Cybersecurity Fundamentals - CTE Resource

Cybersecurity Fundamentals
6302/36 weeks

Table of Contents
Acknowledgments
Course Description
Task Essentials Table
Curriculum Framework
Exploring Cybersecurity Fundamentals
Examining Computer Networks as a Foundational Element of Cybersecurity
Understanding Cyber Threats and Vulnerabilities
Exploring Ethics as it Relates to Cybersecurity
Exploring Data Privacy
Examining Data Security as it Relates to Cybersecurity
Securing Operating Systems
Programming as a Component of Cybersecurity
Exploring Cybersecurity Implications for Current and Emerging Technologies
Exploring Cybersecurity Careers
Preparing for Industry Certification
SOL Correlation by Task
Teacher Resources
Appendix: Credentials, Course Sequences, and Career Cluster Information

Acknowledgments
The components of this instructional framework were developed by the following curriculum development panelists:
Julie Back, STEM Education Program Specialist, Department of Educational Foundations and Leadership, Old Dominion University
Diana Bohuslov, Instructor, Battlefield High School, Prince William County Public Schools
Dr. Darrell Carpenter, Director, Center for Cyber Security, Longwood University, Longwood
Ernest Compton, Instructor, Pulaski County High School, Pulaski County Public Schools
Dr. Charles Gardner, Director of Curriculum, CYBER.ORG, Bossier City, LA
Christopher Long, Instructor, South County High School, Fairfax County Public Schools
Jennifer Marden, Instructor, Loudoun County High School, Loudoun County Public Schools
Dr. David Raymond, Director, Virginia Cyber Range, Virginia Tech
Kristi Rice, Instructor, Spotsylvania High School, Spotsylvania County Public Schools
Katrina Riggleman, Instructor, Riverbend High School, Spotsylvania County Public Schools
Shawn Thomas, Security Manager, Verizon Media, Ashburn

Correlations to the Virginia Standards of Learning were reviewed and updated by the following:
Leslie R. Bowers, English Teacher (ret.), Newport News Public Schools
Vickie L. Inge, Mathematics Committee Member, Virginia Mathematics and Science Coalition
Anne F. Markwith, New Teacher Mentor (Science), Gloucester County Public Schools
Michael L. Nagy, Social Studies Department Chair, Rustburg High School, Campbell County Public Schools

The framework was edited and produced by the CTE Resource Center:
Leanne Forbes Tipton, Writer/Editor
Kevin P. Reilly, Administrative Coordinator

Virginia Department of Education Staff
Judith Sams, Specialist, Business and Information Technology Education and Related Clusters
Dr. J. Anthony Williams, Curriculum and Instruction Coordinator
Dr. David S. Eshelman, Director, Workforce Development and Initiatives
George R. Willcox, Director, Operations and Accountability

Office of Career, Technical, and Adult Education
Virginia Department of Education
Copyright 2021

Course Description
Suggested Grade Level: 9 or 10 or 11 or 12

Cybersecurity affects every individual, organization, and nation. This course focuses on the evolving and pervasive technological environment with an emphasis on securing personal, organizational, and national information. Students will be introduced to the principles of cybersecurity, explore emerging technologies, examine threats and protective measures, and investigate the diverse high-skill, high-wage, and high-demand career opportunities in the field of cybersecurity. Exciting opportunities will be presented to use interactive current resources in the study of cybersecurity such as Virginia Cyber Range, Virginia Space Grant Consortium, and Cyber.Org. Students will have the opportunity to prepare for success on related industry certifications aligned to the course content.

Task Essentials Table
Tasks/competencies designated by plus icons ( ) in the left-hand column(s) are essential
Tasks/competencies designated by empty-circle icons ( ) are optional
Tasks/competencies designated by minus icons ( ) are omitted
Tasks marked with an asterisk (*) are sensitive.

Task Number   Task/Competencies

Exploring Cybersecurity Fundamentals
39   Describe cybersecurity.
40   Describe the critical factors of information assurance.
41   Define vulnerability and risk.
42   Explain why organizations need to manage risk.
43   Identify the concepts of cybersecurity risk management.
44   Describe cybersecurity threats to an organization.
45   Describe national and industry standards and regulations that relate to cybersecurity.
46   Describe the cyberattack surface of various organizations.
47   Analyze risks affecting critical infrastructure.

