In three action packed days last summer nine high school juniors and seniors built their own computers and installed the operating systems, used packet sniffing programs to watch network traffic and decode the packets, talked with real information security pros, and defended their networks against hackers. As if this weren't enough, they learned about steganography, computer forensics and wireless security. They ate, they talked and they kept their counselors up way past their bedtimes. A good time was had by all.
It was all a part of a partnership between Iowa State University's Information Assurance Center1 and the Iowa Chapter of InfraGard to give high school juniors and seniors an opportunity to learn first hand about information security. This was the second year the camp was offered. Run by Iowa State University professors, infosec professionals, and graduate students, the hands-on laboratory oriented camp provided an overview of computer security, including network security concepts, cryptography, and information warfare. Students worked with state of the art equipment and learned from business, industry, academic and law enforcement leaders.
The Partnership
We worked with the local chapter of InfraGard to help define the camp and develop the curriculum. The idea originated during a brainstorming session with some of my fellow InfraGard members on ways to promote security as a career. In addition to working with us to develop curriculum both years, the group helped recruit students and provided $500 the first year for scholarships. Several members of the group also provided tours of their companies and spoke at the career night. For the second year of the camp some InfraGard members also came to the pizza and a movie night, as well as serving as hackers for the attack lab. This partnership has been critical in making the camp a success.
The Computer Security Summer Camp is synergistic with existing instructional activities at Iowa State University (ISU) and fits well into our long history of community outreach. ISU has a robust program in computer security and offers two graduate degrees in information assurance. In fact, in 1999 the National Security Agency named the university as a Charter Center of Excellence in Information Assurance Education.
Goals and Objectives
The primary goal is to raise awareness of computer security issues and career possibilities through a laboratory oriented curriculum. At the end of the camp we expected the students to be able to:
- Assemble a computer from parts and install an operating system
- Identify security risks in common computer and network activities
- Sniff network traffic and decode packets
- Setup and configure a firewall, an intrusion detection system
- Setup, configure, and secure an email server, web server wireless access point
- Recover data from a forensic image
- Hide images within other images and then recover the original data
- Identify the strengths of cryptography
- Defend networks from attacks
- Understand the ethical issues associated with security and hacking
Camp agenda and curriculum
The summer camp lasted three days, plus an opening session on Sunday night. Students lived with a graduate student mentor in the dorms on campus. While the first camp was housed on the ISU campus with most of the instruction taking place in a computer lab, we found it difficult to reconfigure general purpose teaching labs to support the types of security based activities we wanted. The second year of the camp was moved to the Internet-Scale Event and Attack Generation Environment (ISEAGE)2 (pronounced "ice age"), a 3000 sq. ft. facility at the Iowa State University research park.
The table below shows the agenda and curriculum for the 2005 summer camp.
Sunday:
|
Time
|
Topics
|
|
2:00 – 5:00
|
Check in
|
|
6:00 – 9:00
|
Build Computers & BBQ
|
Monday:
|
Time
|
Topics
|
|
8:00 – 9:30
|
Intro to camp and security
|
|
9:30 – 10:15
|
Security stories
|
|
10:30 – 11:00
|
Ethics
|
|
11:00 – 12:00
|
Services (www, email, etc.)
|
|
12:00 – 12:30
|
Lunch
|
|
12:30 – 1:30
|
Networking
|
|
1:30 – 2:30
|
Steganography
|
|
2:30 – 3:30
|
Securing your environment
|
|
3:30 – 5:30
|
Plan attack lab
|
|
5:30-8:30
|
Dinner, Movie and games
|
Tuesday
|
Time
|
Topics
|
|
8:00 – 9:00
|
Wireless security
|
|
9:00 – 10:00
|
Crypto
|
|
10:15 – 11:30
|
Set up for attack Lab
|
|
11:30 – 12:30
|
Tour & Lunch
|
|
12:30 – 8:00
|
Des Moines tours
|
|
5:00 – 8:00
|
Pizza & Career Discussion
|
|
8:00 – 9:00
|
Travel to Ames
|
|
9:00 – 12:00
|
Set up for attack lab
|
Wednesday
|
Time
|
Topics
|
|
8:00 – 9:30
|
Forensics Lab & Tour
|
|
10:00-12:00
|
Set up for attack lab
|
|
12:00 – 1:00
|
Lunch & final set up
|
|
1:00 – 5:00
|
Information Warfare
|
|
5:00 – 6:00
|
Open house
|
|
6:00 – 7:30
|
Dinner and awards
|
Lab experiments
Feedback from the first year indicated that the campers wanted more hands-on activities. Therefore in 2005 we added several additional lab experiments, such as:
Networking - The networking lab exercises were intermixed within the lectures. Students used a packet sniffing program3 to watch the traffic on the network and decode the packets. They looked for packets that contained user names and passwords, and saw the effect of encryption on the traffic.
Steganography- This session showed the students how to hide pictures inside of other pictures and how this can be used in security. They used software that let them experiment with different methods of data concealment.
Wireless Security - This session provided lectures about how wireless worked and demonstrated security problems with these networks. The students setup a wireless access point and then captured the traffic looking for usernames and passwords. They then configured the access points to provide security and saw that they could no longer decode the data within the packets.
Forensics - The forensics lab is located on campus and the students were given a lecture on how forensics is used to recover data and to solve crimes. Presented with a case and a disk drive with data hidden on it, they were able to use state of the art forensics software to find the evidence and solve the case.
