Three Strands in Security Education

Three Strands in Security Education. Tadayoshi Kohno. Three Main Strands. Overall security awareness: Control-Alt-Hack (funded by Intel and NSF) Game development completed Evaluation: surveys and play sessions W/ Tamara Denning, Adam Lerner, and Adam Shostack


Presentation Transcript


  1. Three Strands in Security Education Tadayoshi Kohno

  2. Three Main Strands • Overall security awareness: Control-Alt-Hack (funded by Intel and NSF) • Game development completed • Evaluation: surveys and play sessions • W/ Tamara Denning, Adam Lerner, and Adam Shostack • Overall security awareness, security thinking, and threat modeling: Security and Privacy Threat Discovery Cards (funded by NSF) • Cards largely completed • Preparing for distribution • W/ Tamara Denning, Batya Friedman, Daisy Fry, Nell Grey, and Daisy Yoo • Security throughout the curriculum: Book audit (funded by Intel) • Started • W/ Miles Sackler

  3. Security and Games • [d0x3d!] • Exploit! • Elevation of Privilege • Protection Poker • CyberCIEGE • CyberProtect • Capture the flag competitions

  4. Control-Alt-Hack

  5. Hacker Cards

  6. Mission Cards

  7. Entropy Cards

  8. Key Concepts Covered • Computer security is important for all items with computers • Vulnerabilities can come in a variety of shapes and forms • Diversity of attack techniques, creativity of attackers, and attacker motivations

  9. Insider Threats

  10. Non-Standard Target

  11. Unusual Attacks

  12. Strategies for Use • Just play (e.g., leave in student lounge, or play with friends) • Play in class (may not work with all classrooms, e.g., graduate students vs high school AP classes) • Non-play classroom activities • Cards + game mechanics used as “starting off points” (e.g., pick two mission cards and discuss risks; create new cards)

  13. Security and Privacy Threat Discovery Cards

  14. Card Suits and Titles

  15. Adversary’s Resources Note: Old text and photos

  16. Adversary’s Methods Note: Old text and photos

  17. Adversary’s Motivations Note: Old text and photos

  18. Human Impact Note: Old text and photos

  19. Card Suits and Titles

  20. Usage Scenarios • Classroom activity examples • Audit specific technology • Use cards as “starting off” point • In industry • Does not replace threat modeling process • But our belief is that it can help creativity during a threat modeling process

  21. Book Audit • Background: • Many students take lower-level computing courses • Fewer students take security courses, and even when they do they might be senior students (and have developed many habits along the way) • Introductory textbooks don’t necessarily address security • Goal: • Audit lower-level undergraduate textbooks from a security perspective

  22. Status • In progress • Auditing books (two independent auditors per book) • Labeling security concerns with the “CWE/SANS Top 25 Most Dangerous Software Errors” codes: http://cwe.mitre.org/top25/#Listing

  23. Three Main Strands • Overall security awareness: Control-Alt-Hack (funded by Intel and NSF) • Game development completed • Evaluation: surveys and play sessions • W/ Tamara Denning, Adam Lerner, and Adam Shostack • Overall security awareness, security thinking, and threat modeling: Security and Privacy Threat Discovery Cards (funded by NSF) • Cards largely completed • Preparing for distribution • W/ Tamara Denning, Batya Friedman, Daisy Fry, Nell Grey, and Daisy Yoo • Security throughout the curriculum: Book audit (funded by Intel) • Started • W/ Miles Sackler

  24. Additional Slides

  25. Control-Alt-Hack Feedback

  26. Social/Engagement Quotes • 56 undergraduates, Cyber-Security and Information Awareness: “It worked as a way to break the ice and get students from diverse majors get to know each other and get thinking about the topics of the course.” • 27 undergraduates, Computer and Network Security: “I just wanted to reiterate how great my students thought the game was! The students begged me to leave the game in the student lounge so they could continue to play, and from what I hear it’s made a trip or two out to our weekly majors night at the pub.”

  27. Awareness Quotes • 60 high school students, Computers and Information Technology: “The game did not necessarily teach security methods, but it did a great job of teaching vocabulary and literacy.”...“It increased awareness of my program, and it got more students interested in computer science.” • 27 undergraduates, Computer and Network Security: “They really got into it and there was a lot of strategizing”...“They were mainly focused on causing pain to their classmates, but as I wandered around the room I heard some great discussions about the tradeoffs of choosing various hackers’ skill sets, what various missions meant, etc.”

  28. Critiques • Game does take time to play, and time to learn • Expectations not set correctly: Game does not teach technical skills • “The game could use more specificity around computer activity. My students were hoping for a higher level of rigor.” • “Since we approached the game expecting to be tested on our knowledge of vulnerabilities and penetration techniques, we were dissatisfied in that manner, but we enjoyed the overall concept.”

  29. Overall • 13 of 14 educators who used the game in their classrooms reported that they would suggest the game to others • 10 said they would use the game again • 2 more said they would use with different students or as out-of-class activities
