
I'll Complete My Threat Model Later Mom! Infosec in Middle School

BSides Charm · 2019 · 24:56 · 10 views · Published 2021-05
Category: Community
Difficulty: Intro
Style: Talk
About this talk
A middle-school computer science teacher shares curriculum and lesson strategies for integrating security education into STEM. Drawing on resources from DefCon, EFF, and the NSA's GenCyber program, the talk covers hands-on units in passwords, malware, cryptography, and social engineering, alongside state-level initiatives in Maryland to prepare the next generation of security professionals.
Original YouTube description
I’ll Complete My Threat Model Later Mom!: Infosec in Middle School

Through education, students can become more aware of the security threats around them and potentially become inspired to pursue a career in security. In this talk, I will briefly explain about CS and security initiatives taking place right here in Maryland. I will share my lesson resources and comment on how the industry can help with these initiatives.

Presenter: Ashley Benitez Smith (@mrs_a_smithFCPS)

Ashley Benitez Smith is in her seventh year of teaching middle school in Maryland. She has been teaching Career and Technology Education classes for five years and likes her job most days. Ashley wishes to bring security into STEM curricula to inspire the next generation of security professionals. She also wants to educate students about security to prepare them for an ever changing digital landscape. Ashley has attended a few security conferences and has helped with events at Defcon.
Transcript [en]

um

eighth grade tech ed um eighth grade i teach for engineering seventh grade is where i teach computer science and then sixth grade is kind of exploratory where it's a hodgepodge of the other two classes so um these are my certifications i'm actually certified in secondary english seven through twelve middle school english in language arts four through nine and then technology education seven through twelve um my education background i'm currently seeking my master's of science and curriculum instruction um with a focus on blended computer science and i'll talk more about that term later on in this talk um at hood college and then i received my bachelor's of arts in 2008 in english literature with a little focus

of 20th century american lit and poetry at umbc just down the road yeah go dogs um and the reason why i'm showing you this is because a lot of new cs teachers are in maryland especially are coming from other fields and other backgrounds of certification so i am very new to teaching computer science and also you know the infosec community um the whole reason why i fell into security and education is because i attended defcon way back when in defcon 20. um and i kind of fell in love with community really liked picking locks at the lockpick village and really just enjoyed meeting people and just all the stuff that you guys do is just

amazing slightly terrifying sometimes but also really awesome and so i kind of wanted to bring that into computer science education um so i'm going to talk about some of the initiatives that are happening right here in maryland it's kind of an exciting time governor larry hogan signed on with i think about 38 other governors to with a computer science education initiative to bring computer science and security education to public schools and that's going from kindergarten all the way to 12th grade and we're in i believe our second or third year of implementing such an initiative it's gonna be a little bit but you know things take time um and with that we have a few initiatives statewide that um are

helping develop curriculum and you know getting teacher training professional development off the ground so maryland just came out and it was just approved the k-12 computer science standards um they are heavily based on the csta k-12 framework but um the maryland maryland standards differ a little bit we did different bands with different standards so um like you know we just kind of configured where our class is lined up with where you know with um when children take them so your students take them so to speak um and the maryland center for computing education that has um been at the forefront of developing a lot of this curriculum and a lot of this professional development um it was already initiative that was

started by the university of maryland uh campus system and it just kind of evolved to include more i guess k-12 educators in the process so um some of the highlights for the initiative and like timeline major timelines high schools are to offer cs courses by 2022 and a lot of school districts are you know making sure that they offer a sequence of uh cs courses for students and then overall k-12 cs courses you know and or content depending um by 2027 so there's still some time there and then cs teachers so teachers like myself will have to eventually be certified in computer science by 2030 so i decided to get started on that a little bit earlier by

taking discrete math next term so that's going to be fun um and we have the baltimore digital harbor foundation that has partnered a lot with some of these initiatives and these grants that districts have been getting and going out and providing professional development um on something as simple as like teaching scratch or teaching robotics and they have been a really great um you know resource and a really you know awesome team to come out and work with teachers um so with that in maryland um there's also a very heavy focus for security or as it's dubbed in the standards cyber security i know that term is not necessarily the best but you know it's catchier than

