Incorporating CyberCIEGE into an Introductory Cyber Security Course

3/24/17

This syllabus identifies specific CyberCIEGE scenarios and tutorial videos that could be included within selected modules of an introductory cyber security course. The seven modules identified below are a notional organization of material contained in typical cyber security courses. This syllabus does not attempt to cover all such material; rather, the purpose is to identify which elements of CyberCIEGE could be deployed within selected instruction modules. It is expected that traditional lecture and/or reading assignments would cover material not included below, and would also provide introduction and context to much of the CyberCIEGE material.

Table 1 identifies the modules and approximates the amount of CyberCIEGE tutorial video and scenario play time that might be required for each. While a natural strategy is to incorporate CyberCIEGE scenarios as labs to augment lecture presentations, an alternate approach is to more tightly integrate CyberCIEGE into the instructional material, and thus blur the distinction between labs and subject matter presentations. For example, scenarios might be covered using the following sequence:
1) Lecture or assigned reading of related material.
2) Assignment of a scenario for individual exploration at the student's own pace.
3) Group review of the scenario decision points and consequences (e.g., in the style of case studies).

Note that since CyberCIEGE scenarios are intended to provide a context for experiencing consequences of choices, the scenarios don't always stick to a given topic. This becomes particularly true as students advance to the cryptography scenarios, which are designed to illustrate the role and limits of cryptography within selected environments.
 
Table 1: Instructional module summary and links to individual modules
| Instruction Module Name | Approximate number of tutorial minutes | Approximate number of total scenario minutes |
|---|---|---|
| Introduction to Information Assurance and Security Policies | 13 | 30 |
| Identification and Authentication | 0 | 45 |
| Access Control and Malicious Software | 12 | 75 |
| Basic Network Security | 11 | 105 |
| System Assurance, certification and accreditation | 4 | 45 |
| Applied Cryptography | 14 | 100¹ |
| Public Key Infrastructure and Identity Management (often part of intermediate cyber security courses). | 16 | 360 |
| Totals (minutes) | 69 | 760 |

The tables below identify the CyberCIEGE material that can contribute to course content for each of the modules. The tables include links to tutorial movies and scenario lab manuals, along with an estimate of the amount of time (in minutes) that students would be expected to spend on the material.
 

Instruction Module:  Introduction to Information Assurance and Security Policies

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The “Introduction to CyberCIEGE” movie describes risk management in terms of threats and vulnerabilities and potential impact of vulnerability mitigation decisions on enterprise productivity. These concepts are then placed in the context of the game and the choices the player makes. | 4 | |
| lab manual link, lab manual link | The "Stop Worms" scenario is an extremely simple scenario (a few minutes) that illustrates risks of email attachments and the need for risk management (i.e., you can’t just ban email attachments). This scenario can be followed up with the “Life with Macros” scenario which introduces the use of technical mechanisms to aid in the protection of assets. These scenarios also give the student a brief introduction to the game mechanics. | | 10 |
| Movie link | The “Security Policy” movie describes how computer systems can only be said to be secure with respect to some policy. It then distinguishes between different modes of access and types of policies. It briefly introduces differences between mandatory policies and discretionary policies. | 8 | |
| lab manual link | The Introduction scenario walks the player through CyberCIEGE mechanics (e.g., buying computers and connecting them to networks), while illustrating selected vulnerabilities such as opening email attachments. The scenario also highlights the need for user training and introduces physical security. | | 20 |
| Totals | | 12 | 30 |
 

Instruction Module:  Identification and Authentication

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| lab manual link | The Passwords scenario illustrates the need for a suitable password policy. It is a simple scenario that includes guessable passwords, the need for user training, and use of mechanisms to enforce policies (e.g., automatic screen locks). | | 10 |
| No lab manual | The "Down Time" scenario is a simple training and awareness scenario that illustrates potential pitfalls of using an Internet café by an industrial spy. | | 10 |
| lab manual link | The “User Identification” scenario explores challenges associated with identifying users to computers. This is the first substantive scenario that requires students to take a broader view of security policy enforcement. The scenario illustrates the utility of authentication servers and requires the student to make a decision to enable individual accountability. The latter 2 phases of this scenario begin to address access control, and are covered in the following instruction module. [TBD: Move web server malware attack to after one-time password.] | | 20 |
| Totals | | 0 | 45 |
 

Instruction Module:  Access Control and Malicious Software

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The malicious software movie describes what malicious software is and how it works. Discretionary access control enforcement mechanisms (i.e., ACLs) are introduced and the movie illustrates how malicious software can work around the mechanisms, thereby defeating user intent. The movie also illustrates how trap doors can subvert the intent of mandatory access control mechanisms. | 7 | |
| lab manual link | The final phases of the “User Identification” scenario illustrate the use of ACLs to limit the damage done by a rogue application and include an example of using a group policy to provide access to authorized users who lack individual system accounts. | | 15 |
| lab manual link | The "Physical Security" scenario looks at access control in the context of physical security where some users are not necessarily authorized to view all information processed within a facility. The scenario reinforces the concept of security policies by encouraging the student to understand the value of different assets and the authorizations of different users. | | 20 |
| Movie link | The "Multilevel Components" movie introduces label-based access control within the context of a simple multilevel server. | 5 | |
| lab manual link | The "Mandatory Access Controls" scenario requires the student to assign security labels to the two network connections of a multilevel server to enforce a given secrecy policy. The scenario encourages the student to make incorrect assignments and predict the outcome. | | 20 |
| lab manual link | The "MAC Integrity" scenario requires the student to understand an integrity policy and to reflect on the kind of security labels that need to be assigned to network connections. | | 20 |
| Totals | | 12 | 75 |
 

