Cybr520week1week2printable PDF
Weeks 1 and 2
"Knowing a great deal is not the same as being smart; intelligence is not information alone but also judgment, the
manner in which information is collected and used." Dr. Carl Sagan
Concepts
People are and always will be the weakest link in security - there is no "patch the human". You cannot effectively
manage security without understanding people. We begin with an overview of the course topics of human factors,
social engineering, and leadership, and discuss the two sides of Influence in Security: the positive aspect that
helps sell the security program and its initiatives, and the negative aspect that is used by social engineers for the
disclosure or unauthorized use of technology or data. Then, we move into information gathering as we review
both technical and non-technical ways of gathering information. This is a critical step in hacking/intrusion, social
relationships, and sales. We will test your skills at pulling information from multiple sources to create a picture of a
target.
Oh, and we will frighten you so much that you will probably never trust a stranger again :-D
Learn
Formulate the definitions associated with human aspects of security.
Consider relationships between humans and IT and how humans use IT today.
Summarize technical and non-technical techniques for gathering information about a person, business,
or organization.
Research and analyze the steps for collecting information.
Read
Hadnagy, Social Engineering, Foreword, Chapters 1 and 2 - make sure you listen to the podcast
episodes listed on p. 5
Cialdini, Influence, Chapter 1
Schneier, "The Psychology of Security", January 18, 2008, http://www.schneier.com/essay-155.html
Google Hacking Demo: http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf
Google Hacking Database: http://www.hackersforcharity.org/ghdb/
Field Trips
Social-Engineer.com http://www.social-engineer.com/ (the website for the Social Engineering book)
Social-Engineer.org http://www.social-engineer.org/ (the website for the Social Engineering podcast &
newsletter)
Influence at work http://www.influenceatwork.com/ (the website for the Influence book)
Watch (there is a method to our madness - they all relate to Human Aspects of Cybersecurity)
Johnny Long - No Tech Hacking http://www.youtube.com/watch?v=5CWrzVJYLWw
Professor Risk http://www.youtube.com/watch?v=a1PtQ67urG4
Hacking is easy https://vimeo.com/11328554
Selective Attention test http://www.youtube.com/watch?v=vJG698U2Mvo
Count the F's http://www.youtube.com/watch?v=QdwDOL34LIA
The Door Study http://www.youtube.com/watch?v=FWSxSQsspiQ
Awareness test http://www.youtube.com/watch?v=ubNF9QNEQLA
Do
View the video and instructions at http://content.bellevue.edu/cst/cybr/520/id/memory-game/ (make sure you
can see the big arrow in the lower right) - you will be taking a quiz (located in the Weeks 1 and 2
assignment folder) instead of filling out the Word document and turning it in.
"Signaling" (handy extra background information for Weighty Post Option #2)
There is a concept in behavioral economics called "signaling". It doesn't have anything to do with using your
flashers before moving from one lane into another - this signaling is more in the sense of "these are my
beliefs...which more than likely go along with these other beliefs and behaviors" - it's a bit like a bumper sticker.
It's really a literal signal, like a flashy something. Monarch butterflies signal to predators through their coloration
that they don't taste good. Viceroy butterflies taste good, so they adopted Monarch-like coloration to influence
predators to not eat them, too. Someone who drives a Tesla is signaling something different from someone who
drives a Ford 150 Pickup. Here's an interesting Freakonomics podcast episode that mentions signaling in the
case of hybrid automobiles:
http://freakonomics.com/podcast/hey-baby-is-that-a-prius-youre-driving/ (you can listen to the podcast or read the
transcript) One of the scholars interviewed for the podcast has written a piece on signaling:
http://www.overcomingbias.com/2015/05/what-is-signaling.html - and here's one on fashion:
http://www.overcomingbias.com/2015/02/fashion-excuses.html, where he points out that our real motives are
different from the ones we admit to.
The profile pictures and banner images we choose for social media are signaling our affiliation with something, an
idea or a group....some more subtly than others. One can probably size up a person's politics in a few questions
about things that have nothing to do with politics (in fact, Time magazine did just that recently:
http://labs.time.com/story/can-time-predict-your-politics/). One would do this so one would know what topics of
conversation to avoid, because nothing, including facts, ever changes anyone's mind about political opinions,
which are arrived at through non-logical/emotional means. Even if one enjoys a spirited debate, one will try to
steer clear of things that people are likely to take personally - religion is deeply personal, so folks won't have
personal discussions about religion, period. These days, religion tends to highly correlate with politics so folks will
find themselves avoiding political discussions if they detect strong religious beliefs - and folks would pick up on
those beliefs because that person is signaling them through phrases or types of music or jewelry or a sticker on
their car.