Examining Computer Networks as a Foundational Element of Cybersecurity
48   Describe computer components.
49   Describe a network.

50   Describe a wired network.
51   Describe a wireless network.
52   Compare wired and wireless networks.
53   Compare networking conceptual models.
54   Discuss services and potential vulnerabilities.
55   Differentiate between network types.
56   Describe the concept of the Internet as a network of connected systems.
57   Identify networking protocols.

Understanding Cyber Threats and Vulnerabilities
58   Differentiate between a cyber threat and a vulnerability.
59   Describe types of cyber threats.
60   Analyze types of current cyber threats.
61   Describe the concept of malware and the techniques to guard against it.
62   Identify the perpetrators of different types of malicious hacking.
63   Describe the characteristics of vulnerabilities.
64   Identify the prevention of and protections against cyber threats.
65   Identify the cyber risks associated with bring your own device (BYOD) opportunities on computer networks.

Exploring Ethics as it Relates to Cybersecurity
66   Differentiate between ethics and laws.
67   Distinguish among types of ethical concerns.
68   Define cyberbullying.
69   Identify actions that constitute cyberbullying.
70   Identify possible warning signs of someone being cyberbullied.
71   Demonstrate net etiquette (i.e., netiquette) as it relates to cybersecurity.
72   Identify laws applicable to cybersecurity.

Exploring Data Privacy
73   Explain the concept of “personally identifiable information.”
74   Explain why personal data is valuable to both an individual and to organizations (e.g., governments, businesses) that collect it, analyze it, and make decisions based on it.
75   Explain the techniques used to collect personal data through social media, web tracking, and mobile devices.
76   Identify ways to control and protect personal data.
77   Analyze the social and legal significance of the ongoing collection of personal digital information.

Examining Data Security as it Relates to Cybersecurity
78   Distinguish between data, information, and knowledge.
79   Identify the most common ways data is collected.
80   Identify the most common ways data can be stored.
81   Explain the difference between data at rest, data in transit, and data being processed.
82   Identify the most common ways data is used.
83   Discuss how data can be compromised, corrupted, or lost.
84   Explain how businesses and individuals can protect themselves against threats to their data.

Securing Operating Systems
85   Define the function of a computer operating system.
86   Identify the components of an operating system.
87   List types of operating systems.
88   Identify examples of widely used desktop and server operating systems.
89   Evaluate the potential vulnerabilities, threats, and common exploits to an operating system.
90   Identify best practices for protecting operating systems.

91   Evaluate critical operating system security parameters.
92   Describe security and auditing logs.
93   Describe the role of a system backup.
94   Define virtualization technology.
95   Identify advantages and disadvantages of using virtual machines.

Programming as a Component of Cybersecurity
96   Identify representation of data at lowest levels.
97   Define programming in the context of cybersecurity.
98   Differentiate between computer programming languages.
99   Describe Python.
100  Demonstrate Linux.
101  Evaluate common programming flaws that lead to vulnerabilities.
102  Identify best practices in secure coding and design.

Exploring Cybersecurity Implications for Current and Emerging Technologies
103  Identify ubiquitous computing.
104  Describe security and privacy implications of ubiquitous computing.

Exploring Cybersecurity Careers
105  Research career opportunities for cybersecurity professionals.
106  Examine the Career Clusters affected by current and emerging technology.
107  Identify the educational pathways for emerging cybersecurity professionals.
108  Identify career paths and job titles within the cybersecurity and/or cyber forensics industry and Career Clusters.
109  Research the cyber threats and security measures related to career pathways.

Preparing for Industry Certification
110  Identify testing skills and strategies for a certification examination.
111  Describe the process and requirements for obtaining industry certifications related to the Cybersecurity Fundamentals course.
112  Demonstrate the ability to complete selected practice examinations.
113  Successfully complete an industry certification examination representative of skills learned in this course.

Curriculum Framework

Exploring Cybersecurity Fundamentals

Task Number 39
Describe cybersecurity.

