Below is a community-sourced collection of resources related to [computer security | cybersecurity | information security] education. This collection is primarily targeted at security instructors looking for course materials. To suggest additional materials or updates/corrections (including tags) please contact firstname.lastname@example.org.
Last updated: October 2019
Catalyzing Computing and Cybersecurity in Community Colleges (C5) is a project funded by the National Science Foundation. It supports the creation of a nationwide network of community colleges that have met national standards in cybersecurity education, producing more and better-prepared graduates for the workforce, and ultimately leading to a more secure nation.
C5 seeks to strengthen and expand the number of community colleges across the nation that have earned the NSA/DHS National Center of Academic Excellence (CAE) designation for cybersecurity education. The project supports the CAE Application Assistance Program by matching approved mentee institutions with qualified mentors who assist them with the application process.
C5 also brings together computer science and cybersecurity educators to develop new course content that integrates the two disciplines. The resulting modules can be seamlessly incorporated into existing computing or cybersecurity courses, or bundled to create an introductory cybersecurity-infused computer science course.
The project is administered by Whatcom Community College in Bellingham, Washington. Members of the C5 Leadership Team have extensive experience and expertise and are recognized for their commitment to excellence in cybersecurity and computing education, and for their approach to producing results and successfully managing National Science Foundation projects.
Dr. Vera Zdravkovich — Principal Investigator (PI)
Corrinne Sande — Co-PI: C5 Mentee Program
Dr. Elizabeth Hawthorne — Co-PI: Cybersecurity Instructional Materials
Dr. Melissa Dark — Co-PI: Cybersecurity Instructional Materials
CLARK is a digital library that hosts a diverse collection of cybersecurity Learning Objects. It was created because there is a demonstrated need for a high-quality and high-availability repository for curricular and ancillary resources in the cybersecurity education community.
an innovative video game and tool to teach computer and network security concepts
CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.
Cyber Security Simulation
In its interactive environment, CyberCIEGE covers significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.
CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms. It includes identity management components such as biometric scanners and authentication servers. Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems. Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.
|Cybersecurity Curricular Guidelines (CSEC 2017)||
ACM/IEEE/AIS SIGSEC/IFIP Cybersecurity Curricular Guideline
The Joint Task Force on Cybersecurity Education (JTF) was launched in September 2015 with the purpose of developing comprehensive curricular guidance in cybersecurity education that will support future program development and associated educational efforts.
The JTF is a collaboration between major international computing societies:
|Cybersecurity Curriculum Framework (CCEI)||
USING THE FRAMEWORK
BACKGROUND ON DEVELOPMENT
THE STRUCTURE OF THE FRAMEWORK
The big ideas are broad, encompassing areas of importance to cybersecurity. That is, they are so important that all aspects of cybersecurity are affected by them. When writing a curriculum that maps to the framework, the scope of these ideas will be intertwined in lessons throughout the entire curriculum. The big ideas, in conjunction with a cybersecurity mindset, should drive how we teach so that students have enduring knowledge of at course completion. Underlying the big ideas are a set of essential questions. These questions illicit a response from students that displays a breadth and depth of knowledge within each big idea to ensure that a comprehensive understanding of the topic is acquired.
This summative knowledge base is listed under each big idea as an enduring understanding statement(s). Enduring understandings are statements summarizing important ideas and core processes that are central to cybersecurity and have lasting value beyond the classroom. Enduring understandings synthesize what students should understand as a result of knowing about and doing cybersecurity. Enduring Understandings are lasting and nearly unchanging. Course assessments should directly address these understandings. Projects developed should aim to produce artifacts that depict both the big ideas and the enduring understanding statements.
Learning objectives (LO) lie beneath enduring understanding statements within the framework and each enduring understanding has least one learning objective. Learning objectives work in tandem with the cybersecurity mindset by requiring students to complete tasks that will prepare students to successfully understand the defense of a system. Completed LOs give students the working knowledge needed in order to create a lasting knowledge (enduring understanding) of cybersecurity. LOs are written as action statements where students are to complete tasks in order for completion and mastery.
