Grade Level
Initial ideas
K-12 Cybersecurity Standards
Core Concept: Security (SEC)
Sub Concept: Information Security, Physical Security
Topic(s): Access Control (ACC), Security Controls (CTRL)
Grade Band: 9-12.SEC.ACC Compare and contrast the concepts presented by access control principles, access control modules, and the principle of least privilege access. 9-12.SEC.CTRL Justify the use of Defense in Depth and the need for physical access controls.
Security+ and Identity and Access Management
Identity and Access Management (IAM) is an important topic covered in the Security+ exam. To be successful on the exam, a student should have a good understanding of the following concepts:
Authentication and Authorization:
Different authentication methods, including biometric authentication, multifactor authentication, and single sign-on (SSO)
Authentication protocols, such as Kerberos, RADIUS, and TACACS+
Authorization concepts, including role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC)
Password policies, such as complexity requirements, password length, and password expiration
Identity Management:
Identity management concepts, including identity proofing, identity verification, and identity federation
Identity and access provisioning, deprovisioning, and lifecycle management
Identity and access synchronization and data normalization
Directory services, including Lightweight Directory Access Protocol (LDAP) and Active Directory (AD)
Access Control:
Access control models, including MAC, DAC, and RBAC
Access control technologies, such as firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS)
Network segmentation and zoning
Access control methodologies, including least privilege and separation of duties
Identity and Access Services:
Identity as a Service (IDaaS) and cloud-based identity and access management
Federation services, such as Security Assertion Markup Language (SAML) and OAuth
Public key infrastructure (PKI) and digital certificates
Play
Welcome to Unit 5, where we focus on the vital area of Identity and Access Management (IAM) in the exciting world of cybersecurity!
In this unit, each lesson is like a mission in the realm of digital security, with a special focus on IAM – the art of managing who gets access to what in the cyber world. You'll become like a gatekeeper, learning how to control access to information and protect digital assets from unauthorized users.
You'll have a few labs to choose from, each offering a unique challenge in the field of IAM. Whether it's setting up secure access controls, managing user identities, or preventing unauthorized access, you're in for a hands-on learning adventure.
As you progress, share your achievements and learnings with your classmates. It's about teamwork, exchanging knowledge, and celebrating our collective journey in mastering IAM.
Note: Cyber.org has updated their content. These labs can now all be found by going to Cyber.org / Curriculum / High School /
Cybersecurity. Please use the Command F function to easily find the labs on this site.
Lab - File Hashing
Lab - Fuzzing
Lab - Passwords
Learn
Lesson 1 - Foundation of IAM
(1-2 Days)
Objective: By the end of the lesson, students will be able to explain the importance of IAM, and differentiate between Authentication and Authorization.
Introduction:
Brief teacher-led overview of what Identity and Access Management (IAM) is and why it's vital in today's digital world.You can use this infographic to introduce the topic:
Link for image - Tools4Ever
Main Activity: Choice Board for IAM Foundations
The choice board will offer a selection of activities, and students will choose the ones that most appeal to their learning preferences. This approach ensures each student can delve into the topic in a way that resonates with their personal learning style.
1. Visual Learners:
Watch: A curated video detailing the basics of IAM.
Professor Messer - Identity and Access Management
What Is IAM? Identity and Access Management for Beginners (IAM) | IAM for Beginners | Simplilearn
Create: Design an infographic that explains the difference between Authentication and Authorization.
2. Read/Write Learners:
Read: An article or website about the foundational concepts of IAM.
US Department of Defense - Identity and Access Management
8 Best Practices for Identity and Access Management
Write: A brief essay or summary explaining the key takeaways from the reading.
3. Kinesthetic Learners:
Explore: A virtual lab or simulation where they can interact with basic IAM controls.
Construct: A flowchart or diagram showcasing the process of authentication followed by authorization.
EMates - Biometrics
EMates - Configuration Management
4. Auditory Learners:
Listen: To a podcast episode or an expert talk on the foundational concepts of IAM.
Discuss: Participate in a group discussion or debate on the importance of robust IAM systems.
Identity, Governance and Administration
Possible Podcast - ManageEngine’s IAM Podcast Series
Let’s Talk About Digital Identity
5. Social Learners:
Interview: A professional (either arranged by the school or online) about the real-world applications and challenges of IAM. Consider using one of the professionals who has already been in the class to be an industry expert.
Share: Insights from the interview in a short presentation or a forum post.