Definition
Description should state that cybersecurity is the protection of information and data from risks associated with threats, attacks, hazards, or physical damage. Risks may include, but are not limited to
- information systems (e.g., networks, hardware, software)
- the human element
- physical elements.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills

- Cyber Security
- Healthcare Administration
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 40
Describe the critical factors of information assurance.

Definition
Description should include
- explaining that the CIA triad model provides the baseline standard of evaluating and implementing information security measures on any system
- stating that each component in the CIA triad has designated goals that provide distinct requirements, and that each goal provides an essential component of information security measures
- identifying the goals within the CIA triad and defining the terms as they apply to cybersecurity
  o confidentiality―ensures that data are only accessed by authorized person(s) through security measures such as usernames and passwords and access control lists (ACL)
  o integrity―ensures the data are trusted. This means data must be guarded against unauthorized changes; methods of ensuring integrity include data permissions and encryption
  o availability―provides solutions to ensure that systems can be accessed when requested; this includes deploying system protections and proper hardware maintenance and system patching.

Additional components should include
- authentication―process in which credentials are provided to verify the identity of an entity (e.g., user, system)
- nonrepudiation―a cryptologic technique that provides the proof of the integrity and origin of data.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- Healthcare Administration
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 41
Define vulnerability and risk.

Definition
Definition should state that
- vulnerability refers to a flaw in a system that can leave it open to attack; may also refer to any type of weakness in a computer system, in a set of procedures, or in anything that leaves information security exposed to a threat.*
- risk is the likelihood that a vulnerability will occur and that a loss occurs if that vulnerability is exploited.

*Technopedia

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure
- Website Design

Task Number 42
Explain why organizations need to manage risk.

Definition
Explanation should include the following:
- Unmanaged risk can cause loss.
- Every organization is vulnerable to common and unique types of threats.
- Organizations must identify vulnerable areas, along with the potential for actual threats, so they can plan operations to reduce the effects of those threats.
- Because all threats cannot be completely eliminated, organizations must address responses to threats and plans for continuous business operations.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security

- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure

Task Number 43
Identify the concepts of cybersecurity risk management.

Definition
Identification should include
- defining risk management as the process of identifying possible vulnerabilities and quantifying potential risk as it pertains to systems
- addressing risk management strategies, including but not limited to
  o risk mitigation―reducing an organization’s exposure to the risk
  o risk transfer―transferring the risk to another company, such as an insurance firm
  o risk avoidance―avoiding the possibility of the risk (e.g., a retailer discontinues personal data collection of customers to avoid the risk that the data could be stolen)
  o risk acceptance―understanding and accepting the risks associated with use of a system or feature; this often happens when the cost of mitigation outstrips the potential loss associated with the risk.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure
- Website Design

Task Number 44
Describe cybersecurity threats to an organization.

Definition
Description should include
- understanding that an action might exploit a vulnerability to breach security and cause potential harm
- understanding that threats come from many sources
  o email
  o social engineering
  o insider threats
  o network threats
  o physical threats such as fire or floods
  o threats stemming from software systems or user actions.

Teacher resource:
CYBER.ORG Cyber Business Module: How Businesses Secure Information

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure
- Website Design

Task Number 45
Describe national and industry standards and regulations that relate to cybersecurity.

Definition
Description should include, but not be limited to, the following:
- Standards and regulations are determined based on the data each stores.
- Standards―a set of best practices that have been created to guide an organization’s policies, procedures, and practices, rather than requirements to adhere to specific rules. For example, Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that accept payment cards.
- Regulations―requirements by a government agency that must be followed. For example, in the healthcare industry, any system or user that has access to personal health information must follow the regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA).

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure
- Website Design

Task Number 46
Describe the cyberattack surface of various organizations.

Definition
Description should include a definition of threat modeling and the concepts that
- the attack surface includes all areas of an organization that can be penetrated or threatened
- companies may have differing levels of vulnerability due to their integration of technology.

For example, a company that processes payments via an Internet site increases the vulnerability of threats against the payment processing system from attackers anywhere in the world. A company that does not collect information via the Internet would have much less vulnerability from that attack avenue.

Teacher resource:
CYBER.ORG Cyber Business Module: How Businesses Secure Information

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems

- Network Design
- Networking Infrastructure
- Website Design

Task Number 47
Analyze risks affecting critical infrastructure.

