The West Point Carronade: Up Close and Personal

The West Point Carronade: Up Close and Personal. Aaron J. Ferguson, Ph.D., CISSP National Security Agency Visiting Professor Department of Electrical Engineering & Computer Science United States Military Academy. 23 March 2005 Federal Information Systems Security Educators Association

Presentation Transcript
The West Point Carronade: Up Close and Personal

Aaron J. Ferguson, Ph.D., CISSP

National Security Agency Visiting Professor

Department of Electrical Engineering & Computer Science

United States Military Academy

23 March 2005

Federal Information Systems Security Educators Association

Bethesda, MD

Agenda

  • What is a Carronade?
  • Why West Point?
  • Carronade Non-Technical Design Considerations
  • Carronade Technical Design Considerations
  • West Point Stakeholder Buy-in
  • Deployments
    • Carronade 1 – The Crawl
    • Carronade 2 – The Walk
    • Carronade 3 – The Run
  • Implementation in Other Academic Environments
  • Implications for Training, Teaching, and Learning (TTL)
What is a Carronade?

The Carronade was a Navy cannon used in the early 1770s.

The inventors, Charles Gascoigne, LTG Robert Melville, and Patrick Miller, designed the cannon in 1759 while working at the Carron Iron Works Company on the Carron River in Stirlingshire, Scotland.

The Carronade, although possessing limited range, was destructive at close quarters (less than 0.6 miles).
The West Point Carronade

While the email had the potential to be destructive, the intent was to get the attention of cadets, not to cause damage to the Academy network or to penalize the cadets.

The exercise was short range: it was conducted inside the USMA security perimeter, and only cadets with a usma.edu domain name could launch the embedded link.
Why West Point?

West Point is perhaps the only service academy with a Computer Emergency Response Team (USMA CERT) whose membership includes academic faculty and staff.

The United States Military Academy was the first undergraduate institution to be certified (since Spring 2000) by the National Security Agency (NSA) as a Center of Academic Excellence in Information Assurance Education (CAEIAE).

West Point is currently the only service academy with this certification. The CAEIAE certification establishes West Point as a proactive institution of higher learning in the area of Information Assurance.
Carronade Non-Technical Design Considerations

  • Randomness
  • Social Engineering
  • Timing
  • “High-Beam Effect”
  • Human Subject Research
Carronade Technical Design Considerations

  • Open Source Products
    • Tomcat from Apache as the Web App Container: serves up both static HTML pages and dynamic Java Server Pages (JSP)
    • Hibernate: object-relational mapping solution
  • Class Diagrams
  • Java Bean Standards
High-Level Architecture

[Architecture diagram. Labeled components: Web App Container, Web App Controller, Business Logic, Model, View, ORM, Email Server, DB Server; arrows labeled "in" and "out".]
Stakeholder Buy-In

West Point seeks to accomplish two primary goals:

  • Balance the information technology needs of cadets, staff and faculty with the need to maintain a secure and robust network.
  • Provide a forum that would foster development of educated leaders who understand information security.

These two goals were accomplished by establishing a USMA-level “community of practice” called the USMA Computer Emergency Response Team (USMA CERT).
Stakeholder Buy-In

  • “Gotcha”
  • Information Security Officer Ownership
  • Incentives and/or recognition to cadets practicing good email security
Carronade I – The Crawl

The Corps of Cadets has four regiments (1 through 4), each comprising eight companies (A through H). Each company has approximately 130 cadets.

The goal of the Carronade was to obtain results down to the company level.

Within each of the eight companies in each of the four regiments, four cadets were randomly selected from each class (i.e., four freshmen, four sophomores, four juniors, and four seniors) for a total of 512 cadets out of a total of approximately 4200 cadets (about 12% of the Corps of Cadets).
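The selection scheme on this slide, as an added example that is not part of the original presentation: a stratified random draw of four cadets per class in every company, so each company contributes the same sample size and results can be compared at the company level. The roster, its size of 32 cadets per class per company, and the cadet IDs are constructed placeholders.

```python
import random
from collections import Counter

REGIMENTS = (1, 2, 3, 4)
COMPANIES = "ABCDEFGH"
CLASSES = ("freshman", "sophomore", "junior", "senior")
PER_CELL = 4  # cadets drawn per class within each company (from the slide)


def build_roster(per_class=32):
    """Constructed roster; IDs are placeholders, not real cadet identifiers."""
    return [
        {"id": f"{co}{reg}-{cls[:2]}-{n:02d}",
         "regiment": reg, "company": co, "class": cls}
        for reg in REGIMENTS for co in COMPANIES
        for cls in CLASSES for n in range(per_class)
    ]


def stratified_sample(roster, per_cell=PER_CELL, seed=None):
    """Draw per_cell cadets at random from each (regiment, company, class) cell."""
    rng = random.Random(seed)
    cells = {}
    for cadet in roster:
        key = (cadet["regiment"], cadet["company"], cadet["class"])
        cells.setdefault(key, []).append(cadet)
    sample = []
    for key in sorted(cells):
        members = cells[key]
        if len(members) < per_cell:  # a short cell would skew company results
            raise ValueError(f"cell {key} has only {len(members)} cadets")
        sample.extend(rng.sample(members, per_cell))
    return sample


def per_company_counts(sample):
    """Sample size per (regiment, company), the level results are reported at."""
    return Counter((c["regiment"], c["company"]) for c in sample)


if __name__ == "__main__":
    roster = build_roster()
    sample = stratified_sample(roster, seed=2005)
    print(len(roster), len(sample), set(per_company_counts(sample).values()))
```
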
Carronade I – The Crawl

Because this was a proof-of-concept with a small sample size (512), extrapolating the results to the general population is ambitious at best.

Approximately 80% (over 400) of the cadets selected clicked on the embedded link.

Even with four hours of computer security instruction, 90% of the freshmen still clicked on the embedded link.
Carronade I – The Crawl

Feedback from the cadets that clicked on the embedded link included comments such as:

“The email looked suspicious but it was from an Army colonel, so I figured it must be legitimate” and “Any email that contains the word ‘grade’ in it gets my immediate attention and action!”

USMA Commandant-NSA Fellow Email Collision
Carronade II – The Walk

There were 4155 persons in the student body; minus the 37 ISOs, there were 4118 persons that could potentially receive the email.

Approximately 1010 embedded link emails were sent out.

Approximately 1014 attachment emails were sent out.

Approximately 999 sensitive information emails were sent out.
Summary

  • Traditional classroom instruction model is necessary but not sufficient when it comes to learning.
    • Students have to touch, feel, and experience (“Close and Personal”) the content in order to learn.
  • Goal of any security awareness exercise should be to make security an attitude within the organization, campus, or university.

Embedded Link

From: sr1770@usma.edu [mailto:sr1770@usma.edu]
Sent: Thursday, February 17, 2005 11:49 AM
To: Cobb, M. MAJ EECS
Subject: Grade Report Problem

There was a problem with your last grade report. You need to do two things:

Select this link Grade Report and follow the instructions to make sure that your information is correct; and
Report any problems to me.

Robert Dante
COL, USCC
sr1770@usma.edu
Olmstead Hall, 7th Floor, Room 7206

Embedded Link

From: sr1770@usma.edu [mailto:sr1770@usma.edu]
Sent: Tuesday, February 15, 2005 8:01 AM
To: Cobb, M. MAJ EECS
Subject: Account Adminstration Error!

Our records do not show an account verification word associated with your account. This will allow you to access your account in the event you forget your password. You need to do two things:

Select this link Update Account and follow the instructions to make sure that your information is correct; and
Report any problems to me.

Charles Lidel
LTC, AV
Security Administration and Network Support Branch
sr1770@usma.edu
Olmstead Hall, 7th Floor, Room 7206

Attachment

From: sr1770@usma.edu [mailto:sr1770@usma.edu]
Sent: Tuesday, February 15, 2005 11:03 AM
To: Cobb, M. MAJ EECS
Subject: Grade Report Problem
Attachments: Grade Report.html (381B)

There was a problem with your last grade report. You need to do two things:

Open the attached web page and follow the instructions to make sure that your information is correct; and
Report any problems to me.

Robert Dante
COL, USCC
sr1770@usma.edu
Olmstead Hall, 7th Floor, Room 7206