Instruction Module:  Basic Network Security

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The "Firewalls" movie provides a high level view of the functions of firewalls and intrusion detection mechanisms and it describes some of the limitations of each. | 4 | |
| Movie link | The "Network Filters" movie describes the basic functions of network filters and illustrates their use within the CyberCIEGE game. | 3 | |
| lab manual link | The "Network Filters" scenario explores issues arising from connecting networks to the Internet and the use of filters to protect assets. | | 45 |
| Movie link | The Patches movie describes the need for a patch management plan. | 4 | |
| lab manual link | The Patches scenario explores potential implications of different patch management decisions. | | 15 |
| lab manual link | The "PCA" scenario requires the student to deploy and configure a simple Demilitarized Zone (DMZ). The scenario builds on concepts introduced by the "Network Filters" and Patches scenarios. | | 45 |
| Totals | | 11 | 105 |
 

Instruction Module:  System Assurance, certification and accreditation

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The assurance movie describes the need to support objective assessment of security policy enforcement mechanisms. It describes the impact of complexity on the ability to achieve assurance and it illustrates how the amount of assurance needed for a system depends in part on the policies being enforced. | 4 | |
| No lab manual | The Genes R Us scenario... | | 45 |
| Totals | | 4 | 45 |
 

Instruction Module:  Applied Cryptography

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The Encryption movie introduces the application of encryption to protect communications over networks. It provides an overview of the use of encryption at different levels of a protocol stack. | 6 | |
| lab manual link | The "Link Encryption" scenario requires the student to deploy simple link encryptors to protect traffic between two sites via a dedicated communications link. The scenario includes a "key management" decision and illustrates the need to consider assurance when deploying cryptographic solutions. | | 20 |
| Movie link | The Symmetric and public key cryptography movie describes differences between the use of shared secrets and public key cryptography. | 3 | |
| lab manual link | The "Key Types" scenario illustrates some of the operational differences between use of shared secrets and public key cryptography. It also presents the student with a problem related to the exchange of clear text password hashes over a legacy network. | | 20 |
| Movie link | The "Network Authentication Through Cryptography" movie describes how cryptographic mechanisms can be used to establish the sources of data. | 5 | |
| Movie link | The "CyberCIEGE VPN Connection Profiles" movie describes how VPNs are configurable to provide different kinds of protection depending on who the remote party is. The movie illustrates the risks of permitting connections to the Internet while also providing connections to protected networks. It also illustrates how to define connection profiles within the CyberCIEGE game. | | |
| lab manual link | The "Introductory VPNs" scenario requires the student to deploy VPN gateways and VPN clients. It explores the risks of enabling connections to the Internet and protected networks. The scenario progresses through a series of threats beginning with traffic interception, followed by malicious software on protected networks and finally malicious software on the protection mechanisms themselves (e.g., a VPN gateway). | | 60 |
| Totals | | 14 | 100¹ |
 

Instruction Module:  Public Key Infrastructure and Identity Management (often part of intermediate cyber security courses).

| Link to movie or lab manual | Description of movie or game scenario | Tutorial Duration | Scenario Duration |
|---|---|---|---|
| Movie link | The "PKI" movie describes public key infrastructure use within a simple e-commerce example and illustrates potential pitfalls of PKI implementations. | 13 | |
| Movie link | The "CyberCIEGE PKI Installed Roots" movie reinforces the meaning of an "installed root" in a PKI context and describes how to manage installed roots in the CyberCIEGE game. This movie is intended for viewing as part of playing the "Advanced VPNs" scenario. | 3 | |
| lab manual link | The "Advanced VPNs" scenario is similar to the "Introductory VPNs" scenario except the student may choose to deploy either symmetric key or PKI based key management. The scenario requires the student to make a choice related to cross certification and certificate policies to enable e-commerce with a business partner. | | 60 |
| lab manual link | The "Hard Rain" scenario explores the use of email encryption and signing to protect email from unauthorized disclosure and modification. It confronts the student with an environment in which potentially malicious insider users have administrative access to a company email server. The scenario illustrates differences between email encryption and signing. | | 60 |
| lab manual link | The "ParaZog" scenario illustrates the use of smartcard-based email encryption to protect email assets from unauthorized disclosure. The scenario also illustrates risks of sharing smartcards across networks of different sensitivities. | | 60 |
| lab manual link | The "Angle Locks" scenario explores the use of SSL to authenticate web sites and to authenticate users. Smart-card based TLS authentication is incorporated into the scenario. | | 60 |
| lab manual link | The "Identity Database" scenario requires players to protect an identity database that is used in the generation of smart card IDs. The scenario does not address smart cards per se; rather it highlights some issues related to protecting a centralized database that is accessed by a variety of users. | | 60 |
| lab manual link | The "Who are you" scenario illustrates several issues related to maintaining information about the identity of users. The scenario is built around authorized user and visitor access to a physical military base. Several identity management issues are explored, including the establishment of access policies, different mechanisms for identifying people, and risks associated with using computers to manage identity information. | | 60 |
| Totals | | 16 | 360 |

¹ If the course does not include a PKI & Identity Management module, one of the PKI scenarios (e.g., "Advanced VPNs" or "Hard Rain") could be included here.