Workshop Program

This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.

Hands-on cyber security training is generally accepted as an enjoyable and effective way of developing and practising skills that complement the knowledge gained by traditional education. At the same time, experience from organizing and participating in these events show that there is still room for making a larger impact on the learners, and providing more engaging and beneficial learning. In particular, the area of the game and exercise design is not sufficiently well-developed. There is no comprehensive methodology or best practices that can be used to prepare, test, and carry out events.

We present the concept of a security game and lessons learned from a prototype game played by 260 participants. Based on the lessons, we describe the enhancements to the game design and a user study evaluating new game features. The results of the study show the importance of logging events which describe the course of the game. It also suggests what type of information can be predicted from the game logs and what can be found by other methods such as surveys.

Research on cybersecurity competitions is still in its nascent state, and many questions remain unanswered, including how effective these competitions actually are at influencing career decisions and attracting a diverse participant base. The present research aims to address these questions through surveying a sample of ex-cybersecurity competition participants from New York University’s Cyber-Security Awareness Week (CSAW). 195 survey respondents reported on their self-esteem, general self-efficacy, and perceived efficacy in cyber-security-related tasks, along with important competi-tion- and career-related variables such as reasons for participating, competition performance, appeal and ef-fectiveness of competitions, job satisfaction, and per-ceived organizational fit. Correlational analyses showed that confidence in cybersecurity-related tasks was posi-tively related to interest in cybersecurity, performance within the competition, job satisfaction within a cyber-security job, and perceived organizational fit within cybersecurity organizations. Specific self-efficacy was better at predicting competition performance than gen-eral self-efficacy or self-esteem, but was unrelated to participants’ positive image of competitions and wheth-er or not the cybersecurity competitions influenced their career decisions. Instead, general self-efficacy was a better predictor of positive competition experience even more-so than performance within the competition. Overall, the results show that participants with self-confidence in their cybersecurity-relevant skills are more likely to do well in the competition and be satis-fied when entering a cybersecurity career, but any par-ticipant with high general self-efficacy will likely still have a positive experience when participating in com-petitions.

In order to accomplish cyber security tasks, one needs to know how to analyze complex data and when and how to use tools. Many hands-on exercises for cybersecurity courses have been developed to teach these skills. There is a spectrum of ways that these exercises can be taught. On one end of the spectrum are prescriptive exercises, in which students follow step-by- step instructions to run scripted exploits, perform penetration testing, do security audits, etc. On the other end of the spectrum are open-ended exercises and capture-the- flag activities, where little guidance is given on how to proceed.

This paper reports on our experience with trying to find a balance between these extremes in the context of one of the suite of cybersecurity exercises that we have developed in the EDURange framework. The particular exercise that we present teaches students about dynamic analysis of binaries using strace. We have found that students are most successful in these exercises when they are given the right amount of prerequisite knowledge and guidance as well as some opportunity to find creative solutions. Our scenarios are specifically designed to develop analysis skills and the security mindset in students and to complement the theoretical aspects of the discipline and develop practical skills.

Despite the remarkable cybersecurity education efforts from traditional approaches such as offering dedicated courses and even degree programs or tracks, the computer science curricula of many institutions still severely fall short in promoting cybersecurity education. We advocate to further explore the security integration approach to complement other approaches and better promote cybersecurity education. We contribute to this approach by concretely exploring a viable implementation solution and evaluating its effectiveness. Specifically, we explore to discuss relevant cybersecurity topics in upper and graduate level non-security courses to engage students in learning cybersecurity knowledge and skills from the perspectives of different computer science sub-areas, and help them understand the correlation and interplay between cybersecurity and other sub-areas of computer science. Our experience in six class sessions of five non-security courses is very encouraging: the majority of students found the discussed cybersecurity topics interesting, useful, and relevant; they would like to have cybersecurity topics discussed in other non-cybersecurity courses in the future; they improved their understanding of the discussed content. We hope our experience can be helpful for other educators to adopt and further explore the security integration approach in the future.

Talent management is usually not well-supported by traditional curricula, because university courses are typically designed for a large number of average students and not for the few outstanding ones. In this paper, we share our experiences on running a talent mentoring program in IT security at our university. We describe the whole process from increasing awareness of IT security among students, via maintaining a community of practice where they can improve their skills, to finally connect them to well-established IT companies. We also introduce avatao, a platform to support hands-on IT security practice. Our methods could serve as a blueprint to establish a successful talent management program in IT security in a typical academic environment.

Attack-defence Capture The Flag (CTF) competitions are effective pedagogic platforms to teach secure coding practices due to the interactive and real-world experiences they provide to the contest participants. Two of the key challenges that prevent widespread adoption of such contests are: 1) The game infrastructure is highly resource intensive requiring dedication of significant hardware resources and monitoring by organizers during the contest and 2) the participants find the gameplay to be complicated, requiring performance of multiple tasks that overwhelms inexperienced players. In order to address these, we propose a novel attack-defence CTF game infrastructure which uses application containers. The results of our work showcase effectiveness of these containers and supporting tools in not only reducing the resources organizers need but also simplifying the game infrastructure. The work also demonstrates how the supporting tools can be leveraged to help participants focus more on playing the game i.e. attacking and defending services and less on administrative tasks. The results from this work indicate that our architecture can accommodate over 150 teams with 15 times fewer resources when compared to existing infrastructures of most contests today.