Topic 4d – Cybersecurity

The network connects everything. That includes the threats.

Learning Objectives

By the end of this topic, you should be able to:

Learning Activities

To help you meet the learning objectives, we have prepared a combination of readings, activities, and videos.

Course Readings

These reading were designed to introduce the course topics to an audience of educators. They should be considered "required" and read in order.

Supplemental Readings

Some participants find it helpful to read about a topic from a source written for a slightly more technical audience. These supplemental readings cover similar material as the course readings but may not fully align with the course learning objectives. Use them as an optional complement to your study, not a substitute for the course readings.

Lesson Videos

These videos support the readings above and may present the material with some deeper connections and worked examples.

Activity

When I teach this class in a face to face environment I often give students the following handout and ask them to discuss which defenses are effective against which threats. This is as much a "checking for understanding" as it is a full blown activity. But I include it here for your study.

Checking for Understanding, Questions

Defining the Threats

  1. What is malware? Why is it considered an umbrella term rather than a specific threat type?
  2. What is the key difference between a virus and a worm? If a piece of malware is spreading across a school network without any teachers or students opening files, which type is it more likely to be?
  3. What makes a Trojan horse different from both a virus and a worm? What does the user typically do that allows a Trojan to get onto their system?
  4. Spyware and a Trojan horse can both steal information. What distinguishes them from each other?
  5. Phishing is sometimes described as attacking the human rather than the machine. What does that mean, and why does it make phishing particularly difficult to defend against with technical tools alone?
  6. What is the goal of a denial of service attack? How does a distributed denial of service (DDoS) attack differ from a simple DoS attack?

Classifying Scenarios

For each scenario below, identify which threat type it describes and explain the feature of the scenario that led to your classification.

  1. A teacher receives an email that appears to be from their bank, saying their account has been suspended. The email includes a link to a login page where they are asked to verify their credentials.
  2. A student downloads a free homework timer app from an unofficial website. The app works as advertised, but it also silently sends every URL the student visits to a remote server.
  3. A new piece of malicious code enters the district network through an unpatched server and automatically copies itself to every other unpatched machine on the network within minutes, without any human interaction.
  4. A school's gradebook system becomes completely unreachable during report card season. Investigation reveals that the server is being flooded with thousands of fake requests per second from thousands of different IP addresses.
  5. A teacher opens a PDF attachment from an unrecognized sender. The PDF exploits a vulnerability in the PDF reader to install malicious software that gives the attacker remote access to the teacher's computer.

Defenses and Firewalls

  1. Explain what a firewall does in plain language. Use an analogy to help illustrate how it works.
  2. A school's firewall is configured to block all traffic on port 25 (SMTP) from devices inside the school network. What kind of threat does this configuration help prevent?
  3. A colleague says: "I have antivirus software, so I do not need to worry about phishing." How would you respond?
  4. For each of the following threats, name the single most important defense and explain why it specifically addresses that threat: worms, phishing, Trojans, denial of service.
  5. Why is keeping regular backups particularly important as a defense against ransomware? What property of those backups matters most?

Checking for Understanding, Answers

You can compare your answers to the following answer key.

Show Answer Key

Defining the Threats

  1. Malware (malicious software) is any software designed to damage, disrupt, or gain unauthorized access to a computer system. It is an umbrella term because it encompasses many distinct types — viruses, worms, Trojans, spyware, ransomware, adware — which differ significantly in how they spread, what they do, and how they are defended against. Calling something "malware" identifies it as malicious but says nothing about its specific behavior.
  2. A virus attaches itself to or hides inside a legitimate file and requires a human action (opening, executing, or sharing that file) to spread. A worm is self-replicating and spreads autonomously across a network by exploiting vulnerabilities, with no human interaction required. Malware spreading across a school network without anyone opening files is almost certainly a worm — its spread mechanism does not depend on user behavior.
  3. A Trojan horse disguises itself as legitimate, useful software. Unlike a virus or worm, it does not self-replicate or spread automatically — it relies entirely on the user voluntarily installing it, believing it to be something benign (a free game, a utility, a codec). Once installed, it performs its malicious payload (opening a backdoor, stealing data, etc.) while the user remains unaware.
  4. Spyware is specifically designed to monitor and collect information about the user (browsing history, keystrokes, passwords) and send it to a third party, often for advertising or identity theft. A Trojan horse is a delivery mechanism — it disguises itself to get installed, and its payload could be anything: stealing data, creating a backdoor, downloading other malware, etc. A Trojan that steals data is behaving like spyware, but spyware does not have to arrive as a Trojan — it can be bundled with legitimate software (as an undisclosed component) or installed through a drive-by download.
  5. Phishing exploits human psychology rather than technical vulnerabilities: it tricks users into voluntarily providing credentials, clicking malicious links, or installing malware by impersonating a trusted entity. Technical defenses (firewalls, antivirus software) protect against known malicious code and traffic patterns, but they cannot reliably distinguish a fake login page from a real one if the user navigated there willingly. The only fully effective defense involves training humans to recognize the warning signs.
  6. A denial of service (DoS) attack aims to make a service unavailable to its intended users by overwhelming it with traffic or requests until it cannot respond to legitimate ones. A distributed DoS (DDoS) attack uses thousands or millions of compromised machines (a botnet) to send the flood simultaneously, making it far harder to block — since the traffic comes from many different IP addresses, simply blocking one source does nothing.