One of the things this course is designed to accomplish is to make you all realize that anything you say or do or
write or wear or drive or whatever can be used by someone else to gain influence - good or bad. Someone might
do recon on you to make you feel more at ease - to do you a favor at a party, so they can introduce you to
someone who is helpful for your career, or a prospective mate, or merely interesting. Someone might also gain
influence to scam you. It's not hard to learn what language, as it were, certain groups speak. Geek is certainly a
language style. Think how easy it would be for someone to learn enough Geek to infiltrate a geek group. Sports
fans have their own language. Religious groups have theirs - and they are probably the least likely to see it
coming. There was a past CYBR 520 student who did a project on teaching security awareness to a church
group. The class agreed those poor lambs were extraordinarily unprepared for the criminal mischief that is out
there. This shouldn't have to be said, but an awesome thing about IT and cybersecurity courses is that anyone's
politics (signaled or otherwise) don't matter in here. Maybe some differences of opinion about, say, the 4th
Amendment will come up, but we can discuss things like that in a measured if intense fashion and still go out and
have metaphorical drinks together.
Meme Challenge
For something fun - that works in concert with DDA and assignment posts - you are challenged to incorporate
appropriate and amusing meme images into your posts. Why? Because we said so. Because memes help
reinforce a point with humor, using recognizable cultural images. Studies have shown that humor aids in the
absorption and retention of information (http://www.apa.org/monitor/jun06/learning.aspx). You can introduce a
potentially controversial topic by presenting it in a meme and get people discussing the topic because they're put
more at ease by the humor. Also, the proofreading skills of the Internet are displayed at their finest when
someone messes up on a meme ;-) If you were to do a meme about an article it could be a visual TL;DR. Last,
it's just more fun to include memes in class.
http://webtrends.about.com/od/reddit/a/Internet-Memes.htm
Here is a list of tools you can use to create your own meme images:
Livememe
Quickmeme
Meme Generator
AutoMotivator
What's in it for you all? Well, outside of the intrinsic benefits of humor and helping others learn more through
humor...nothing else; sometimes we do things because of the intrinsic value :-)
Weighty Posting
In order to keep discussions lively, please choose at least ONE of the weighty questions below and post
your draft to the discussion board no later than the start of Week 2.
Compose and submit to the Weeks 1 and 2 Discussion Board, as a reply to the appropriate Weighty Post Option
thread, a structured post (a structured post has an introduction, a conclusion, and a developed body that flows
well - generally at least a few paragraphs - at least 250 words), using your own words, on at least one of these
weighty questions:
1. Harmless Internet Surveillance Exercise: Pick someone who you know has an Internet footprint and create
a dossier on them (if you can't think of someone, use "Jonathan S. Tuttle" - the one affiliated with Bellevue
University - or contact your professor for the names of friends who are willing to be experimental subjects;
heck, you can use your professor if you haven't already done this in your spare time ;-) Here are the steps:
Search the Internet for all information about your subject. You can use the articles on Google Hacking in
this unit's reading to help you. Respond to ALL of the following: 1) What does your subject do for a living?
2) Where did your subject go to school? (this can be high school, college, etc.) 3) What social networks is
your subject on? 4) Where did you go to get information on your subject? (List your sources of information.)
5) List all that you can find about your subject - this could include screen names, birthdates, hobbies,
friends/family/acquaintances, marriage licenses, tax records, etc. (keep it PG-13 or safer) It's up to you
whether you give the subject's full name or just provide initials. (No, you may not contact the NSA to
use their file ;-) Write all this up in a post that isn't merely a list of answers. Be engaging - think Buzzfeed or
Cracked.com with more substance and fewer swear words ;-)
http://www.washingtonpost.com/wp-dyn/content/article/2008/06/15/AR2008061501963.html?sid=ST2008061502199
So, your task is to find as
many of these walking driving advertisements as you can and figure out how what is on their cars could be
used against them by someone bent on developing rapport. (You are not to harm or scare anyone! This is
an observation and analysis exercise - you are not going to use the information against them) Spend a few
days documenting what you find - you can share photos, but if the license plate isn't personalized try to blur
that out - as the previous owner of a vanity plate, "PROF KAR", Professor Karla knew she was fair game. If
you get a chance to engage in conversation with the driver, try developing rapport based on the car's
stickers, but don't be creepy - remember, keep the target safe :-) After you've gathered some data, write up
your observations, at least 250 words, and keep us entertained :-D
3. Create an infographic that explains Bruce Schneier's "The Psychology of Security" to people who know
nothing about the topic. Make sure you cover at least five data points. Post the infographic and explain why
you chose the data points you did. You might find this link useful for the infographic:
