All sessions will be held in Grand Ballroom IX–X unless otherwise noted.
Papers are available for download below to registered attendees now and to everyone beginning August 13, 2018. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].
Downloads for Registered Attendees
(Sign in to your USENIX account to download these files.)
Monday, August 13
8:00 am–9:00 am
Grand Ballroom Foyer
9:00 am–10:40 am
Using Competitions and CTFs
Session Chair: Mark Gondree, Sonoma State University
Git-based CTF: A Simple and Effective Approach to Organizing In-Course Attack-and-Defense Security Competition
SeongIl Wi, Jaeseung Choi, and Sang Kil Cha, KAIST
Security competitions, a.k.a., CTFs, have never been easy to run for a classroom teacher despite there being considerable body of research on these events. It is often frustrating for teachers to organize and administer such an event as doing so requires significant time and human resource investments. Creating new problems for every CTF is challenging as there are many factors to consider while developing a CTF problem such as the difficulty level of each challenge. In this paper, we propose a simple, but effective approach that we refer to as Git-based CTF to hosting an in-class attack-and-defense CTF contest while minimizing the operational costs for teachers. We share our experience and lessons learned by organizing a Git-based CTF in KAIST.
Kevin Bock, George Hughey, and Dave Levin, University of Maryland
Cybersecurity competitions are an effective and engaging way of providing students with hands-on experience of real-world security practices. Unfortunately, existing competitions are ill-suited in giving students experience in penetration testing, because they tend to lack three key aspects: (1) pivoting across multiple machines, (2) developing or implanting custom software, and (3) giving students enough time to prepare for a lively in-class competition. In this paper, we present the design, implementation, and initial run of King of the Hill (KotH), an active learning cybersecurity competition designed to give students experience performing and defending against penetration testing. KotH competitions involve a sophisticated network topology that students must pivot through in order to reach high-value targets. When teams take control of a machine, they also take on the responsibility of running its critical services and defending it against other teams. Our preliminary results indicate that KotH gives students valuable and effective first-hand experience with problems that professional penetration testers and network administrators face in real environments.
Authenticity, Ethicality, and Motivation: A Formal Evaluation of a 10-week Computer Security Alternate Reality Game for CS Undergraduates
John R. Morelock, Virginia Tech; Zachary Peterson, Cal Poly, San Luis Obispo
Alternate reality games (ARGs) have been shown to have desirable characteristics for computer security education and student motivation. We implemented a 10-week-long ARG in an introductory undergraduate computer science course, and formally assessed the ARG's impact on students' course experience, as well as examined students' motivation-related experiences in the course by gender. Among other conclusions, we found that the ARG enabled an authentic and motivating problem-solving environment, but also raised ethical concerns among students that could lead to constructive discussions on ethical behavior in computer security. We also found that the ARG's use of several programming languages has detrimental effects on novice students---especially women---who felt at a disadvantage compared to their peers. We discuss connections to extant literature and implications for future implementations of the ARG.
Jacob Springer and Wu-chang Feng, Portland State University
Symbolic execution is an essential tool in modern program analysis and vulnerability discovery. The technique is used to both find and fix vulnerabilities as well as to identify and exploit them. In order to ensure that symbolic execution tools are used more for the former, rather than the latter, we describe a curriculum and a set of scaffolded, polymorphic, "capture-the-flag" (CTF) exercises that have been developed to help students learn and utilize the technique to help ensure the software they produce is secure.
10:40 am–11:00 am
Break with Refreshments
Grand Ballroom Foyer
11:00 am–12:30 pm
CyberSecurity Curriculum and Research
Session Chair: Zachary N J Peterson, Cal Poly San Luis Obispo
Melissa Dark, Purdue University; Sidd Kaza and Blair Taylor, Towson University
It is clear that in order to address the cybersecurity education and workforce crisis, the challenges are not just numerous but also inextricably linked. The least of which include a greater number of prepared faculty, effective curriculum, and infrastructure to host, use, and disseminate the curriculum. There is a demonstrated need for a cybersecurity digital library (DL) that will help address these challenges. The Cyber DL is similar to other curricular digital libraries in some respects (material quality, uptake, etc.) and unique in others (national security concerns, presence of damaging material – malware, material integrity issues, etc.). We have been working on the design and implementation of CLARK – The Cybersecurity Labs and Resource Knowledge-base. CLARK is a prototype curriculum management platform that hosts diverse cybersecurity learning objects. This submission introduces the system and highlights its capabilities as a tool that is much needed in the cybersecurity education community.
