Computer Security Education Resource Collection


Below is a community-sourced collection of resources related to [computer security | cybersecurity | information security] education. This collection is primarily targeted at security instructors looking for course materials. To suggest additional materials or updates/corrections (including tags) please contact tdenning@cs.utah.edu.

Notes:




Name Tags Description
Beginner's Quest (Google CTF)

Welcome to the Beginner's Quest! A few notes before your embark:

  • There are multiple paths that lead through different challenges, to 4 different endings.
  • Only after solving the most difficult challenges do you receive the "winning" ending.
  • Save your flags in case you want to try different branches later, after reaching an ending.
  • Three challenges have two flags, each taking you towards a different path.
  • See the map for an overview of the challenges and paths.
  • Problems vary in both difficulty and time to solve (ie. some might be easier but take more time to do the work for the flag.) You can go back to make different choices if you don't like what is ahead.

Build it Break it Fix it

The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams.

There are currently no public contests planned at this time. We are looking for partners to run BIBIFI in the classroom! We will share our infrastructure and provide support. Contact us at info@builditbreakit.org if you are interested.

C5
About C5

Catalyzing Computing and Cybersecurity in Community Colleges (C5) is a project funded by the National Science Foundation. It supports the creation of a nationwide network of community colleges that have met national standards in cybersecurity education, producing more and better-prepared graduates for the workforce, and ultimately leading to a more secure nation.

C5 seeks to strengthen and expand the number of community colleges across the nation that have earned the NSA/DHS National Center of Academic Excellence (CAE) designation for cybersecurity education. The project supports the CAE Application Assistance Program by matching approved mentee institutions with qualified mentors who assist them with the application process.

C5 also brings together computer science and cybersecurity educators to develop new course content that integrates the two disciplines. The resulting modules can be seamlessly incorporated into existing computing or cybersecurity courses, or bundled to create an introductory cybersecurity-infused computer science course.

The project is administered by Whatcom Community College in Bellingham, Washington. Members of the C5 Leadership Team have extensive experience and expertise and are recognized for their commitment to excellence in cybersecurity and computing education, and for their approach to producing results and successfully managing National Science Foundation projects.

Dr. Vera Zdravkovich — Principal Investigator (PI)
Academic Vice President Emeritus at Prince George's Community College and Senior Advisor for the National CyberWatch Center, Dr. Zdravkovich is a pioneer in CAE2Y and cybersecurity education development projects at community colleges.
zdravkovich@gmail.com

Corrinne Sande — Co-PI: C5 Mentee Program
Director of Computer Science and Information Systems at Whatcom Community College in Bellingham, WA, Ms. Sande has a successful track record managing CyberWatch West, a regional Advanced Technological Education (ATE) center in cybersecurity.
csande@whatcom.edu

Dr. Elizabeth Hawthorne — Co-PI: Cybersecurity Instructional Materials
The chair of the ACM Committee for Computing Education in Community Colleges (CCECC), Dr. Hawthorne is Senior Professor of Computer Science at Union County College in Cranford, NJ.
hawthorne@ucc.edu

Dr. Melissa Dark — Co-PI: Cybersecurity Instructional Materials
Dr. Dark, W.C. Furnas Professor of Technology and Professor in Computer Technology at Purdue University, is Associate Director for Educational Programs at the Center for Faculty Development in Information Assurance Education, CERIAS (Center for Education and Research in Information Assurance and Security).
dark@purdue.edu

CLARK
CLARK is a digital library that hosts a diverse collection of cybersecurity Learning Objects. It was created because there is a demonstrated need for a high-quality and high-availability repository for curricular and ancillary resources in the cybersecurity education community.
The Cyber Security Body Of Knowledge (CyBOK)

A comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.

CyBOK will be a guide to the body of knowledge—the knowledge that it codifies already exists in literature such as textbooks, academic research articles, technical reports, white papers and standards. The project’s focus is, therefore, on mapping established knowledge and not fully replicating everything that has ever been written on the subject.

The CyBOK project team have undertaken an extensive exercise involving a mapping and analysis of relevant texts as well as a range of community consultations via workshops, an online survey, interviews and position papers. These activities have provided an in-depth understanding of the community’s collective view of the top-level Knowledge Areas (KAs) that should be in the scope of CyBOK. Following these consultations and various inputs, the 19 top level KAs were distilled and these will inform the scope of CyBOK.