http://www.edudemic.com/diy-infographics/
4. Find a Dilbert cartoon strip that relates to social engineering. 1) Attach the cartoon or a link to the cartoon.
2) Pretend the class is filled with clueless Dilbert-boss managers and explain the relevance of the cartoon
to social engineering. 3) Compare the strip's scenario to something you personally have encountered at
work, or, if you haven't been so lucky, interview someone else who has encountered such.
You need to support your Weighty Posts with references to worthy* sources in addition to your book/book
resource site and the Gartner article or video or cartoon you're discussing. The BRUIN library is a great place to
start. Feel free to use worthy* news articles as sources (remembering that they always have a bias, that is),
making sure to list those and all other sources at the bottom of the post (please use more than a URL!).
Quotations by famous people are allowed, as well - you only have to identify the speaker, not the specific work, in
the case of well-known quotations, e.g. "If you reveal your secrets to the wind, you should not blame the wind for
revealing them to the trees." - Kahlil Gibran
*Worthy means the author or the publisher of the source has authority and credibility on the topic, the source has
been QAed through editors or a peer review system, the source is recent or has historical value, the source is
factual and accurate, if the source is an opinion piece, the arguments are backed up with evidence and reasoning
("only a Sith deals in absolutes"), and any facts or stories in the source can be corroborated through another
unrelated source. Determining what is and isn't a good source is an art - it's something you develop over time.
You can also check the Written Assignment rubric in the Syllabus section for more information.
Background (aka "why we are tormenting you thusly" :-D): A great way to curry favor with managers is to make
them look good. Managers often have little time to stay current on developments in technology, particularly longer
articles or thought-provoking lectures. Knowledge, though, is power, and it's important for everyone - and
particularly essential for those in decision-making positions - to know the latest discussions, discoveries, and
dilemmas that are out there. A great skill to hone is the ability to distill a longer item to its essence by summarizing
and analyzing its content and points for another. Pretend your manager needs to have a surprise power lunch
with her or his manager and doesn't have time to get current on the latest developments in cybersecurity and
social engineering. You ride to the rescue, bearing two one-page (250 words) documents, summarizing both an
academic item (since you have access to a University library even as an alum ;-) and a more popular (yet still
edited) item you found on the Internet.
It's okay to reference classic items, as long as you can point out in your analysis why the item is still relevant or
has historical value.
TL;DR
Academic Item
Choose one academic/scholarly article or presentation, related to cybersecurity or social engineering, from any
relevant academic journal or given by an academic/scholarly person (e.g. Avi Rubin, "All your devices can be
hacked", http://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked - you can search the ted.com site
for "professor" and get results). The journals for the ethics classes would work (Ethics and Information
Technology or Computers in Human Behavior.) The journals are available free of charge via the university online
library. The library has also developed a LibGuide for Cybersecurity: http://libguides.bellevue.edu/Cybersecurity
You can get assistance on how to use the online library by visiting the Student Services tab in the main
Blackboard window. We strongly recommend you go through the BUILD IT modules if you are new to the
Bellevue library: http://lib.bellevue.edu/buildit/index.html.
The Pew Research Center Internet, Science & Tech organization (http://www.pewinternet.org/) counts as
academic for the purposes of this assignment.
Note: if you are having trouble gaining access to library resources there are pdf copies of various journal
articles here - ACM and IEEE journal articles, as well as Gartner papers, count as academic for the
purposes of this assignment: https://app.box.com/s/6y09j7i8lmzqewf36qj5
Compose and submit to the Weeks 1 and 2 Discussion Forum - "Summary and Analysis: Academic" thread a
structured post (a structured post has an overall introduction, an overall conclusion, and a developed body that
flows well - generally at least a few paragraphs - at least 250 words, not including the question text itself), using
your own words. Please include, as well:
1. An APA/MLA/Chicago/etc. reference for the item - basically, let your professor and your classmates know
how to find it if we want to read/watch it.
