Students wage war on computer weaknesses
Norwich University grad school develops security experts
Charles Gibson of West Virginia mulls his next move while trying to hack into a computer system during a "digital combat" exercise for students graduating from the master of science in information assurance program at Norwich University on Thursday. Jeb Wallace-Brodeur/Times Argus
By Mel Huff Times Argus Staff - Published: June 13, 2008
NORTHFIELD – Thursday afternoon six men and two women sat around tables arranged in a U in the National Guard Armory at Norwich University, focused intently on the laptops in front of them. Today they will receive degrees of Master of Science in Information Assurance, but at the moment they were engaged in probing the vulnerabilities of other computers and finding secret files.
The game they were playing was designed by Justin Peltier, a Michigan security consultant who organizes similar events each year for the Detroit area FBI and police.
"There are several vulnerabilities on each system," Peltier said. "Part of what makes this a more realistic environment is that there's going to be a large number of targets, and they're all going to be different."
The students would win a point for each IP address they discovered, a point for finding a port that was open, three points for finding a vulnerability, 10 points for getting administrator-level access to a computer and 10 points for finding secret files – although not every system had one.
In the morning, 22 other students in the program had taken part in the digital combat exercise; Peltier had made some changes in it so the afternoon students couldn't use the morning students' work.
"We have a number of people who are attempting to learn as much as they can about 15 target computers with different operating environments, and that includes learning their vulnerabilities," said Peter Stephenson, the associate director of the information assurance program and the university's chief information security officer.
The exercise Thursday has been offered for the last few years to let students test their skills and simulate the kind of attacks they might someday try to fend off.
"A typical vulnerability might be that you can break into the computer through the Web interface," Stephenson said. Looking for weaknesses by trying to break into a server is called penetration testing, he explained. Finding the weaknesses that make a server vulnerable to attack makes it possible to fix them.
The tool the students were using to test the computers is a gold-standard utility called Core Impact: The license costs $25,000 a year.
The winner would receive a limited-use copy of Core Impact and a copy of the official Computer Hacking Forensic Investigator study guide.
Norwich has an I-War laboratory equipped with Core Impact and other costly software and hardware, made available by the vendors, that students must know how to use if they go into the security field.
In an adjoining room, observers and Stephenson watched as one student's computer tried to find the IP address of a target computer, number 107.
"Right now the only one doing anything to 107 is 119 (a student)," Stephenson said.
Stephenson vehemently denies that his program teaches students to become hackers. The difference between hacking and penetration testing is that penetration testing is used to confirm vulnerability, he said. "When I was in the Navy, I was an expert marksman. I could kill you," he declared. "Would I?"
Norwich carefully screens students for the information assurance programs, he noted, and the tools such as Core Impact can't be used outside the I-War lab.
The nature of hacking has changed from the early days of the Internet, he said. Hackers are no longer teenagers competing for bragging rights.
"The guys that bother me are the guys we don't see," Stephenson said. "We now have a whole subculture of hackers for hire. Hacking has become very profitable. There are companies that hire them. There are armies that hire them. There are drug gangs that hire them, and they can make a lot of money."
A spammer can rent a "bot-net" by the hour from a cyber-mercenary to deliver millions of spam e-mails, he observed.
Stephenson is optimistic about the outcome of the cat-and-mouse game between hackers and those defending computers against attack. He is beginning to see an emphasis on information assurance at the university level, not only in teaching but in research. "Our challenge is to begin the process of getting there first," he said. "I can smell it. We have colleagues who are beginning to make real strides in information assurance research."
Samuel Vivian, who was observing the action, has worked in information technology as a system administrator for 10 years and wants "to move up the ladder" in the security field. He applied to the Norwich program after looking at several others.
The National Security Agency came up with the idea of creating Master of Science in Information Assurance degrees, Vivian said. Norwich was in the first round of schools it chartered as centers of excellence.
The different schools have different focuses, Vivian said. He looked at Carnegie Mellon's program, which is narrowly focused on technology: It offers a course in the mathematics of encrypting information. He looked at another that focused solely on management.
Norwich's program falls in the middle. "I found that it's a very, very good program," he said. "There are aspects of leadership and management, understanding the technology behind it, understanding the management of people" – how to deal with the human factor, such as people keeping their password on a sticky note on the bottom of their keyboard. Vivian is receiving his diploma today.
At 4:15 p.m., Stephenson went to the classroom where the exercise was going on. "The time is upon us," he told the students. He collected the score sheets and pronounced the winner to be number 119 – Charles Gibson.
Gibson, a 51-year-old owner of a small technical services business in West Virginia, said he thinks the degree will help him expand his portfolio of clients – small medical practices, nonprofits and schools who "have no one to help them." Gibson chose Norwich because he needed a program that was completely online.
Gibson believes his clients "will become the target of opportunists some day soon." He and his classmates have to learn how to compromise computers so they will know how to defend them, he said, explaining, "We're professional defenders – that's how I sell it to clients."

