ABSTRACT
Education in the information security domain increasingly integrates practical hands-on training; where exercises focusing on secure cyber operations and secure software development are used for training the participants in designing and building secure systems. These exercises utilize multiple approaches in their context, such as capture the flag, attack/defense, reverse engineering, and incident response, while they are conducted on specifically created testbeds that by design integrate vulnerabilities to support the training scenarios. However, these exercises represent only the perspective of the attacker and/or the defender, without reflecting the perspective of the designer, while they statistically have primary focus on network security. In this article, we argue that the best way to understand the consequences of insecure design and development is to combine engineering and exploitation activities in one exercise, proposing the use of "Make it and break it" type of exercises for security training in cyber physical systems. Accordingly, we conducted a case study for validation and verification, the results of which are presented in this article. The case study was performed over the period of two days, during the training boot camp of the Norwegian national team for the European cyber security challenge 2018. During the boot camp, the team has been separated into two groups, which were challenged to design and build an IoT (Internet of Things) smart home using secure design principles, and then attack each other in order to identify security weaknesses. Pre and post-exercise surveys have been conducted, and the feedback from the participants was used in order to evaluate the effectiveness of the exercise, as a pilot towards further development and optimization.
- Cowan, Crispin, Seth Arnold, Steve Beattie, Chris Wright, and John Viega. "Defcon capture the flag: Defending vulnerable code from intense attack." In DARPA Information Survivability Conference and Exposition, 2003. Proceedings, vol. 1, pp. 120--129. IEEE, 2003.Google Scholar
- Gurnani, Rahul, Kaushik Pandey, and Shashi Kant Rai. "A scalable model for implementing Cyber Security Exercises." In Computing for Sustainable Global Development (INDIACom), 2014 International Conference on, pp. 680--684. IEEE, 2014.Google Scholar
- Halfond, William G., Jeremy Viegas, and Alessandro Orso. "A classification of SQL-injection attacks and countermeasures." In Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13--15. IEEE, 2006.Google Scholar
- Harmon, T. Cyber Security Capture The Flag (CTF): What Is It? https://blogs.cisco.com/perspectives/cybersecurity-capture-the-flag-ctf-what-isit, 2016.Google Scholar
- Line, Maria B., and Nils Brede Moe. "Understanding collaborative challenges in it security preparedness exercises." In IFIP International Information Security Conference, pp. 311--324. Springer, Cham, 201Google Scholar
- M. Lange, A. Kott, N. Ben-Asher, W. Mees, N. Baykal, C.-M. Vidu, M. Merialdo, M. Malowidzki, B. Madahar, Recommendations for model-driven paradigms for integrated approaches to cyber defense, arXiv preprint arXiv:1703.03306.Google Scholar
- Mattson, Jeffrey A. "Cyber defense exercise: A service provider model." In Fifth World Conference on Information Security Education, pp. 81--86. Springer, Boston, MA, 2007.Google Scholar
- Moore, Erik, Steven Fulton, and Dan Likarish. "Evaluating a Multi Agency Cyber Security Training Program Using Prepost Event Assessment and Longitudinal Analysis." In IFIP World Conference on Information Security Education, pp. 147--156. Springer, Cham, 2017.Google Scholar
- Park, Yong Tae, Pranesh Sthapit, and Jae-Young Pyun. "Smart digital door lock for the home automation." In TENCON 2009-2009 IEEE Region 10 Conference, pp. 1--6. IEEE, 2009.Google Scholar
- Ruef, Andrew, et al. "Build It, Break It, Fix It: Contesting Secure Development." Proceedings of the 2016.Google Scholar
- S. Furnell, P. Fischer, A. Finch, Can't get the staff? the growing need for cybersecurity skills, Computer Fraud & Security 2017 (2) (2017) 5--10.Google ScholarDigital Library
- Schuba, Christoph L., Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, and Diego Zamboni. "Analysis of a denial of service attack on TCP." In Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on, pp. 208--223. IEEE, 1997. Google ScholarDigital Library
- Uckan Färnman, Baris, Mats Koraeus, and Sarah Backman. "The 2015 Report on National and International Cyber Security Exercises: Survey, Analysis and Recommendations." (2015).Google Scholar
- Vigna, Giovanni, Kevin Borgolte, Jacopo Corbetta, Adam Doupe, Yanick Fratantonio, Luca Invernizzi, Dhilung Kirat, and Yan Shoshitaishvili. "Ten Years of iCTF: The Good, The Bad, and The Ugly." In 3GSE. 2014Google Scholar
- Vykopal, Jan, Martin Vizváry, Radek Oslejsek, Pavel Celeda, and Daniel Tovarnak. "Lessons learned from complex hands-on defence exercises in a cyber range." In Frontiers in Education Conference (FIE), pp. 1--8. IEEE, 2017.Google Scholar
Recommendations
Multi-National Cyber Security Exercise, Case Flagship 2
ICETC '22: Proceedings of the 14th International Conference on Education Technology and ComputersCyber security is not merely about securing devices and focusing on software and hardware. Staff members with skills and know-how are among the most valuable assets in the context of cyber security. Globally, there is a lack of competent cyber security ...
Guide for designing cyber security exercises
E-ACTIVITIES'09/ISP'09: Proceedings of the 8th WSEAS International Conference on E-Activities and information security and privacyCyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines ...
Design and implementation of automated IoT security testbed
AbstractThe emergence of technology associated with the Internet of Things (IoT) is reshaping our lives, while simultaneously raising many issues due to their low level of security, which attackers can exploit for malicious purposes. This ...
Comments