Essential knowledge (EK) statements provide clarity on the learning objectives by offering specific statements of fact that students should know at the end of the course. These EK statements are written as flexible and may be changed when new technologies are created.
Education Materials Overview
DETERLab offers excellent support for teaching. Instructors can:
|EDURange: A Cybersecurity Playground||
Teaching cybersecurity or computer networking in the classroom? Our suite of exercises can help supplement your lectures, labs, and other activities. EDURange provides rapid feedback to students and faculty, aiding in the assessment of student learning. By providing interactive, competitive exercises, it enhances the quality of instructional material while increasing active learning for students.
Fully packaged Linux-based computer science lab exercises with an initial emphasis on cybersecurity
Labtainers include more than 40 cyber lab exercises and tools to build your own. Import a single VM appliance or install on a Linux system and your students are done with provisioning and administrative setup, for these and future lab exercises.
Labtainers provide controlled and consistent execution environments in which students perform labs entirely within the confines of their computer, regardless of the Linux distribution and packages installed on the student's computer or VM. The only requirement is that the Linux system supports Docker. See Labtainers Papers below for additional information about the framework.
Labtainers includes over forty-five lab exercises summarized here. The framework is free and open, making it easy for educators to create and share their own Labtainer exercises. Please refer to the Lab Designer User Guide for details on using the framework to create and adapt lab exercises. Labtainers code and data is managed on GitHub. Consider contributing your new labs via GitHub pull requests.
|NIST NICE Cybersecurity Workforce Framework||
The Executive Order (EO) on America’s Cybersecurity Workforce encourages widespread adoption of the NICE Framework, and highlights its voluntary integration into existing education, training, and workforce development efforts undertaken by State, territorial, local, tribal, academic, non‑profit, and private-sector entities. The EO also directs that the NICE Framework be used as a reference for related federal government efforts, including as a basis for developing skill requirements for the federal cybersecurity rotational assignment program and the federal cybersecurity competition proposed by the Executive Order.
The NICE Framework is comprised of the following components:
Currently, there are 10 web application security scenarios available.
You can choose to start from the one that you find most appealing, although we suggest to follow the order presented on the first page. We intend to expand the available challenges with additional scenarios that involve cryptography, and even vulnerable systems implemented in download-able virtual machines.
Nevertheless, the OWASP Hackademic Challenges have been mainly developed to be used in a live classroom environment. Experience has shown increased interest and engagement from students that actually get to practice application security and see how things work in a realistic environment.
|OWASP Top Ten||
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!
|Security Education Companion||
SEC is a resource for people teaching digital security to their friends and neighbors.
If you are new to digital security, want tutorials for privacy-protecting tools, or want translated guides in 11 languages, head to Surveillance Self-Defense (SSD).
Started in 2002, funded by a total of 1.3 million dollars from NSF, and now used by over a thousand educational institutes worldwide, the SEED project's objective is to develop hands-on laboratory exercises (called SEED labs) for computer and information security education and help instructors adopt these labs in their curricula.
Easy Lab Setup
30+ SEED Labs
TableTop Security is a multi-institutional initiative that explores novel and creative ways to incorporate cybersecurity topics into existing curricula through games.
|Tabletop Security Games & Cards||
Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are 'serious games,' or 'games with a purpose.' There have been academic workshops with a focus on using games to enhance learning.
This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included, software, including CTFs, are excluded. I'm not aware of an attempt to catalog software games with a security teaching goal.
|The Security Cards: A Security Threat Brainstorming Toolkit||
The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits):
Human Impact (9 cards)
Adversary's Motivations (13 cards)
Adversary's Resources (11 cards)
Adversary's Methods (9 cards)
We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself. Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.
Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them. So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally) 'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out. When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.
We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.
You can watch someone else... Then follow along at the same time... Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)... Finally you can start on an unknown source (black box testing)... ...and if you get stuck you can always ask for a nudge!