Implementation
Course
Course
Cybersecurity
Subjects
Subjects
Career & Technical Education
Cybersecurity
Robotics & Coding
Grade Levels
Grade Levels
10
11
12
Duration (hours)
Duration (Approx hours)
40
Already have a Canvas account? Log In
Overview
In this unit, students will learn how to implement security concepts, focusing on access management, PKI, wireless, and end-to-end security
Standards
CompTIA Security+ (SYO-601) Objectives 3.1 – 3.9
Cyber Connections
Threats and Vulnerabilities
Hardware and Software
Cyber Hygiene
Digital Citizenship
Networks and Internet
Section Title
Lessons
Accordion Items
Title
3.1 - Given a scenario, implement secure protocols
Content
- Protocols - Domain Name System Security Extension (DNSSEC)
- SSH
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Secure Real-time Protocol (SRTP)
- Lightweight Directory Access Protocol Over SSL (LDAPS)
- File Transfer Protocol, Secure (FTPS)
- SSH File Transfer Protocol (SFTP)
- Simple Network Management Protocol, version 3 (SNMPv3)
- Hypertext transfer protocol over SSL/TLS (HTTPS)
- IPSec
- Authentication header (AH)/ Encapsulating Security Payloads (ESP)
- Tunnel/transport
- Secure Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP)
- Use cases
- Voice and video
- Time synchronization
- Email and web
- File transfer
- Directory services
- Remote access
- Domain name resolution
- Routing and switching
- Network address allocation
- Subscription services
Title
3.2 - Given a scenario, implement host or application security solutions
Content
- Endpoint protection
- Antivirus - Anti-malware
- Endpoint detection and response (EDR)
- DLP
- Next-generation firewall (NGFW)
- Host-based intrusion prevention system (HIPS)
- Host-based intrusion detection system (HIDS)
- Host-based firewall
- Boot integrity
- Boot security/Unified Extensible Firmware Interface (UEFI)
- Measured boot
- Boot attestation
- Database
- Tokenization
- Salting
- Hashing
- Application security
- Input validations
- Secure cookies
- Hypertext Transfer Protocol (HTTP) headers
- Code signing
- Whitelisting
- Blacklisting
- Secure coding practices
- Static code analysis
- Manual code review
- Dynamic code analysis
- Fuzzing
- Hardening
- Open ports and services
- Registry
- Disk encryption
- OS
- Patch management
- Third-party updates
- Auto-update
- Self-encrypting drive (SED)/ full-disk encryption (FDE)
- Opal
- Hardware root of trust
- Trusted Platform Module (TPM)
- Sandboxing
Title
3.3 - Given a scenario, implement secure network designs
Content
- Load balancing
- Active/active
- Active/passive
- Scheduling
- Virtual IP
- Persistence
- Network segmentation
- Virtual local area network (VLAN)
- DMZ
- East-west traffic
- Extranet
- Intranet
- Zero Trust
- Virtual private network (VPN)
- Always-on
- Split tunnel vs. full tunnel
- Remote access vs. site-to-site
- IPSec
- SSL/TLS
- HTML5
- Layer 2 tunneling protocol (L2TP)
- DNS
- Network access control (NAC)
- Agent and agentless
- Out-of-band management
- Port security
- Broadcast storm prevention
- Bridge Protocol Data Unit (BPDU) guard
- Loop prevention
- Dynamic Host Configuration Protocol (DHCP) snooping
- Media access control (MAC) filtering
- Network appliances
- Jump servers
- Proxy servers
- Forward
- Reverse
- Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
- Signature-based
- Heuristic/behavior
- Anomaly
- Inline vs. passive
- HSM
- Sensors
- Collectors
- Aggregators
- Firewalls
- Web application firewall (WAF)
- NGFW
- Stateful
- Stateless
- Unified threat management (UTM)
- Network address translation (NAT) gateway
- Content/URL filter
- Open-source vs. proprietary
- Hardware vs. software
- Appliance vs. host-based vs. virtual
- Access control list (ACL)
- Route security
- Quality of service (QoS)
- Implications of IPv6
- Port spanning/port mirroring
- Port taps
- Monitoring services
- File integrity monitors
Title
3.4 - Given a scenario, install and configure wireless security settings
Content
- Cryptographic protocols
- WiFi protected access II (WPA2)
- WiFi protected access III (WPA3)
- Counter-mode/CBC-MAC protocol (CCMP)
- Simultaneous Authentication of Equals (SAE)
- Authentication protocols
- Extensible Authentication Protocol (EAP)
- Protected Extensible Application Protocol (PEAP)
- EAP-FAST
- EAP-TLS
- EAP-TTLS
- IEEE 802.1X
- Remote Authentication Dial-in User Service (RADIUS) Federation
- Methods
