## Cybersecurity Course Syllabus
### Course description
The Cybersecurity course focuses on teaching students the fundamentals of web application security with the aim of providing a foundational level of knowledge matched with offensive and defensive skills developed through hands-on experience. Students will learn the basics of cybersecurity and common vulnerabilities and attacks, receiving hands-on practice in both exploitation techniques and strategies for protecting and hardening applications. Developed in partnership with Facebook, the course introduces a wide range of topics via a combination of sessions, videos, projects, and labs, giving students both a thorough grounding in the details of cybersecurity and an introduction to the broader landscape of information security.
### Prerequisites
Students should...
- have introductory knowledge of:
  - engineering and programming
  - web applications and web development
  - middleware such as web servers and databases
- be pursuing (or have previously completed) a course of study related to computer science that includes:
  - fundamental CS concepts such as data structures and algorithms
  - hands-on programming/scripting experience
  - application development and design
### Time Commitment
- In-person class session attendance: Classes meet 1x per week for 2 hour sessions over the 12 week duration of the course. *NOTE:* Session frequency and duration may vary depending on university.
- Students should plan to spend 5-10+ hours outside of class working on coursework.
### Attendance and Coursework Submissions
CodePath courses focus on developing students' habits and skills in order to be successful in the tech industry. Success in industry goes beyond proficiency in technical domains; the ability to be punctual, meet project deadlines and work effectively in a collaborative team are equally important skills. The following policies around attendance and coursework submissions are meant to encourage professional behavior.
### Coursework Weighting
All coursework grading and accountability is handled by CodePath. The following table outlines how each coursework section is weighted in calculating a student's final grade. See [Coursework Grading](https://courses.codepath.org/snippets/cybersecurity_university/grading) for a breakdown of scores for individual coursework items.
| Weight | Section | Description |
| -------- | -------- | -------- |
| 20% | Labs | Security Shepherd Platform |
| 30% | CTFs | Weekly CTF Platform |
| 30% | Assignments | Pen-testing |
| 20% | Capstone CTF | Capstone CTF Platform |
#### Bonus Points
A student can earn bonus points on any coursework by completing additional items beyond those indicated as required (stretch tasks). Bonus points for Weekly CTFs and assignments (Unit 8 onwards) will only be applied within their own section and won't increase that section's impact beyond its designated weight. Only the bonus points gathered from the labs can be applied to the other sections (Weekly CTFs and assignments), and not the other way around.
### Coursework Submissions
- **All coursework items** are due on their posted deadlines.
- **Three (48-hour) deadline extensions** are allowed for the entire semester, no questions asked.
- **If a student uses all 3 deadline extensions**, all future coursework items will be scored at their respective posted deadlines and will receive a score that corresponds to their level of completion at that time. Any updates to a coursework item after the deadline will not be applied to the score for that coursework item.
#### Attendance Incentives
- **Perfect Attendance:** Attendance at ALL sessions will result in the addition of 10 percentage points to the final grade (e.g. a 70% would become an 80% and an 85% would become a 95%).
- **Consistent Attendance:** Attendance at at least 1 session every week **OR** at 70% of all sessions of the course will result in the addition of 5 percentage points to the final grade (e.g. a 70% would become a 75% and an 85% would become a 90%).
#### CodePath Requirements for Course Completion
CodePath holds all professional and college students to the same high bar of quality coursework and professionalism. In order to be considered CodePath alumni and receive recognition for successful completion of the course from CodePath, **students must complete the course with a final grade of 60% or above**.
Students meeting the above requirements will:
1. Receive a (digital) CodePath certificate of completion.
1. Be considered CodePath alumni and gain access to alumni networks.
1. Gain full access to the CodePath career center and be eligible for mentorship opportunities with CodePath professional alumni.
#### Courses Offered for College Credit
For students taking a CodePath course for credit at their college, the professor of record at the college for which the course is being taken will have full discretion and the final decision for any grades a student receives in the course at their college. Students should defer to their college for specific add/drop, course withdrawal and grading policies.
- CodePath will provide the professor of record with all grades and student data from the course.
- The final grade given to a student at their college is decided by the professor of record for the course and is independent of the final grade determined by CodePath.
### Reporting
#### Grade Book
- **Non-credit courses:** Students will receive weekly updates of their individual grades via email from the CodePath operations team.
- **For-credit courses:**
  - CodePath will maintain a grade book for the course visible only to relevant CodePath staff and the professor of record for the given college.
  - The delivery methods and frequency of student grade reports will be determined by the professor of record and may include direct reports from CodePath or internal college platforms like Blackboard, Canvas, etc.
### Student Privacy
CodePath adheres to best practices and complies with all regulations regarding student information and data privacy as outlined by FERPA.