Mirror, Mirror, On the Wall: What are we Teaching Them All? Characterising the Focus of Cybersecurity Curricular Frameworks
Joseph Hallett, Robert Larson, and Awais Rashid, University of Bristol
Many cybersecurity curricular frameworks exist, but are they all equal? If a student takes a course based on one framework, what should they expect to get out of it? Different frameworks have different emphasis and will shape the courses implementing them leading to varying skill sets. This is not bad, but such biases should be clear. The Cybersecurity Body of Knowledge (CyBOK) is a broad guide to foundational cybersecurity knowledge developed through consultation with industry and academia. Using the knowledge areas from CyBOK as a basis for comparison, we characterise 4 curricular frameworks and find that different frameworks have different emphasis, and that not all frameworks cover all cybersecurity topics.
David Formby, Georgia Institute of Technology and Fortiphyd Logic; Milad Rad, Georgia Institute of Technology; Raheem Beyah, Georgia Institute of Technology and Fortiphyd Logic
Despite the abundance of free online resources and increased research into innovative educational techniques, the shortage of cybersecurity skills in the workforce continues. The skills gap in the specific area of industrial control system (ICS) security is even more dismal due to the higher barriers to entry raised by the exclusive use of expensive, proprietary hardware and software and the inherent dangers of manipulating real physical processes. To help beginners in ICS security overcome these barriers to entry we developed a graphical realism framework for industrial control simulations (GRFICS). GRFICS virtualizes entire ICS networks, from the operator interface down to realistic simulations of the physical process visualized in a 3D game engine. Using this framework, students can practice exploiting common ICS vulnerabilities and vividly see the physical impact in the visualization of the process. After gaining a better appreciation of the close relationship between the cyber and the physical worlds in ICS networks, students can then practice hardening the network against such attacks. This free and open-source framework can be used as the basis for formal classroom instruction, ICS-specific CTF competitions, or for independent study.
12:30 pm–2:00 pm
Grand Ballroom VI
1:15 pm–2:00 pm
Cyber Sleuth Escape Room (Optional Lunch Activity)
Suzanne Mello-Stark, WPI
2:00 pm–3:30 pm
Human Factors of CyberSecurity
Session Chair: Wu-chang Feng, Portland State University
Z. Cliffe Schreuders, Thomas Shaw, Aimée Mac Muireadhaigh, and Paul Staniforth, Leeds Beckett University
Capture the flag (CTF) has been applied with success in cybersecurity education, and works particularly well when learning offensive techniques. However, defensive security and incident response do not always naturally fit the existing approaches to CTF. We present Hackerbot, a unique approach for teaching computer security: students interact with a malicious attacker chatbot, who challenges them to complete a variety of security tasks, including defensive and investigatory challenges. Challenges are randomised using SecGen, and deployed onto an oVirt infrastructure.
Evaluation data included system performance, mixed methods questionnaires (including the Instructional Materials Motivation Survey (IMMS) and the System Usability Scale (SUS)), and group interviews/focus groups. Results were encouraging, finding the approach convenient, engaging, fun, and interactive; while significantly decreasing the manual marking workload for staff. The cloud infrastructure deployment using SecGen/oVirt was a success, generating VMs with randomised challenges, and enabling students to work from home.
Jorge Blasco and Elizabeth A. Quaglia, Royal Holloway, University of London
We present InfoSec Cinema, a film-based teaching activity that uses commercial films to teach information security. We analyse ten films to verify their suitability and build a public and editable database of information security events from films. Our findings show that most films embed enough security events to be used as a teaching tool. This could be used to produce information security teaching activities for a very wide range of audiences. Our experience in running two sessions of InfoSec Cinema was positive. Students were able to identify the most relevant events and even designed mitigations to avoid the problems that were depicted during the film. We also learned that the identification of security events greatly depends on the background and personality of the viewer.
