Syllabus - Center for Cybersecurity and Cyber Operations
Incorporating CyberCIEGE into an Introductory Cyber Security Course
3/24/17
This syllabus identifies specific CyberCIEGE scenarios and tutorial videos that could be included within selected modules of an introductory cyber security course. The seven modules identified below are a notional organization of material contained in typical cyber security courses. This syllabus does not attempt to cover all such material; rather, the purpose is to identify which elements of CyberCIEGE could be deployed within selected instruction modules. It is expected that traditional lecture and/or reading assignments would cover material not included below, and would also provide introduction and context to much of the CyberCIEGE material.
Table 1 identifies the modules and approximates the amount of CyberCIEGE tutorial video and scenario play time that might be required for each. While a natural strategy is to incorporate CyberCIEGE scenarios as labs to augment lecture presentations, an alternate approach is to more tightly integrate CyberCIEGE into the instructional material, and thus blur the distinction between labs and subject matter presentations. For example, scenarios might be covered using the following sequence:
2) Assignment of a scenario for individual exploration at the student's own pace.
3) Group review of the scenario decision points and consequences (e.g., in the style of case studies).
Note that since CyberCIEGE scenarios are intended to provide a context for experiencing consequences of choices, the scenarios don't always stick to a given topic. This becomes particularly true as students advance to the cryptography scenarios, which are designed to illustrate the role and limits of cryptography within selected environments.
| Instruction Module Name | Approximate number of tutorial minutes | Approximate number of total scenario minutes |
| Introduction to Information Assurance and Security Policies | 13 | 30 |
| Identification and Authentication | 0 | 45 |
| Access Control and Malicious Software | 12 | 75 |
| Basic Network Security | 11 | 105 |
| System Assurance, certification and accreditation | 4 | 45 |
| Applied Cryptography | 14 | 100 [1] |
| Public Key Infrastructure and Identity Management (often part of intermediate cyber security courses) | 16 | 360 |
| Totals (minutes) | 69 | 760 |
The tables below identify the CyberCIEGE material that can contribute to course content for each of the modules. The tables include links to tutorial movies and scenario lab manuals. The tables include an estimate of the amount of time (in minutes) that students would be expected to spend on the material.
Instruction Module: Introduction to Information Assurance and Security Policies
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The “Introduction to CyberCIEGE” movie describes risk management in terms of threats and vulnerabilities and potential impact of vulnerability mitigation decisions on enterprise productivity. These concepts are then placed in the context of the game and the choices the player makes. | 4 | |
| | The "Stop Worms" scenario is an extremely simple scenario (a few minutes) that illustrates risks of email attachments and the need for risk management (i.e., you can’t just ban email attachments). This scenario can be followed up with the “Life with Macros” scenario which introduces the use of technical mechanisms to aid in the protection of assets. These scenarios also give the student a brief introduction to the game mechanics. | | 10 |
| | The “Security Policy” movie describes how computer systems can only be said to be secure with respect to some policy. It then distinguishes between different modes of access and types of policies. It briefly introduces differences between mandatory policies and discretionary policies. | 8 | |
| | The Introduction scenario walks the player through CyberCIEGE mechanics (e.g., buying computers and connecting them to networks), while illustrating selected vulnerabilities such as opening email attachments. The scenario also highlights the need for user training and introduces physical security. | | 20 |
| Totals | | 12 | 30 |
Instruction Module: Identification and Authentication
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The Passwords scenario illustrates the need for a suitable password policy. It is a simple scenario that includes guessable passwords, the need for user training, and use of mechanisms to enforce policies (e.g., automatic screen locks). | | 10 |
| No lab manual | The "Down Time" scenario is a simple training and awareness scenario that illustrates potential pitfalls of using an Internet café by an industrial spy. | | 10 |
| | The “User Identification” scenario explores challenges associated with identifying users to computers. This is the first substantive scenario that requires students to take a broader view of security policy enforcement. The scenario illustrates the utility of authentication servers and requires the student to make a decision to enable individual accountability. The latter 2 phases of this scenario begin to address access control, and are covered in the following instruction module. [TBD: Move web server malware attack to after one-time password.] | | 20 |
| Totals | | 0 | 45 |
Instruction Module: Access Control and Malicious Software
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The malicious software movie describes what malicious software is and how it works. Discretionary access control enforcement mechanisms (i.e., ACLs) are introduced and the movie illustrates how malicious software can work around the mechanisms, thereby defeating user intent. The movie also illustrates how trap doors can subvert the intent of mandatory access control mechanisms. | 7 | |
| | The final phases of the “User Identification” scenario illustrate the use of ACLs to limit the damage done by a rogue application and include an example of using a group policy to provide access to authorized users who lack individual system accounts. | | 15 |
| | The "Physical Security" scenario looks at access control in the context of physical security where some users are not necessarily authorized to view all information processed within a facility. The scenario reinforces the concept of security policies by encouraging the student to understand the value of different assets and the authorizations of different users. | | 20 |
| | The "Multilevel Components" movie introduces label-based access control within the context of a simple multilevel server. | 5 | |
