When I become an instructor, I plan to implement this idea whether through the campus or not. There truly is a lack of hands-on training when it comes to network and information security classes. Regarding a fellow student’s concern about the lack of hands-on security learning experiences:
“What I’d like to see is more hands-on. I’ve had classes that promised it but never delivered.”
I think it’d be fun to have some sort of white-hat event where students are given a semester to discover potential security flaws of a system set up in class. A honeypot of sorts. Let students use some constructive and creative means in figuring out various aspects of the machine without actually being able to sit in front of it and log in. For instance:
What OS is the machine running?
What services are running?
What services could potentially be abused or are misconfigured?
Can you access the user accounts on the machine remotely?
Are the passwords to the accessible user accounts easily crackable?
Examples of a misconfigured machine:
Run any distro of Linux with ftp, telnet, SSH, mail server, web server, webmin. Give each student a user account on the machine and allow them to poke, prod, and see what can be done if they have user-level access to the machine. Throw in a couple of fake user accounts with weak passwords.
Run Windows 2003 server with no service packs. Set up an ftp, telnet, mail, and web server. Give each student a user account on the machine and allow them to poke, prod, and see what can be done if they have user-level access to the machine. Again, throw in a couple of fake user accounts with weak passwords.
Throw the machines up on the network as ownme.*.edu and pwnme.*.edu. The cost would be fairly minimal – maybe a couple thousand dollars for the machines and the Windows 2003 server OS. Then the disaster recovery class could set up a backup system at the beginning of the semester and “recover” at the end of the semester after everyone else gets to play. Things like this could be useful to several other classes as well.
Not only that, but this kind of stuff would be fun and would give students a chance to be creative and see security from more than just a home user view. It would also give students a chance to research tools that crackers use as well as tools that could help them, as security experts, maintain an acceptable level of security on their own systems.
As you can tell, I’ve had this in mind for quite some time, mainly because both schools I’ve been to have not had any form of hands-on security training other than a lame “wild packets” sniffer. I’d LOVE to be a part of setting something like this up (hint hint).
If anyone runs with my idea, you heard it here first 😛
Kidding aside, hands-on security research really should be implemented and more widespread throughout colleges and universities. Being book-smart about it won’t prepare you for what’s really out there, nor will it familiarize you with the methods used by malicious individuals to crack your system/network/information.