infosec or hacking parents kind of like that a little better cybersecurity that sounds great um so the nsa and this is by no means a comprehensive list of everything that's out there this is just what i have experience like looking at in terms of resources so the nsa has created gencyber which is kind of a middle school high school like resource um and the cryptologic museum foundation they actually have started work on a new building and they are creating the cyber center for education and innovation or ccei which you know in education we love acronyms so they are actually developing curriculum for security um in high schools which is really great and that's supposed to get off the

ground within the next year or so as well um there's also a lot of local ctfs magic ctf one of the great sponsors of this wonderful conference they actually have they're based out of westminster maryland and they hold ctfs designed for middle all the way through college students my little ctf team just competed in their first in-person ctf a couple weeks ago at the local library in frederick county and that was a really fun experience for them and seeing how i guess you could say the college kids work in the ctf they were really excited um and then there's cyberpatriot there's cyberpatriot high school teams popping up all over the place i know we have one

in frederick county that made it pretty far this year and there's tons of symposiums and conferences that feature security or cyber security as one of their talks and i usually go to those uh i usually go to those sessions at least when i can so one of the i guess problems that i've encountered going through this and granted it's still very you know new is a curricular development is for mainly high school and post-secondary education higher education um with the sequence of classes with um a lot of districts have career and technology centers where they feature like the cisco uh certification courses and you know there's been talk of putting in even more credentials to eventually get more

certifications in the field and that's great that's awesome for high school students except there's little to no resources for the middle school kids um any answers i've really received on this has been well it's in development or we're working on it here's you know you can do a fun game or flash at you know game activity and i'm like that's not really good enough for me um so what do i do how can i you know teach students about security in middle school that's appealing to them because middle school and high school students are completely different students um if you've ever encountered a middle school student you would know um so i get this idea that hey you know

what maybe i should create and cobble together a security education unit for my seventh graders um and i kind of came up with this idea in the summer of or two summers ago and then i was really lucky enough to get a ticket to shmoocon and then i kind of just sat there in the lockpick village and asked a bunch of people hey so what should i teach seventh graders about cybersecurity and all that stuff and from those conversations and just doing some research i cobbled together you know a bunch of lessons and units so to kind of go before i talk about the actual unit i want to kind of give a little background on my class

um and i am in the teaching philosophy of blended learning so i teach my computer science courses a blended computer science class and what blended learning is is kind of combining educational technologies with traditional teaching methods so we dub it the sage on the stage kind of like how i'm talking to you right now instead of having that like lecture mode students um can kind of have choice in what they learn there's room for failure granted not too much failure but you know if their program doesn't work they're not going to get an f you know they won't get 100 but they're not going to fail because they don't have a working program um and it's more project-based learning

more hands-on building stuff potentially breaking stuff hopefully not too much breaking stuff but um allowing students to kind of take control of their education and personalize it for them you know so they can get out of it what they want that's how i kind of run all of my classes especially for computer science and this has is a very new class i was one of the pilot teachers for a lot of these courses you know that's i guess what happens when you raise your hand during a meeting say hey we should change how we do things and they go okay cool so you're gonna help um and so eventually our seventh grade old seventh grade tech ed course

became computer science investigations or csi for short yeah that was not on purpose i'll admit that um and this was last year's sequence so how i split my classes up first half of the year i cover programming um and i allow my students to choose their programming language because despite my lack of programming knowledge i shouldn't hold back a student from reaching their full potential so um you know javascript python scratch you know the blockly programming language from code.org students have that choice and what they're comfortable with um and then the second half of the year i kind of dub it as an application semester so that um you know we do robotics last year was a

research project we did data and encryption and then i kind of tacked on security education or i dubbed it cyber security because you know parents like that term and um i kind of ran out of time unfortunately to do everything i wanted to do so year two which was is this year um i decided to you know still do my programming unit but then i cut it a little short mainly due to my classes i guess fatigue because they worked really tight they worked really hard um and after winter break in january that's when i decided to start the security education unit um so it kind of transferred over to my classes year-long class where some

classes are only half year so it kind of transferred over to the next semester um and then that wonderful thing called snow and ice got in the way and delays and closings later um i kind of had to recalibrate some of its content so then i kind of put cryptography with data and encryption and you know that worked out pretty well and now currently we're in hardware and circuits and eventually we'll get to that end of the year project so this is what my security education unit looks like um i start off with a pre-assessment or a security breakout edu breakout edu is kind of like an escape room combined with like a ctf kind of format