Assessment:
Students will submit their chosen deliverable (infographic, essay, flowchart, discussion points, or interview insights) for grading. They will also provide a reflection on what they learned, ensuring they touch upon the lesson's key objectives.
Closure:
Class discussion where students share some of the most surprising or essential points they learned from their chosen activities. This allows for a rounded understanding as students gain insights from the various choice board tasks.
NetLab+
(2 Days)
NetLabs is an advanced virtual lab environment that allows students to engage in practical, hands-on learning experiences in a controlled, virtual environment. It supports various cybersecurity exercises, including network configuration, security testing, and system administration. To end this Unit, have students log onto NetLabs and complete Lab 03 - .Create and Manage Users in Linux and Windows and Lab 05 - Hashing Tools in Linux and Windows..
Lesson 2 - Authentication Methods
(2-3 Days)
As with the previous lesson, the choice board will offer students multiple avenues to explore the topic of authentication methods based on their learning preferences. Have students choose a DIFFERENT method from lesson 1 to experience learning using a different type of resource.
1. Visual Learners:
Watch: A curated video explaining different authentication methods, including biometric, multifactor, and single sign-on (SSO).
SAML, Single Sign On and Multi-Factor Authentication – Part 1, An Introduction
Professor Messer - Authentication Methods
Create: An illustrated comparison chart showcasing the pros and cons of each authentication method.
2. Read/Write Learners:
Read: A case study or an article focusing on a real-world scenario where a particular authentication method was critical.
Exploring Biometric Authentication: From Basics to Case Studies
From Friction to Flow: Journey in Redefining User Authentication — A Case Study
Write: A reflection on the case study, explaining why the chosen authentication method was suitable for that situation.
3. Kinesthetic Learners:
Explore: An interactive online module or quiz where students identify the authentication method used in various scenarios.
EMates - Access Control
Article - The Evolution of Authentication Methods (use screen read)
Construct: A storyboard or scenario where they have to implement the most suitable authentication method for a hypothetical company.
4. Auditory Learners:
Listen: To an interview or a panel discussion where experts discuss the evolution and importance of authentication methods.
Passwords to Passwordless - Evolution of Authentication
Digital Commerce - Authentication and Access Management with Paul Trulove
Discuss Key insights in breakout sessions or through an online discussion board.
5. Social Learners:
Collaborate: With peers to create a skit or role-play demonstrating the application of different authentication methods.
Share: Their performance or its script, and the insights they gathered from the collaboration.
Assessment:
Students will submit their chosen deliverable (comparison chart, reflection, storyboard, discussion insights, or skit/script) for grading. An added reflection piece on their understanding of authentication methods will also be required.
Closure:
A class-wide sharing session. Students can showcase what they've created or discuss what they've learned. A Q&A session can also be included to clear any doubts.
Extension:
Students can explore emerging trends in authentication methods. For instance, looking into how biometric authentication is evolving with advancements in AI, or the implications of quantum computing on existing authentication protocols.
Article - Tomorrow’s Quantum Computers Threaten Today’s Secrets
Article - Quantum Computing: Implication for Security Professionals
Video - Quantum Computer Threat on Digital Infrastructure
Lesson 3 - Authorization Concepts and Controls
(2-3 Days)
Objective: By the end of the lesson, students will understand various authorization concepts, such as RBAC, MAC, and DAC, and how they're implemented in real-world scenarios.
Introduction:
Brief teacher-led introduction to authorization, the difference between authentication and authorization, and why both are crucial in IAM.
Have students come up with synonyms for Authentication and Authorization.
Image Link - OKTA
Main Activity: Interactive Learning Pathways
For this lesson, students will embark on personalized "learning pathways". Each pathway is a sequence of tasks or activities designed around a specific learner preference.
1. Creative Pathway (for Visual and Artistic Learners)
Infographic Creation: Students will use a digital tool (Canva, Piktochart, etc.) to create infographics that explain the differences and uses of RBAC, MAC, and DAC. Begin by researching, gathering information, organizing thoughts, selecting a platform and creating an infographic.
Create the infographic and share with other students in the class.
2. Collaborative Pathway (for Social Learners)
OPTION 1 - Group Project -: Small groups work together to develop a company's authorization protocol using the concepts learned. Begin by researching known protocols. Identify key steps in the process. Brainstorm how the group will roll out the plan for the company. Develop the plan and illustrate.
OPTION 2 - Group Project - Explore what your school currently has in place with regards to authorization and give recommendations for future policy.
Peer Teaching: Each group gets a sub-topic (e.g., just RBAC or just DAC), becomes an "expert" on it, and teaches it to the class.