- Private student information and assessment data will only be shared with relevant team members within the CodePath organization and the professor of record for the participating college.
- Students who wish to have their data shared with any 3rd parties must grant CodePath explicit consent for such data sharing.
- Public facing leaderboards, such as Cybersecurity Capture the Flag Competitions, will use aliases and not contain student identifiable information.
## Course Content
### Unit 1 - Data Exposures
Reading:
* Security Introduction
* Castles and Heist Films
* Fundamental Security Principles
* Request methods and headers
* Attack: URL Manipulation
* Attack: Insecure Direct Object Reference
Lab:
* Hands on with URL Manipulation and IDOR
### Unit 2 - Cookie and Session Based Attacks
Reading:
* Attack: Faked Requests
* Cookies and Sessions
* Attack: Cookie Theft and Manipulation
* Attack: Cross-Site Request Forgery (CSRF)
* Attack: Session Hijacking
* Attack: Session Fixation
Lab:
* Hands on with CSRF exploits
* Learn design pattern for implementing CSRF tokens
* Hands on with Session Hijacking and Session Fixation exploits
Assignment:
* Capture The Flag (CTF): CSRF exploits
### Unit 3 - Cross-Site Scripting
Reading:
* Attack: Cross-Site Scripting (XSS)
* Sanitizing outgoing data
* Attack: Clickjacking
Lab:
* Hands on with XSS and clickjacking exploits
Assignment:
* Capture The Flag (CTF): XSS and clickjacking exploits
### Unit 4 - Malicious Input
Reading:
* Attack: SQL Injection (SQLI)
* Validating input
* Sanitizing incoming data
* Attack: File Upload Abuse
* Attack: Remote Code Execution
Lab:
* Hands on with SQLI and RCE exploits
Assignment:
* Capture The Flag (CTF): SQLI and RCE exploits
### Unit 5 - Cryptography
Reading:
* Encryption
* Attack: Brute Force Attack
* Attack: Dictionary Attack
Lab:
* Identify and exploit weak cryptographic protection
* Identify and exploit poorly-implemented crypto
* Using PGP / GPG
Assignment:
* Capture The Flag (CTF): Identify and exploit weak cryptographic protection and poorly-implemented crypto
### Unit 6 - User Authentication
Reading:
* User Authentication
* Strong Passwords
* Password Managers
* Multi-Factor Authentication
* Attack: Username Enumeration
* Attack: Credential Theft
* Phishing
* Data breaches
* Attack: Privilege Escalation
Lab:
* Login page vulnerabilities and exploits
* Password reset vulnerabilities and exploits
* Hash cracking with `hashcat`
### Unit 7 - White Hat, Black Hat
Reading:
* Attack: Footprinting, Enumeration, and Fingerprinting
* Code Reading and Analysis
Lab:
* Understanding VMs and containers
* Setting up WordPress in a VM/container
* Setting up Kali in a VM/container
* Using `wpscan` to discover and recreate known WP issues
Assignment:
* Research vulnerabilities in older WP versions
* Recreate exploits using Kali and other tools
* Documenting research and submitting proof of work
### Unit 8 - Better Tools, Better Targets
Lab:
* Using Metasploit to attack WP
* Using Meterpreter and reverse shells
* Using `sqlmap`
### Unit 9 - Social Engineering
Reading:
* Social Engineering Strategies
* Case Studies
* Attack: Social Engineering - Pretexting
* Attack: Social Engineering - Baiting
* Attack: Social Engineering - Phishing
* Attack: Social Engineering - Quid Pro Quo
* Attack: Social Engineering - Tailgating
* Insider Threats, Contractors
Lab:
* Using Social Engineering Toolkit
* Phishing via email
* Fake Login page
* Simulated Phishing Exercise
### Unit 10 & 11 - NetSec
Reading:
* Netsec Crash Course
* Firewalls
* Intrusion Detection Systems
* Risk Assessment
* Penetration Testing
* Threat Monitoring
* Incident Response
Lab:
* Basic networking tools
* Basic packet analysis
* Installing and using Wireshark
* Malware traffic analysis
* WiFi Cracking
Assignment:
* Build a Honeypot
* Intrusion Detection
### Unit 12 & 13 - Capture The Flag
* Multi-week, multi-team CTF competition
* Live web targets at various difficulties
* Student-supplied targets
* Quiz questions
## Course Resources
During this course, students should be aware of the following pages and resources:
- [Security Guides](http://guides.codepath.org/websecurity) - This includes a series of references to reinforce key concepts and topics
## Support Channels:
- **[support.codepath.org](http://support.codepath.org)**
  - Browse our ever expanding FAQ based on topic or search by keyword
  - Send us a message 📬