Unit 6

How David Eaves teaches Unit 6 (part 2)


Security and the Challenge for Government IT

What is this page?

This is a detailed breakdown of how David Eaves, a Lecturer at the University College London's Institute for Innovation and Public Purpose (UCL IIPP), teaches the contents of Unit 6 of the open access syllabus developed by Teaching Public Service in the Digital Age. Read here how part one of Unit 6 is taught.

This page is part of a series of twenty-five classes that David developed originally for the Harvard Kennedy School's master and executive education programs, where he taught for eight years, and are now taught at UCL's master and applied learning programs.

We believe presenting diverse ways to teach the syllabus will help others adopt and teach the material in various contexts.

Who is this page for?

This page was developed for university faculty who teach public administrators or master's levels students in public policy and public administration. This material may also be suitable for teaching to upper year undergraduates.

Class Overview

In the previous class, the guest lecturer Bruce Schneier introduced a few ideas about cybersecurity, most of them challenging some widespread visions about the topic, such as the promises of online voting, the relative importance of privacy versus security and how to go about distributing or concentrating risk.

After the introduction, students are usually left with the question of how to structure their cybersecurity strategy and prioritize their resources. This class explores some tools that help guide these decisions, such as the threat model and security cards.


This Class' Learning Objectives

By the end of this lecture students should be able to:

  1. Run a threat modeling exercise

  2. Understand that there is often a trade-off between the harm prevention measures built into a system and its accessibility and usefulness

How this class relates to the Digital Era Competencies

💡 This class has a specific focus on Competency 2 - Risks. See all eight digital era competencies here.

Assigned Reading and Practical Resources

As they work through the readings in advance, students should have in mind the following questions to help them prepare for class:

  • The security cards provide an overview of the types of motivations and resources of someone trying to gain unauthorized access to data in a system or computer (referred to below as an “attacker”). The goal in reading the cards is to enable you to better imagine who potential attackers may be and place yourself in their shoes. After reading the cards, were any of the cards' descriptions surprising or unexpected?

  • The second reading provides a window into how an attacker might analyze how to attack a city. What have you learned about thinking like an attacker?

Core Reading (Required)

Security Cards: security threat brainstorming toolkit (overview) and downloadable security cards (2013), Toolkit developed by Tamara Denning, Batya Friedman, and Tadayoshi Kohno for the University of Washington

Pen Testing a City (2015), Article by Gregory Conti (West Point), Tom Cross (Drawbridge Networks), and David Raymond (Virginia Tech) for Black Hat

Advanced Reading (Optional)

Threat Modeling: Designing for Security (2014) Chapter 1, pp. 3–28, Book by Adam Shostack

Inside the Cyberattack that Shocked the US Government (2016), Article by Brendan I. Koerner for Wired

NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history (2017), Article by Chris Graham for The Daily Telegraph

Security of Password Managers (2014), Blog Post by Bruce Schneier

Is It Safe to Use a Password Manager? (2017), Article by Cara McGoogan for The Daily Telegraph

Security Starter Pack: Assessing Your Risks, Guideline by Electronic Frontier Foundation

Detailed Class Breakdown

Class plan: 75 minutes

See David's slides for this class.

The segments below describe the dynamics of each part of the class. The videos were edited to only display the most relevant parts of each segment:

Segment 1 - Threat Modeling: Introduction – 10'

Purpose of this segment

One important method to prepare for an "attack" is 'threat modeling.' Threat modeling is the process of identifying the objectives and vulnerabilities of a system so as to concentrate efforts and resources on protecting it best. In this context, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack). That said, while not discussed in this class, one should also consider incidental events (such as the failure of a storage device) that can equally compromise the assets of an organization.

One element of threat modeling is trying to understand the motivations and capabilities of an attacker.

The goal of the exercise, which can be conducted by students (or public servants), is to attempt to put themselves in the shoes of a possible attacker. Identifying the motivations of plausible attackers allows one to then think about what resources they might have at their disposal, what goals they might have for an attack, and how they might go about targeting an organization's vulnerabilities. Prioritizing these last three issues (goals, resources and vulnerabilities) can help public leaders rethink how they might build services or tools in ways that prevent or resist attacks, as well as how to invest time and energy to better protect existing systems.

Discussion

In this segment, David explores the idea of threat modeling and trying to view a problem from the perspective of an attacker. He starts by describing some questions to have in mind regarding security when building a system:

  • What are you building?

  • What can go wrong?

  • What should you do?

  • Is your analysis good?

One nice linkage to make to earlier course materials is that stepping into the shoes of an attacker draws on many of the same skills as taking a user-centered approach. However, instead of using empathy and understanding to create a positive outcome for users, one focuses on how an attacker might try to exploit your systems and processes to gain access.

Video of David teaching this segment

Segment 2 - A Simple Example of an Attack – 15'

The aim of this segment is to give an example of how even a non-sophisticated attack can be effective.

Purpose of this segment

Cyber attacks are often portrayed as incomprehensibly sophisticated and complex methods to gain unauthorized access to a system or data. And while sophisticated attacks do occur, more frequent still are simple, yet highly effective, attacks. The purpose of this segment is to illustrate one such simple and effective attack.

