Enhancement Techniques for Student Engagement

Enhancement Techniques for Student Engagement in Cybersecurity Education

Oliver Bill* and Basel Halak*+

*Electronics and Computer Sciences, Southampton University
+Institute for Learning Innovation and Development

Abstract. In order to create successful cybersecurity professionals, it is important to engage students in a way that bridges the gap from the academic to the real world. In this paper, we present three examples used within teaching at Southampton University: the use of real-world scenarios presented through virtual environments, the creation of a cryptography learning platform and the fostering of student communities to support learning through social networking. We explore the ways in which practical hands-on experience based on industry can better support the development of skills. We examine how real-life techniques can be combined with gamification and personalised learning to engender positive engagement. We consider how real-world scenarios within the educational institution can be utilised to further learning within a safe but relevant context, being mutually beneficial to the students and institution. Finally, we consider the role of fostering a strong cybersecurity student community, using social networking, student societies and extra-curricular activities.

1. Introduction

In this paper, we explore three examples of student engagement at Southampton University, combining real-world scenarios, applications and techniques with interactivity, gamification, practical hands-on assessment and social interaction. This paper explores the use of pre-built virtual environments mimicking real-world scenarios as assessment, a specialised software platform for teaching cryptography and the successful development of online cybersecurity communities to support learning within the institution.

2. Real-world scenarios through virtual environments

The first method to aid engagement is utilisation of virtual machines as self-contained learning objects to provide assessed, practical, hands-on experience (Bullers et al. 2006) in the Cybersecurity and Secure Systems modules at Southampton University. In contrast to traditional exercises, each machine was built to provide a real-world scenario reflecting what students would face in the cybersecurity industry. We present three differing assessments using this model:

The first assessment, ‘Rob the Bank’ (Figure 1), is a functional but insecure online banking system, designed to provide a unique, humorous, game-based experience for each student. The application contains various examples of web vulnerabilities, from SQL Injection to exposed infrastructure. Based on a random seed for each student, every experience sees the same vulnerabilities but in unique locations, creating individualised coursework in a similar way to usage in statistics (Hunt 2007). This aids engagement, as it freely allows students to share thoughts and techniques without concern of sharing answers. Gamification is used, with achievements unlocked for each successful exploit and a competition for those with both the most and the least amounts of money, which led to a high level of engagement and competition amongst students. This was combined with humour and memes to further reward and engage students. To address the issues in balancing gamification with report writing as described in (Domínguez et al. 2013), the two were linked through context-sensitive assessment, such that on exploiting vulnerabilities, students are immediately asked to explain what they had achieved.
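One way an instructor could implement the per-student seeding described above, shown as an added example that is not the authors' code: the seed is derived from a course secret and the student ID, so every student receives the same vulnerability classes in different locations and the marker can regenerate any layout on demand. The vulnerability names, page paths, secret and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

# Constructed sample data: these vulnerability classes and page paths are
# hypothetical, not taken from the 'Rob the Bank' application.
VULNERABILITIES = ["sql_injection", "reflected_xss", "idor", "exposed_admin_panel"]
LOCATIONS = ["/login", "/transfer", "/statement", "/profile", "/search", "/support"]


def student_seed(course_secret: bytes, student_id: str) -> int:
    """Derive a stable per-student seed.

    Keying the derivation with HMAC means a student cannot reconstruct a
    classmate's layout from the classmate's ID alone.
    """
    digest = hmac.new(course_secret, student_id.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def build_layout(course_secret: bytes, student_id: str) -> dict:
    """Place every vulnerability at a distinct location, deterministically per student."""
    # random.Random is used only to shuffle the layout, never for key material.
    rng = random.Random(student_seed(course_secret, student_id))
    chosen = rng.sample(LOCATIONS, k=len(VULNERABILITIES))
    return dict(zip(VULNERABILITIES, chosen))


def mark_finding(course_secret: bytes, student_id: str,
                 vulnerability: str, location: str) -> bool:
    """Marker-side check: regenerate the layout and compare the reported location."""
    return build_layout(course_secret, student_id).get(vulnerability) == location


if __name__ == "__main__":
    secret = b"constructed-course-secret"  # placeholder, keep the real one off the VM
    for sid in ("student-001", "student-002"):
        print(sid, build_layout(secret, sid))
```

Because the layout is a pure function of the secret and the student ID, nothing per-student needs to be stored for marking, and a finding copied from a classmate fails the check unless the two layouts happen to coincide at that location.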

Figure 1: Rob the Bank, a vulnerable web application game

The second assessment on penetration testing sees students tasked with a fully-configured virtual machine to which they had no access, mimicking a shared hosting web server running multiple sites and applications. Engagement was achieved through the open and challenging nature of the environment, with students needing to apply their understanding to a real-world application while working together and sharing findings. Through utilising appropriate tools and resources building on (Patriciu & Furtuna 2009), they are challenged with identifying open services and exploiting each service to incrementally gain further knowledge or access to the system, eventually leading to code execution, system compromise, privilege escalation and complete control of the machine.

The final assessment, covering malware detection, analysis and removal (Figure 2), sees students provided with a Windows virtual machine infected with multiple live and current malware samples. The malware ranges from Trojans to worms to rootkits, originating from incoming spam to the university. Relying purely on technical skills and with no signature-based tools available, students are tasked with detecting and quarantining malware on the machine to return it to a clean state, followed by analysing everything encountered. Students engaged with the real-world scenario presented, the in-the-wild malware and the practical techniques required. Engagement was further built through interactive lectures, the effectiveness of which is illustrated by (Rehman et al. 2013). In these lectures, similar scenarios are presented in-class with students working together to detect, clean and analyse additional scenarios.

Figure 2: Malware analysis virtual environment

3. Cryptography learning software platform

The second method aimed at enhancing engagement is Crypto tool, used to support teaching of the Cryptography module. Crypto tool is a software platform for teaching encryption and decryption schemes, developed as open-source software in order to illustrate how encryption/decryption algorithms can be employed to achieve privacy, based on (Paar & Pelzl 2010; Trappe et al. 2007; Stinson 2005). The main goal for developing this tool is to encourage students to find practical applications for the theories and algorithms learnt in class. To achieve this, we adopt a three-stage approach:

1. First, we choose a practical security problem which all students can relate to.
2. Second, we give students a basic solution that has security problems.
3. Third, students are asked to identify the weaknesses of the provided solution and develop a more enhanced version.

The proposed teaching platform encourages students to critically analyse the security of an implemented security solution, identify potential weaknesses and use cryptographic primitives to develop better solutions. The Crypto tool can be used as coursework, a lab exercise or as the basis of an individual project. We present one case of the proposed platform from the 2014/2015 academic year as an individual project. We have provided the students with a basic version of the crypto tool which implements classic ciphers and only supports text files. Students are then asked to develop their own secure file storage tools. Students' solutions are assessed based on the quality of their implementations in terms of security and usability. The tool also supports multi-stage encryption, which allows the user to build their own encryption algorithm by combining algorithms, detection of malicious modifications of files using hash functions, and all known file formats. The platform can also be used as the basis of other security applications of cryptography such as secure communication over noisy channels and authentication protocols.

4. Building learning communities

The final method employed at Southampton is the engagement of students as a collective in the formation of an engaged community of cybersecurity experts using social networking to promote collective and collaborative learning (Irwin et al. 2012). The use of module Facebook groups alongside a general university cybersecurity group has drawn strong levels of student engagement. A formula for success of module Facebook groups has been developed, which sees immediate and helpful feedback and assistance from academic staff in the first few days to encourage usage of the group, which leads to a high initial uptake.
The group is treated as an alternative to traditional learning environments, as explored by (Wang et al. 2012), with course materials and resources being shared directly onto the group. Following the initial usage, students take to helping and engaging with each other, sharing resources, techniques and skills and most importantly, forming a community. For continued development, it is important for academic staff to ensure an informal and relaxed environment and to refrain from over-engaging themselves, allowing the group to develop naturally.

5. Conclusion

In conclusion, we have highlighted how student engagement can be enhanced through real-world scenarios, enhanced with interactivity, gamification, practical hands-on assessment and social interaction. The techniques described in this paper have led to positive engagement, with interested, enthused, high-performing students and strong participation levels, which is reflected in the student feedback on the modules discussed.

6. References

1. Bullers, W.I., Burd, S. & Seazzu, A.F., 2006. Virtual machines - an idea whose time has returned. ACM SIGCSE Bulletin, 38(1), p.102.
2. Domínguez, A. et al., 2013. Gamifying learning experiences: Practical implications and outcomes. Computers & Education, 63, pp.380–392.
3. Hunt, N., 2007. Computing Corner. Individualized Statistics Coursework Using Spreadsheets. Teaching Statistics, 29(2), pp.38–43.
4. Irwin, C. et al., 2012. Students’ perceptions of using Facebook as an interactive learning resource at university. Australasian Journal of Educational Technology, 28(7), pp.1221–1232.
5. Paar, C. & Pelzl, J., 2010. Understanding Cryptography. Understanding Cryptography, pp.293–317.
6. Patriciu, V.-V. & Furtuna, A.C., 2009. Guide for designing cyber security exercises, pp.172–177.
7. Rehman, R., Afzal, K. & Kamran, A., 2013. Interactive Lectures: A perspective of students and lecturers. Journal of Postgraduate Medical Institute (Peshawar Pakistan), 27(2).
8. Stinson, D.R., 2005. Cryptography: Theory and practice, Chapman and Hall/CRC.
9. Trappe, W. et al., 2007. Introduction to cryptography with coding theory, second edition.
10. Wang, Q. et al., 2012. Using the Facebook group as a learning management system: An exploratory study. British Journal of Educational Technology, 43(3), pp.428–438.