The West Point Carronade: Up Close and Personal


25 April 2020


Aaron J. Ferguson, Ph.D., CISSP
National Security Agency Visiting Professor
Department of Electrical Engineering & Computer Science
United States Military Academy

23 March 2005
Federal Information Systems Security Educators Association
Bethesda, MD

Agenda

• What is a Carronade?
• Why West Point?
• Carronade Non-Technical Design Considerations
• Carronade Technical Design Considerations
• West Point Stakeholder Buy-in
• Deployments
  – Carronade 1 – The Crawl
  – Carronade 2 – The Walk
  – Carronade 3 – The Run
• Implementation in Other Academic Environments
• Implications for Training, Teaching, and Learning (TTL)

What is a Carronade?

• The Carronade was a Navy cannon used in the early 1770s.

• The inventors, Charles Gascoigne, LTG Robert Melville, and Patrick Miller, designed the cannon in 1759 while working at the Carron Iron Works Company on the Carron River in Stirlingshire, Scotland.

• The Carronade, although possessing limited range, was destructive at close quarters (less than 0.6 miles).

The West Point Carronade

• While the email had the potential to be destructive, the intent was to get the attention of cadets, not to cause damage to the Academy network or to penalize the cadets.

• The exercise was short range (conducted inside the USMA security perimeter): only cadets with a usma.edu domain name could launch the embedded link.

Why West Point?

• West Point is perhaps the only service academy with a Computer Emergency Response Team (USMA CERT) that has membership that includes academic faculty and staff.

• The United States Military Academy was the first undergraduate institution to be certified (since Spring 2000) by the National Security Agency (NSA) as a Center of Academic Excellence in Information Assurance Education (CAEIAE).

• West Point is currently the only service academy with this certification. The CAEIAE certification establishes West Point as a proactive institution of higher learning in the area of Information Assurance.

“Phishing” Variants

• Embedded Link

• Attachment

Carronade Non-Technical Design Considerations

• Randomness
• Social Engineering
• Timing
• “High-Beam Effect”
• Human Subject Research

Carronade Technical Design Considerations

• Open Source Products
• Tomcat from Apache as the Web App Container
  – serves up both static HTML pages and dynamic Java Server Pages (JSP)
• Hibernate - Object-relational mapping solution
• Class Diagrams
• Java Bean Standards

High-Level Architecture

[Figure: architecture diagram. Labeled components: Web App Container (in/out), Web App Controller, Business Logic, View, Model, ORM, Email Server, DB Server.]

Stakeholder Buy-In

West Point seeks to accomplish two primary goals:

1. Balance the information technology needs of cadets, staff and faculty with the need to maintain a secure and robust network.

2. Provide a forum that would foster development of educated leaders who understand information security.

These two goals were accomplished by establishing a USMA level “community of practice” called the USMA Computer Emergency Response Team (USMA CERT).

Stakeholder Buy-In

• “Gotcha”
• Information Security Officer Ownership
• Incentives and/or recognition to cadets practicing good email security

Carronade I – The Crawl

• Four regiments (1 through 4) with each regiment comprised of eight companies (A through H). Each company has approximately 130 cadets.
  – The goal of the Carronade was to obtain results down to the company level.

• Within each of the eight companies in each of the four regiments, four cadets were randomly selected from each class (i.e., four freshmen, four sophomores, four juniors, and four seniors) for a total of 512 cadets out of a total of approximately 4200 cadets (about 12% of the Corps of Cadets).


Carronade I – The Crawl

• Because this was a proof-of-concept with a small sample size (512), extrapolating the results to the general population is ambitious at best.

• Approximately 80% (over 400) of the cadets selected clicked on the embedded link.

• Even with four hours of computer security instruction, 90% of the freshmen still clicked on the embedded link.

Carronade I – The Crawl

Feedback from the cadets who clicked on the embedded link included comments such as:

“The email looked suspicious but it was from an Army colonel, so I figured it must be legitimate”

and

“Any email that contains the word “grade” in it gets my immediate attention and action!”

USMA Commandant-NSA Fellow Email Collision

Carronade II – The Walk

There were 4155 persons in the student body; minus the 37 ISOs, there were 4118 persons who could potentially receive the email.

• Approximately 1010 embedded link emails were sent out.

• Approximately 1014 attachment emails were sent out.

• Approximately 999 sensitive information emails were sent out.

Carronade II – The Walk

More Stats


Carronade III – The Run

More Stats


Implementation in Other Academic Environments

• How Can It Work At My School?


Implications for Training, Teaching, and Learning (TTL)

• Educational Value Added
• Training Value Added

Summary

• Traditional classroom instruction model is necessary but not sufficient when it comes to learning.
  – Students have to touch, feel, and experience (“Close and Personal”) the content in order to learn.

• Goal of any security awareness exercise should be to make security an attitude within the organization, campus, or university.

QUESTIONS?


Embedded Link

From: [email protected] [mailto:[email protected]]
Sent: Thursday, February 17, 2005 11:49 AM
To: Cobb, M. MAJ EECS
Subject: Grade Report Problem

There was a problem with your last grade report. You need to do two things:

1. Select this link Grade Report and follow the instructions to make sure that your information is correct; and
2. Report any problems to me.

Robert Dante
COL, USCC
[email protected]
Olmstead Hall, 7th Floor, Room 7206

Embedded Link

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 15, 2005 8:01 AM
To: Cobb, M. MAJ EECS
Subject: Account Adminstration Error!

Our records do not show an account verification word associated with your account. This will allow you to access your account in the event you forget your password. You need to do two things:

1. Select this link Update Account and follow the instructions to make sure that your information is correct; and
2. Report any problems to me.

Charles Lidel
LTC, AV
Security Administration and Network Support Branch
[email protected]
Olmstead Hall, 7th Floor, Room 7206

Attachment

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, February 15, 2005 11:03 AM
To: Cobb, M. MAJ EECS
Subject: Grade Report Problem
Attachments: Grade Report.html (381B)

There was a problem with your last grade report. You need to do two things:

1. Open the attached web page and follow the instructions to make sure that your information is correct; and
2. Report any problems to me.

Robert Dante
COL, USCC
[email protected]
Olmstead Hall, 7th Floor, Room 7206