Definition
Analysis should include
- defining critical infrastructure as including assets critical to the functioning of a society and economy
- describing the 16 critical infrastructure sectors found in Cybersecurity and Infrastructure Security Agency (CISA) and the effect their incapacitation or destruction would have on security, national economic security, national public health, and safety
- evolving threats, including, but not limited to
  o cyber threats
  o acts of terrorism
  o pandemics
  o extreme weather
  o accidents or technical failures
- relating evolving threats to the 16 critical infrastructure sectors.

Teacher resource:
Critical Infrastructure Sectors, Cybersecurity and Infrastructure Security Agency

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Business Ethics
- Business Law
- Cyber Security
- E-business
- Healthcare Administration
- Hospitality and Event Management
- Introduction to Information Technology
- Management Decision Making
- Management Information Systems
- Network Design
- Networking Infrastructure
- Sports and Entertainment Management
- Website Design

Examining Computer Networks as a Foundational Element of Cybersecurity

Task Number 48
Describe computer components.

Definition
Description should include
- case
- motherboard
- central processing unit (CPU)
- random access memory (RAM)
- hard drive
- power supply
- ports.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Introduction to Information Technology

Task Number 49
Describe a network.

Definition
Description should include
- identifying the purpose of a network
- the physical components of a network, including, but not limited to
  o network interface card (NIC)
  o switch
  o router
  o wireless access point
- software components of a network, including, but not limited to
  o operating systems
  o network operating systems or network operations and management
  o firewalls
  o network security applications.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology
- Network Design

- Networking Infrastructure

Task Number 50
Describe a wired network.

Definition
Description should include
- defining wired network as a network in which all components are connected with fiber optic cables; most common wired networks use cables connecting a computer to Ethernet ports on a network router
- citing examples of wired networks (e.g., copper wire, fiber optic)
- identifying the Institute of Electrical and Electronics Engineers (IEEE) 802 standards and recommended practices, particularly 802.1 and 802.3.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 51
Describe a wireless network.

Definition
Description should include
- defining wireless network as a computer network in which connections are made without computer cables
- explaining that the basis of wireless transmissions is radio waves (e.g., radio waves connect devices to the Internet and to a business network and its applications)
- explaining 802.11 wireless local area network standards
- explaining authentication types.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 52 (Optional)
Compare wired and wireless networks.

Definition
Comparison should include
- the cost of a network installation
- the cost to operate and maintain a network
- network speed
- network reliability
- network security.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 53
Compare networking conceptual models.

Definition
Comparison should include the following models:
- Open Systems Interconnect (OSI)―seven-layer model that describes communication between systems. The layers are as follows:
  o Application
  o Presentation
  o Session
  o Transport
  o Network
  o Data link
  o Physical
- Internet (Transmission Control Protocol [TCP]/Internet Protocol [IP])―a four-layer model that describes communication between systems. The layers are as follows:
  o Application
  o Transport
  o Internet
  o Network

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving

- Cyber Security
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 54
Discuss services and potential vulnerabilities.

Definition
Discussion should include
- defining the term service as an application running on a computer
- understanding
  o Domain Name System (DNS)
  o email services
  o printing services
  o file distribution systems and services
  o directory services
  o http services
  o wireless sensor network.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Applications
- Computer Problem Solving
- Cyber Security
- Database Design and Application
- Introduction to Information Technology
- Network Design
- Networking Infrastructure
- Spreadsheet Applications
- Word Processing

Task Number 55
Differentiate between network types.

Definition
Differentiation may include the following:
- Local Area Networks (LAN)―a collection of computers, peripherals, and other devices that communicate across a network (e.g., wire, fiber optic, wireless) in a single network segment; LANs differ from Wide Area Networks (WANs) in their reliance on local addressing schemes and their ability to operate without knowledge of neighboring networks.

