Below is a community-sourced collection of resources related to [computer security | cybersecurity | information security] education. This collection is primarily targeted at security instructors looking for course materials. To suggest additional materials or updates/corrections (including tags) please contact firstname.lastname@example.org.
|Beginner's Quest (Google CTF)||
Welcome to the Beginner's Quest! A few notes before your embark:
|Build it Break it Fix it||
The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams.
There are currently no public contests planned at this time. We are looking for partners to run BIBIFI in the classroom! We will share our infrastructure and provide support. Contact us at email@example.com if you are interested.
Catalyzing Computing and Cybersecurity in Community Colleges (C5) is a project funded by the National Science Foundation. It supports the creation of a nationwide network of community colleges that have met national standards in cybersecurity education, producing more and better-prepared graduates for the workforce, and ultimately leading to a more secure nation.
C5 seeks to strengthen and expand the number of community colleges across the nation that have earned the NSA/DHS National Center of Academic Excellence (CAE) designation for cybersecurity education. The project supports the CAE Application Assistance Program by matching approved mentee institutions with qualified mentors who assist them with the application process.
C5 also brings together computer science and cybersecurity educators to develop new course content that integrates the two disciplines. The resulting modules can be seamlessly incorporated into existing computing or cybersecurity courses, or bundled to create an introductory cybersecurity-infused computer science course.
The project is administered by Whatcom Community College in Bellingham, Washington. Members of the C5 Leadership Team have extensive experience and expertise and are recognized for their commitment to excellence in cybersecurity and computing education, and for their approach to producing results and successfully managing National Science Foundation projects.
Dr. Vera Zdravkovich — Principal Investigator (PI)
Corrinne Sande — Co-PI: C5 Mentee Program
Dr. Elizabeth Hawthorne — Co-PI: Cybersecurity Instructional Materials
Dr. Melissa Dark — Co-PI: Cybersecurity Instructional Materials
CLARK is a digital library that hosts a diverse collection of cybersecurity Learning Objects. It was created because there is a demonstrated need for a high-quality and high-availability repository for curricular and ancillary resources in the cybersecurity education community.
|The Cyber Security Body Of Knowledge (CyBOK)||
A comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.
CyBOK will be a guide to the body of knowledge—the knowledge that it codiﬁes already exists in literature such as textbooks, academic research articles, technical reports, white papers and standards. The project’s focus is, therefore, on mapping established knowledge and not fully replicating everything that has ever been written on the subject.
The CyBOK project team have undertaken an extensive exercise involving a mapping and analysis of relevant texts as well as a range of community consultations via workshops, an online survey, interviews and position papers. These activities have provided an in-depth understanding of the community’s collective view of the top-level Knowledge Areas (KAs) that should be in the scope of CyBOK. Following these consultations and various inputs, the 19 top level KAs were distilled and these will inform the scope of CyBOK.
The project, funded by the National Cyber Security Programme, is led by the University of Bristol's Professor Awais Rashid, along with other leading cyber security experts - including Professor Andrew Martin, Professor George Danezis, Professor Emil Lupu and Dr Howard Chivers.
an innovative video game and tool to teach computer and network security concepts
CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.
Cyber Security Simulation
In its interactive environment, CyberCIEGE covers significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.
CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms. It includes identity management components such as biometric scanners and authentication servers. Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems. Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.
|Cybersecurity Curricular Guidelines (CSEC 2017)||
ACM/IEEE/AIS SIGSEC/IFIP Cybersecurity Curricular Guideline
The Joint Task Force on Cybersecurity Education (JTF) was launched in September 2015 with the purpose of developing comprehensive curricular guidance in cybersecurity education that will support future program development and associated educational efforts.
The JTF is a collaboration between major international computing societies:
|Cybersecurity Curriculum Framework (CCEI)||
USING THE FRAMEWORK
BACKGROUND ON DEVELOPMENT
THE STRUCTURE OF THE FRAMEWORK
The big ideas are broad, encompassing areas of importance to cybersecurity. That is, they are so important that all aspects of cybersecurity are affected by them. When writing a curriculum that maps to the framework, the scope of these ideas will be intertwined in lessons throughout the entire curriculum. The big ideas, in conjunction with a cybersecurity mindset, should drive how we teach so that students have enduring knowledge of at course completion. Underlying the big ideas are a set of essential questions. These questions illicit a response from students that displays a breadth and depth of knowledge within each big idea to ensure that a comprehensive understanding of the topic is acquired.