The project, funded by the National Cyber Security Programme, is led by the University of Bristol's Professor Awais Rashid, along with other leading cyber security experts - including Professor Andrew Martin, Professor George Danezis, Professor Emil Lupu and Dr Howard Chivers.

CyberCIEGE
CyberCIEGE
an innovative video game and tool to teach computer and network security concepts

CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.

Cyber Security Simulation
In its interactive environment, CyberCIEGE covers significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.

CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms. It includes identity management components such as biometric scanners and authentication servers. Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems. Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.
Cybersecurity Curricular Guidelines (CSEC 2017)
ACM/IEEE/AIS SIGSEC/IFIP Cybersecurity Curricular Guideline

The Joint Task Force on Cybersecurity Education (JTF) was launched in September 2015 with the purpose of developing comprehensive curricular guidance in cybersecurity education that will support future program development and associated educational efforts.

The JTF is a collaboration between major international computing societies:

  • Association for Computing Machinery (ACM)
  • IEEE Computer Society (IEEE CS)
  • Association for Information Systems Special Interest Group on Security (AIS SIGSEC)
  • International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8)
The JTF grew out of the foundational efforts of the Cyber Education Project (CEP).

Cybersecurity Curriculum Framework (CCEI)

THE NEED
As more high school teachers integrate cybersecurity into their classrooms, the need for a coherent curriculum framework becomes more pressing. A curriculum framework sets the parameters, directions and standards for curriculum policy and practice. It is a means of organizing and managing content (policies, procedures, concepts and so on) in a systematic way. A curriculum framework is important because it enables educators to effectively plan properly sequenced activities so as to provide learning opportunities targeting desired learning outcomes. Curriculum developers and teachers seek to ensure that students develop a base of knowledge, skills, attitudes, beliefs and values that will enable them to function successfully in cybersecurity college programs and careers.

USING THE FRAMEWORK
Curriculum designed using this framework should appeal to students who have a broad range of interests and a variety of backgrounds. As cybersecurity becomes a part of nearly every aspect of society, an important prerequisite is interest, the ability to problem-solve, and a curious nature. The intent is that a course based on this framework will entice students into the field of cybersecurity, by exposing them to the diverse opportunities available.

BACKGROUND ON DEVELOPMENT
The framework used for Introduction to Cybersecurity was modeled after the AP Computer Science Principles curriculum framework, which in turn was based on the Understanding by Design® (Wiggins and McTighe) model. It was designed by educators from high school and higher education, who collectively have vast experience teaching computer science and cybersecurity. Feedback was sought across the country from high school educators teaching computer science and/or cybersecurity courses, cybersecurity educators from higher education institutions, and members of government and industry that have a need for highly skilled workers. This document guides curriculum in that it expresses what should be taught rather than how to teach it and provides students with a visible guide to successfully complete the course. Introduction to Cybersecurity is intended to be equivalent to an intro course in cybersecurity at either a community college or university.

THE STRUCTURE OF THE FRAMEWORK
The framework has four levels: big ideas, enduring understandings, learning objectives, essential knowledge statements.

The big ideas are broad, encompassing areas of importance to cybersecurity. That is, they are so important that all aspects of cybersecurity are affected by them. When writing a curriculum that maps to the framework, the scope of these ideas will be intertwined in lessons throughout the entire curriculum. The big ideas, in conjunction with a cybersecurity mindset, should drive how we teach so that students have enduring knowledge of at course completion. Underlying the big ideas are a set of essential questions. These questions illicit a response from students that displays a breadth and depth of knowledge within each big idea to ensure that a comprehensive understanding of the topic is acquired.

This summative knowledge base is listed under each big idea as an enduring understanding statement(s). Enduring understandings are statements summarizing important ideas and core processes that are central to cybersecurity and have lasting value beyond the classroom. Enduring understandings synthesize what students should understand as a result of knowing about and doing cybersecurity. Enduring Understandings are lasting and nearly unchanging. Course assessments should directly address these understandings. Projects developed should aim to produce artifacts that depict both the big ideas and the enduring understanding statements.

