Intro to Cyber Dr. Haitao Xu | Interactive Teaching Syllabus

Interactive Undergraduate Security Console (RISK → NET → IAM → OPS → REPORT → back to RISK)

RISK NET IAM OPS RPT foundations traffic identity response report informs next risk plan
1. CIA Triad Trade-off Lab
Concept
Goal: Feel the tension: raising Confidentiality/Integrity can reduce Availability (friction, latency, downtime).
Balanced
CIA
Simulated system knobs
Security Controls: Moderate
Availability Impact: Low
i Key notes (click to collapse)
  • Confidentiality protects data from unauthorized disclosure (encryption, access control).
  • Integrity prevents unauthorized modification (hashing, signatures, change control).
  • Availability ensures access when needed (redundancy, rate-limits, DR).
  • Security is an optimization problem: maximize risk reduction under cost + usability constraints.
FrictionlessLocked-Down
2. Quantitative Risk (SLE / ARO / ALE)
Math
ALE = SLE × ARO. Use numbers to avoid “security theater.”
Asset Value (AV)
Exposure Factor (EF %)
Annual Rate of Occurrence (ARO)
Control Cost (annual, optional)
Computed
SLE: $5,000
ALE: $5,000/yr
ROI hint: Worth considering
i Decision rules
  • SLE = AV × EF
  • ALE helps rank risks; then validate with real incident history (and uncertainty).
  • If control cost > expected loss reduction → it may be overkill.
  • Document assumptions: EF and ARO are estimates, not gospel.
3. Attack Surface Builder
Strategy
Rule: Fewer exposed services → fewer exploitable paths. “If you don’t need it, disable it.”
Toggle services
Risk signal
Exposure score:
Status:
i Hardening checklist
  • Turn off legacy protocols (FTP/Telnet) → use SFTP/SSH.
  • Internet-facing RDP is high-risk; prefer VPN + MFA + allowlist.
  • Expose only necessary ports; monitor with logs + IDS.
4. Defense-in-Depth Simulator
Architecture
Layers: Physical → Network → Host → App → Data. Attackers must break multiple barriers.
Attacker progress: 0 / 5
Run “Breach” to see which layer stops it
i What to teach here
  • Each layer has different controls (e.g., WAF vs EDR vs encryption).
  • When a layer fails, logs should still help you detect/contain.
  • Do not rely on a single “magic product.”
1. Packet Sniffer (HTTP vs HTTPS)
Wireshark
Lesson: HTTP leaks credentials; HTTPS protects content (but metadata like domain can still show).
Listening on eth0…
i Deep notes
  • HTTPS uses TLS: encryption + integrity + server authentication (certs).
  • Even with HTTPS, you can still observe IP/port/timing; and DNS may leak without DoH/DoT.
  • Always prefer HSTS, modern ciphers, and disable legacy TLS.
2. TCP Three-Way Handshake
TCP/IP
SYN → SYN-ACK → ACK. Reliable setup; also where SYN floods attack.
ClientServer
State: CLOSED
i Important details
  • TCP reliability: sequence numbers + ACKs + retransmission.
  • SYN flood: attacker sends SYNs without completing ACK; mitigations include SYN cookies.
  • UDP is connectionless; different threat model (spoofing, amplification).
3. Firewall ACL (Default Deny)
Config
Practice: Allow only required ports; log denies; review rules regularly.
Web Server
Rule: ALLOW on port 80
i Best practices
  • “Default deny” + explicit allow rules reduces accidental exposure.
  • Use separate rulesets for inbound vs outbound; keep documentation.
  • Pair firewall rules with monitoring (alerts on unusual denies).
4. DDoS Load Simulator
Availability
Concept: Availability fails when resources exhaust. Defense = rate limits + CDN + WAF + autoscale + scrubbing.
🖥️
Status: Healthy
CPU load
Bot count: 300
i Defense toolbox
  • Rate limiting & request shaping at edge.
  • CDN to absorb bursts; cache static assets.
  • Anycast + scrubbing services for volumetric attacks.
  • Measure: RPS, p95 latency, saturation, error rate.
1. Hashing (SHA-256, WebCrypto)
Crypto
Hash ≠ encryption. One-way digest. Store passwords with slow hashes (bcrypt/argon2) + salt.
SHA-256 digest (hex)
i What students should remember
  • Passwords: use slow password hashing (argon2/bcrypt/scrypt), not plain SHA-256.
  • Hashes help verify integrity (download checksums, log integrity).
  • Collision resistance and preimage resistance are key properties.
2. Salting (Defeat Rainbow Tables)
Crypto
Same password + different salt ⇒ different hash. Attackers can’t reuse precomputed tables.
Click “Generate salts”
i Implementation note
  • Salt must be random and stored with the hash (not secret).
  • Use unique salt per user; add pepper (optional secret) only if you manage secrets well.
3. MFA (Token + Time Window)
Auth
Something you have. Even if password leaks, attacker needs the second factor.
------
refresh in s
i MFA bypasses (teach attackers too)
  • Phishing proxies can steal OTP; prefer FIDO2/WebAuthn for strong phishing resistance.
  • Push fatigue: train users; add number matching; rate-limit prompts.
  • Backup codes must be protected like passwords.
4. RBAC Permission Check
Policy
Least privilege: grant only what’s needed; review roles regularly.
📁
DENIED
Reason: role lacks permission
i RBAC vs ABAC
  • RBAC: permissions bound to roles (simple, scalable).
  • ABAC: decisions from attributes (context-aware; more complex).
  • Always log authorization decisions for auditing.
1. SOC Monitor (Find the IoC)
Detection
Task: Scan logs, spot an IoC (hash/IP/user-agent), then respond.
i Detection workflow
  • Start from baseline: what’s “normal” for this system?
  • Correlate: auth logs + DNS + process creation + network connections.
  • Prioritize: severity, blast radius, and business impact.
2. Ransomware Impact (Files → Encrypted)
Malware
Observe: encryption locks data. The best “cure” is immutable backups + containment.
Click a file to “encrypt” it
i Key ideas
  • Ransomware often spreads via stolen creds + lateral movement.
  • Prevention: patching, least privilege, EDR, macro controls, segmentation.
  • Recovery: follow 3-2-1 backups, test restores, keep backups offline/immutable.
3. Containment (Isolate Host)
Response
Contain fast: stop spread, preserve evidence, keep business running.
Network
Status: Online
Isolation reduces lateral movement but may disrupt services.
i Response steps
  • Containment: isolate host / block IoCs / rotate creds.
  • Eradication: remove persistence, patch root cause.
  • Recovery: validate integrity; watch for reinfection.
4. Recovery (3-2-1 + Immutable)
Backup
3-2-1: 3 copies, 2 media, 1 offsite. Add immutable to survive ransomware.
💽
Data: Corrupt
Restore confidence
i What “good” looks like
  • Backups tested with regular restore drills.
  • Immutable snapshots + access controls on backup system.
  • RTO/RPO defined (business requirement).
Report Builder
Executive-ready + Technical details
i Reporting tips
  • Separate Executive Summary (BLUF) from Technical Findings.
  • Include: impact, likelihood, evidence, CVSS (if applicable), remediation owners + dates.
  • Be precise with scope to avoid legal ambiguity.
Preview
1
2
3
4
5