Cybersecurity passport booklet updates 603




PASSPORT IDENTIFICATION NAME

CAMP

With special thanks to Pam Rowland and Dr. Ashley Podhradsky of Dakota State University for generously sharing their creation of this passport.


What is CyberSecurity?

Cybersecurity is the body of technologies, processes and practices designed to PROTECT networks, computers, programs and data from attack, damage or unauthorized access.


George Washington University: Washington, DC

Computer Science at GW

The Department of Computer Science offers an ABET-accredited Bachelor of Science degree and a Bachelor of Arts degree. Within these two degrees, students have the opportunity to tailor the curriculum to suit their interests and needs through a variety of technical tracks and electives. The undergraduate degree program culminates in a capstone design experience and fundamentals, design methods, tools, and applications, preparing students for exciting and rewarding careers in medicine, films, business, government, engineering, and of course IT.

BA in Computer Science

The Bachelor of Arts (B.A.) program is designed for students who wish to combine computer science with a second major, or with a set of minors, in natural science, liberal arts, or business. The program provides a foundation in computer science, along with lots of room in the curriculum to select courses in other disciplines. Students are required to elect a second major or two secondary fields. As part of a residency requirement, all computer science majors must take a minimum of 30 credits in computer science at GW. The 30 credits include courses that students who participate in a study abroad program take during their approved study abroad.

BS in Computer Science

The Bachelor of Science (B.S.) program in computer science is a strong core computer science program accredited by ABET, the professional society that accredits engineering programs. The B.S. program provides general education, strength in mathematics and science, communication and an in-depth program in computer science including an 8-credit Senior Design Project that closely models "industrial-strength" project development in Cyber Operations designation.

GW was among the first to be awarded an NSA Center of Excellence (CAE) and CAE-R (research) designation.


Cybersecurity First Principles

Principle 1: Domain Separation
Principle 2: Process Isolation
Principle 3: Resource Encapsulation
Principle 4: Least Privilege
Principle 5: Layering Principle
Principle 6: Abstraction
Principle 7: Information Hiding
Principle 8: Modularity
Principle 9: Simplicity of Design
Principle 10: Minimization


Impact of Cybersecurity

It’s Personal – Cybersecurity issues affect you. They affect every single person that is on a computer. We must protect ourselves.

It’s Business – Information is vulnerable. Cybersecurity affects every business. We must protect business.

It’s National Security – Cyber operations is so important in active conflicts. We must have good warriors.

The Wild-est Quotation

It will take a wily mind to unravel this well-known Oscar Wilde quote. Place the letters in each column in one of the empty boxes directly above them. You can only use each letter once. When all of the letters have been placed correctly, this popular Wilde quotation will read across the boxes.

T E T

O H X H

N P E E

E I E

R N R

A I G

M M E I

E N V I

S E C

T E S E

A V

T K I E

R O S E

S Y


Principle One

Domain Separation

a. In the Robert Frost poem “Mending Fences,” the last line states “Good fences make good neighbors.” Domain separation is like this.

b. A domain is a generic term. It could be a region governed by a king; it could be a website, or an area of control. At the Social Security Administration, there are different operational areas and job functions, each having different job responsibilities. In the programming department, there are programmers (developers and maintainers and many more), testers and system administrators. When the developers wish to test their code, they need test data that is similar to the real data, but obviously not live data. The test program must use test data in case the program reacts unexpectedly. Keeping the test data separate from the operational data is one example of domain separation.

c. Inside a computer system, there are also domains. For example, most hardware microprocessors have a supervisor domain (sometimes referred to as a supervisor state or privileged state) and a user domain. In supervisor state, privileged hardware instructions can be executed. An operating system uses these hardware domains to implement mechanisms that protect it from interference by user written programs and purchased applications. The operating system code runs in supervisor state, while the user programs run in the user domain.


Image Representation

Computer screens are divided up into a grid of small dots called pixels (picture elements). In a black and white picture, each pixel is either black or white. The letter “a” has been magnified above to show the pixels. When a computer stores a picture, all that it needs to know is which dots are black and which are white.

1, 3 - 4, 1 - 1, 4 - 0, 1, 3, 1 - 0, 1, 3, 1 - 1, 4

The picture below shows us how a picture can be represented by numbers. The first line consists of one white pixel, then three black, then one white. Thus the first line is represented as 1, 3. The first number always relates to the number of white pixels. If the first pixel is black, the line will begin with a zero.

[Activity taken from NCWIT.org]
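The number scheme described above can be decoded mechanically. This Python sketch is an added example, not part of the original activity; the function names, the '.'/'#' pixel symbols and the five-pixel row width (taken from the description of the first line) are assumptions.

```python
# Added example: decode the booklet's run-length picture code into pixels.
# Assumptions: every row is 5 pixels wide, and a row whose runs stop short
# of the full width is completed with white pixels.

WIDTH = 5
WHITE, BLACK = ".", "#"

# The row codes exactly as printed in the booklet, rows separated by " - ".
BOOKLET_CODE = "1, 3 - 4, 1 - 1, 4 - 0, 1, 3, 1 - 0, 1, 3, 1 - 1, 4"


def parse_rows(code):
    """Split '1, 3 - 4, 1' into [[1, 3], [4, 1]]."""
    return [[int(n) for n in row.split(",")] for row in code.split(" - ")]


def decode_row(runs, width=WIDTH):
    """Turn run lengths into pixels. The first run is always white."""
    pixels = []
    colour = WHITE
    for run in runs:
        if run < 0:
            raise ValueError("a run length cannot be negative")
        pixels.append(colour * run)
        colour = BLACK if colour == WHITE else WHITE
    row = "".join(pixels)
    if len(row) > width:
        # Reject input that claims more pixels than the row can hold.
        raise ValueError("runs add up to more than the row width")
    return row.ljust(width, WHITE)


def decode_image(code, width=WIDTH):
    return [decode_row(runs, width) for runs in parse_rows(code)]


def encode_row(row):
    """Inverse of decode_row: pixels back to run lengths."""
    runs, colour, count = [], WHITE, 0
    for pixel in row:
        if pixel not in (WHITE, BLACK):
            raise ValueError("unknown pixel symbol")
        if pixel == colour:
            count += 1
        else:
            runs.append(count)  # a leading 0 appears when the row starts black
            colour, count = pixel, 1
    runs.append(count)
    return runs


if __name__ == "__main__":
    print("\n".join(decode_image(BOOKLET_CODE)))
```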



You try it:

Make your own:



Principle Two

Process Isolation

a. A process is a program running in a computer. Processes running in a computer have their own portion of memory called the address space. The address space is an area of memory that only one running program can access. If a word processor, a database and a browser are running on a computer, they are all running in different address spaces. This is done to ensure correct operation, security and protection. The word processor cannot access the memory of the browser or database. If two processes are running and one of the processes has a problem, that problem should be confined to the process with a problem and not affect the other process.

b. In addition to process isolation, it is also possible to have operating system isolation. Programs such as VMware or VirtualBox enable multiple operating systems to execute on the same computer without interfering with one another. In this context, each OS is viewed as a process, to be kept separate from the other processes (OSs). Programs running in each OS should not be aware of programs running on another OS, nor should they be aware of the existence of another OS.
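The behaviour described in (a) can be observed directly on a Unix-like system. This Python sketch is an added example, not part of the original booklet; the function names and sample values are made up for illustration, and it assumes a platform that provides os.fork.

```python
# Added example: two processes, two address spaces.
# Assumption: a Unix-like operating system (os.fork is not available on Windows).
import os
import signal


def child_cannot_change_parent_memory():
    """A child process edits 'the same' variable; the parent's copy is untouched."""
    balance = {"amount": 100}          # lives in the parent's address space
    read_end, write_end = os.pipe()    # the only channel between the two processes
    pid = os.fork()
    if pid == 0:
        # Child: it received its own copy of the parent's memory.
        try:
            os.close(read_end)
            balance["amount"] = 0      # changes the child's copy only
            os.write(write_end, str(balance["amount"]).encode())
        finally:
            os._exit(0)                # leave the child immediately
    # Parent: read what the child saw, then look at our own copy.
    os.close(write_end)
    with os.fdopen(read_end) as pipe:
        child_view = int(pipe.read())
    os.waitpid(pid, 0)
    return balance["amount"], child_view


def crash_stays_in_child():
    """A child process dies abruptly; the parent keeps running with its data."""
    parent_data = "parent data intact"
    pid = os.fork()
    if pid == 0:
        # Child: simulate a fatal problem by killing this process only.
        os.kill(os.getpid(), signal.SIGKILL)
        os._exit(1)                    # not reached
    _, status = os.waitpid(pid, 0)
    child_was_killed = os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGKILL
    return child_was_killed, parent_data


if __name__ == "__main__":
    print(child_cannot_change_parent_memory())
    print(crash_stays_in_child())
```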



Find the Best Route within The Muddy City

Our society is linked by many networks: telephone networks, utility supply networks, computer networks, and road networks. For a particular network there is usually some choice about where the roads, cables, or radio links can be placed. We need to find ways of efficiently linking objects in a network.

Computer scientists call the representations of these networks “graphs”. Real networks can be represented by a graph to solve problems such as designing the best network of roads between local cities, or airplane flights around the country. There are also many other algorithms that can be applied to graphs, such as finding the shortest distance between two points, or the shortest route that visits all the points.

Once upon a time there was a city that had no roads. Getting around the city was particularly difficult after rainstorms because the ground became very muddy—cars got stuck in the mud and people got their boots dirty. The mayor of the city decided that some of the streets must be paved, but didn’t want to spend more money than necessary because the city also wanted to build a swimming pool. The mayor therefore specified two conditions:

1. Enough streets must be paved so that it is possible for everyone to travel from their house to anyone else’s house only along paved roads, and
2. The paving should cost as little as possible.

Here is the layout of the city. The number of paving stones between each house represents the cost of paving that route. Find the best route that connects all the houses, but uses as few counters (paving stones) as possible.


Find the Best Route within The Muddy City (cont.)

What strategies did you use to solve the problem?

[Activity taken from CSUnplugged.org]



A Checkered Puzzle

Can you place eight checkers on a checkerboard such that no two are in line horizontally, vertically, or diagonally?


Principle Three

Resource Encapsulation

a. A computer has many resources. A resource can be hardware based such as memory, disk drives, or a monitor. It can also be system objects such as semaphores, a linked list, or shared memory.

b. Encapsulation is an object-oriented concept where all data and functions required to use the resource are packaged into a single self-contained component. The goal is to only allow access or manipulation of the resource in the way the designer intended. For example, assume a flag pole is the object. There are fixed methods on how the flag pole is to be used. Put the flag on, take the flag off, raise or lower the flag. Nothing else can be done to the flag pole.

c. In addition to controlling what operations can be performed on the resource, the system can also control which users can perform these operations on the resource.
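The flag pole from (b), together with the per-user control from (c), written out as a Python sketch. This is an added example, not part of the original booklet; the class name, the method names and the two roles ("caretaker" and "student") are made up for illustration.

```python
# Added example: the flag pole as an encapsulated resource.
# Assumptions: the roles and the rule table below are invented for this sketch.
# Note: the leading underscore marks state as internal by Python convention;
# the language does not enforce it.


class FlagPole:
    # Which roles may perform which operation (point c in the text).
    _ALLOWED = {
        "attach_flag": {"caretaker"},
        "remove_flag": {"caretaker"},
        "raise_flag": {"caretaker", "student"},
        "lower_flag": {"caretaker", "student"},
    }

    def __init__(self):
        self._flag = None      # internal state, changed only by the methods below
        self._raised = False

    def _check(self, role, operation):
        if role not in self._ALLOWED[operation]:
            raise PermissionError(f"{role} may not {operation}")

    # The four fixed operations from point b. Nothing else is offered.
    def attach_flag(self, role, flag):
        self._check(role, "attach_flag")
        if self._flag is not None:
            raise RuntimeError("a flag is already attached")
        self._flag = flag

    def remove_flag(self, role):
        self._check(role, "remove_flag")
        if self._raised:
            raise RuntimeError("lower the flag before removing it")
        flag, self._flag = self._flag, None
        return flag

    def raise_flag(self, role):
        self._check(role, "raise_flag")
        if self._flag is None:
            raise RuntimeError("no flag is attached")
        self._raised = True

    def lower_flag(self, role):
        self._check(role, "lower_flag")
        self._raised = False

    def status(self):
        """Read-only view of the resource."""
        return self._flag, "raised" if self._raised else "lowered"


if __name__ == "__main__":
    pole = FlagPole()
    pole.attach_flag("caretaker", "camp flag")
    pole.raise_flag("student")
    print(pole.status())
```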



Robot Code

The question below uses a robot in a grid of squares. The robot is represented as a triangle, which is initially facing toward the right side of the grid. The robot is moved according to the following instructions.

Instruction: Explanation

Move Forward: The robot moves one square forward in the direction it is facing.

Rotate Right: The robot rotates in place 90 degrees clockwise (i.e., makes an in-place right turn).

Rotate Left: The robot rotates in place 90 degrees counterclockwise (i.e., makes an in-place left turn).

REPEAT n TIMES: The block of instructions contained between the braces { } is repeated n times.

Consider the following incorrect program, which is intended to move the robot around the perimeter of the grid below, as indicated by the arrows.

Which lines of code should be removed so that the program will work as intended? Select two answers.

(A) Line 2
(B) Line 3
(C) Line 4
(D) Line 5

AB


Cryptography

What is Cryptography? Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it.

Puzzle 1: Can you decipher these quotes from the works of Dr. Seuss?

“R wl mlg orpv tivvm vtth zmw szn. R wl mlg orpv gsvn Hzn R Zn.”

“R zn gsv Olizc, R hkvzp uli gsv givvh.

R hkvzp uli gsv givvh, uli gsv givvh szev ml glmtfvh.”

Hint: This uses the Atbash Cipher, which is a substitution cipher that reverses the letters of the alphabet. In other words, A = Z, B = Y, C = X, etc.
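The Atbash rule in the hint is one instance of a substitution cipher in which the "key" is a rearranged alphabet. This Python sketch is an added example, not part of the original booklet, and it goes beyond the hint by handling any rearranged alphabet; the function names, the keyed alphabet and the sample message are constructed for illustration.

```python
# Added example: Atbash as a special case of a substitution cipher.
# Assumptions: the keyed alphabet and the sample message are constructed here.
import string

PLAIN = string.ascii_uppercase
ATBASH = PLAIN[::-1]                         # A=Z, B=Y, C=X, ...
KEYED = "QWERTYUIOPASDFGHJKLZXCVBNM"         # constructed example key


def _validate(cipher_alphabet):
    # A usable key must contain each of the 26 letters exactly once.
    if sorted(cipher_alphabet) != list(PLAIN):
        raise ValueError("cipher alphabet must be a rearrangement of A-Z")


def substitute(text, cipher_alphabet):
    """Replace each letter by its partner; keep case, spaces and punctuation."""
    _validate(cipher_alphabet)
    table = str.maketrans(PLAIN + PLAIN.lower(),
                          cipher_alphabet + cipher_alphabet.lower())
    return text.translate(table)


def invert(cipher_alphabet):
    """Return the alphabet that undoes substitute(..., cipher_alphabet)."""
    _validate(cipher_alphabet)
    pairs = sorted(zip(cipher_alphabet, PLAIN))   # order by cipher letter
    return "".join(plain for _, plain in pairs)


def atbash(text):
    """Atbash has no secret key: applying it twice returns the original text."""
    return substitute(text, ATBASH)


if __name__ == "__main__":
    secret = atbash("Meet me at camp.")
    print(secret, "->", atbash(secret))
    locked = substitute("Meet me at camp.", KEYED)
    print(locked, "->", substitute(locked, invert(KEYED)))
```

Because Atbash is its own inverse and uses no secret, anyone who knows the method can read the message; a keyed alphabet at least requires knowing the key.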



Cryptography (cont.)

Puzzle 2: Justin Case and Auntie Bellum are fellow con artists who deliver coded messages to each other to communicate. Recently Auntie Bellum was put in jail for stealing a rare and expensive diamond. Only a few days after this, Justin Case sent her a friendly letter asking her how she was. On the inside of the envelope of the letter, he hid a code. Yesterday, Auntie Bellum escaped and left the envelope and the letter inside the jail cell. The police did some research and found the code on the inside of the envelope, but they haven’t been able to crack it. Could you help the police find out what the message is? This is the code:

llwatchawtfeclocklnisksundialcirbetimersool

Hint: It was a TIMED escape.


Principle Four

Least Privilege

a. The principle of least privilege says to allow the minimum number of privileges necessary to accomplish the task.

b. When a person gets a new computer, s/he installs or logs onto the computer using an administrative account. This account has privileges to install software, add users, add hardware, and add and delete almost any program or file. The account is all powerful and must be used wisely. If a person uses a browser to access a website that contains malware and they are running as administrator, it is more likely that malware could be installed. If the person was running as a regular user with minimal privileges, the malware would not have been installed.


A Not So Sneaky Square

Can you place each of the digits from 1 to 9 in the grid below so that the calculations work across and down as indicated? We’ve given you a few numbers to help you get started!

(NOTE: In Sneaky Squares, the order of operations works from left to right, or top to bottom. For example, 8 + 6 ÷ 2 → 14 ÷ 2 = 7. The addition is completed before the division as it comes first.)

[Puzzle grid not reproduced. Given digits: 9, 7 and 4. Results shown: = 20, = 0, = 9, = 12, = 7, = 4.]


Principle Five

Layering

a. Layering in computer security implements multiple layers of computer security, each one having to be conquered before moving to the next.

b. Consider a typical Windows-based workstation: At the core, you have a microprocessor of immense complexity with a defined interface (instruction set). Next is a layer of software running on top of the microprocessor that provides a “simple” interface to the operating system developer. This is called the Hardware Abstraction Layer (HAL) and it eliminates the need for the OS developers to understand all the details of the microprocessor implementation. A microkernel then runs on top of the HAL and presents a relatively simple set of kernel calls to the operating system programmers. Thus, the OS programmer does not have to know all the details of the HAL. The OS then runs on top of the microkernel, hiding the kernel complexity and providing application developers with a simple system call interface. Applications run on top of the OS and provide the users with useful services without requiring the user to have any knowledge of the system call interface to the OS.


Build-a-Word Bonanza

There’s nothing more diverting than a Build-a-Word puzzle. Give this one a whirl. Each row contains the same three-letter word, though its position may change from row to row. A clue is given for each row.

Cheap metal
Hue
Bad smell
Eye part
A cocktail
Meant to be
Disturbing
Examine closely
Rude

The first cybercrime took place in 1820! Joseph-Marie Jacquard was a textile manufacturer in France. He produced the loom. This device allowed the repetition of a series of steps to weave special fabrics. This brought fear to traditional employees as they felt their livelihood was threatened. They sabotaged this new technology to discourage further use of the technology.


Principle Six

Abstraction

a. An abstraction is a representation of an object or concept. It could be something such as a door, a speedometer, or a data structure in computer science. Abstraction decouples the design from the implementation. The gauges in an automobile are an abstraction of the performance of a car. A map is an abstraction of the earth.

b. The goal in abstraction, from a computer security viewpoint, is to remove any clutter that can distract and possibly be used in an incorrect way. Abstraction only provides the essential details of what is being modeled and provides the minimum information necessary to accomplish the task.

c. Essentially, abstraction is about only providing the necessary details, hiding all the “clutter” and reducing the details to a set of essential characteristics.


Hidden Picture

Declutter this picture by coloring in the shapes with dots.


Principle Seven

Information Hiding

a. Information hiding is the technique that does not allow certain aspects of an object to be observed or accessed. Data and information hiding keeps the programmer from having complete access to data structures. It allows access to only what is necessary.

b. In computer programming, manipulating a stack requires three operations. Push, pop and view the data item on the top of the stack. Information hiding allows the programmer to not be concerned with how the stack is implemented. The stack could be a linked list, tree structure, or an array. None of the details of how the stack is implemented are necessary.
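The stack in (b), written two different ways behind the same three operations. This Python sketch is an added example, not part of the original booklet; the class names and the bracket-checking caller are made up for illustration.

```python
# Added example: one interface (push, pop, peek), two hidden implementations.
# Assumptions: class and function names are invented for this sketch.


class ArrayStack:
    """Stack stored in an array (a Python list)."""

    def __init__(self):
        self._items = []

    def push(self, item):
        self._items.append(item)

    def pop(self):
        if not self._items:
            raise IndexError("pop from empty stack")
        return self._items.pop()

    def peek(self):
        if not self._items:
            raise IndexError("peek at empty stack")
        return self._items[-1]


class LinkedStack:
    """Stack stored as a linked list of (value, next) pairs."""

    def __init__(self):
        self._top = None

    def push(self, item):
        self._top = (item, self._top)

    def pop(self):
        if self._top is None:
            raise IndexError("pop from empty stack")
        item, self._top = self._top
        return item

    def peek(self):
        if self._top is None:
            raise IndexError("peek at empty stack")
        return self._top[0]


PAIRS = {")": "(", "]": "[", "}": "{"}


def brackets_balanced(text, stack):
    """Caller code: uses only push, pop and peek, never the stack's insides."""
    for ch in text:
        if ch in PAIRS.values():
            stack.push(ch)
        elif ch in PAIRS:
            try:
                if stack.pop() != PAIRS[ch]:
                    return False
            except IndexError:          # closing bracket with nothing open
                return False
    try:
        stack.peek()                    # anything left means an unclosed bracket
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    for make_stack in (ArrayStack, LinkedStack):
        print(make_stack.__name__, brackets_balanced("{ [ ( ) ] }", make_stack()))
```

The caller gives the same answers whichever class it is handed, which is why the implementation can change without the calling code noticing.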



Different or Same? It's all in the Game.

Look at the pictures to find ten differences.

Image compliments of Parmer at Binghamton University, New York


Principle Eight

Modularity

a. Modular programming is a software design technique that emphasizes separating the functionality of a program into independent, interchangeable modules. Each module contains everything necessary to execute a unique part of the desired functionality through well-designed interfaces. (Wikipedia.org) These well-defined interfaces provide all the detail needed for one module to replace another and achieve the needed results.

b. In the 1980s and 1990s, desktop computers were more of a hobbyist effort. Computers could be modified to add hardware and increase performance. Memory could be added. There were different sound and video cards available. Disk drives came in different sizes. All of the components depended on having a well-defined interface. Thus if a component from one manufacturer failed, it was easy to get another part from another manufacturer and replace it. Modularity allowed parts with the same interfaces to be interchangeable with others.

c. Current mobile phones are a good example of devices that are not modular. If a part breaks, the device will most likely have to be replaced. The Apple iPhone is a good example of this concept. If a hardware part breaks, it cannot easily be fixed.


Computer Security and Risks

EclipseCrossword.com



Principle Nine

Simplicity of Design

a. When designing a product, hardware or software, simplicity should be a goal. Simplicity is a design principle at Apple, especially with the iPhone. There is a single button. People understand how to use the device without having to read a manual. All unnecessary complexity has been removed.

b. Simplicity allows a person to better understand hardware and software. Without the clutter of unnecessarily complicated code and interfaces, the software will be more understandable by people that will update the code when requirements change. It will be easier to understand by the testers and they will be able to spot problems sooner. By keeping software as simple and as focused as possible, the reliability and security are greatly increased.


Design Interfaces

You don’t need to go far to find a frustrated computer user. Often it will be because they find the interface difficult to use. Designing good interfaces has become an important industry, and successful products often depend on having excellent interfaces. Design a cell phone interface that would be perfect for you. When you are finished, share your drawing with someone close by. How is yours different from the other person's? What would you now add to your phone? What would you change about theirs?


Principle Ten

Minimization

a. The attack surface of an application is the set of places in a program where users and other programs can enter and extract data. As software increases in size, the ability to secure the program becomes more difficult due to the sheer size and increased complexity of the software.

b. The goal of minimization is to simplify and decrease the number of ways that software can be exploited. This can include turning off ports that are not needed, reducing the amount of code running, using the concept of least privilege and turning off unneeded features.

You have the best defense for cyber security – a brain, a heart, courage, and relationships!



There is one way through this maze. Can you find it?


Quiz: Separate Cyber Security Fact From Fiction

1) Who are most likely to launch successful cyber terrorist attacks against classified networks and critical infrastructure?
a) nation-states
b) Russian hackers
c) Chinese hackers
d) al Qaeda

2) What industry suffers the most data breaches?
a) health care
b) financial
c) retail
d) restaurants

3) How many credit card numbers were stolen in the largest known cyber theft?
a) 10 million
b) 90 million
c) 130 million
d) 215 million


Quiz: Separate Cyber Security Fact From Fiction (cont.)

4) What percentage of employees steal proprietary corporate data when they quit or are fired?
a) 7%
b) 23%
c) 45%
d) 59%

5) Which U.S. official nearly fell for an identity-theft phishing attack?
a) FBI Director Robert Mueller
b) Supreme Court Justice Anthony M. Kennedy
c) CIA Director Leon Panetta
d) President Barack Obama

6) Which country’s military hacked into computers in the office of U.S. Secretary of Defense Robert Gates?
a) China
b) Iran
c) North Korea
d) United States


Quiz: Separate Cyber Security Fact From Fiction (cont.)

7) What is the most hostile country on the Internet, based on attacks launched there?
a) China
b) Russia
c) United States
d) India

8) What TCP port is attacked most often?

Port Number / Name / Description
22 / ssh / SSH Remote Login
23 / telnet / Telnet
25 / smtp / Simple Mail Transfer
27 / nsw-fe / NSW User System FE
29 / msg-icp / MSG ICP
31 / msg-auth / MSG Authentication
33 / dsp / Display Support Protocol
37 / time / Time
38 / rap / Route Access Protocol
39 / rlp / Resource Location Protocol
41 / graphics / Graphics
42 / nameserver / Host Name Server
42 / name / Host Name Server


Quiz: Separate Cyber Security Fact From Fiction (cont.)

9) Israel considers cyber warfare as the best tool to blunt the aggression of what Mideast neighbor?
a) Iraq
b) Iran
c) Syria
d) Saudi Arabia

10) What is the most common type of attack used on Web sites?
a) denial of service
b) session hijacking
c) cross-site scripting
d) HTML code injection


George Washington University

Our University actively engages Washington, D.C., and the world. Our location in the heart of Washington places us at the core of U.S. government, policy and law. We sit where the worlds of science, technology, media and the arts converge. Our students and faculty have the unparalleled opportunity to study and work alongside leaders and practitioners in every discipline, to take part in the interchanges that shape our community and the world.

Our History

The George Washington University was created in 1821 through an Act of Congress, fulfilling George Washington’s vision of an institution in the nation’s capital dedicated to educating and preparing future leaders. Today, GW is the largest institution of higher education in the District of Columbia. We have more than 26,000 students—from all 50 states, the District and 130 countries—studying a rich range of disciplines: from forensic science and creative writing to international affairs and computer engineering, as well as medicine, public health, the law and public policy. GW comprises three campuses—Foggy Bottom and Mount Vernon in Washington, D.C., and the GW Virginia Science and Technology Campus in Ashburn, Va.—as well as several graduate education centers.


About the Presenters

Camp Director: Dr. Shelly Heller is a Professor of Computer Science at the George Washington University. For the last 13 years she directed the freshmen academic/residential Women’s Leadership Program. Dr. Heller was named one of Diversity Magazine’s 2015 100 influential women in STEM. She is the holder of many grants and awards related to bringing and retaining women in the STEM field including an SFS Scholarship program and Pay It FORWARD, an ADVANCE grant. She is the editor of the Computers & Education Journal and co-editor of FORWARD to Professorship in STEM: Inclusive Faculty Development Strategies That Work. Contact: sheller@gwu.edu

Curriculum Designer: Dr. Portia Pusey loves technology. For work, she leads projects that help people use technology to teach and learn better. Cybersecurity is important to Portia because she wants to help our nation’s citizens to learn how to make the places where we all work, learn, and play safer. Employers and our government need people trained to do cybersecurity jobs; Portia enjoys providing opportunities to learners of every age to experience the work of the many different types of cybersecurity workers. For fun, Portia gardens and golfs, but on rainy days she enjoys playing video games and sharing cute animal memes with her friends. Contact: edrportia@gmail.com

Teachers: Shade Akeleke and Vernecia Griffin


Passport Stamp Page

Collect your passport stamps based on identifying the basic principles you see on your field trips to the Data Center, Cryptologic Museum and the Spy Museum. Write down examples of what you saw.

1 – Domain Separation
2 – Process Isolation
3 – Resource Encapsulation
4 – Least Privilege
5 – Layering
6 – Abstraction
7 – Information Hiding
8 – Modularity
9 – Simplicity of Design
10 – Minimization


Passport Stamp Page

Collect your passport stamps based on identifying the basic principles based on what you read in the newspaper or heard on radio, TV or in a video. Write down examples of what you saw or heard.

1 – Domain Separation
2 – Process Isolation
3 – Resource Encapsulation
4 – Least Privilege
5 – Layering
6 – Abstraction
7 – Information Hiding
8 – Modularity
9 – Simplicity of Design
10 – Minimization


Center of Excellence Be a technology leader in any field.

GW CyberCorps: Scholarship For Service

Each fall, approximately a dozen students pursue their bachelor's, master's, and doctoral degrees with federal funding from the National Science Foundation and the Department of Homeland Security. These grants are part of GW's Partnership in Securing Cyberspace through Education and Service (PISCES) program. Federal funding provides full scholarships (tuition, books, stipend, and professional development allowance) for students to study cybersecurity at GW for up to three years. After completing their coursework, students will help protect the nation's information infrastructure by working as security experts in a government agency for at least the amount of time they have been supported by this program. Since 2002, 78 students have graduated with help from this program, earning degrees in computer science, cybersecurity, electrical engineering, engineering management, forensic sciences, business administration, information systems technology management, national security studies, and public policy.

www.seas.gwu.edu/cybercorps


About GenCyber

The GenCyber program provides summer cybersecurity camp experiences for students and teachers at the K-12 level. The goals of the program are to help all students understand correct and safe on-line behavior, increase diversity and interest in cybersecurity and careers in the cybersecurity workforce of the Nation, and improve teaching methods for delivering cybersecurity content in K-12 computer science curricula. Our vision is for the GenCyber program to be part of the solution to the Nation’s shortfall of skilled cybersecurity professionals. Ensuring that enough young people are inspired to direct their talents in this area is critical to the future of our country’s national and economic security as we become even more reliant on cyber-based technology in every aspect of our daily lives.

To ensure a level playing field, GenCyber camps are open to all student and teacher participants at no cost. Funding is provided jointly by the National Security Agency and the National Science Foundation.

Resources

gen-cyber.com

Middle School Girls Camp at George Washington University http://tinyurl.com/jvxpfct


