Introduction
Recently I volunteered and became a CyberPatriot mentor. In this program I work with local area high school students interested in cyber security who compete in cyber security competitions. Side note: If you work in cyber security, please consider being a mentor; there are perks and we need more STEM/cyber interest, especially from young women. One of the more challenging aspects of competitions for these groups, and most administrators, is discovering how a system you are given may be incorrectly configured. Some examples include discovering if telnet is running, no firewall enabled, a blank password on an administrator account, or a root/root username/password on Linux. In most cases, the competitions use a plethora of operating systems very much like most organizations (e.g. Windows 7, Windows 10, Ubuntu 14, Ubuntu 16, OSX).
The Challenge
In my previous experience, there are a lot of programs out there that automate this process. I began researching products I use, or know of and have used before, to share and demonstrate. This is when I learned that over the past 5 years the automated vulnerability configuration landscape has drastically changed from an open and free one to a cloud-based, paid one. This proved to be more of a challenge than I anticipated, requiring much more time than I allotted. I had to adjust my requirements for products which are here:
I scoured NIST's Computer Resource Security Center (CRSC) website to find products which were Security Content Automation Protocol (SCAP) compliant. SCAP is a method for using standards to automate system configuration checks/compliance. Cyber security software providers want to be SCAP compliant for Government compliance. It also helps in the private sector. SCAP compliance uses the former OVAL-based standards or the newer XCCDF checklist format to assess system configurations. A tool that is SCAP compliant is going to be easier for students to learn how to use. Unfortunately, as you'll see, I didn't find a single tool.
Tools, not a tool
In this case, students take a recommended configuration checklist using XML-based evaluation standards (OVAL, XCCDF) and use the file/list with an evaluation tool/program which outputs results showing the difference. The problem is that a lot of the tools out there are either no longer free, or they only work for specific operating systems. This means now having to use not one tool, but two. Note: OpenVAS is a good tool for this, but it is complicated and difficult to learn and use as it has many more features outside of configuration analysis.
The tools I ended up choosing were
As the tools above show, I did find some tools. But there is not one tool. I ended up discovering there were many available but that there wasn't a single inexpensive or free tool which could help these students' assessments during cyber security competitions. I think as young persons learning cyber security, the industry is doing a disservice by not providing readily available tools for them to practice with and to learn to use. Cyber security is tough. There is a lot of overwhelming content, vulnerabilities, system specific caveats, configuration data, network knowledge, and programming information a person has to learn while also trying to do it easily. I hoped there would be an easy way for these students learn I have is that an automated way to review hundreds or thousands of configuration settings
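
The "results showing the difference" step described above, as an added example that is not from the original post or from any tool it mentions: this Python code reads a simplified, constructed XCCDF 1.2 results document and lists the failed rules, most severe first. The rule ids, titles and the `summarize` function are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://checklists.nist.gov/xccdf/1.2"  # XCCDF 1.2 XML namespace
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

# Constructed, simplified sample (not output from a real scan or tool).
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_no_telnet" severity="high">
    <title>Telnet service is disabled</title></Rule>
  <Rule id="xccdf_example_rule_firewall_on" severity="medium">
    <title>Host firewall is enabled</title></Rule>
  <Rule id="xccdf_example_rule_no_blank_admin_pw" severity="high">
    <title>Administrator password is not blank</title></Rule>
  <TestResult id="xccdf_example_testresult_demo">
    <rule-result idref="xccdf_example_rule_no_telnet"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_firewall_on"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_no_blank_admin_pw"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize(xml_text):
    """Return (count per result value, failed rules sorted by severity then id)."""
    # For results files collected from untrusted hosts, parse with the
    # defusedxml package instead of the standard-library parser.
    root = ET.fromstring(xml_text)
    ns = {"x": NS}
    # Checklist part: map each rule id to its severity and title.
    rules = {}
    for rule in root.iter("{%s}Rule" % NS):
        title = rule.findtext("x:title", default="", namespaces=ns).strip()
        rules[rule.get("id")] = (rule.get("severity", "unknown"), title)
    # Results part: one rule-result per evaluated rule.
    counts, failed = {}, []
    for rr in root.iter("{%s}rule-result" % NS):
        result = rr.findtext("x:result", default="unknown", namespaces=ns).strip()
        counts[result] = counts.get(result, 0) + 1
        if result == "fail":
            severity, title = rules.get(rr.get("idref"), ("unknown", ""))
            failed.append((severity, rr.get("idref"), title))
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f[0], 3), f[1]))
    return counts, failed


if __name__ == "__main__":
    counts, failed = summarize(SAMPLE_RESULTS)
    print(counts)
    for severity, rule_id, title in failed:
        print("%-7s %s  (%s)" % (severity, title, rule_id))
```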
Author
I am a Doctoral Scholar at Colorado Technical University and a graduate of the Cyber Security Operations and Leadership program from the University of San Diego. I work in cybersecurity, and have accumulated twenty years in the IT industry. There are few IT roles I have not performed, which gives me great insights into making sense of all the IT confusion.