September 16, 2021

The Teach Cyber Byte

In this month's Byte, we define the term "Multi-factor Authentication" and examine how it can improve an individual or organization's cybersecurity. If you enjoyed this Byte and know someone else that would, please feel free to forward and share our newsletter!

(Please note: if you forward this to someone else and they click "unsubscribe," you may be unsubscribed from the mailing list.)

Monthly Virtual Lounges are back! See you there!

Check out the information below about the Cybersecurity Inquiry for Students and Teachers Workshop.

ANNOUNCEMENTS

1. Unit 3 will be available September 21, 2021
Unit 3 provides an introduction to computer hardware, software, and operating systems. Students explore how hardware and software work together to achieve an overall objective. Students learn how devices communicate across the Internet and explore open source versus proprietary protocols. After these basic building blocks of cyberspace are defined, the unit introduces basic concepts of networks and networking. This unit includes introductory labs to introduce students to basic Linux commands, networking concepts, and Wireshark. Finally, students examine the growth in society’s use of and reliance on computers and networks ranging from health, commerce, national defense, to entertainment and leisure.

2. Other Curriculum Updates
Over the summer, Teach Cyber updated units 1 and 2 and they are now available on the website. The updated files are titled v1.2 to make them easy to recognize. The changes are minor and the change log can be found HERE.
The release schedule for future updates is:
Unit 4 - October
Unit 5 - November
Unit 6 - December
Unit 7 - January
Unit 8 - February
3. Virtual Lounges
Welcome back to the 2021/2022 school year! We hope your year is off to a great start! We will be hosting a series of virtual teacher's lounges again this year. Our first one of the school year is September 23 at 7pm where we will provide an update of what we've been up to this summer, introduce some of the new Teach Cyber team members, present a tentative schedule for future lounge topics, and leave plenty of time for discussion. We hope you can join us. To register to receive the Zoom link, click on the Virtual Lounge Sign-up and provide your information:
4. We are Growing
Meet Judi Emmel. Judi started her career as a junior high school teacher. Judi has had a remarkable career as a public educator and public servant with several high profile roles in cybersecurity at the National Security Agency (NSA). She first worked as a Farsi linguist in a 24-hour watch center, providing support to US Military deployed overseas. She spent the bulk of her career as the NSA spokesperson. She has also done tours at the Office of the Director of National Intelligence and the White House. She retired from NSA last spring and Teach Cyber is fortunate to have her talent and experience to launch and lead our advocacy and state/local relations.
You can contact her at judi.emmel@teachcyber.org.
5. Be A Part of Making Change Happen
Cybersecurity is a fairly new field of study. It started in higher education about 25 years ago at the graduate level. Over the past two decades, cybersecurity programs have grown at the baccalaureate and associate degree levels.
And over the past 5 years, cybersecurity units, courses and pathways have been growing at the secondary level. This development is needed; cybersecurity is currently one of the fastest growing career fields in the United States.

There is a lot of work that needs to happen to build cybersecurity pathways that are robust, sustainable, and effective. Teach Cyber's mission is to help nurture the cybersecurity education ecosystem. If you want to be a part of making change happen, please volunteer by email to proponent@teachcyber.org.

6. The Cybersecurity Inquiry for Students and Teachers Workshop co-sponsored by Estrella Mountain Community College and Glendale Community College
Teach Cyber will conduct a session at this virtual workshop designed for students, faculty, and administrators who have an interest in cybersecurity. The workshop is October 22 from 9am-3pm MST, with the Teach Cyber presentation from 12:30-2:30 pm MST. Presentations, discussions, and activities will expose participants to cybersecurity tools and careers. Students are invited to attend the morning session from 9am-11am MST. To register: https://www.eventbrite.com/e/cybersecurity-inquiry-for-students-and-teachers-tickets-167786599235
If you have questions contact Tom Polliard at thomas.polliard@estrellamountain.edu

Thank You to Our New Sponsors

Teach Cyber relies on the generous support of organizations, foundations, and individuals. We'd like to thank our new sponsors:
1. SamTec Cares
2. Central Supply
3. Purdue Federal Credit Union

Help Us Help You

Teach Cyber is a project within DARK Enterprises, which is a non-profit organization dedicated to Nurturing a Sustainable Cybersecurity Education Ecosystem.

We can provide US Cyber Range grants, the curriculum, the virtual lounges, etc., through grants and the generous support of foundations and individuals.

There are two ways you can support Teach Cyber today.
  1. Amazon Smile - You shop. Amazon Gives. To donate to Teach Cyber, please use the DARK Enterprises Amazon Smile link: https://smile.amazon.com/ch/47-4951875
  2. Make a direct donation here: https://teachcyber.org/donations-and-partners/ Every dollar counts.
WORD OF THE WEEK

"Multi-factor Authentication (MFA)"

If you've ever logged into an online account or needed a security badge in order to enter a locked building, you've used authentication. Authentication techniques are the technologies that prove you are who you say you are, and for most of us, that's just a username and password. These two pieces of information may seem sufficient to keep our information safe online, but unfortunately, this isn't always the case. People generally use the same username and e-mail for all of their online accounts, and passwords can be brute forced, leaked, and cracked. To make matters worse, people tend to reuse passwords, so if the password for one individual's account gets leaked, all of their accounts are jeopardized [1].
That's why an increasing number of organizations and websites today are supporting multi-factor authentication (MFA), a security enhancement that requires two or more verification factors to access an online account, resource, or application. You may also hear it called Two-factor Authentication, or "2FA," but the underlying principle for these technologies is the same. By requiring the use of one or more additional verification methods (known as "factors"), MFA dramatically decreases the likelihood and severity of a successful cyberattack. For this reason, MFA should be a core element of any organization's identity and access management (IAM) policies [2].

MFA protects your data where simple passwords might fail by establishing multiple layers of security. For instance, if your second factor of authentication is a one-time password (OTP) sent to your phone, an attacker would need to steal or compromise both your password and your phone to break into your account. Whether it's required to access your building or website, MFA's defense-in-depth approach adds at least one more barrier to breach before an attack is successful. You should use MFA wherever possible, especially for sites that store your most sensitive data, e.g. your personal e-mail, health information, and bank account.
While some services require you to use MFA on your account, many websites offer it as an option that you can enable—but you must take the initiative to turn it on [3]. There are four general categories of authentication factors that you can use [4]:
  • Knowledge - factors you know, such as a personalized security question or memorized PIN.
  • Possession - factors you have, such as a badge, smartphone, or USB security token.
  • Inherence - factors you "are," such as your fingerprint, voice, or iris.
  • Location - somewhere you are, such as being hard wired into your company's network rather than connecting wirelessly.
Additionally, there's a popular subset of MFA known as adaptive authentication. Rather than requiring multiple authentication factors every time you try to log in, adaptive authentication considers your current context and your organization's policies during authentication. Using adaptive authentication, if you log in from inside the company office one day, but then from Russia the next, this is obviously a sign of elevated risk and you'll be required to supply your MFA factor(s) [5]. This technology is best suited for low-risk scenarios where an organization wants to optimize their security while also ensuring employee and customer convenience [6].
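
The adaptive decision described above can be sketched in a few lines. This is an added example, not part of the original newsletter; the network range, country codes, signal names, and the `LoginContext` and `required_factors` names are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy value: the "company office" network (assumption).
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class LoginContext:
    source_ip: str      # address the login request came from
    country: str        # country resolved for that address
    device_known: bool  # has this device logged in before?


def risk_signals(ctx, last_country):
    """Return the list of reasons this login looks riskier than usual."""
    signals = []
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
        if not any(ip in net for net in CORPORATE_NETS):
            signals.append("off_corporate_network")
    except ValueError:
        # Fail closed: an address we cannot parse is treated as risky.
        signals.append("unparseable_source_ip")
    if last_country is not None and ctx.country != last_country:
        signals.append("country_changed")
    if not ctx.device_known:
        signals.append("unrecognized_device")
    return signals


def required_factors(ctx, last_country, sensitive_resource=False):
    """Decide which factors to demand; return them with the reasons for the audit log."""
    signals = risk_signals(ctx, last_country)
    factors = ["password"]
    # Step up to a second factor on any risk signal, and always for sensitive
    # resources, so that convenience never overrides the highest-value data.
    if signals or sensitive_resource:
        factors.append("one_time_code")
    return factors, signals
```

Returning the signals alongside the decision lets the service log why a step-up was demanded, which is what an investigator needs when reviewing a suspicious login later.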

It’s becoming clear that passwords alone are an insufficient means of authentication, but MFA is an important tool you can use to improve your personal cybersecurity. For businesses and organizations, enabling MFA can also help you comply with national and international security policies and frameworks. The Payment Card Industry Data Security Standard (PCI-DSS), for instance, requires that MFA be used in accessing systems that process payment transactions. MFA can also be used to help comply with other policies, such as the Health Insurance Portability and Accountability Act (HIPAA) and the European Union's Revised Payment Services Directive (PSD2), which are policies intended to protect individuals' sensitive health and financial information. Some organizations, such as FIDO, advocate for MFA without passwords altogether, arguing that knowledge-based factors have repeatedly proven to be vulnerable [7]. The consortium's FIDO2 standard defines a common way for online services to implement MFA using security keys and biometrics without passwords [6]. We may be a long way from a passwordless society, but enabling MFA is always a big step towards increased security.
WORD OF THE MONTH IN ACTION
If you want to start enabling MFA yourself, check out apps such as Authy, Google Authenticator, and Microsoft Authenticator. It's important to note, though, that MFA isn't always perfectly secure. In 2019, 23 million YouTube influencers were hacked despite employing MFA because an attacker found a way to intercept YouTube's two-factor authentication codes using SMS. MFA tokens sent over SMS are also vulnerable to SIM-swap attacks, where an attacker uses social engineering to change their target's phone number so that any of the text messages intended for the victim would be sent to the attacker instead [8]. Despite these vulnerabilities, enabling MFA will almost always make you more secure than if you didn't have it on. So while MFA can occasionally be an inconvenience if your phone dies or gets lost, the pros of an easy-to-use feature that dramatically improves your security far outweigh the cons.
WANT TO LEARN MORE?
You can find more information about password cracking and the asymmetric cryptography used to protect passwords in the "Intro to the Challenge of Cybersecurity" course, Unit 5, Lesson 3 (free to registered users).

Additionally, students can refer to Unit 5, Lessons 1 and 5 to learn more about access control and defense-in-depth, respectively.
[1] Telesign. (2015, June). "Telesign Consumer Account Security Report." https://www.telesign.com/resources/research-and-reports/telesign-consumer-account-security-report/

[2] National Institute of Standards and Technology. (2020, January 22). "Identity and Access Management Roadmap." https://www.nist.gov/topics/identity-access-management/identity-and-access-management-roadmap

[3] National Institute of Standards and Technology. (2016, June 28). "Back to Basics: Multi-factor Authentication (MFA)." https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication

[4] OneLogin. (2021). "What is Multi-Factor Authentication (MFA) and How Does it Work?" https://www.onelogin.com/learn/what-is-mfa

[5] TechTarget. (2021, May). "Multifactor Authentication (MFA)." https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

[6] McKeown, Emily. (2020, September 3). “What Is Multi-factor Authentication (MFA)?” PingIdentity. https://www.pingidentity.com/en/company/blog/posts/2017/what-is-multi-factor-authentication-mfa.html

[7] FIDO Alliance. (2021). "What is FIDO?" https://fidoalliance.org/what-is-fido/

[8] BrainStation. (2021). "Two Factor Auth (2FA)" https://brainstation.io/cybersecurity/two-factor-auth