Attack Lab - The attack lab, which was added during the second year, is the focal point of the summer camp and is based on the cyber defense competition4,5,6 we hold for college students. We deliberately built excitement by telling the campers about the lab on the first night, and providing them with several opportunities to plan and implement their defenses. Teams of two students each setup a small network and then defended it against a group of hackers, all security professionals from InfraGard. We also invited several InfraGard members of to attend a pizza party and advise them about different security methods. The students were given time Monday night to develop a plan for their networks, as well as lab time on Tuesday and Wednesday to work on it. For three exhilarating hours on Wednesday afternoon they defended their networks against the hackers. Following the hacking session the students met with the hackers to talk about what happened during the attack lab.
Highlights
The first night activity was one of the several things we added in 2005. The students were given a brief tour of ISEAGE and then taken into a conference room where they found boxes with computer cases, motherboards, processors, memory, and disk drives. They were told to assemble the computers they would be using during the camp and install the Windows XP operating system. The campers jumped right in and were very focused on putting the computers together. Once finished they challenged the graduate student mentor to play computer games. We had planned to finish by 9 pm, but the campers insisted on staying and playing until midnight.
On Tuesday after lunch we loaded up a van and headed for tour of several companies. To reinforce the concepts of wireless security we took two laptops equipped with special antennas that allowed the students to wardrive (see how many wireless networks they can find). During the 50 mile round trip they found more than 300 wireless networks and discovered about half were not security enabled. The students had a great time doing this, but we were careful to caution them both about the legality of wardriving and hacking.
During the first year of the camp we had a career night where the students were able to ask questions of a panel of security professionals that represented several aspects of the computer security field ranging from the FBI, military, banking and insurance, to network security companies. It was a great success the first year and we continued it the second year. The panel members also enjoyed the interaction with the students.
The attack lab was added in the second year. The students looked forward the idea of defending their networks against "real" hackers. During the setup times for the attack lab we had several graduate students available to answer any questions and help them find software. For most of the campers this was the first time they had ever set up web servers, firewalls, and the UNIX operating system. Once the hackers arrived and started hacking the students had to defend their networks.
After three hours of hacking we called a truce and the hackers had a chance to debrief the students, showing them some of the tools they used and the methods they tried. The students enjoy talking to the hackers and were quite excited about the lab. Following the debriefing the students had some time to just talk informally before the dinner and awards. When their parents showed up the campers eagerly showed them the networks they had built and defended. We could tell by the conversations that they had a good time and were very excited about the lab and the camp.
Recruitment, costs and lessons learned
The first year of the camp we expected to have a large number of students, and set a limit of 30, but only attracted 25. We had to work hard to get that many. We found out that most high schools do not have a good method to disseminate this information. Our goal for the second year was 15 students. We wanted a smaller number since we were trying a more lab oriented camp and we were not sure if we could handle more then 15 students. We only had nine students attend the 2005 camp. Our only conclusion is that we need to do a better job of recruitment.
The costs to run the camp are show in the table below:
|
Year
|
Total Cost
|
Number of Students
|
Cost per Student
|
|
2004
|
$8269
|
25
|
$330
|
|
2005
|
$2239
|
9
|
$223
|
The largest factor in the cost difference was the change in venue for the Wednesday night dinner. In 2004 we held the dinner at an off campus site that charged $1200 to use.
Conclusions and future direction
After two years of camp we concluded that it is well worth the time and effort. Our primary goal is to provide an opportunity for high school students to experience computer security. The faculty and security professionals volunteer their time to help.
There are several things that are planned for change in the 2006 camp and many things we will keep the same:
>
We are planning for 14 campers in 2006
>
We will be sending out large posters that can be hung on the walls at high schools in an effort to make it easier for high schools teachers and staff to get the word out
>
For the attack lab we will provide pre-built systems for which students will build a defense system to protect. Although the lab went well this past summer, it was somewhat overwhelming for the campers, in part because they did not have adequate time to setup the computers and did not have much to defend. This meant that the hackers did not have much to hack, either. We are hoping the new plans will solve both problems.
>
In a second partnership with InfraGard and the Technology Association of Iowa, we are starting to run cyber defense competitions with high school students. As part of that program we will be providing the high schools with educational materials and equipment, as long as they create student security clubs.
References
1.
ISU Information Assurance Center, www.iac.iastate.edu
2.
ISEAGE, www.iac.iastate.edu/iseage
3.
Ethereal, www.ethereal.com
4.
Doug Jacobson, "Teaching Information Warfare with a Break-in Laboratory", Proceedings of the 2004 American Society for Engineering Education, Salt Lake City, June 2004.
5.
L.J. Hoffman and D. Ragsdale, "Exploring a National Cyber Security Exercise for Colleges and Universities", tech. report CSPRI-04-08, Cyber Security Policy and Research Inst. Aug 2004, www.cpi.seas.gwu.edu/library/docs/2004-08.pdf
6.
L.J Hoffman and D. Ragsdale, "Exploring a National Cybersecurity Exercise for Universities", IEEE Security and Privacy, Volume 3, Number 5, September 2005, pg27-33.
Doug Jacobson is an Associate Professor in the Department of Electrical and Computer Engineering at Iowa State University, and director the Iowa State University Information Assurance Center. An InfraGard member, he also works with local law enforcement and is a computer forensics analyst for the Iowa State University Police department. dougj@iastate.edu