Learning objectives (LO) lie beneath enduring understanding statements within the framework and each enduring understanding has least one learning objective. Learning objectives work in tandem with the cybersecurity mindset by requiring students to complete tasks that will prepare students to successfully understand the defense of a system. Completed LOs give students the working knowledge needed in order to create a lasting knowledge (enduring understanding) of cybersecurity. LOs are written as action statements where students are to complete tasks in order for completion and mastery.

Essential knowledge (EK) statements provide clarity on the learning objectives by offering specific statements of fact that students should know at the end of the course. These EK statements are written as flexible and may be changed when new technologies are created.

DETERLab

Education Materials Overview
DETERLab is dedicated to supporting cyber security education. Since its inception, DETERLab has been used by 358 research projects, from 262 institutions and involving 918 researchers, from 203 locations and 46 countries.

DETERLab offers excellent support for teaching. Instructors can:

  • Benefit from a large collection of publicly available teaching materials
  • Automatically create student accounts
  • Upload class materials
  • Assign homework/projects to students
  • Track student progress on assignments
  • Download assignments for grading
  • Help students directly with many issues, without involving DETERLab staff
Students benefit from using DETERLab, too. They develop practical skills in cybersecurity, networking, operating system administration, and coding. These skills make a big difference in job search!

EDURange: A Cybersecurity Playground

Teaching cybersecurity or computer networking in the classroom? Our suite of exercises can help supplement your lectures, labs, and other activities. EDURange provides rapid feedback to students and faculty, aiding in the assessment of student learning. By providing interactive, competitive exercises, it enhances the quality of instructional material while increasing active learning for students.

EDURange Scenarios
Our central focus is on creating exercises, which we call scenarios, that support and nurture the development of analysis skills rather than memorized scripts, recipes, or standard command line and GUI settings for a particular tool. Though some scenarios revolve around using a specific tool, the main learning goal is the development of the analytical skills and understanding of the complex system which that tool acts upon.

Engaging
Whether through story-based design or the pursuit for the next checkpoint in a series of incremental challenges, our scenarios are fun and keep students absorbed. The intrigue of our scenarios help students stay actively interested in their own learning process.

Analytical
Not only do our scenarios pose challenges, but they do so in a way to encourage analytical thinking. Students learn how to develop their own building blocks to be further used as a scenario progresses. We also provide assignment questions and discussion questions to continue the investigative thinking post-scenario.

Supportive
While maintaining a balance between challenging and accessible, we provide students with suggestions and examples as they work through scenarios. Our student manuals also list helpful tools for each scenario.

Hack This Site

Hack This Site is a free training ground for users to test and expand their hacking skills. Our community is dedicated to facilitating an open learning environment by providing a series of hacking challenges, articles, resources, and discussion of the latest happenings in hacker culture. We are an online movement of artists, activists, hackers and anarchists who are organizing to create new worlds.

Labtainers

Fully packaged Linux-based computer science lab exercises with an initial emphasis on cybersecurity

Labtainers include more than 40 cyber lab exercises and tools to build your own. Import a single VM appliance or install on a Linux system and your students are done with provisioning and administrative setup, for these and future lab exercises.

  • Consistent lab execution environments and automated provisioning via Docker containers
  • Multi-component network topologies on a modestly performing laptop computer (50 second Demo)
  • Automated assessment of student lab activity and progress
  • Individualized lab exercises to discourage sharing solutions

Labtainers provide controlled and consistent execution environments in which students perform labs entirely within the confines of their computer, regardless of the Linux distribution and packages installed on the student's computer or VM. The only requirement is that the Linux system supports Docker. See Labtainers Papers below for additional information about the framework.

Labtainers includes over forty-five lab exercises summarized here. The framework is free and open, making it easy for educators to create and share their own Labtainer exercises. Please refer to the Lab Designer User Guide for details on using the framework to create and adapt lab exercises. Labtainers code and data is managed on GitHub. Consider contributing your new labs via GitHub pull requests.

Malware Unicorn Reverse Engineering Workshops

(Description copied in April 2020)

  • MacOS Dylib Injection
  • Reverse Engineering 101
  • Reverse Engineering 102
  • Flareon 6 2019 Writeups
  • Anti-Analysis Techniques
NIST NICE Cybersecurity Workforce Framework

About
The NICE Framework, NIST Special Publication 800-181, is a national focused resource that categorizes and describes cybersecurity work. The NICE Framework establishes a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors.