This summative knowledge base is listed under each big idea as an enduring understanding statement(s). Enduring understandings are statements summarizing important ideas and core processes that are central to cybersecurity and have lasting value beyond the classroom. Enduring understandings synthesize what students should understand as a result of knowing about and doing cybersecurity. Enduring Understandings are lasting and nearly unchanging. Course assessments should directly address these understandings. Projects developed should aim to produce artifacts that depict both the big ideas and the enduring understanding statements.
Learning objectives (LO) lie beneath enduring understanding statements within the framework and each enduring understanding has least one learning objective. Learning objectives work in tandem with the cybersecurity mindset by requiring students to complete tasks that will prepare students to successfully understand the defense of a system. Completed LOs give students the working knowledge needed in order to create a lasting knowledge (enduring understanding) of cybersecurity. LOs are written as action statements where students are to complete tasks in order for completion and mastery.
Essential knowledge (EK) statements provide clarity on the learning objectives by offering specific statements of fact that students should know at the end of the course. These EK statements are written as flexible and may be changed when new technologies are created.
Education Materials Overview
DETERLab offers excellent support for teaching. Instructors can:
|EDURange: A Cybersecurity Playground||
Teaching cybersecurity or computer networking in the classroom? Our suite of exercises can help supplement your lectures, labs, and other activities. EDURange provides rapid feedback to students and faculty, aiding in the assessment of student learning. By providing interactive, competitive exercises, it enhances the quality of instructional material while increasing active learning for students.
|Hack This Site||
Hack This Site is a free training ground for users to test and expand their hacking skills. Our community is dedicated to facilitating an open learning environment by providing a series of hacking challenges, articles, resources, and discussion of the latest happenings in hacker culture. We are an online movement of artists, activists, hackers and anarchists who are organizing to create new worlds.
Fully packaged Linux-based computer science lab exercises with an initial emphasis on cybersecurity
Labtainers include more than 40 cyber lab exercises and tools to build your own. Import a single VM appliance or install on a Linux system and your students are done with provisioning and administrative setup, for these and future lab exercises.
Labtainers provide controlled and consistent execution environments in which students perform labs entirely within the confines of their computer, regardless of the Linux distribution and packages installed on the student's computer or VM. The only requirement is that the Linux system supports Docker. See Labtainers Papers below for additional information about the framework.
Labtainers includes over forty-five lab exercises summarized here. The framework is free and open, making it easy for educators to create and share their own Labtainer exercises. Please refer to the Lab Designer User Guide for details on using the framework to create and adapt lab exercises. Labtainers code and data is managed on GitHub. Consider contributing your new labs via GitHub pull requests.
|NIST NICE Cybersecurity Workforce Framework||
The Executive Order (EO) on America’s Cybersecurity Workforce encourages widespread adoption of the NICE Framework, and highlights its voluntary integration into existing education, training, and workforce development efforts undertaken by State, territorial, local, tribal, academic, non‑profit, and private-sector entities. The EO also directs that the NICE Framework be used as a reference for related federal government efforts, including as a basis for developing skill requirements for the federal cybersecurity rotational assignment program and the federal cybersecurity competition proposed by the Executive Order.
The NICE Framework is comprised of the following components:
In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.
We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. To find out more about a certain wargame, just visit its page linked from the menu on the left.
Currently, there are 10 web application security scenarios available.
You can choose to start from the one that you find most appealing, although we suggest to follow the order presented on the first page. We intend to expand the available challenges with additional scenarios that involve cryptography, and even vulnerable systems implemented in download-able virtual machines.
Nevertheless, the OWASP Hackademic Challenges have been mainly developed to be used in a live classroom environment. Experience has shown increased interest and engagement from students that actually get to practice application security and see how things work in a realistic environment.
|OWASP Juice Shop||
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!
|OWASP Top Ten||
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
picoCTF is a free computer security game targeted at middle and high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge.
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.
Why the name "WebGoat"? Developers should not feel bad about not knowing security. Even the best programmers make security errors. What they need is a scapegoat, right? Just blame it on the 'Goat!
