Abstract—In this paper, we discuss the development of IoT security exercise content and its implementation in CyExec. While Internet of Things (IoT) devices are becoming more popular, vulnerability countermeasures are insufficient, and many incidents have occurred. This is because there is insufficient protection against vulnerabilities specific to IoT equipment. Also, developers and users have low awareness of the vulnerabilities that have affected IoT devices in the past. Therefore, the importance of security education on IoT devices is increasing. However, the enormous burden of introduction and operation costs has limited the use of commercial cybersecurity exercise systems. CyExec (Cyber Security Exercise System), consisting of a virtual environment using VirtualBox and Docker, is a low-cost and flexible cybersecurity exercise system that we have proposed for the dissemination of security education. The exercise content for CyExec is composed of basic exercises and applied exercises.

Index Terms—cybersecurity, security education, IoT, CyExec

I. INTRODUCTION

As IoT devices become popular, cyberattacks targeting them are increasing. These attacks cause business and service failures, information leakage, and financial damage both at home and abroad, threatening economic development and the safety and security of daily life.

In September 2016, there was a DDoS attack on a blog site in the United States by a botnet of infected IoT equipment [1]. In April 2018, a floodgate water-monitoring camera on a river in Japan was tampered with through unauthorized access [1].

Cyberattacks on IoT devices cause economic and social losses, and social awareness of, and the need for, the security of IoT devices will therefore increase further. The Ministry of Internal Affairs and Communications in Japan has listed "human resources development" as one of the tasks in its "Comprehensive measures for IoT security," which sets out the issue of IoT security [2].

As an effort in talent development, training on a Cyber Range, in which learners experience cyber-attack and defense using a dedicated application, is carried out in some universities and public institutions to acquire cybersecurity knowledge and technology [3].

Using a commercial Cyber Range exercise, a learner can learn how to respond systematically, in the learner's role, to protect themselves from cyber-attacks based on training scenarios on a network built in a virtual environment [4] [5]. However, for higher education institutions such as universities, the cost of introducing a Cyber Range system is high, and there is a shortage of personnel to maintain and manage the exercise environment. For these reasons, the educational environment for developing security personnel has not progressed. Therefore, higher education institutions must develop an inexpensive exercise system that facilitates the joint development and utilization of exercise programs.

To promote practical security education, we have developed CyExec (Cyber Security Exercise System), a low-cost and flexible cybersecurity exercise system consisting of a virtual environment using VirtualBox and Docker [4] [5]. The exercise content of CyExec is composed of basic exercises and applied exercises.

We explain the outline of CyExec in Chapter II, give a brief overview of IoT security exercises in Chapter III, explain the basic exercise content in Chapter IV, and describe the development and implementation of IoT security-related applied exercises in Chapter V.

II. OVERVIEW OF CYEXEC

CyExec, which assumes introduction at higher education institutions and small and medium-sized enterprises, is an exercise system for learning the basic techniques of cyber attack and defense. Figure 1 shows an overview of the CyExec exercise system [4] [5].

Fig. 1. Overview of CyExec exercises system.

The list below shows the characteristics of CyExec.
(1) A highly portable exercise environment at a low cost
(2) An exercise environment suited to joint development and utilization

CyExec enhances the implementation of exercise programs through joint development and use not only within a single organization but also with related organizations. In order to realize joint development and use by multiple higher education institutions, it is necessary to develop and utilize exercise programs between different institutions efficiently. We achieved this using a container technology, Docker.

Our system places the exercises in containers on Docker, and Docker runs on a virtual environment configured with VirtualBox. This facilitates the creation of a purpose-specific exercise environment by implementing and running a variety of vulnerability diagnosis, attack, and defense exercise programs on containers. Also, by creating an image file of the container that runs the developed exercise program, it can be used jointly by publishing it within the related organizations.

III. IOT SECURITY AND EXERCISE CONTENT

A. Type and Security of IoT Systems

Figure 2 shows the architecture of IoT systems. IoT systems consist of IoT devices at the lowest layer, edge computing, and cloud computing at the top layer [6].

The architecture of an IoT system can be classified into three patterns depending on the lower-layer configuration.
(1) Pattern 1: IoT devices cannot process data. They send the acquired data, without processing, to the cloud computer via an IoT gateway. Examples are digital water temperature systems and weather sensors.
(2) Pattern 2: IoT devices are installed within an IoT area network consisting of near-range communications such as wireless LAN and Bluetooth. The IoT devices cannot process data; an edge server processes the acquired data and transmits the processed data to a cloud computer. Examples are a product management system using IC tags and smart appliances.
(3) Pattern 3: An IoT device has the function of an edge server and processes the acquired data itself, then sends the processed data to cloud computing. Examples are multi-function printers and network cameras.

B. Structure of training contents

Figure 3 shows the configuration of the CyExec exercise content. CyExec exercise content consists of law and ethics, basic, and applied exercises [4].

We provide the law and ethics practice before entering the main exercises to prevent participants from exploiting the attack techniques they have learned for a crime. The lecturer of the exercise is obliged to give the lecture on law and ethics education before the practice.

In the basic exercise part, OSS (Open Source Software) exercise content is used to learn the basics of vulnerability knowledge and detection methods.
Fig. 4. Implementing Basics Exercise in CyExec.
for learning "Pattern 3" security described in Chapter III-A. OWASP has scheduled 12 exercises for the IoTGoat exercise. Among these, five are available in the WebGoat exercise.

Table II shows the correspondence between the IoTGoat exercise themes and the available WebGoat exercises.

TABLE II
CORRESPONDENCE OF IOTGOAT AND WEBGOAT EXERCISES THEME

IoTGoat                                  | WebGoat
Weak, Guessable, or Hardcoded Passwords  | Authentication Flaws
Insecure Ecosystem Interfaces            | General; Injection Flaws; Authentication Flaws; Cross-Site Scripting; Access Control Flaws; Insecure Communication; Insecure Deserialization; Request Forgeries; Client side
Use of Insecure or Outdated Components   | Vulnerable Components
Insufficient Privacy Protection          | Access Control Flaws
Insecure Data Transfer and Storage       | Access Control Flaws; Insecure Communication

current, the developers and users of IoT devices have not understood these issues well enough. So, above all, it is important to raise awareness. Therefore, we developed two applied exercises. One is about an IoT camera, and the other is an exercise on digital signage. The following describes the exercise on digital signage.

We assumed an exercise about a CSRF (Cross-Site Request Forgery) attack on digital signage web applications connected to the network. To make it easier for trainees to imagine, we used digital signage with a display as the IoT device, and CSRF, a typical Web application vulnerability, was taken up as the vulnerability.

Among digital signage installed on the street and displaying images and text, we assumed a system that is connected to the network, where the administrator can log in remotely and change the display contents via HTTP communication. The learner will experience cyberattacks and defense through exercises in unauthorized changes to the passwords of digital signage devices, faking images held by the digital signage devices, and displaying them contrary to the intentions of the user (administrator).
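The digital-signage CSRF scenario just described, together with the attack flow given later in the exercise procedure (Section V-E), modelled in Python as an added example; this is not code from the paper or from CyExec. The signage admin application, its origin `http://signage.local`, the trap-server origin `http://webwolf.local` and the request shapes are assumptions: the vulnerable handler accepts a password change on the session cookie alone, which is exactly what a request forged from the trap page relies on, while the hardened handler also requires the per-session CSRF token and a matching Origin header.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SIGNAGE_ORIGIN = "http://signage.local"   # assumed origin of the Raspberry Pi signage app


@dataclass
class SignageApp:
    password: str = "initial-pass"
    sessions: dict = field(default_factory=dict)   # session id -> per-session CSRF token

    def login(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid, self.sessions[sid]

    def change_password_vulnerable(self, req):
        # Only the session cookie is checked; a browser attaches it to a cross-site POST too.
        if req["cookies"].get("sid") not in self.sessions:
            return 401
        self.password = req["form"]["new_password"]
        return 200

    def change_password_hardened(self, req):
        expected = self.sessions.get(req["cookies"].get("sid"))
        if expected is None:
            return 401
        # A page served by the trap server carries its own Origin, not the signage app's.
        if req["headers"].get("Origin") != SIGNAGE_ORIGIN:
            return 403
        # Synchronizer token: embedded in the admin's own form, unreadable cross-site.
        if not hmac.compare_digest(req["form"].get("csrf_token", ""), expected):
            return 403
        self.password = req["form"]["new_password"]
        return 200


def run_scenario():
    # Admin logs in; a forged POST from the trap page is then tried against both handlers.
    app = SignageApp()
    sid, token = app.login()
    legit = {"cookies": {"sid": sid}, "headers": {"Origin": SIGNAGE_ORIGIN},
             "form": {"new_password": "admin-chosen", "csrf_token": token}}
    forged = {"cookies": {"sid": sid}, "headers": {"Origin": "http://webwolf.local"},
              "form": {"new_password": "attacker-chosen"}}   # constructed trap-server origin
    out = {"vuln_forged": app.change_password_vulnerable(forged), "pw_vuln": app.password}
    app.password = "initial-pass"
    out["hard_forged"] = app.change_password_hardened(forged)
    out["hard_legit"] = app.change_password_hardened(legit)
    out["pw_hard"] = app.password
    return out
```

The same two checks apply to the image-upload request in the exercise; a real deployment would also mark the session cookie `SameSite=Lax` or stricter so the browser does not attach it to the forged POST in the first place.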
Fig. 6. System configuration of the applied exercise.
link, the attacker (learner) performs exercises exploiting CSRF vulnerabilities to change passwords and falsify the display images.

E. Exercise procedure

To use CyExec, a learner needs to implement CyExec on a PC, then implement the OWASP-created attack exercise environment containers within CyExec and run them on Docker. WebWolf plays the role of a trap server that hosts the attack file created by the attacker and the link to the attack file that is sent to the user (administrator). Also, a learner needs to implement OWASP ZAP on CyExec.

Connect the Raspberry Pi with this exercise program to a PC and operate it through CyExec. Connect a display to the HDMI terminal of the Raspberry Pi. The Raspberry Pi and the display imitate digital signage.

The attacker uses the packet monitoring tool OWASP ZAP, a text editor, and WebWolf in CyExec. The user (administrator) operates the digital signage implemented on the Raspberry Pi through the browser in CyExec.

(1) Confirmation of normal operation:
• The user (administrator) inputs the ID and password into the digital signage web application and logs in.
• Perform the password change task and confirm that the password is changed as intended. Perform the image upload and confirm that the intended image is displayed on the digital signage.
(2) CSRF attack exercise:
Figure 7 shows the flow of the attack exercises.
• The attacker activates OWASP ZAP and intercepts the request sent from the browser to the digital signage when changing the password and uploading the image in (1) above.
• Create an attack file based on the intercepted content and write the code to realize a CSRF attack in JavaScript.
• Upload the attack file to the trap server using WebWolf. The attack is triggered when the user (administrator) clicks the link. The user (administrator) changes the password unintentionally and uploads the image. The display change on the digital signage is executed.

Fig. 7. An overview of the attack exercises.

Figure 8 shows the result screen when the password change succeeded.

Fig. 8. Result screen after changed password by an attacker (learner).

Figure 9 shows the original image and the image that was changed by the successful attack exercise using CyExec.

VI. CONCLUSION

As IoT devices become popular, cyberattacks targeting them are increasing, and it is urgent to develop human resources that
[6] S. Norio et al., "Latest Developments of IoT Architecture," The Journal of the Institute of Electronics, Information and Communication Engineers, vol. 100, no. 3, March 2017, pp. 214-221.
[7] The OWASP WebGoat Homepage. https://owasp.org/www-project-webgoat/
[8] The OWASP Homepage. https://owasp.org/
[9] OWASP Internet of Things Project - IoTGoat Homepage. https://www.owasp.org/index.php/OWASP Internet of Things Project#tab=IoTGoat
[10] OWASP Internet of Things Project - IoT Top 10 Homepage. https://www.owasp.org/index.php/OWASP Internet of Things Project
[11] T. Yaki et al., "Practical Cyber Security Monitoring," Tokyo, Japan: CORONA Publishing Co., 2016.
[12] Metasploitable 2 Homepage. https://metasploit.help.rapid7.com/docs/metasploitable-2
[13] Kali Linux Homepage. https://www.kali.org/
[14] Kali Linux Tools Listing Homepage. https://tools.kali.org/tools-listing