Positive Education: teach practical safety

Can a university prepare a student for work in the IT infrastructure of a modern enterprise? On the one hand, this is the direct task of the educational institution. But on the other hand, we all remember the phrase: “Forget everything that you were taught at the institute,” which students meet at the factory. Alas, education does not always keep up with reality, and especially in the field of information technology, where changes are happening so quickly that it is difficult for a university teacher to keep track of all innovations. This means that a close relationship is needed between teachers and industry practitioners.

This year marks two years of Positive Education, a non-profit program of Positive Technologies. The goal of the project is to contribute to the development of modern, practice-oriented training methods for young professionals in the field of information security. To date, the program involves more than four dozen educational institutions in Russia, including Moscow State University, MSTU, MATI, ENGECON, FEFU, OmSTU.

Over the past academic year, more than 250 students of these universities have been trained on the basis of competitive materials of the international practical safety competitions Capture the Flag (CTF) , Hack Quest and other competitions held by Positive Technologies.

Another opportunity that more than 200 students from various universities introduced this year is the practical use of XSpider and MaxPatrol security monitoring systems . The software is provided free of charge to universities for educational purposes, allowing you to demonstrate penetration tests, vulnerability searches, inventory and configuration analysis of various operating systems, telecommunications equipment, DBMS, ERP-systems, ICS components. Universities also receive methodological assistance in conducting laboratory workshops on web security (XSS, SQLI, Remote Code Execution, WAF bypass techniques) and VoIP security (detection of VoIP devices, attacks on RTP and SIP).

In 2014, MGIU (Moscow), NRNU MEPhI (Obninsk), NSU (Novosibirsk), LSTU (Lipetsk), SSAU (Samara), TUSUR (Tomsk), RSEU (Rostov-on-Don) were added to universities that take advantage of these opportunities. ), KhIIK (Khabarovsk). And in the Moscow MEPhI, a special course on penetration testing and vulnerability analysis is conducted by Positive Technologies employees themselves.

Interestingly, in some cases, the initiative to join the university in the Positive Education program came from students . This is especially pleasant - because it means that the program satisfies the real interest of the younger generation of future specialists.

On the other hand, sometimes teachers complain that Positive Education materials are complex and require additional training. However, we emphasize again: the goal of the program is to introduce students to the real state of affairs in the field of practical safety. We do not specifically complicate anything: this is the real work.

From teacher reviews

OmSTU (Omsk): “We use HackQuest / CTF materials, arrange homework based on them - an analogue of the classic CTF with our own rules, we use cjdns to create a private network. Good materials. Some of the students have a very surprised facial expression. And special thanks for iBank “Big ku $ h”) - the students really like it (one of the laboratory works + fixing vulnerabilities in it). ”

SSAU (Samara):“Tasks are used as training examples in accordance with the directions (Reverse Engineering, Web security, cryptography and system administration). It often happens that after CTF it is difficult to restore the entire infrastructure for the subsequent training of students (that is, part of the tasks cannot be started at home, especially if they contain the server part). The virtual machine images included in the HackQuest / CTF materials partly help solve this problem. ”

VPGU (Vologda): "The materials themselves seem interesting, but for the full use in the educational process, additional training is required - both the teacher and students."

If you are interested in organizing such security courses at your university or in obtaining the training materials mentioned, contact edu @ ptsecurity.com for details .