| | The "Mandatory Access Controls" scenario requires the student to assign security labels to the two network connections of a multilevel server to enforce a given secrecy policy. The scenario encourages the student to make incorrect assignments and predict the outcome. | | 20 |
| | The "MAC Integrity" scenario requires the student to understand an integrity policy and to reflect on the kind of security labels that need to be assigned to network connections. | | 20 |
| Totals | | 12 | 75 |
Instruction Module: Basic Network Security
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The "Firewalls" movie provides a high level view of the functions of firewalls and intrusion detection mechanisms and it describes some of the limitations of each. | 4 | |
| | The "Network Filters" movie describes the basic functions of network filters and illustrates their use within the CyberCIEGE game. | 3 | |
| | The "Network Filters" scenario explores issues arising from connecting networks to the Internet and the use of filters to protect assets. | | 45 |
| | The Patches movie describes the need for a patch management plan. | 4 | |
| | The Patches scenario explores potential implications of different patch management decisions. | | 15 |
| | The "PCA" scenario requires the student to deploy and configure a simple Demilitarized Zone (DMZ). The scenario builds on concepts introduced by the "Network Filters" and Patches scenarios. | | 45 |
| Totals | | 11 | 105 |
Instruction Module: System Assurance, certification and accreditation
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The assurance movie describes the need to support objective assessment of security policy enforcement mechanisms. It describes the impact of complexity on the ability to achieve assurance and it illustrates how the amount of assurance needed for a system depends in part on the policies being enforced. | 4 | |
| No lab manual | The Genes R Us scenario... | | 45 |
| Totals | | 4 | 45 |
Instruction Module: Applied Cryptography
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The Encryption movie introduces the application of encryption to protect communications over networks. It provides an overview of the use of encryption at different levels of a protocol stack. | 6 | |
| | The "Link Encryption" scenario requires the student to deploy simple link encryptors to protect traffic between two sites via a dedicated communications link. The scenario includes a "key management" decision and illustrates the need to consider assurance when deploying cryptographic solutions. | | 20 |
| | The Symmetric and public key cryptography movie describes differences between the use of shared secrets and public key cryptography. | 3 | |
| | The "Key Types" scenario illustrates some of the operational differences between use of shared secrets and public key cryptography. It also presents the student with a problem related to the exchange of clear text password hashes over a legacy network. | | 20 |
| | The "Network Authentication Through Cryptography" movie describes how cryptographic mechanisms can be used to establish the sources of data. | 5 | |
| | The "CyberCIEGE VPN Connection Profiles" movie describes how VPNs are configurable to provide different kinds of protection depending on who the remote party is. The movie illustrates the risks of permitting connections to the Internet while also providing connections to protected networks. And it illustrates how to define connection profiles within the CyberCIEGE game. | | |
| | The "Introductory VPNs" scenario requires the student to deploy VPN gateways and VPN clients. It explores the risks of enabling connections to the Internet and protected networks. The scenario progresses through a series of threats beginning with traffic interception, followed by malicious software on protected networks and finally malicious software on the protection mechanisms themselves (e.g., a VPN gateway). | | 60 |
| Totals | | 14 | 100 [1] |
Instruction Module: Public Key Infrastructure and Identity Management (often part of intermediate cyber security courses)
| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
| | The "PKI" movie describes public key infrastructure use within a simple e-commerce example and illustrates potential pitfalls of PKI implementations. | 13 | |
| | The "CyberCIEGE PKI Installed Roots" movie reinforces the meaning of an "installed root" in a PKI context and describes how to manage installed roots in the CyberCIEGE game. This movie is intended for viewing as part of playing the "Advanced VPNs" scenario. | 3 | |
| | The "Advanced VPNs" scenario is similar to the "Introductory VPNs" scenario except the student may choose to deploy either symmetric key or PKI based key management. The scenario requires the student to make a choice related to cross certification and certificate policies to enable e-commerce with a business partner. | | 60 |
| | The "Hard Rain" scenario explores the use of email encryption and signing to protect email from unauthorized disclosure and modification. It confronts the student with an environment in which potentially malicious insider users have administrative access to a company email server. The scenario illustrates differences between email encryption and signing. | | 60 |
| | The "ParaZog" scenario illustrates the use of smartcard-based email encryption to protect email assets from unauthorized disclosure. The scenario also illustrates risks of sharing smartcards across networks of different sensitivities. | | 60 |
| | The "Angle Locks" scenario explores the use of SSL to authenticate web sites and to authenticate users. Smart-card based TLS authentication is incorporated into the scenario. | | 60 |
| | The "Identity Database" scenario requires players to protect an identity database that is used in the generation of smart card IDs. The scenario does not address smart cards per se; rather it highlights some issues related to protecting a centralized database that is accessed by a variety of users. | | 60 |
| | The "Who are you" scenario illustrates several issues related to maintaining information about the identity of users. The scenario is built around authorized user and visitor access to a physical military base. Several identity management issues are explored, including the establishment of access policies, different mechanisms for identifying people, and risks associated with using computers to manage identity information. | | 60 |
| Totals | | 16 | 360 |
[1] If the course does not include a PKI & Identity Management module, one of the PKI scenarios (e.g., "Advanced VPNs" or "Hard Rain") could be included here.