Training students to steal: a practical assignment in computer security education

Practical courses in information security give students first-hand knowledge of technical security mechanisms and their weaknesses. However, teaching students only the technical side of information security produces a generation of graduates who emphasize digital solutions but ignore the physical and social aspects of security. Over the last two years we devised a course in which students were given a practical assignment that combines physical security, social engineering and digital penetration testing. As part of the course, the students used social engineering to steal laptops from unaware employees throughout the university campus. The assignment gave the students a practical overview of security and increased their awareness of the strengths and weaknesses of security mechanisms. In this paper we present the design of the practical assignment and our observations from its execution.