Discussion

In this part, facilitators are encouraged to showcase an example of an amateur attack. For this class, David's example is an email found in his spam folder that contained a simple attack. The attacker used only two basic pieces of information about him: a password he had used in the past and his name. The rest of the threat was psychological. The attacker claimed to have been watching David's computer for a while and to be aware of supposedly embarrassing websites he had accessed. Finally, the email ended with a request to transfer 3,000 USD to a bank account.

To make students think about the operation behind it, David asks:

  • What are the attacker's motivations?

  • How was this attack created?

  • What capabilities do the attackers actually have? What are they pretending to have?

One takeaway from this example is that it takes only small psychological tricks to make people worried and likely to fall for a false threat.

Video of David teaching this segment

Segments 3 and 4 - The Security Cards – 40'

The goal of this segment is to introduce the security cards.

Purpose of this segment

In the digital era, there are many potential sources of attack. They can vary from a bored teenager curious whether accessing a system is possible to a state-sponsored group that wants to disrupt the government's systems or access sensitive information. How do you prioritize your resources to prevent these threats? This segment introduces the security cards, which help users understand a possible adversary's motivations, resources and methods, and the human impact of attacks. By understanding those categories, a public leader will be better equipped to decide how to allocate resources and prepare for possible security attacks.

Exercise and Debrief

To introduce security cards, David proposes the following exercise: he asks students to imagine they are part of the executive team for a large city in the United States.

🔑 In conducting this exercise, David has learned (not something done in this version) that the more specific one is about the city, the better. It is also good to note that one is trying to protect the City's systems (i.e. the municipal government's) and not those of private sector actors and others in the city. David often likes to use Atlanta: a prominent city, but also one that suffered a significant cyber attack, so that the students' choices can then be compared with what actually happened.

The students are then split into groups that will analyze two categories of security cards: adversary's motivations and adversary's methods. The task is to rank the cards in each category by the likelihood of their being used against the city. David gives his students 15 minutes to discuss and type their answers into a shared spreadsheet. While there is no correct answer, the goal is to make students think differently and broaden their knowledge of common motivations and methods for attacks. In the real world, the result of this exercise would lead to a decision about how to allocate defense resources more responsibly.

Video of David teaching this segment

Segment 5 - Organizing resources and Final Takeaways - 10'

Purpose

This class introduced a few tools that help public leaders understand what might be going on in an attacker's mind, the vectors they have to attack through, and the impact they can make. But what comes next? This segment aims to provide some guidance on how to organize resources around defense.

Discussion

In this segment, David shares some ideas discussed with Bruce Schneier about activities public leaders may engage in after doing an exercise like the one above.

❓ In an ideal class, it would be wonderful to have a security expert comment on the students' work and help them map out possible steps. Again, the goal of this class is not to make students security experts but rather to expose them to the scope and depth of the security challenge and provide them with some tools to think about the issue.

  • Task 1: Do a stakeholder map - Understand what people and institutions could be impacted by an attack

  • Task 2: Prioritize - Not all threats are equal, and prioritizing involves trade-offs. For example, there is a real trade-off between security and usability, and sometimes increasing security makes users worse off. Requiring users to include numbers or special characters in their passwords may make for harder-to-replicate passwords, but it also makes for harder-to-remember passwords, sometimes impeding people's ability to access a service.

  • Task 3: Ensure resources are allocated wisely - What are the variables that you control?

    • Usually, the variables that can be controlled are: i) the data you collect; ii) time and money allocated towards security; iii) user experience; iv) how fast you learn about positive and negative behavior

Finally, the main takeaways for this class are:

  • Security dilemmas are everywhere

  • Security decisions are a balance exercise between different threats, costs and benefits, and accessibility decisions

  • Working in diverse groups improves security strategies and thus outcomes

  • There are lots of tools, like threat modelling, that can help

Video of David teaching this segment

Common questions from students faculty could prepare for:

- What types of skills does a team need in order to tackle different categories of attacks?

Next Classes

How can you get support teaching this unit?

We're dedicated to helping make sure people feel comfortable teaching with these materials.

Send a message to mailbox@teachingpublicservice.digital if you want to book in a call or have any questions.

You can also connect with David on LinkedIn.

What are your rights to use this material?

We have developed these materials as open access teaching materials. We welcome and encourage your re-use of them, and we do not ask for payment. The materials are licensed under a Creative Commons Attribution 4.0 International License.

If you are using any of our syllabus materials, please credit us on your course website using the following text:

We are proud to use the Teaching Public Service in the Digital Age syllabus in our curriculum and teaching. Developed by an international community of more than 20 professors and practitioners, the syllabus is available open-source and free at www.teachingpublicservice.digital

Why was this page created?

This teaching material forms part of the Teaching Public Service in the Digital Age project. Read more about it here.

Acknowledgements

David Eaves would like to note that this material was made possible by numerous practitioners and other faculty who have generously shared stories, pedagogy and their practices. David is also grateful to the students of DPI 662 at the Harvard Kennedy School for enriching the course and providing consent to have the material and questions shared. Finally, an enormous thank you must be given to Beatriz Vasconcellos, who helped assemble and organize the content on this page.