3. Investigative Pathway (for Research-Oriented Learners)
Research Assignment: Students will look into the latest advancements or challenges in the field of authorization controls. Research, identify key concepts, and develop a plan to share with the class.
Present Findings: Either through written reports, presentations, or short videos.
Assessment:
Based on the chosen pathway, students will be evaluated on their simulation decisions, discussion contributions, infographics, group projects, or research findings. Each student will also submit a short reflection on what they learned from their chosen pathway and how they see the application of these concepts in real-world scenarios.
Closure:
A feedback session where students share their experiences with their chosen pathways. A few students from each pathway present their learnings to offer varied perspectives.
Security+ Exam Preparation
(2-3 Days)
Overview: In Unit 1, we introduced you to Professor Messer and his 121 videos that will help prepare your students for the Security+ certification. Have students review the videos for Unit 5 from the Cyber Video List and pick out a couple to review that either clarify their understanding of a topic or introduce them to a topic they were unaware of from Unit 5.
Also, students should start to develop a learning plan that specifically targets the Security+ examination. Not waiting until the summer will allow them to be well-prepared if they decide to sit for the Security+ certification. Consider sharing a process like the one outlined below with students and start to work as a class on accomplishing some of these steps. This 5-step process will be included in the remaining 8 units, so focus only on Step 3 for this unit.
Preparing for the CompTIA Security+ certification requires a structured approach to cover all the necessary topics and gain the required skills. Here's a five-step process to help a student prepare effectively:
Step 1: Understand the Exam Objectives
Download Exam Objectives: Start by visiting the CompTIA website and downloading the latest Security+ exam objectives. This document outlines all the topics you need to study.
Familiarize Yourself with Domains: The exam covers several domains such as threats, attacks and vulnerabilities, technologies and tools, architecture and design, identity and access management, risk management, and cryptography and PKI. Get a good grasp of what each domain entails.
Step 2: Choose Study Materials
Select Study Guides: Invest in reputable study guides designed for the Security+ exam. Look for books authored by industry experts.
Online Courses and Videos: Utilize online platforms like Udemy, Coursera, or LinkedIn Learning for comprehensive video courses.
CompTIA Resources: Consider CompTIA’s training materials, including e-books and interactive learning tools.
Step 3: Practical Application and Labs
Hands-On Practice: Set up a home lab or use virtual labs to practice. Tools like VirtualBox or VMware can be used to create virtual environments.
Apply Concepts: Apply what you learn in real-world scenarios. For instance, configure a firewall or set up a basic network security protocol.
Step 4: Practice Tests and Exam Simulations
Take Practice Exams: Regularly take practice tests to assess your knowledge and get familiar with the exam format. Websites like ExamCompass and Crucial Exams offer free practice questions.
Review Weak Areas: Identify areas where you score less and revisit those topics for a thorough understanding.
Step 5: Join Study Groups and Forums
Participate in Online Forums: Join forums like Reddit’s r/CompTIA or TechExams.net to connect with other aspirants and professionals.
Study Groups: If possible, join or form a study group with peers. Group studies can provide diverse insights and explanations for complex topics.
Additional Tips:
Regular Revision: Make a habit of revisiting topics regularly to ensure retention.
Stay Updated: The field of cybersecurity is always evolving. Stay informed about the latest trends and updates in the industry.
Time Management: During the exam, manage your time efficiently. Practice completing practice exams within the allotted time.
Remember, consistent effort and a well-structured study plan are key to completing the CompTIA Security+ certification.
Lesson 4 - Password Policies and Management
(1 day)
Objective: By the end of the lesson, students will understand the importance and best practices of password policies, including complexity requirements, password length, and password expiration.
Introduction:
Discussion Starter: The teacher presents a recent news article or case study about a major data breach due to weak passwords. A brief discussion on students' personal experiences and perceptions regarding password strength.
Direct Instruction:
1. Importance of Strong Passwords:
Statistics and facts highlighting the vulnerabilities of weak passwords.
Real-life consequences for companies and individuals when password security is breached.
Image Link - Statista
2. Password Policies Explained:
Complexity Requirements: What does it mean and why is it needed? Discussion on the combination of uppercase, lowercase, numbers, and symbols.
Password Length: How length can drastically increase the number of possible password combinations.
Password Expiration: The rationale behind changing passwords regularly.
Common Attacks on Passwords: Brief on methods like brute force, dictionary attacks, and phishing.
3. Modern Trends in Password Management:
Use of passphrases instead of passwords.