What is pwnable.kr?
How do I play?
|Seattle in the Classroom||
The Internet is a large and complex collection of machines. Learning Internet protocols and network characteristics is a challenge for students in part due to the diversity of Internet devices. Seattle makes learning about the Internet easy by providing students with a simple to learn Python-based language and a tool-rich environment that simplifies distributed deployment and monitoring of programs running across Internet hosts. Seattle can help instructors augment lectures with real-world, hands-on assignments across thousands of computers. Seattle has been used in dozens of classes at universities around the world. The Seattle team is dedicated to helping instructors get started with using Seattle in the classroom.
|SecKnitKit (Security Knitting Kit)||
To computer science faculty who have had no prior experience in teaching security, we offer security modules (with lecture slides/notes, quizzes, active learning exercises) to integrate into computer science courses such as Software Engineering, Database Management Systems, Operating Systems, and Networks.
If you are interested in adopting ANY of these materials for your CS course(s), please SUBMIT your interest with contact information HERE. We will send you credentials to access the modules shortly after.
You can find a list of the exercise modules for each subject area with brief overview below. In addition to these exercise modules complete with virtual image, each subject area contains at least two sets of lecture modules (slides with notes), and assessment Q&A.
Hope we can help you in adopting security into your CS curriculum.
For authorized participants only:
|Secure WEb dEvelopment Teaching (SWEET)||
SWEET (Secure WEb dEvelopment Teaching) is a set of portable teaching modules for secure web development. SWEET features eight teaching modules, six project modules and a virtualized web development platform that allows instructors to conduct hands-on laboratory exercises. The purpose of this project is to enhance the learning experience of computing students through standardized teaching modules and environment in secure web development. We have adopted this teaching tool to introduce web security concepts in both undergraduate and graduate courses. Each SWEET teaching module will be enough for a three-hour class containing lecture materials and hands-on laboratory exercises that are relevant to the contents in the lectures.
|Security Cards: A Security Threat Brainstorming Toolkit||
The Security Cards encourage you to think broadly and creatively about computer security threats. Explore with 42 cards along 4 dimensions (suits):
Human Impact (9 cards)
Adversary's Motivations (13 cards)
Adversary's Resources (11 cards)
Adversary's Methods (9 cards)
|Security Injections (Cyber4All@Towson)||
Despite the critical societal importance of computer security, security is not well integrated into the undergraduate computing curriculum. Undergraduate classes or security tracks treat security issues as separable topics like database or software engineering, as opposed to fundamental issues that pervade all aspects of software development.
Security Injections are strategically-placed security-related modules for existing undergraduate classes. The combination of lab exercises and student-completed checklists in these security injections has helped us teach security across the curriculum without adding extra pressure on already-overburdened undergraduate degree programs.
Started in 2002, funded by a total of 1.3 million dollars from NSF, and now used by over a thousand educational institutes worldwide, the SEED project's objective is to develop hands-on laboratory exercises (called SEED labs) for computer and information security education and help instructors adopt these labs in their curricula.
Easy Lab Setup
30+ SEED Labs
TableTop Security is a multi-institutional initiative that explores novel and creative ways to incorporate cybersecurity topics into existing curricula through games.
|Tabletop Security Games & Cards||
Games teach. Games provide engagement and repetition, which help people learn. Many people have crafted games with explicit security learning goals. These are 'serious games,' or 'games with a purpose.' There have been academic workshops with a focus on using games to enhance learning.
This page started as a list of tabletop games that touch on information security. It has evolved to be scoped to physical things: discussion-prompting cards are included, software, including CTFs, are excluded. I'm not aware of an attempt to catalog software games with a security teaching goal.
We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself. Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.
Over the years people have been creating these resources and a lot of time has been put into them, creating ''hidden gems' of training material. However, unless you know of them, its hard to discover them. So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally) 'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practise 'stuff' out. When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with. We will also ask for permission from the original source to mirror the material and to preserve the resources.
We hope that the community will come together to help each other learn, either by making new material or providing walkthroughs/solutions for existing solutions to help other people.
You can watch someone else... Then follow along at the same time... Afterwards set it up yourself & then try to do it (so you have an insight into the system - white box testing)... Finally you can start on an unknown source (black box testing)... ...and if you get stuck you can always ask for a nudge!