2. TL;DR
3. Why you chose this item.
4. A brief summary of the main points that the author made in the item.
5. An analysis of the item. Points to address (all 7 of them):
1. Did the author have a clear purpose for the item? What makes you believe so?
2. Was this purpose accomplished? How?
3. Did the author present compelling evidence to support main points?
4. Does the item have gaps? What sort?
5. Did the author present the information in a way that readers would find appealing? In what way?
6. Is the world a better place for this item being written/given? How?
7. How does this item relate to the real world, either business-wise, or personally? If it doesn't, state why.
You don't have to write in a boring and stilted academic style in your summary and analysis - it's all right (and
encouraged!) to write in an engaging style! It's recommended that you do make a clear distinction between the
summary and analysis sections of the paper, if only to remember to address all 7 points of the analysis
assignment.
Non-Academic Item
Choose one item, related to cybersecurity or social engineering, from any worthy (see page 3 for the definition of
worthy) edited/QAed online source, such as MIT Technology Review, Wired, Ars Technica, TechDirt, Atlantic, The
New York Times, The Washington Post, Christian Science Monitor Passcode, CNET, CSO, Information Security,
SC, Security (that is not an exhaustive list), a TED Talk (http://www.ted.com/ - you can also find TED Talks on
YouTube) by anyone (e.g. James Lyne, "Everyday cybercrime — and what you can do about it",
http://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it), or some of the
films from the library's extensive film collections, Films on Demand, Alexander Street, and Kanopy. Look for their
Computer Science & IT collections. An example is "Cyberwar Threat".
Compose and submit to the Weeks 1 and 2 Discussion Forum - "Summary and Analysis: Non-Academic" thread a
structured post (a structured post has an overall introduction, an overall conclusion, and a developed body that
flows well - generally at least a few paragraphs - at least 250 words, not including the question text itself), using
your own words. Please include, as well:
1. An APA/MLA/Chicago, etc. reference for the item - basically, let your professor and your classmates know
how to find it if we want to read/watch it.
2. TL;DR
3. Why you chose this item.
4. A brief summary of the main points that the author made in the item.
5. An analysis of the item. Points to address (all 7 of them):
1. Did the author have a clear purpose for the item? What makes you believe so?
2. Was this purpose accomplished? How?
3. Did the author present compelling evidence to support main points?
4. Does the item have gaps? What sort?
5. Did the author present the information in a way that readers would find appealing? In what way?
6. Is the world a better place for this item being written/given? How?
7. How does this item relate to the real world, either business-wise, or personally? If it doesn't, state why.
Again, you don't have to write in a boring and stilted academic style in your summary and analysis - it's all right
(and encouraged!) to write in an engaging style!
It's recommended that you do make a clear distinction between the summary and analysis sections of the paper, if
only to remember to address all 7 points of the analysis assignment.
We hope you see that keeping a journal is a good way to collect your thoughts on different topics. Journaling is a
great way to improve your writing skills.
Please do write in this regularly - we want you to reflect as the class is going on, not wait until the end. The entire
journal counts for 10% of your overall grade. You are evaluated on quality and quantity of journal entries. Graded
as Complete/Incomplete, where a B or higher is Complete.
Here's a suggestion for Weeks 1 and 2: Watch this video, "19 Simple Psychological Tricks That Actually Work"
https://www.youtube.com/watch?v=l4tWdTmYZoM and try out as many of the tips as you feel comfortable trying
or have occasion to try. What happened?
All students will play Designated Devil's Advocate (DDA). The role of Devil's Advocate is to challenge posts - be skeptical and find
holes in the logic or facts - even if the DDA happens to agree with the poster's point. The purpose of the exercise
is to make the posters and the DDA engage in deeper and more critical thinking. Devil's Advocates are used in
business to prevent "groupthink".
(Although your post will be anonymous to your fellow students, your professor can tell who has posted what,
when, and where, so behave ;-)
If you forget and don't check the Post message as Anonymous box and you press submit, you can still edit your
post after the fact, but anyone with the subscription feature turned on will see who is behind your DDA Secret
Agent Code Name (explained below). That shouldn't be a problem (because we're all being polite :-) but it can be
embarrassing. We had an Agent Piranha blow his cover after only 30 minutes one term and he needed to select a
new DDA Secret Agent Code Name. A best practice is to check the box before typing in anything.
If you choose not to post as Anonymous it's helpful to your professor and your classmates if you can identify in
your post that you are playing Devil's Advocate.
