“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 3”

Unit 5 – Lesson 3 – “Asymmetric Cryptography”

11 Days

Shifting from symmetric to asymmetric cryptography, this lesson takes students on a deeper dive, beginning with the concept of public key cryptography to round out the use of cryptography as a mechanism to maintain confidentiality. The lesson then turns to how cryptography helps ensure integrity through the study of hash functions, before making a final shift to the study of digital signatures.

“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 2”

Unit 5 – Lesson 2 – “Symmetric Cryptography”

4 Days

This lesson focuses on symmetric key cryptography, beginning with an overview of what cryptography is and the fundamental ideas of symmetric encryption. This sets the stage for later in the unit when students learn about asymmetric cryptography. Students will begin with learning about basic ciphers and a historical perspective providing context for the field of cryptography beyond the use of modern computers. Students will learn about modern symmetric ciphers and, by the end of the lesson, they will be comfortable encrypting and decrypting using a variety of techniques.

“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 1”

Unit 5 – Lesson 1 – “Data Controls”

4 Days

As students learned in Unit 4, data is a complex topic. This lesson introduces students to controls used for protecting data and begins the dive into more advanced controls explored throughout this unit. First, the focus is on refining student understanding of authentication, authorization, identification, and access control. Students learn about types of access control, including Role Based Access Control (RBAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC). The lesson concludes with an investigation into where various controls can go wrong with faulty authentication, authorization and/or access control.

“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 8”

Unit 5 – Lesson 8 – “Impact of Failure – Responsiveness to Change”

2 Days

This lesson is meant to help students to see that all of the controls from this unit come together to form a complex system that has weak points. Students are tasked with working in groups to take the context of an organization and outline which controls and structures they will need in which places, drawing from their learning throughout Unit 5 and prior. Students create a graphical representation of the system and place controls where appropriate, present to the class, and revise to demonstrate that cybersecurity is an ever-changing process and the most secure systems are responsive to change.

“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 7”

Unit 5 – Lesson 7 – “Software and Hardware Controls”

4 Days

In this lesson, the focus is on the software and hardware controls (secure design and secure software development lifecycle, static and dynamic software analysis, vulnerability management, and hardening of Operating Systems (OS) and software applications) that are in place to fix vulnerabilities and defend against exploits. Students will conduct a hands-on lab with OS hardening.

“Intro to the Challenge of Cybersecurity – Unit 5 – Lesson 5”

Unit 5 – Lesson 5 – “Physical Controls”

2 Days

This lesson focuses on physical controls as the first layer of a defense-in-depth strategy for data protection in cyberspace. Students will have the opportunity to review and examine physical access control policy and identify the common physical controls used for policy implementation and enforcement.

“Intro to the Challenge of Cybersecurity – Unit 4 – Lesson 9”

Unit 4 – Lesson 9 – “Data – Humans”

2 Days

The easiest way for an adversary to misuse a system is to deceive and lure people into unwittingly yielding their credentials or installing malicious software. Targeting people so that they give an adversary access without knowing about it is called social engineering. Social engineering takes advantage of the fact that people do not always know what the proper security behavior is in a given situation. Therefore, system designers work to create usable security adaptations to systems to help people intuitively recognize a social engineering attempt or any malicious attempt by an adversary. This lesson will explore the weakest link in cybersecurity – humans – and provide hands-on experience in creating social engineering campaigns.

“Intro to the Challenge of Cybersecurity – Unit 4 – Lesson 8”

Unit 4 – Lesson 8 – “Data – Cyber-Physical Systems”

3 Days

Cyber-Physical Systems (CPS) allow people to act in the physical space by using cyberspace to decide and often automate the best possible action. Smart grids, industrial control systems (heating, cooling, factory automation), critical infrastructure (hospitals, financial sector, transportation, water systems) and Internet-of-Things or IoT (smart televisions, digital assistants, smart appliances) are examples of CPS. Because an adversary can cause harm both in the physical world and in cyberspace, it is important to understand the vulnerabilities, attacks, and consequences of insecure controls and policies for cyber-physical systems. This lesson will explore common vulnerabilities in cyber-physical systems and provide hands-on experiences in exploring IoT vulnerabilities.

“Intro to the Challenge of Cybersecurity – Unit 4 – Lesson 7”

Unit 4 – Lesson 7 – “Data – Networks”

4 Days

Data in transit is also a target for adversaries. The adversary can misuse this data at every level of the protocol stack that implements the network over which the data is transiting. Protections must be in place to prevent adversaries from creating malicious traffic and exploiting systems using this malicious traffic. This lesson will explore common network vulnerabilities and provide hands-on experiences in advanced port scanning and email tracking.

“Intro to the Challenge of Cybersecurity – Unit 4 – Lesson 6”

Unit 4 – Lesson 6 – “Data – Hardware”

3 Days

Hardware is essential to running software in every data state. As with software, the hardware can behave unexpectedly. Adversaries try to misuse the hardware by taking advantage of its unexpected behavior, bypassing security controls, or using side channels. This lesson will explore common hardware vulnerabilities and provide hands-on experiences in creating backdoor programs.