
The West Point Carronade: Up Close and Personal

The West Point Carronade: Up Close and Personal. Aaron J. Ferguson, Ph.D., CISSP National Security Agency Visiting Professor Department of Electrical Engineering & Computer Science United States Military Academy. 23 March 2005 Federal Information Systems Security Educators Association


Presentation Transcript


  1. The West Point Carronade: Up Close and Personal Aaron J. Ferguson, Ph.D., CISSP National Security Agency Visiting Professor Department of Electrical Engineering & Computer Science United States Military Academy 23 March 2005 Federal Information Systems Security Educators Association Bethesda, MD

  2. Agenda
     • What is a Carronade?
     • Why West Point?
     • Carronade Non-Technical Design Considerations
     • Carronade Technical Design Considerations
     • West Point Stakeholder Buy-in
     • Deployments: Carronade 1 – The Crawl; Carronade 2 – The Walk; Carronade 3 – The Run
     • Implementation in Other Academic Environments
     • Implications for Training, Teaching, and Learning (TTL)

  3. The Carronade was a Navy cannon used in the early 1770s. The inventors, Charles Gascoigne, LTG Robert Melville, and Patrick Miller, designed the cannon in 1759 while working at the Carron Iron Works Company on the Carron River in Stirlingshire, Scotland. The Carronade, although possessing limited range, was destructive at close quarters (less than 0.6 miles). What is a Carronade?

  4. While the email had the potential to be destructive, the intent was to get the attention of cadets, not to cause damage to the Academy network or to penalize the cadets. The exercise was short range--conducted inside the USMA security perimeter--only cadets with a usma.edu domain name could launch the embedded link. The West Point Carronade

  5. West Point is perhaps the only service academy with a Computer Emergency Response Team (USMA CERT) whose membership includes academic faculty and staff. The United States Military Academy was the first undergraduate institution to be certified (since Spring 2000) by the National Security Agency (NSA) as a Center of Academic Excellence in Information Assurance Education (CAEIAE). West Point is currently the only service academy with this certification. The CAEIAE certification establishes West Point as a proactive institution of higher learning in the area of Information Assurance. Why West Point?

  6. “Phishing” Variants
     • Embedded Link
     • Attachment

  7. Carronade Non-Technical Design Considerations
     • Randomness
     • Social Engineering
     • Timing
     • “High-Beam Effect”
     • Human Subject Research

  8. Carronade Technical Design Considerations
     • Open Source Products
     • Tomcat from Apache as the Web App Container: serves up both static HTML pages and dynamic Java Server Pages (JSP)
     • Hibernate: object-relational mapping solution
     • Class Diagrams
     • Java Bean Standards

  9. High-Level Architecture (diagram; components shown): Web App Container holding the Web App Controller, Business Logic, Model and View; ORM layer; DB Server; Email Server with mail in/out

  10. West Point seeks to accomplish two primary goals: Balance the information technology needs of cadets, staff and faculty with the need to maintain a secure and robust network. Provide a forum that would foster development of educated leaders who understand information security. These two goals were accomplished by establishing a USMA-level “community of practice” called the USMA Computer Emergency Response Team (USMA CERT). Stakeholder Buy-In

  11. Stakeholder Buy-In
      • “Gotcha”
      • Information Security Officer Ownership
      • Incentives and/or recognition to cadets practicing good email security

  12. Four regiments (1 through 4) with each regiment comprised of eight companies (A through H). Each company has approximately 130 cadets. The goal of the Carronade was to obtain results down to the company level. Within each of the eight companies in each of the four regiments, four cadets were randomly selected from each class (i.e., four freshman, four sophomores, four juniors, and four seniors) for a total of 512 cadets out of a total of approximately 4200 cadets (about 12% of the Corps of Cadets). Carronade I – The Crawl

  13. Because this was a proof-of-concept with a small sample size (512), extrapolating the results to the general population is ambitious at best. Approximately 80% (over 400) of the cadets selected clicked on the embedded link. Even with four hours of computer security instruction, 90% of the freshmen still clicked on the embedded link. Carronade I – The Crawl
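The stratified draw described on slides 12 and 13 (four cadets per class in each of the 32 companies, 512 in all) and the company-level reporting it was designed to support, as an added example; this is not the USMA Carronade tool, and the roster, cadet ids and click results are constructed here rather than real data.

```python
"""Stratified selection and company-level reporting for a Carronade I-style
phishing awareness exercise. Added illustration, not the USMA tool; the
roster and click results below are constructed, not real data."""
import random
from collections import defaultdict

REGIMENTS = ["1", "2", "3", "4"]
COMPANIES = "ABCDEFGH"
CLASSES = ["freshman", "sophomore", "junior", "senior"]
PER_CELL = 4  # cadets drawn per class within each company (slide 12)


def build_roster(per_company=130):
    """Constructed roster: ~130 cadets per company, classes spread evenly."""
    roster = []
    for reg in REGIMENTS:
        for co in COMPANIES:
            for i in range(per_company):
                roster.append({"id": f"{reg}{co}-{i:03d}", "regiment": reg,
                               "company": co, "cls": CLASSES[i % len(CLASSES)]})
    return roster


def select_sample(roster, per_cell=PER_CELL, seed=7):
    """Stratified random draw: per_cell cadets from every (regiment,
    company, class) stratum, drawn independently so results can later be
    broken out down to the company level. 4 x 8 x 4 x 4 = 512 cadets."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for cadet in roster:
        strata[(cadet["regiment"], cadet["company"], cadet["cls"])].append(cadet)
    sample = []
    for key in sorted(strata):
        pool = strata[key]
        sample.extend(rng.sample(pool, min(per_cell, len(pool))))
    return sample


def company_click_rates(sample, clicked_ids):
    """Aggregate click results to (regiment, company) and to class year.
    clicked_ids is the set of sampled cadet ids that followed the link."""
    totals = defaultdict(lambda: [0, 0])  # key -> [clicked, sent]
    for cadet in sample:
        for key in ((cadet["regiment"], cadet["company"]), ("class", cadet["cls"])):
            totals[key][1] += 1
            totals[key][0] += cadet["id"] in clicked_ids
    return {k: round(clicked / sent, 3) for k, (clicked, sent) in totals.items()}
```

The per-stratum draw is what makes the company-level and class-level rates comparable; a simple random sample of 512 from the whole Corps would leave some companies with too few cadets to report on.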

  14. Carronade I – The Crawl
      • Feedback from the cadets that clicked on the embedded link included comments such as: “The email looked suspicious but it was from an Army colonel, so I figured it must be legitimate” and “Any email that contains the word ‘grade’ in it gets my immediate attention and action!”
      • USMA Commandant-NSA Fellow Email Collision

  15. The student body had 4155 persons; minus the 37 ISOs, 4118 persons could potentially receive the email. Approximately 1010 embedded link emails were sent out. Approximately 1014 attachment emails were sent out. Approximately 999 sensitive information emails were sent out. Carronade II – The Walk

  16. Carronade II – The Walk: More Stats (chart not in transcript)

  17. Carronade III – The Run: More Stats (chart not in transcript)

  18. Implementation in Other Academic Environments
      • How Can It Work At My School?

  19. Implications for Training, Teaching, and Learning (TTL)
      • Educational Value Added
      • Training Value Added

  20. Summary
      • Traditional classroom instruction model is necessary but not sufficient when it comes to learning.
      • Students have to touch, feel, and experience (“Close and Personal”) the content in order to learn.
      • Goal of any security awareness exercise should be to make security an attitude within the organization, campus, or university.

  21. QUESTIONS?

  22. Embedded Link
      From: sr1770@usma.edu [mailto:sr1770@usma.edu]
      Sent: Thursday, February 17, 2005 11:49 AM
      To: Cobb, M. MAJ EECS
      Subject: Grade Report Problem

      There was a problem with your last grade report. You need to do two things:
      Select this link Grade Report and follow the instructions to make sure that your information is correct; and
      Report any problems to me.
      Robert Dante
      COL, USCC
      sr1770@usma.edu
      Olmstead Hall, 7th Floor, Room 7206

  23. Embedded Link
      From: sr1770@usma.edu [mailto:sr1770@usma.edu]
      Sent: Tuesday, February 15, 2005 8:01 AM
      To: Cobb, M. MAJ EECS
      Subject: Account Adminstration Error!

      Our records do not show an account verification word associated with your account. This will allow you to access your account in the event you forget your password. You need to do two things:
      Select this link Update Account and follow the instructions to make sure that your information is correct; and
      Report any problems to me.
      Charles Lidel
      LTC, AV
      Security Administration and Network Support Branch
      sr1770@usma.edu
      Olmstead Hall, 7th Floor, Room 7206

  24. Attachment
      From: sr1770@usma.edu [mailto:sr1770@usma.edu]
      Sent: Tuesday, February 15, 2005 11:03 AM
      To: Cobb, M. MAJ EECS
      Subject: Grade Report Problem
      Attachments: Grade Report.html (381B)

      There was a problem with your last grade report. You need to do two things:
      Open the attached web page and follow the instructions to make sure that your information is correct; and
      Report any problems to me.
      Robert Dante
      COL, USCC
      sr1770@usma.edu
      Olmstead Hall, 7th Floor, Room 7206