so students kind of have different puzzles that are based on these lessons just to assess what they know and to see if they can kind of problem solve and maybe even like brute force a couple of the answers um and just what they pick up so that's and then i do like a reflection afterwards and um you know students get that frustration and i have to constantly remind them it's okay if you don't know this you know we're gonna learn it like just tell me you don't know it on your reflection page please don't crumple that up please don't get mad um you know sometimes students go i'm gonna rage quit and you're like no please don't especially

with the computer mouse um and then after we do that we get into um the unit lessons itself so i first start off with passwords and personal identifiable information or pii and i have i did not create this one from scratch i adapted a lot of the lessons the stuff i do in this unit from the eff security education companion which thank you eff for that that's really great um and i adapted it down for middle school and kind of turned it into a station rotation where my students go and do a different activity learn about password strength or about multi-factor authentication i um give a mini presentation about brute forcing and kind of identifying pii um and then they

go and then at the end of this lesson set they then um analyze somebody who was hacked via and like got their social media pages compromised they look for the pii and potential like password information that could be exposed on social media um and then we go into malware and i have a couple different things depending on the class like they can make a video um educating like elementary school kids about different types of malware or they can do like an infograph i kind of like to give a little choice and a little more creativity because not all of my students you know some of them took my class by choice some of them that was the only

thing left in their schedule so i so i try to make sure that i'm um i'm putting more i guess interests and hobbies you know for more artistic students in there and then my personal favorite social engineering which i swear is about 50% of my job some days i adapted information and research from the social engineering village um from defcon really great resource love what they do um and the eff security education companion so i took those lessons and scaled it down for middle school students which starts off with i actually um do a phishing attack on them via a paper survey and you know you would think that students would kind of catch on we're

doing a security education unit i'm giving them this random survey that like you know makes no sense and asks a whole bunch of weird questions like what's their fortnite uh handle and um you know every year i've done this every student on that survey has been compromised or they had something exposed in that um in that simulation and after they feel betrayed and like hurt because at the class after i tell them hey no actually guys no one's getting prizes from the survey um we then go into social engineering and i go over the six principles and they reflect on how the process of how they like filled out that survey and they kind of come to realization like oh

wow i really didn't i just kind of filled this out um and usually i have a student like well you're a teacher we're supposed to trust you and i said yeah you are but someone could pose as me and i'm a trusted figure and it could look like an email that i have and that's what you have to watch out for because your primary target because whose data are you connected to besides your own oh my parents yes so um social engineering is where i really see students start to kind of everything kind of clicks you know because password and you know malware and viruses they they kind of have that through digital literacy lessons but when you really

start to get into like social engineering part they really start to put it all together and they go wow this is kind of cool and slightly scary but hey it's all good um and then we get into cryptography which they love solving all kinds of ciphers and puzzles and everything and anything i kind of wish i put more history into it but again with such a short time frame and short class time i only teach for 45 minutes a day before this class um i can't do everything i want unfortunately and then i end with current events and i try not to get too like hyperbolic when i go over certain events because i usually do like certain events for warm

up when we talk about different data breaches and stuff and i try not to go oh no this is terrible error error danger will robinson right um so and i have students look at you know different uh i guess data breaches and stuff like that throughout the last like five or so years and they do kind of a research presentation based on that and that's kind of new because i didn't get to the end of this particular unit last year so um they had a really good time with that i didn't want to do careers because they get a lot of like career focused research and some of them you know research security careers and i

didn't want to like step on toes of other you know class areas time all right doing good so um what is the point of all this besides the fact that i want to teach this um i feel like education and you know the security communities we can collaborate and make this like really awesome um sharing resources if you get my business card or take a picture of the last slide i give you a link to all the lesson resources i'm still organizing them and formalizing them but all the things are there if you want to pass this along to a cs teacher or any teacher or after school club or whoever you think can benefit from this

um i am all about free as well that's a great price especially for teachers price of free so um you know just hand it out and let people like go wild with it um inspire the next generation because no offense to anyone in this room but we're not getting any younger and we're going to need a you know with the digital natives you know becoming and going into the workforce and you know making an impact on the world we need like those problem solvers we need them to have the computational thinking skills to think outside the box and like try to prepare for new threats that we don't even know about yet so that's another thing and besides that

i'm kind of in the boat of security knowledge for everyone will all my students go off to be security professionals no i don't expect them to um regardless of what they do after high school whether it's two year four year college whether it's vocational trade whether they go right into the working force i want them to have the knowledge about security um because that's what i hear a lot you know i have a lot of friends that work you know for contractors and you know i hear some complaints about you know well the user the user that kind of thing well we start educating the user we start just putting this into our curriculum and making it a thing just like

