Security Class

Well... (we *)code_monkeys_t think that security is fundamentally a software engineering issue.

So, what is taught in a security course should be streamlined to the target audience. Programmers need to be taught to harden their software, squashing ill-conceived logic and scrutinizing memory interaction wherever it should occur. System Administrators need to focus on site policy and the details of how to respond to impending doom when it comes a rap tap tapping. Etc., etc., ad nauseum...

-- spurious

have them network the room and set it up for a wargame, half the class can practice logging and network security practices while the other half of the class trys to gain access.

I am trying to get a similar class started in my High School, so far the reactions have been pretty good and I have been looking for a good curriculum to hand in to the school board so I have started keeping a notebook of everything from security advisories to tutorials on TCP/IP. So far with a friend we have come up with is starting to be the beginning of what could be the curriculum for a 2 semester class.

First semester:

First week, will be spent disscussing why security should be implemented in a business and home environment. Discuss the difference in how the networks will differ and what resources one will have over the other. Also give a brief introduction to a handful of operating systems students mayhave never had access to before. (I am thinking of donating a box with Slackware on it, and also one with OpenBSD). Explain how they will differ in the practices used to administer them.

Second Week, give an introduction to TCP/IP and show how logging works on each system. Highlight some common tools that can be used in scanning networks and show the students how they are able to retrieve the information they do. Also givesome basic information about some good firewalls for Windows while at the same time show them how to write some basic firewall rules under *nix to stop some of the malicious traffic. Discuss why it is important to have virii scanners and adware/spyware removers. Discuss some of the common methods that attackers try to get you to install a virus (email, d/l...etc).

Week three and four, start the week out with a lecture on choosing good passwords. For this an activity could be setup to have all of the students have a user name and a password on a box and then show them how secure their passwords really are by using a cracker against them. This actually might be good to do before the lecture. Show them how to shadow passwords on a *nix system.
At this point have teams picked out for a wargame. Have both teams install an OS on two boxes apiece and have one team securing and the other breaking in. Allow the teams 2 days to get all of the necessary tools and software together and then the rest of the week to get it all installed and configured. When time is up have the kids practice attacking and logging. At the end highlight how certain things could have been fixed to prevent the break in. At the end have them reformat the computers and start over but this time swithching roles.

Week five, give an introduction to the different types of denial of service attacks. Anything ranging from buffer overflows to ping floods. This is also probably an overdue time to inform them about security updates and patches. Show them how each denial of service condition can be prevented.

This is as far as we got on it. I hope maybe it will help you with setting up your class. Good luck.

I want to go to your high school!!! The best thing we have at our school is VBS...

I would like to thank you all for your help. Its going to take me a while longer to create the outline for i got alot of good pointers from these posts. Hopefully i will have a more detailed outline by next weekend and i will post it up and we can take it from there. With everyones input, hopefully we'll have a good outline for alot of people to follow. Again thank you everyone for your help.

Well wanted to apologize for not posting the outline yet, but soon....