  o LANs rely on local addressing and local network communications protocols (e.g., Address Resolution Protocol [ARP]) that are the core differentiator between a LAN and a WAN; LANs are often characterized as being small in size, such as being contained within a room or a building.
  o LANs are frequently referred to by other terms that indicate their tendency for limited size, such as Personal Area Network (PAN), Home Area Network (HAN), or Storage Area Network (SAN).
  o LANs use addressing schemes (e.g., Media Access Control [MAC] addressing) for communication.
- Wide Area Networks―a network of LANs; WANs are primarily focused on routing traffic between local network segments and use technologies and protocols that differ from those employed by LANs.
  o The Internet is the most widely known example of a wide area network.
  o While WANs are sometimes characterized in terms of size as having regional, national, or global scope, the difference in the technologies used is the core differentiator between LANs and WANs.
  o WANs are frequently referred to by other terms that describe the scope of a specific implementation, such as Campus Area Network (CAN), Metropolitan Area Network (MAN), or Global Area Network (GAN).
  o WANs most commonly route traffic at the network layer (i.e., layer 3), where routing is determined based on IP addresses and the network identifier (i.e., subnet mask).

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology
- Network Design
- Networking Infrastructure

Task Number 56
Describe the concept of the Internet as a network of connected systems.

Definition
Description should include
- a definition of the Internet as a global system of interconnected computer networks that use the Internet Protocol Suite (TCP/IP) to link billions of devices worldwide
- the concept that it is a network of networks that consists of millions of private, public, academic, business, and government networks of local to global scope, linked by a broad array of electronic, wireless, and optical networking technologies.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- Introduction to Information Technology

- Management Information Systems
- Network Design
- Networking Infrastructure

Task Number 57
Identify networking protocols.

Definition
Identification should include descriptions of
- application layer protocols
  o Hypertext Transfer Protocol (HTTP)―an application-layer protocol used primarily on the Internet to request and receive web content from servers to browsers; a stateless and connectionless protocol
  o Hypertext Transfer Protocol Secure (HTTPS)―a variant of HTTP that adds a layer of security on the data in transit through a secure socket layer (SSL) or transport layer security (TLS) protocol connection
  o File Transfer Protocol (FTP)―a client/server protocol used for transferring files to or exchanging files with a host computer; FTP is widely used on the Internet for moving or transferring files from one computer to another
  o Post Office Protocol (POP)―a type of computer networking and Internet standard protocol that retrieves and extracts email from a remote mail server for access by the host machine or portable device
- transport layer protocols
  o Transmission Control Protocol (TCP)―a transport layer communications protocol used to send network data between hosts; TCP is a connection-oriented protocol that provides reliable message transmission
  o User Datagram Protocol (UDP)―a transport layer communications protocol used to send network data between hosts; UDP is referred to as an unreliable protocol because it does not guarantee message delivery or in-order message reception
- Internet layer protocols
  o Internet Protocol (IP)―the primary network protocol by which data is sent from one computer to another; computers are identified on the internet using Internet Protocol addresses
  o Internet Control Message Protocol (ICMP)―a part of the Internet protocol suite used by network devices to send error messages and other operational information to other devices on the network
  o Dynamic Host Configuration Protocol (DHCP)―a local network protocol that automatically assigns Internet Protocol addresses to network hosts

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Computer Problem Solving
- Cyber Security
- E-business
- Introduction to Information Technology
- Management Information Systems

- Network Design
- Networking Infrastructure
- Website Design

Understanding Cyber Threats and Vulnerabilities

Task Number 58
Differentiate between a cyber threat and a vulnerability.

Definition
Differentiation should include
- defining asset as it relates to a secure environment (e.g., servers, data, sensitive information)
- explaining the types of threats (e.g., cyber, terrorism, pandemics, extreme weather, accidents, technical failures)
- defining vulnerability
- explaining
  o how a vulnerability can result in a threat
  o how eliminating vulnerabilities can eliminate a threat
  o what exploits are
  o how to calculate risk.

FBLA Competitive Events and Activities Areas
- Business Knowledge and Skills
- Coding and Programming
- Computer Game & Simulation
- Computer Problem Solving
- Cyber Security
- Database Design and Application
- E-business
- Introduction to Information Technology
- Management Information Systems
- Network Design
- Networking Infrastructure
- Website Design

Task Number 59
Describe types of cyber threats.

Definition
Description should include, but not be limited to
- authentication (e.g., password attacks, biometrics attacks)
- social engineering, including phishing and other scams
- web application attacks such as injection attacks and scripting attacks
- exploitation of o