Two-factor authentication and its increasing adoption.
Guided Practice:
1. Analyzing Password Strength:
The teacher showcases a variety of passwords (from weak to strong). Students are prompted to rank them and justify their rankings.
Use of online password strength checkers to demonstrate how different passwords hold up against potential attacks.
Password Strength Test
Test your Password Strength
How Secure is my Password
2. Role Play:
In pairs, one student plays the role of an IT administrator advising an employee (played by the other student) on how to create and maintain strong passwords based on the company’s policy.
3. Password Creation Activity:
Students are given different scenarios (e.g., a bank employee, a school student, a top-level executive) and are tasked with creating suitable passwords. They then justify their choices based on what they've learned.
Closure:
The teacher summarizes the main points of the lesson. Finish with a brief open forum where students can ask questions or share any lingering thoughts on the importance of robust password policies.
Homework/Extension:
Ask students to review and potentially update their own personal password practices.
Research on popular password managers and their benefits.
1Password
LastPass
Keeper
Lesson 5 - Identity Management and Directory Services
(2-3 days)
Objective: By the end of the lesson, students will have a comprehensive understanding of identity management concepts, including identity proofing, identity verification, identity federation, and directory services such as LDAP and AD.
Introduction:
Discussion Starter: The teacher starts with a scenario: "Imagine trying to enter a highly secure building. What ways can the security ensure you are who you say you are?" This ties into the concept of identity verification in digital spaces.
A quick poll: How many students have heard of LDAP or Active Directory? Gauge the class's familiarity with the topic. Create a chart on everything the students know. (Could even go with a KWL chart)
Direct Instruction:
1. What is Identity Management?
Explanation of identity management and its importance in maintaining security.
Discussing the difference between identity proofing and verification.
Introducing the concept of identity federation and its role in modern digital ecosystems.
2. Directory Services Explained:
LDAP: What it stands for, its primary uses, and how it ties into identity management.
Active Directory (AD): Explanation of Microsoft's AD, its functionalities, and why it's prevalent in many enterprises.
LDAP VS. AD: What’s the Difference
This is a good opportunity to get your school district’s IT department involved into your cyber course. Reaching out and having a representative from the IT department come talk to the students about AD and LDAP and how these tools help the district run efficiently will help the students to grasp these concepts. It will also help build the relationship and trust with the IT department for the work you are doing with your students.
3. The Role of Directory Services in Cybersecurity:
How directory services help in user management, assigning and enforcing security policies, and auditing.
The risks associated with misconfigured or compromised directory services.
Guided Practice:
Case Study Discussion:
Break the class into three groups. Provide them with one of the following scenarios, or create your own. Students discuss what went wrong and how using robust directory services could have prevented it.
Target Example
OPM Example
SolarWinds Example
Closure:
Summarize the key takeaways.
A brief Q&A session where students can clarify doubts or delve deeper into particular areas of interest related to identity management.
Extension:
If time permits, students could be given scenarios (created by ChatGPT) and choose whether LDAP or AD would be a better option for the fake company in the scenarios. Students would have to look through the detailed table and choose 4 or 5 rows from that table and argue why they would choose LDAP or AD.
Perform
Overview: In an increasingly digital world, personal and organizational data security has never been more at risk. As burgeoning cybersecurity consultants, you are tasked with addressing pressing concerns related to identity and access management (IAM) within our school, local community businesses, or national level. Your innovative contributions will help these entities understand the complexities of IAM and implement robust security measures to protect sensitive information. ALLOW STUDENTS TO CHOOSE ONE OF THE FOLLOWING PERFORMANCE TASKS:
Performance Task Choice 1: Design and prepare to deliver an interactive workshop for local business owners that covers the essentials of IAM. Your performance and materials should explain authentication methods, the necessity of IAM, and practical applications of directory services.
Research common authentication methods such as passwords, biometrics, and two-factor authentication. Describe each method and compare their strengths and weaknesses.
Understand and explain the role of Identity and Access Management (IAM) in ensuring the security of information systems and the confidentiality of data.
Differentiate between Role-Based Access Control (RBAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC). Provide examples to illustrate the differences.
Learn about directory services and discuss why they are important in managing identities within an organization.
Define identity management and discuss its significance in cybersecurity.
Plan and organize an educational workshop for local business owners, covering the topics of authentication methods, IAM, and directory services.
Ensure your workshop includes interactive elements such as Q&A, demonstrations, or real-life scenarios to engage the audience.
Create visual aids and handouts to support your presentation and help clarify complex concepts.
