Thursday, June 21, 2018

What Do You Want In A Cyber Self Defense Course?

Your company, agency, whatever has hired an intern from the Mercyhurst intel program that has just completed their freshman year.  What do you want them to know about cyber?

That is one of the questions I will be wrestling with this summer.  I am teaching a new course in the fall called "Cyber Self Defense".  Nobody told me I had to teach this course.  Nope!  I volunteered (!) to teach this course.

You see, we have consistently noted that many of our first year students come to us with a pretty poor understanding of cyber related risks and how to minimize them.  The intent of this course is not to turn them all into white hat hackers.  All I really hope to do in the time I have is to make them into knowledgeable users.   
It's like the old joke about the two guys and the bear.  The first guy says, "We will never outrun that bear!"  And the second guy goes, "I don't have to outrun the bear.  I just have to outrun you!"  I want to create users that can, at least, outrun the other guy.
We wanted to teach this class at the Freshman level because that is where we think it would be most useful.  It gives the students 3 more years to increase or at least use these skills and an educated user base will only help our own network become more secure.  If this first class goes well, I think I would recommend that it become a requirement for all intel students.

As the obvious wonderfulness of this offering became increasingly apparent, the question naturally arose, "Who will teach this magical, extraordinary course?"  Those of you of a certain age will remember the old Life cereal commercial lovingly preserved by YouTube (above).  Suffice it to say, I get to play the role of "Mikey" in the 2018 remake...

So I throw it out to you, Gentle Readers, what skills would you expect, what abilities would you want to see in that 18 year old intern you just hired for the summer?  I am looking for tools, tips, tricks, websites, sources, absolutely-must-cover topics, don't-waste-your-time topics and everything in between.  Free software and resources will be most appreciated but making students pay to get something that gives a big bang for the buck is also OK.

Here are a few details about the class to help you think through the problem.  It is a MWF class and each class lasts 50 minutes for 15 weeks.  I have access to a computer lab but I think I want the class to mostly be about their own devices - specifically cell phones and laptops (which virtually all students have).  We don't have a standard when it comes to these devices so we will likely have a mix of Apple and Windows, Android and iOS (with Windows and Android machines likely being in the majority).

Here are my initial thoughts:
  • First couple of weeks:  Focus on cleaning up and maintaining their own devices.  My assumption is that at least some of these students will come in with malware or viruses on their system already.  Almost all will come in with some sort of factory-installed bloatware and I doubt if any of their browser caches have ever been emptied.  The goal here would be to clean all of this up and to teach them how to maintain their devices.
  • Next couple of weeks.  Focus on likely attack profiles and how to deal with situations where some sort of hack is more likely (e.g. coffee shops and airports).  Things like phishing and social engineering would get covered here.
  • Mid course.  Focus on privacy.  Talk about how info on the web gets passed around and used.  Talk about how to protect yourself from oversharing and what to do if you do get hacked.
  • Next couple of weeks.  Focus on advanced topics (e.g. Proxy servers, VPNs, Linux, etc).  Should they build their own computer?  
  • Final couple of weeks.  Talk about how to diagnose/help others with problems.  One of the most powerful tests of learning is seeing if the student can transfer their knowledge to new situations.  I want this kind of thing to be part of the final exam somehow.
I want this to be a project-based course that gives students lots of hands-on time with their own devices but also gives them enough conceptual knowledge to be able to integrate new stuff as it comes along.

I have a bunch of other half-formed thoughts but I welcome your input and feedback first.  You can either drop it in the comments below (or in any of the social media where this will be posted) or you can just send me a note at kwheaton at mercyhurst dot edu.

Many thanks, hive mind!  Many thanks!


Unknown said...

Perhaps upon successful completion of the course, every student gets a custom slipcover for their webcam on their laptop.

Maybe get a guest presentation from NCFTA down in Pittsburgh.

Ben said...

Hey Kristan,
Ben here - I love this initiative. Especially because more and more traditional intelligence operators are likely to fall foul of emerging IT threats, and specifically information security.

When I say traditional intelligence operators, I'm talking about the people who live and work in the world of intelligence but aren't astute techies, or perhaps don't know the first thing about cyber threats, and more importantly cyber protection.

For example, I know many people who glaze over as soon as you mention computers and protection because it's an unknown world.

I would probably want to know about INFOSEC as a priority - so this would include limiting what people can see/read and find on me on the open web. The 'basics', i.e. week 1 should be just that, the basics -

Privacy, Security and general awareness - perhaps some case studies of fraudulent or stolen identity, and how easily your information could be stolen or misappropriated - this could lead into incrimination, or the ability of nefarious actors to profile or even attempt to recruit others, possibly relevant for your readers and your students' 'future careers'.

I can't speak to the specifics of the other elements, because I simply don't know. But if you were able to boil the threats and information down into a simple, easy-to-understand way and show people what to do - i.e. you do it first and either record or step others through - this would be great for your students (and others like me).

Would be interested in seeing the content, if you decide to make it public -

All the best,


Unknown said...

I recently graduated with an MS in Cybersecurity and think this is a DEFINITE requirement for future intelligence leaders. My first class focused on the book Principles of Information Security, 5th Ed., ISBN: 9781285448367, which was a great introduction to the world of INFOSEC/Cyber. It has plenty of practical exercises at the end of each chapter to get students using VirtualBox, Wireshark, nmap, and other tools of the trade. It also opens up their eyes to the VAST world of cyber and what it encompasses. What you've laid out is good, and those may be good things to cover in class to get a hands-on and how to do some of the practical things, but the book is a good supplement to back it up.

Kristan J. Wheaton said...

Thanks for the comments and suggestions, y'all! I am still building the course but this is great stuff!