- Pre-shared key (PSK) vs. Enterprise vs. Open
- WiFi Protected Setup (WPS)
- Captive portals
- Installation considerations
- Site surveys
- Heat maps
- WiFi analyzers
- Channel overlays
- Wireless access point (WAP) placement
- Controller and access point security
Title
3.5 - Given a scenario, implement secure mobile solutions
Content
- Connection methods and receivers
- Cellular
- WiFi
- Bluetooth
- NFC
- Infrared
- USB
- Point-to-point
- Point-to-multipoint
- Global Positioning System (GPS)
- RFID
- Mobile device management (MDM) Application management
- Content management
- Remote wipe
- Geofencing
- Geolocation
- Screen locks
- Push notifications
- Passwords and pins
- Biometrics
- Context-aware authentication
- Containerization
- Storage segmentation
- Full device encryption
- Mobile devices
- MicroSD HSM
- MDM/Unified Endpoint Management (UEM)
- Mobile application management (MAM)
- SEAndroid
- Enforcement and monitoring of:
- Third-party application stores
- Rooting/jailbreaking
- Sideloading
- Custom firmware
- Carrier unlocking
- Firmware over-the-air (OTA) updates
- Camera use
- SMS/Multimedia Messaging Service (MMS)/Rich communication services (RCS)
- External media
- USB On-The-Go (USB OTG)
- Recording microphone
- GPS tagging
- WiFi direct/ad hoc
- Tethering
- Hotspot
- Payment methods
- Deployment models
- Bring your own device (BYOD)
- Corporate-owned personally enabled (COPE)
- Choose your own device (CYOD)
- Corporate-owned
- Virtual desktop infrastructure (VDI)
Title
3.6 - Given a scenario, apply cybersecurity solutions to the cloud
Content
- Cloud security controls
- High availability across zones
- Resource policies
- Secrets management
- Integration and auditing
- Storage
- Permissions
- Encryption
- Replication
- High availability
- Network
- Virtual networks
- Public and private subnets
- Segmentation
- API inspection and integration
- Compute
- Security groups
- Dynamic resource allocation
- Instance awareness
- Virtual private cloud (VPC) endpoint
- Container security
- Solutions
- CASB
- Application security
- Next-generation Secure Web Gateway (SWG)
- Firewall considerations in a cloud environment
- Cost
- Need for segmentation
- Open Systems Interconnection (OSI) layers
- Cloud native controls vs. third-party solutions
Title
3.7 - Given a scenario, implement identity and account management controls
Content
- Identity - Identity provider (IdP)
- Attributes
- Certificates
- Tokens
- SSH keys
- Smart cards
- Account types
- User account
- Shared and generic accounts/credentials
- Guest accounts
- Service accounts
- Account policies
- Password complexity
- Password history
- Password reuse
- Time of day
- Network location
- Geofencing
- Geotagging
- Geolocation
- Time-based logins
- Access policies
- Account permissions
- Account audits
- Impossible travel time/risky login
- Lockout
- Disablement
Title
3.8 - Given a scenario, implement authentication and authorization solutions
Content
- Authentication management
- Password keys
- Password vaults
- TPM
- HSM
- Knowledge-based authentication
- Authentication
- EAP
- Challenge Handshake Authentication Protocol (CHAP)
- Password Authentication Protocol (PAP)
- 802.1X
- RADIUS
- Single sign-on (SSO)
- Security Assertions Markup Language (SAML)
- Terminal Access Controller Access Control System Plus (TACACS+)
- Oauth
- OpenID
- Kerberos
- Access control schemes
- Attribute-based access control (ABAC)
- Role-based access control
- Rule-based access control
- MAC
- Discretionary access control (DAC)
- Conditional access
- Privilege access management
- Filesystem permissions
Title
3.9 - Given a scenario, implement public key infrastructure
Content
- Public key infrastructure (PKI)
- Key management Certificate authority (CA)
- Intermediate CA
- Registration authority (RA)
- Certificate revocation list (CRL)
- Certificate attributes
- Online Certificate Status Protocol (OCSP)
- Certificate signing request (CSR)
- CN
- Subject alternative name
- Expiration
- Types of certificates
- Wildcard Subject alternative name
- Code signing
- Self-signed
- Machine/computer
- User
- Root
- Domain validation
- Extended validation
- Certificate formats
- Distinguished encoding rules (DER)
- Privacy enhanced mail (PEM)
- Personal information exchange (PFX)
- .cer
- P12
- P7B
- Concepts
- Online vs. offline
- CA
- Stapling
- Pinning
- Trust model
- Key escrow
- Certificate chaining