DDA Code Names - Now Required if Posting as Anonymous
If you have chosen to post as Anonymous, you are required to use your DDA Secret Agent Code Name (which
you select through the "DDA Secret Agent Code Name Request" tool*, located in the main Assignments folder)
when you are posting in your DDA capacity. This helps you keep track of how many DDA posts you've made,
because you can search by that code name. This also adds more excitement to the class, as you can feel like a
Cold War Spy. You may include the Secret Agent DDA Code Name in the subject line or in the body of the post
(or both).
There is a list of suggested "dangerous critter" (animals, mythical characters, microbes, etc.) names in the DDA
Secret Agent Code Name Request tool, but you are free to choose any name you want, dangerous or otherwise.
If nothing on the list strikes your fancy, try this Code Name Generator: http://www.codenamegenerator.com/ - one
probably doesn't want to run across an "Aurulent Titanium Hyrax" (in a dark alley, late at night, with a full wallet).
If your DDA post does not include your DDA Secret Agent Code Name you will NOT receive credit for the DDA
post. You have the ability to edit your posts, so if you forget, you can go back and put in your identity.
*Your Secret Agent Code Name request needs to be confirmed by your professor (in case of request
collisions). Please check the top of the gradebook for your code name.
Grading
An initial DDA post needs to ask a question. If there isn't a question, it's not a DDA post. Subsequent dialog
doesn't have to continue questioning.
When acting as DDA, it might be helpful if you think of how you would have answered the question and then find
the difference between the two – ask if the original poster thought of x, y, and z. Or, you can find a current worthy
article (Internet or the BRUIN library) that deals with the topic and ask if the original poster had run across that
and if its information or conclusions would have altered his or her findings. You can always ask if the original
poster has experienced the issue on his or her own. These are not the only types of DDA activities, by any
means. Feel free to improvise!
It is perfectly acceptable to perform basic peer review observations in your DDA role. If someone needs
to proofread better, you may address that. If you have questions about their sources and whether they
are "worthy", you may address that. If you think someone hit the submit button accidentally early (i.e. the
post isn't at least 250 words), you may address that.
Another option is to look at the tips for posts (see the Wikialien's Lair area of the classroom); if those weren't
addressed, you, as the DDA, can ask:
Your DDA performance is 30% of your overall grade, so make it count! The base expectation is 20 DDA posts
during the term (i.e. at least 20 times during the current term that you have posted a DDA post that includes at
least one question per post), but you are welcome to make as many as you like. If you're having a blast posting as
"Secret Agent Cholera" you don't have to stop when you reach 20!
Please try to read other DDA posts (you can tell because the posts will have Anonymous as the author and a
DDA Secret Agent Code Name somewhere) before making your DDA post. It's not good if students start to feel
like they are being tag-teamed by raptors ;-)
When someone has DDAed your post, understand that the DDA is not attacking you personally, but helping to
strengthen your argument by pointing out how it can be better. It is not intended to be a comment on your value
as a person and it is not intended to be rude or snarky or hostile.
It might be helpful for the class to see the DDAs as looking like this adorable giant panda cub:
"For me, the DDA assignment was a license to ask the questions that I would have otherwise filtered and/or
avoided asking, even though they should be asked. Basically, if I felt any hesitation in a normal response, I would
switch it to a DDA. When I first learned about DDA responses, I thought the idea was kind of corny, but quickly
learned that they can really add spark to the conversation."
"There is nothing wrong with being a little bit of an antagonist. The DDA is intended to get people using their
heads and stirring the pot a little. Post the questions that stir debate; the best ones are the ones that are
completely contrary to what you believe is right. An extreme example: most people agree that stealing a car is
wrong. So pose the question, 'If someone is dumb enough not to properly secure their car, would it not teach
them a lesson by taking it? Besides, isn't that what insurance is for?'"
"A DDA must be willing to go against the grain of majority thinking. Simply arguing for the sake of it won't do; one
must understand the problem and become the bad or unpopular solution. There will be those that will side with
the DDA, and those that will argue against the DDA....to make someone believe the DDA is the "anti-them" and
stimulate conversation at the same time should be the goal of the DDA. You are the bad-guy in wrestling. You are
the guy played by James Woods in movies. You are the person that makes the other students remember you
when you leave the class because of your comments against what they think. You must own the DDA position in
order to perform it well!"
The second is a choice between doing a Social Engineering PSA (Public Service Announcement)
or a Phishing Campaign. Either option will be amazingly fun.
Both sets of your final projects are due by the end of the term.
Please let your professor know if you have any questions about any parts of the assignment. You can use the
"Ask the Professor Anything" discussion board.