Cybersecurity Learning in Secondary Education

Transcription

1 Cybersecurity Learning in Secondary Education Mandy Galante Teacher of Technology Red Bank Regional High School with perspectives from Scott Costello, Parent Connor Costello, Student

2 A little about RBR s programs Red Bank Regional is a public high school with embedded specialized Academies. Every student selects a core strand as a major. Choices are: Visual and Performing Arts International Baccalaureate Graphic Communications Finance/Business Math and Science Humanities and Social Science Sports Medicine & Management Engineering Information Technology Cybersecurity < Gasp! >

3 Why teach this in high school? These students will be the first to lead digital lives so the most basic goal of teaching cybersecurity is: Develop a generation of digital users with SAFE computing habits M. Galante

4 Why Cybersecurity? Need for a cyber workforce Help students discover talent Direct towards choosing this as a college major or as a career Best case for teaching cybersecurity - students can t know they want to do this unless they have a chance to be exposed to it.

5 Parent - why Cybersecurity? Own path to career took many turns High school interests were towards Electronics BUT after an internship decided that wasn t the right fit. In college interest evolved towards Math & Physics A trip to the Giant s Causeway in Ireland sparked an interest in Geology... Which led to a career in Cartography

6 Parent - why Cybersecurity? You will be great at the things that you can t not do. - Adam Savage, Mythbusters Want this for my son - to study something he likes so much that he will develop self-motivation and drive. The more he is exposed to in school, the more likely he is to find his thing.

7 Student - why Cybersecurity? Originally entered RBR with an interest in the Engineering program - they had the coolest toys! Hands-on projects have a lot of appeal to me Creating objects with a 3D Printer Making a scale model Trebuchet

8 Student - why Cybersecurity? As a student, I m looking for a subject where I want to learn... which means something with a fun factor. Engineering had cool toys, but the actual topic was not fun/interesting to me. Saw a nearby classroom that had kids with their hands deep inside PCs installing motherboards. Computers + Hands-on = FUN

9 Cybersecurity topics & tools Social Engineering Phishing, spear phishing, pharming Impersonation, piggybacking, shoulder surfing Network Recon Whois Nmap scans OS Fingerprinting Authentication Strong Passwords Tokens / Biometrics Hashing passwords CHAP / Kerberos RADIUS

10 Cybersecurity topics & tools Attacks Password Cracking Man in the Middle Hijack / Replay IP spoofing DOS/DDOS DNS poisoning WEP & WPA Crack Tool examples BackTrack (Kali) John the Ripper Cain & Abel Metasploit Kismet & Aircrack

11 Cybersecurity topics & tools Defensive Techniques System hardening Patching & Updates Firewalls IDS / IPS Vulnerability Assessment Protocol Analyzers Cryptography Hashing Symmetric Asymmetric Public Key Infrastructure Digital Signatures

12 Cybersecurity topics & tools Online attacks Secure Access Access Control Lists IPSEC & VPNs SSH / SSL BCP / Data Recovery Buffer overflows Active X Cross-site scripting SQL Injection Fuzzing Browser proxies Backups Hot sites RAID

13 Digital Forensic Topics Drive acquisition & Write blocking & Imaging Hashing for file integrity Volatile data / memory acquisition File systems and Data Recovery File Signatures & File Carving Steganography Network capture analysis Metadata analysis

14 Digital Forensic Tools FTK Imager Volatility Foremost / Scalpel Truecrypt The Sleuth Kit Autopsy Network Miner Exiftool Forensic Toolkit Bulk Extractor OSF Mount And a LOT of LINUX command line tools

15 Parent - Cyber Curriculum My own experience with learning was constricted by required tools and techniques. We were not permitted to reach the correct answer by using our own methods The lab-based learning offers my son the opportunity to see that there are many ways to do things right.

16 Parent - Cyber Curriculum The IT curriculum has offered many opportunities for students to use their minds creatively to problem solve. In the real world, the expectation is that you will take initiative to find answers. As my son has moved up to the advanced topics such as Cybersecurity, I see that the labs provide him with fewer detailed instructions and he is pushed to be more self-reliant to reach goals.

17 Student - Cyber Curriculum Learning works best for me when I can follow where my interests develop, rather than having set objectives My favorite example of this is Code Academy, an online website to teach yourself programming

18 Student - Cyber Curriculum My cyber courses have fit my learning style which is that I like to learn by doing. As a student, I want to be able to experiment and actually use the tools we study - because I really just don t get it until I try it, even if it doesn t work. Cyber professionals DO experiment to adapt their tools and methods. It makes sense because there are always going to be new ways to program and hackers are always going to create new exploits.

19 The RBR Cyber learning path CompTIA Net+ Syracuse U Credit Intro to Comp Systems Networking Cybersecurity Digital Forensics Computer Science Java, C# Mobile apps

20 CYBERSECURITY - CODE OF BEHAVIOR It is the responsibility of every student in Honors Cybersecurity to maintain and uphold the Code of Behavior on or off school grounds. Authentication: Usernames/ Passwords / IDs Do Not impersonate Do Not steal Files / Folders - Do Not steal / change / destroy / move Do Not enter or access Do Not publicize Network - Do Not crash or hog bandwidth - Do Not bypass network controls - Do Not eavesdrop Device - Do Not install Do Not reconfigure Do Not play jokes

21 Ethics in Cyber Learning I have two years to learn the character of potential Cybersecurity students. ONLY students that have earned my trust are accepted into the Cybersecurity course. Students AND parents must sign the Code of Behavior. The agreement holds for the entire time the student is at RBR - until the minute they graduate!

22 Parent - Ethics in Cyber Learning View #1 - As a parent, I appreciate the support to make my son a proper member of the digital community. View #2 - Is the agreement truly enforceable? Not sure, but I know it will make him think twice before trying something questionable. View #3 - As an employee, I have been expected to follow codes of behavior that help maintain the digital safety of the organization. This is a reality and it is a positive for my son to experience it early.

23 Student - Ethics in Cyber Learning The ethics agreement makes it very clear what we are allowed to do with what we learn in Cybersecurity. There is no gray area to argue about, so that makes it easy to follow. Why do I follow it when it might be fun to try stuff that seems harmless? I don t want to be kicked out of the class - and I also don t want the school to remove the Cybersecurity course.

24 Proof of concept CompTIA certifications earned by students 49 Network+ and 30 Security+ AFA Cyber Patriot Challenge National Champions 2011 NJ State Champions 2012, 2013, 2014 NYU-Poly CSAW High School Forensics First place team 2012, Second Place team 2013 Finalist teams all four years of contest Cyber Aces / Net Wars 1 st and 4 th place NJ Governor s Cyber Challenge Future Business Leaders of America Nationals nd place Cybersecurity, 8 th place Game Programming

25 Where are they now Colleges: Carnegie Mellon Stevens Yale - Georgia Tech Rochester Institute of Technology Elon - Rutgers Virginia Tech NJIT Quinnipiac Emerson Companies: Booz Allen - IBM - US Army -Credit Suisse Google Not just majoring in technology - medical, finance, engineering, communications all these fields will benefit from secure digital habits

26 Conclusion Teaching Cybersecurity is about teaching responsibility