Intro to Cybersecurity Lesson Plan
Alan edited this page Feb 22, 2017 · 3 revisions
INTRO TO CYBERSECURITY
Suggested Format for Delivery
Intro: 15-30 mins
- Why do we need cybersecurity? [grok]
- In our personal lives, being unaware of security threats can lead to our money and belongings being stolen, to being impersonated online, and to our devices being used to do things without our knowledge (e.g. cryptocurrency mining).
- In a work or school setting, this is of even more concern. Think about how much data your school needs to keep secure: what must remain confidential? If the school's IT systems weren't secure, someone could change your grades, or look up your address and stalk you.
- With businesses, they have even more at stake. Financial details can be used to steal money from businesses or their customers. Hospitals must keep your medical information private--imagine if you'd had a really embarrassing health problem and that data got leaked.
- What does cybersecurity entail? [know-about]
- Very little of cybersecurity involves coding; most of what you need in order to grasp it is an understanding of how your network and your operating system work.
- You'll be thinking about how people could get into a system, what they might gain from breaking in, and what you or your organization stand to lose.
- You'll learn to outsmart attackers and strategize how to counter them.
- To be effective at cybersecurity, you must understand how common threats are made. Because you'll be familiarizing yourself with ways people can break into systems in potentially illegal ways, you must sign a code of conduct before we go any further.
Code of Conduct: ~15mins [grok]
Students MUST grok the code of conduct and why it is important before continuing.
Explanation: Common Attack Methods: 30-45mins
- Social engineering [teach]
- The oldest and least technical way of gaining unauthorized access to information.
- Social engineering covers any method that involves gaining or abusing people's trust to obtain passwords, permissions, or sensitive data.
- Generally, this requires the least effort to exploit, and can cast a wider net than traditional hacking.
- Real-world example: The "Grandma, I'm in jail and I need bail money!" call
- Real-world example: The "Hi, this is Windows Support and there's something wrong with your computer. With remote access, we can fix it for you" call
- You're probably quick to realize the above examples are scams - but they target as many people as possible, especially people who are older and not as experienced with computers. That way, they get at least a few victims.
- But what if your friend forgot their login for something and said "hey, can I use your account?" Like, a really good friend you know wouldn't do anything bad with it.
- What if it was from your friend's email address, but it wasn't them? Would you know how to check if it was really them?
- Situations like these are everywhere. The point is not to stop trusting people, but to understand the signs that someone is impersonating or abusing trust to get something out of you.
- Are security questions really secure? [teach]
- You've seen security questions before: "what is your mother's maiden name", etc.
- With the popularity of social media, these questions are no longer secure. The answers to them (maiden names, pets, schools, birthplaces) are commonly visible on sites like Facebook.
- Houses and hotel rooms are broken into and robbed when people post on social media that they're on vacation--especially if an address is posted there as well.
- Making this information private doesn't necessarily protect you: attacks like this may be perpetrated by "friends" or acquaintances in your network to whom it is still visible.
- Always be careful who you add and what you share on these sites.
- Phishing [teach]
- Phishing is a specific type of social engineering designed to get your password.
- Most compromised passwords aren't cracked; they're handed over by the victim through some form of phishing.
- Example of a phishing email: an email from "Amazon", "Google" or "PayPal" addressing you as "Dear Valued Customer". These companies normally address you by the name on your account. A generic salutation indicates a mass mailing from a faker.
- Example: "You've won this contest (that you don't remember ever entering)! We need some info from you to claim your prize".
- "Spear-phishing" is phishing aimed at a specific person or organization, using details the attacker has gathered about the target (name, employer, colleagues, recent purchases) to look convincing. Targeted attacks often go as far as building a fake website that looks legitimate at first glance.
- Example: a fake Gmail login hosted on "g00gle.com"
- Fake websites may use inconsistent fonts or outdated logos.
- Internationalized domain names allow non-Latin characters, and several Cyrillic letters (а, е, о, р, с, у, х) look identical to Latin ones in most fonts. Look closely for any variation in text style in the URL, and be suspicious if the browser shows the address in its "xn--" (punycode) form: that means the displayed name contained non-ASCII characters.
- Fake Antivirus [know-about]
- Mostly seen on Windows and Mac. They're rare on Linux, largely because Linux desktop users are a small and mostly technical audience that scammers don't bother targeting.
- Still, it's a popular way to fake trust and con people. Know how to recognize them in the wild.
- Fake antiviruses will generally alert you to a bunch of infections on your computer, then refuse to clean them unless you pay for the full version of the software.
- These will not actually remove anything, as the alerts are fake. Many fake antiviruses are themselves malware: blocking you from certain websites, killing Task Manager or Activity Monitor when you try to end the process, etc.
- Ransomware/Blackmail [know-about]
- Ransomware is the coercive end of the spectrum: malware that takes your data hostage and then uses threats to make you pay.
- Some ransomware pretends to come from the FBI or the police, and claims it has locked your device because it found something illegal. Some threaten you with blackmail or jail time if you don't pay their fee.
- Ransomware encrypts (or, in cruder variants, simply destroys) the files it can reach, then demands a fee, typically a few hundred dollars, to restore them.
- Unlike the fake antiviruses, these programs are NOT lying when they say they've locked up your files.
- These usually ask for money through "untraceable" payment methods like MoneyPak, Green Dot, Western Union or cryptocurrency. Even if you pay, they may claim the payment was lost and charge additional fees, and they probably will not bother to restore your files.
- The best thing to do with ransomware is to restore from a backup made before the infection, or look for a published decryption tool for that ransomware family; failing that, wipe the machine, reinstall and move on. Offline backups are the only reliable defense. If your files were encrypted or destroyed in place, it's unlikely the attackers copied them first.
Exercise: ~45 minutes to 1 hour
- Students will work together to devise an example of a social engineering exploit which aims to get a user's password or security question.
- Students must think critically about what makes an attempt at social engineering convincing - no "Just give me your password!!!"
- In creating this example, students should be able to teach others what to look for in suspicious emails, sites, or calls.