The Executive Order (EO) on America’s Cybersecurity Workforce encourages widespread adoption of the NICE Framework, and highlights its voluntary integration into existing education, training, and workforce development efforts undertaken by State, territorial, local, tribal, academic, non‑profit, and private-sector entities. The EO also directs that the NICE Framework be used as a reference for related federal government efforts, including as a basis for developing skill requirements for the federal cybersecurity rotational assignment program and the federal cybersecurity competition proposed by the Executive Order.

The NICE Framework is comprised of the following components:

  • Categories (7) – A high-level grouping of common cybersecurity functions.
  • Specialty Areas (33) – Distinct areas of cybersecurity work.
  • Work Roles (52) – The most detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities required to perform tasks in a work role.

Audience

  • Employers, to help assess their cybersecurity workforce, identify critical gaps in cybersecurity staffing, and improve position descriptions;
  • Current and future cybersecurity workers, to help explore Tasks and Work Roles and assist with understanding the KSAs that are being valued by employers for in-demand cybersecurity jobs and positions. The NICE Framework also enables staffing specialists and guidance counselors to use the NICE Framework as a resource to support these employees or job seekers;
  • Training and certification providers seeking to help current and future members of the cybersecurity workforce gain and demonstrate the KSAs;
  • Education providers who use the NICE Framework as a reference to develop curriculum, courses, seminars, and research that cover the KSAs and Tasks described; and
  • Technology providers who can identify cybersecurity Work Roles and specific Tasks and KSAs associated with the services and hardware/software products they supply.

OpenSecurityTraining.info

In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.

All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.

We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.

OverTheWire Wargames

The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. To find out more about a certain wargame, just visit its page linked from the menu on the left.

OWASP Hackademic

Description
The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.

Currently, there are 10 web application security scenarios available.

You can choose to start from the one that you find most appealing, although we suggest to follow the order presented on the first page. We intend to expand the available challenges with additional scenarios that involve cryptography, and even vulnerable systems implemented in download-able virtual machines.

Target Group
Anyone can use the OWASP Hackademic Challenges to test one's knowledge and skills.

Nevertheless, the OWASP Hackademic Challenges have been mainly developed to be used in a live classroom environment. Experience has shown increased interest and engagement from students that actually get to practice application security and see how things work in a realistic environment.

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.

The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!

Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a “guinea pig”-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.

Translating “dump” or “useless outfit” into German yields “Saftladen” which can be reverse-translated word by word into “juice shop”. Hence the project name. That the initials “JS” match with those of “JavaScript” was purely coincidental!

OWASP Top Ten

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

picoCTF

picoCTF is a free computer security game targeted at middle and high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge.

OWASP WebGoat

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!

pwnable.kr

What is pwnable.kr?
'pwnable.kr' is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. the main purpose of pwnable.kr is 'fun'. please consider each of the challenges as a game. while playing pwnable.kr, you could learn/improve system hacking skills but that shouldn't be your only purpose.

How do I play?
there are flag files corresponding to each challenges (similar to CTF), you need to read it and submit to pwnable.kr to get the corresponding point. in order to read the flag file, you need some skills regarding programming, reverse-engineering, bug exploitation, system knowledge, cryptography. each challenges have author's intended solution, however, there are a lot of unintended solutions as well :) the challenges are divided into four categories.

[Toddler's Bottle] - very easy challenges with simple mistakes.
[Rookiss] - typical bug exploitation challenges for rookies.
[Grotesque] - these challenges are grotesque-y. painful to solve it, but very tasty flag :)
[Hacker's Secret] - intended solution for these challenges involves special techniques.

pwn.college CTF

(Description copied in April 2020)

Welcome to pwn.college BETA!

pwn.college is a first-stage education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. It is designed to take a “white belt” in cybersecurity to becoming a “yellow belt”, able to approach (simple) CTFs and wargames.

The philosophy of pwn.college is “practice makes perfect”. Good luck!

pwn.college is in BETA
Following the open-source philosophy of “release early, release often”, pwn.college is in BETA. This is not yet a polished education platform, but we’re pushing there! Right now, we are working on resolving the following known issues:

  • The module slides are not very useful without video (and demos).
  • Some of the module challenge sets have problems with difficulty scaling (ROP suffers from this especially).
  • Some of the module challenge sets are missing concepts (example: GOT overwrites for memory corruption, actual memory corruption in the kernel).
  • Security doesn’t start and stop with binary analysis! As pwn.college is used in more courses, it’ll acquire more modules.
  • If you have other comments, suggestions, and feedback, please email us at pwn-college@asu.edu!

