s modules or plugins that might be abused • EMET tell Internet Explorer to halt an SSL connection if an untrusted certificate is detected without sending session data • http://www.microsoft.com/en-us/download/details.aspx?id=43714 50

  50. 51

More Related