Rehearse your workshop presentation with peers to refine your delivery and ensure clarity.
Invite feedback after your presentation and be prepared to answer audience questions knowledgeably.
Performance Task 2: Develop a multi-faceted awareness campaign to educate the community on cybersecurity. Focus on IAM importance and practical tips for identity management, utilizing various media formats to convey your message effectively.
Identify different authentication methods and discuss each method's strengths and weaknesses.
Explain what Identity and Access Management (IAM) is and why it's essential for securing information systems.
Differentiate between Role-Based Access Control (RBAC), Mandatory Access Control (MAC), and Discretionary Access Control (DAC), including examples and use cases.
Describe directory services and their importance in managing identities within an organization.
Define identity management and discuss its role in cybersecurity.
Design a multifaceted cybersecurity awareness campaign that educates the community about IAM and identity management.
Utilize different media formats such as posters, digital presentations, social media posts, and video content for your campaign.
Provide practical tips for identity management that individuals can apply to protect their personal information.
Include references or statistics from reputable sources to support your campaign's messages.
Collaborate with group members and divide tasks based on each member's strengths.
Performance Task 3: Understand the basics of Identity and Access Management (IAM) and review existing methods like thumbprint access, facial recognition, and voice recognition.
Watch a video and read an article about IAM. Discuss the strengths and weaknesses of current IAM methods in small groups.
In teams, research innovative IAM technologies and brainstorm ideas for new methods. Consider creative and unconventional approaches. Document all ideas and potential applications.
Have informal conversations with friends, family, and community members about their experiences and thoughts on IAM. Compile notes from these conversations and identify common themes or unique insights.
Review the brainstormed ideas and conversation notes. Use a decision matrix to evaluate each idea based on feasibility, security, user experience, and innovation. Select the top 2-3 ideas to develop further.
Create detailed descriptions, diagrams, and flowcharts for each selected IAM method. Explain how each method works, its advantages, and potential challenges. Consider aspects like security, usability, and technology requirements.
Choose a format for the presentation (video, slide deck, code demonstration, etc.). Develop a compelling and clear presentation that showcases the new IAM methods. Include visual aids, prototypes, or mockups as needed.
Present the new IAM methods to the class. Engage in a peer review session where other students provide constructive feedback and ask questions. Use this feedback to refine the methods and presentations.
Make final adjustments based on peer feedback. Present the polished IAM methods to the class or a panel of judges. Write a reflection on the project, including what was learned, the challenges faced, and potential future improvements.
Assessment/Reflection Questions:
Reflecting on the identity management strategies addressed in your performance assessment, how do you think these strategies contribute to the overall cybersecurity of an entity? Can you identify one specific strategy that you think was particularly innovative or effective, and elaborate on why?
Looking at our unit on Identity and Access Management (IAM), can you analyze and share a scenario where IAM could have a significant impact on an organization's security? How might the concepts you've learned influence your personal online behavior?
Why is identity management such a vital component of cybersecurity? For the performance assessment, whether you chose the workshop or the awareness campaign, how did you apply what you learned about identity management to create your product?
What are directory services and why are they a significant part of managing organizational identities? Can you think of a situation where directory services were or could be used effectively within our school system or by a local business?
How would you explain the importance of Identity and Access Management (IAM) to someone who doesn't have a tech background? Use a scenario from your own life to illustrate why IAM is critical for protecting information systems.
RUBRIC
These performance tasks were created using designEd STUDIO, an AI-assisted tool powered by connectingEd. Visit this site to design your own authentic assessments that promote higher-level thinking and future-ready skills: https://www.connectinged.com/
Extend and Portfolio
PORTFOLIO: Add your creation from the Performance task to your Portfolio. Relate it to one of your passions or a career you may be interested in pursuing.
ParadigmCyber 2 Portfolio
Category
Evidence, Artifacts, or Information
Passion
Strengths, Careers of Interest
Example: Interested in career in Forensics or Red Teaming (Unit 1 Activity)
Example: Strengths: Cryptology and OSINT
Curiosity
Areas of interest, Evidence of pursuing curiosities, Experiences that highlight pursuing interests
Example: Extension project on Bitcoin theft
Example: Attended College weekend cyber workshop on Malware
Example: Github project
Performance
Competitions
Competitions
Certifications, Badges, Credentials
Projects
Example: NCL Scouting Report
Example: Paradigm CTF
Example: CyberStart
Example: IBM SkillsBuild Cybersecurity Fundamentals
Unit 3 Performance task