Who is this for?
Consider hacking as a martial art. Newcomers begin as white belts, with zero security knowledge. Slowly and painfully, they become yellow belts, able to reason about simple security challenges and start down the road of, for example, CTF competitions. Over time, they become more sure in their skills, achieving brown belt status (and able to, for example, contribute to the cybersecurity industry), before finally graduating to hacking masters: black belts.

pwn.college is meant for white belts. If you already know the basics of hacking (and, thus, are a yellow belt), you will find this resource very easy. If you are a brown belt, you will find it quite boring. If you are a black belt, it will put you to sleep.

That being said, just because the material is for beginners does not mean that the concepts are basic. The course tackles complex concepts, up to and including the inner working of OS kernels. Be ready to do some real work!

Who is responsible?
pwn.college was created by Zardus (Yan Shoshitaishvili) and kanak (Connor Nelson) for the CSE 466 course at Arizona State University. It has powered the Fall 2018 and Fall 2019 editions of CSE466, and is moving forward toward changing the world!

The modules of pwn.college
pwn.college is organized as a set of modules covering different topics. Each module has a set of lectures (slides available now, videos coming soon!) and practice problems, auto-generated for each aspiring hacker to practice on. Challenges come in a teaching variety, which will walk you through their own solutions, and a testing variety, which will challenge you with less guidance. Challenges are run directly on pwn.college, and can be launched in practice mode, where you have root access but there is a fake flag, and real mode, where you cannot read the flag without exploiting the challenge. The following modules are currently available at pwn.college:

  • Module 1: Abusing SUID in Linux
  • Module 2: Shellcode
  • Module 3: Sandboxing
  • Module 4: Reversing
  • Module 5: Memory Corruption
  • Module 6: Format Strings
  • Module 7: Return Oriented Programming
  • Module 8: Heap Exploitation
  • Module 9: Kernel Security

Concepts
Aside from directed module, pwn.college contains a wiki-like set of hacking concepts! These are designed to be linked directly from challenge problems.

Further Practice
After you learn the basics of cybersecurity and achieve yellow belt status, you should move on to harder challenges.

Capture The Flags (CTFs) are a great way to practice your hacking skills in a fun and ethical way. The most popular way to find upcoming events is at https://ctftime.org. If you are at ASU, feel free to check out and join ASU’s CTF Team pwndevils at https://pwndevils.com.

Wargames are another great way to practice your hacking skills. Whereas CTFs are short (normally 48 hour) events, wargames are not time-based. You can find a list of wargames at https://github.com/zardus/wargame-nexus.

Contributing
The infrastructure powering pwn.college and the web-facing content are open source, and we welcome pull requests and issues. The modules are closed-source, because they include source code and solution scripts. If you are an educator, or otherwise someone we trust, and are interested in collaborating on the modules themselves, please email us at pwn-college@asu.edu. Likewise, drop us a line if you are interested in collaborating on the slides!

Seattle in the Classroom

The Internet is a large and complex collection of machines. Learning Internet protocols and network characteristics is a challenge for students in part due to the diversity of Internet devices. Seattle makes learning about the Internet easy by providing students with a simple to learn Python-based language and a tool-rich environment that simplifies distributed deployment and monitoring of programs running across Internet hosts. Seattle can help instructors augment lectures with real-world, hands-on assignments across thousands of computers. Seattle has been used in dozens of classes at universities around the world. The Seattle team is dedicated to helping instructors get started with using Seattle in the classroom.

Security

  • Building a reference monitor
  • Attacking a reference monitor

SecKnitKit (Security Knitting Kit)

To computer science faculty who have had no prior experience in teaching security, we offer security modules (with lecture slides/notes, quizzes, active learning exercises) to integrate into computer science courses such as Software Engineering, Database Management Systems, Operating Systems, and Networks.

If you are interested in adopting ANY of these materials for your CS course(s), please SUBMIT your interest with contact information HERE. We will send you credentials to access the modules shortly after.