Jane Blanken-Webb, Imani Palmer, Sarah-Elizabeth Deshaies, Nicholas C. Burbules, Roy H. Campbell, and Masooda Bashir, University of Illinois at Urbana-Champaign
This paper describes the rationale for and implementation of an experimental graduate-level cybersecurity ethics course curriculum recently piloted at the at the University of Illinois at Urbana-Champaign. This case study based ethics curriculum immerses students in real life ethical dilemmas within cybersecurity and engages in open dialogue and debate within a community of ethical practice. We uphold the importance of preparing students for a future that is truly unknown and uncertain and note that this requires a push beyond some established curricular guidelines for cybersecurity that underlie a rule and compliance-based approach to ethics education. Details of the course layout are offered as well as results from a student-evaluation survey.
Tom Chothia, Stefan-Ioan Paiu, and Michael Oultram, Univ. of Birmingham
Phishing, and particularly spear phishing, is a major security concern, however it is often not taught in any detail on security courses. Showing students examples of what they know to be phishing e-mails tends to give the incorrect impression that phishing is easy to spot and those that fall for phishing e-mails are foolish. Phishing students without their knowledge might be an effective way to teach students the dangers of phishing, but would lead to ethical and legal issues.
We have developed a framework in which students can try to perform phishing attacks against a simulated company. The framework takes the form of a single VM which the students download and runx on their own machines. On this VM the students find a website for a fictional company (with employee details), an e-mail client and common tools used for phishing.
Using what they can find out about the company employees the students need to carefully craft spear phishing e-mails. A script in the VM processes every e-mail sent by the student and uses rules to decide if they have produced a realistic spear phishing e-mail. If the e-mail passes this test then any attached executable, or any macros in Office documents will be run. Hence, the students need to both craft a successful phishing e-mail and a malicious payload. There is a docker container for each possible phishing victim, successful payloads may give the student a shell on this container, where they can find a flag, which they can submit to show they successfully completed a phishing attack.
3:30 pm–4:00 pm
Break with Refreshments
Grand Ballroom Foyer
4:00 pm–4:40 pm
Session Chair: Ashley Podhradsky, Dakota State University
Panelists: Blair Taylor, Towson University, NSA(CON); Tina Ladabouche, Steve LaFountain, Maureen Turney, and Lynne Clark, NSA
One of the goals of the National Security Agency is to advance the state of cybersecurity. Towards that goal, the College of Cyber at the National Security Agency (NSA) is leading several important initiatives to build a diverse cyber-skilled workforce. In this panel, presenters will discuss the role of the College of Cyber and various ongoing initiatives focused on improving national cybersecurity education, including: the National Center of Academic Excellence (CAE) Programs, GenCyber, and the National Cybersecurity Curriculum Program (NCCP).
- National Centers of Academic Excellence (CAE)—The Department of Homeland Security (DHS) and the NSA jointly sponsor the National CAE program. Through this program, colleges and universities receive designations in Cyber Defense (CAE_CD) and/or Cyber Operations after meeting stringent CAE criteria that includes mapping curricula to cybersecurity-related knowledge units. Discussion will include recent program initiatives such as academic peer mentorship, community collaboration, and evolving designation criteria as well as an overview of various internship programs.
- GenCyber—The GenCyber program provides summer cybersecurity camp experiences (free of charge) for K-12 students and teachers across the nation. The goals of the program are to grow and improve cybersecurity education in the United States, increase interest in cybersecurity careers and diversity in the cybersecurity workforce of the Nation, help students practice correct and safe on-line behavior and understand the foundational principles of cybersecurity, and improve teaching methods for delivering cybersecurity content in K-12 computer science curricula.
- National Cybersecurity Curriculum Program (NCCP)—The primary goal of the National Cybersecurity Curriculum Program is to develop cybersecurity curricula that will be made publicly available for educational institutions who wish to educate and prepare cybersecurity graduates with the requisite knowledge and skills to join the federal workforce. This session will highlight some of the 54 projects that have been awarded and describe the Cyber Ed workshops.
4:40 pm–5:00 pm
Laura Bate, Senior Program Associate, Cybersecurity Initiative, New America
For the past three years, Cybersecurity Policy Fellows have been a major part of New America’s Cybersecurity Initiative. The fellowship provides a group of academics, practitioners, technologists, and others with a yearlong, non-resident fellowship with New America’s Cybersecurity Initiative. The fellowship is designed to enable Fellows to work creatively with the Initiative, each other, and the cybersecurity community to improve the quality of cybersecurity policy discussion.
See the fellowship application for more information.