math or reading then we're going to have more secure you know general public um so i i love to teach this to anyone and anybody um it also helps that my classes are homogeneously mixed so i have the students who can go you know just program something in javascript on their own uh versus students who um you know don't need i guess you could say support systems to learn like math and science and you know some of those students really excel and it's really awesome to see that um professional development so like i said i am currently not certified in computer science working on it um but if maybe conferences or organizations can have a for

educator section that really helps us because we can just go oh hey for educators and then even if it's just a link of resources like awesome um in education we always try not to reinvent the wheel because sometimes we don't have time to even you know plug in our computers and get stuff going before class starts um so having that four educators section in any sort of material any conference section is really great it really helps us out as teachers um teacher scholarship for conferences i'm really lucky and i guess really privileged not to be able i don't have to work during the summer to make ends meet i choose to um because i'm involved with

curriculum writing but a lot of teachers out there um don't make enough during the school year and they have to get sometimes two or you know two jobs in the summer time to be able to you know pay rent and stuff so there's probably a lot more teachers out there who are really want to teach this and if you can give them an educational opportunity because we view ourselves as students and lifelong learners um and scholarships that's awesome that would be great i'll probably also apply for at least one but um mentor and volunteering and trust me i'm a teacher i know about the um you know one more thing syndrome like that's about that's probably somewhere in my

teaching contract um local and school initiatives there are a lot of clubs popping up a lot of programming clubs a lot of ctf teams going in high school and even in middle school and um you can be a mentor and volunteer for that you may have to do some volunteer training because a lot of school districts have that you can't just walk and say hey i want to volunteer um but if you can like impart your knowledge on students and help a teacher to do that or help run a club or a hacker space anything um that would be great even just going and doing a career day talk like we have them in middle school and

high school and in elementary school and there's lots of middle and high school ctfs popping up i know sometimes infosec twitter can be an interesting place but a lot of the online ctfs that my students have participated in is because i found tweets like kind of just signal boosting them so if you have a resource page where you can list all the different types of ctf for middle and high school students and please make sure you differentiate between the two because there are you know with coppa and everything we have to make sure that their data is protected and we get the permission slips out and stuff like that um that's awesome and you know just

volunteering your time so with that i have about five minutes left are there any questions okay any questions concerns comments yes

um more middle school let's see the magic ctf was actually really good and like especially if you get to an in-person um ctf that's great because my middle schoolers they've only done online ones and they had a blast and they actually learned a lot talking to some of the college students um so don't be afraid if it's you know middle through college like you can some you know you can sometimes run circles around some of these college students um and then neverlan ctf is another one that my students participated in and they really enjoyed that um i also got a question unfortunately dating myself of what the movie hackers was so that was a fun talk and then of

course they all wanted to go home and watch hackers and i was like please don't say miss smith told you to watch hackers for homework um um and those are the those are the two that my students have done and i know there's another one um that maryland is pushing uh i think it's more high school i'm not sure if they're eventually going to middle school i think it's girls um who's cyber or something to that effect and they it can be a team of boys and girls but the girls essentially have to um be the forefront of the team so to speak they have to be like the majority of the team um so there's a lot of different ones

popping up like i said and you know if you're interested in starting a middle school ctf team like there's there's probably a teacher that or someone that will help you run it so because that's how my ctf team got started my students just said when they were doing the security unit hey so can we like do this ctf stuff and i was like well do you want to and i was like they're like yeah i was like okay sure let's do it and you know obviously i told my principal afterwards by the way i'm putting together an ethical hacking team that's cool right and thankfully i do have an administration that is very um is very flexible and really open to

different types of like clubs and with that so they've been really supportive throughout this whole process yes oh yes that's my next slide so there's my resources also on my business card if you want to get one of those um and that's all my information so if you're like hey this doesn't make any sense or you know hey um i had a teacher who made this really awesome um you can email me that's my twitter account it has changed since the program was printed so i apologize for that yay social media policies um and then that's the resource link so that will hopefully take you to um the folder where i i've housed all of

these resources um they can be digital they can be on paper um yeah so that that's the slide also on my business card if you want it i'm very proud of that design any other questions all right well thank you guys so much this is great people came to my talk yay

all right okay