You can find a list of the exercise modules for each subject area with brief overview below. In addition to these exercise modules complete with virtual image, each subject area contains at least two sets of lecture modules (slides with notes), and assessment Q&A.

Hope we can help you in adopting security into your CS curriculum.

For authorized participants only:

  • Software Engineering
  • Database Management Systems
  • Operating Systems
  • Networks

Secure WEb dEvelopment Teaching (SWEET)

SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.

Security Cards: A Security Threat Brainstorming Toolkit

The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits):

Human Impact (9 cards)
Human Impact points to the myriad of ways in which human beings can be affected in their lives, from intimate relationships and emotional experience to privacy violations with personal data to widespread societal impacts at the level of the economy, government, and social structure.

Adversary's Motivations (13 cards)
Adversary's Motivations emphasizes the variety of reasons an individual or group might wish to attack a system, from ideological reasons focused on religion, politics, or diplomacy to more self-oriented motivations such as convenience or self promotion.

Adversary's Resources (11 cards)
Adversary's Resources presents an array of different assets that might be at an adversary's disposal, from hardware and software tools to the ability to influence the actions of groups of people, or access to technical or social expertise.

Adversary's Methods (9 cards)
Adversary's Methods explores high-level ways that an adversary might approach attacking a system, from the familiar technological attack to manipulating or coercing people, covering up evidence, or leveraging logistical and bureaucratic processes.

Security Injections (Cyber4All@Towson)

Despite the critical societal importance of computer security, security is not well integrated into the undergraduate computing curriculum. Undergraduate classes or security tracks treat security issues as separable topics like database or software engineering, as opposed to fundamental issues that pervade all aspects of software development.

Security Injections are strategically-placed security-related modules for existing undergraduate classes. The combination of lab exercises and student-completed checklists in these security injections has helped us teach security across the curriculum without adding extra pressure on already-overburdened undergraduate degree programs.

SEED Labs

Started in 2002, funded by a total of 1.3 million dollars from NSF, and now used by over a thousand educational institutes worldwide, the SEED project's objective is to develop hands-on laboratory exercises (called SEED labs) for computer and information security education and help instructors adopt these labs in their curricula.

Easy Lab Setup
Students just need to download our pre-built virtual machine image to their personal computers or run it from a cloud. There is no need for a physical lab space or dedicated computers. All the software we use for the lab environment setup is open-source and free.

30+ SEED Labs
We have developed over 30 labs that cover a wide range of topics in computer and information security, including software security, network security, web security, operating system security and mobile app security. More labs are currently being developed.

SEED Workshops
We have held 11 faculty training workshops in the past, but our funds have already ended. If your organization is interested in sponsoring a training workshop for the faculties in your local community or country, we will be glad to come and deliver such a program.

SEED Books
I have written a textbook based on the SEED labs and my 18 years of teaching experience. The book takes a hands-on approach: for each security principle, specially designed activities are used to help explain the principle. The book is available on Amazon.

TableTop Security
TableTop Security is a multi-institutional initiative that explores novel and creative ways to incorporate cybersecurity topics into existing curricula through games.
Tabletop Security Games & Cards

Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are 'serious games,' or 'games with a purpose.' There have been academic workshops with a focus on using games to enhance learning.

This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included, software, including CTFs, are excluded. I'm not aware of an attempt to catalog software games with a security teaching goal.

VulnHub

Aim/Goal
To provide materials that allows anyone to gain practical 'hands-on' experience in digital security, computer software & network administration.

Brief History/Purpose
Before you can run, you need to be able to walk. You do so by learning the basics so you can gain of the theory. Once you're up and walking, you need 'something' to run to (Something to aim for) & you need 'somewhere' that's padded with foam to run about in (so it doesn't matter if you fall over). This is where VulnHub comes in.

We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself. Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.

Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them. So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally) 'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out. When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.

We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.

You can watch someone else... Then follow along at the same time... Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)... Finally you can start on an unknown source (black box testing)... ...and if you get stuck you can always ask for a nudge!


Thank yous for suggestions/additions (alphabetically by last name) include: Raheem Beyah, Matt Bishop, Justin Cappos, Melissa Dark, Kevin Du, Jelena Mirkovic, Ella Moskun, Peter Peterson, Elissa Redmiles, Daniel Votipka.