Classifying Scenarios

  1. Phishing. The key feature: the email impersonates a trusted institution (the bank) and directs the victim to a fake login page to steal credentials. No malicious software is installed — the attack works by deceiving the human into voluntarily entering their information.
  2. Trojan horse / spyware. The app presents itself as legitimate (a homework timer that actually works) while concealing malicious functionality (silently transmitting browsing data). The spyware behavior (collecting and transmitting user activity) is delivered via a Trojan mechanism (disguised as a useful app). Either classification is acceptable; the key features are the deceptive packaging and the covert data collection.
  3. Worm. The key feature: the code spreads autonomously across the network by exploiting an unpatched vulnerability, with no human interaction required. No one opened a file or clicked a link — the worm copied itself without any user involvement.
  4. Distributed Denial of Service (DDoS). The key features: the server is flooded with fake requests (not real users trying to access it), and the traffic originates from thousands of different IP addresses — indicating a botnet. The goal is to make the gradebook unavailable by exhausting the server's resources.
  5. Trojan horse. The key feature: the malicious payload was hidden inside what appeared to be a legitimate document (a PDF). The teacher voluntarily opened the file, believing it to be harmless, and the malicious code exploited a vulnerability to install itself. The attack relied on social engineering (sending a plausible-looking attachment) to get the user to do the installation.

Defenses and Firewalls

  1. A firewall is a system that monitors and controls incoming and outgoing network traffic based on a set of rules, blocking traffic that does not meet the criteria. Analogy: a firewall is like a security guard at a building entrance who checks IDs and bags. Visitors (packets) that match an approved profile (matching rules for source, destination, port, and protocol) are let through; those that do not are turned away. Like a security guard, a firewall only controls what passes through the door — it cannot help if a threat is already inside or arrives via an unmonitored entrance.
  2. Blocking outbound port 25 (SMTP) from internal devices prevents compromised machines inside the school network from sending spam or phishing emails directly. This is a defense against the school's own devices being used as part of a botnet to send mass unsolicited email. Legitimate email from users goes through the school's designated mail server (which is allowed to use port 25), not directly from individual devices.
  3. Antivirus software detects and blocks known malicious code. Phishing does not install malicious code (in its basic form) — it tricks the user into voluntarily surrendering credentials on a fake website. Antivirus software has no way to distinguish a fake login page from a real one if the user navigated there willingly. The colleague is protected against one category of threat but entirely unprotected against another. Phishing awareness training, recognizing warning signs, and verifying URLs before entering credentials are the appropriate defenses for phishing.
    • Worms: keeping software patched and updated. Worms exploit known vulnerabilities in unpatched software; once a patch exists, the attack vector is closed.
    • Phishing: user awareness training. Phishing attacks the human decision-maker; technical tools can help filter known phishing sites, but training users to recognize the warning signs is the most direct defense.
    • Trojans: downloading software only from trusted, official sources and being skeptical of free applications from unknown sites. Trojans succeed because users install them voluntarily; the defense is exercising judgment before installing anything.
    • Denial of service: rate limiting, traffic filtering, and using a CDN or DDoS mitigation service. The goal is to absorb or filter the flood of fake traffic before it reaches the target server.
  4. Ransomware encrypts the victim's files and demands payment for the decryption key. Regular backups mean the victim can restore their files from a backup rather than paying the ransom. The property that matters most is that the backups must be offline or isolated — ransomware often attempts to spread to connected drives and network shares, so a backup on an always-connected external drive or network folder may also be encrypted. Backups stored offline (disconnected drives) or in a separate cloud account that the ransomware cannot reach are the only reliable recovery option.

Extend Your Learning

The following resources go a little deeper on topics we touched on but did not fully explore in the readings. These are entirely optional — none of this material appears on the Competency Demo — but each one is a natural "next question" from something covered this week.

  • Ransomware and schools
    Ransomware attacks on school districts have become common enough that CISA publishes guidance specifically for K–12 institutions. This CISA fact sheet covers what ransomware is, how attacks typically unfold in school environments, and the specific steps districts can take to prepare and respond.
    Ransomware Guide — CISA (PDF)
  • Social engineering beyond phishing
    Phishing is one form of social engineering, but there are others: pretexting (fabricating a scenario to extract information), baiting (leaving infected USB drives where targets will find them), and vishing (phone-based phishing). This overview from the SANS Institute covers the major social engineering techniques and why they remain so effective despite widespread awareness.
    Social Engineering — SANS Institute
  • Zero-day vulnerabilities
    A zero-day vulnerability is a software flaw unknown to the vendor that therefore has no patch. Attackers who discover zero-days can exploit them until the vendor learns of the problem and releases a fix. This article from Kaspersky covers what zero-days are, how they are discovered and traded, and why the "keep software updated" defense has limits.
    What is a Zero-Day Exploit? — Kaspersky
  • Teaching cybersecurity to students
    Phishing simulations, password hygiene lessons, and discussions of real-world attacks are all used in K–12 cybersecurity education. Common Sense Media's Digital Citizenship curriculum includes age-appropriate cybersecurity modules for elementary through high school that connect to the concepts from this topic.
    Digital Citizenship Curriculum — Common Sense Media