A 100-Day Home Study Plan for Cyber (with CPE Credit)

Thomas Carlyle once said that “our main business is not to see what lies dimly at a distance, but to do what lies clearly at hand.” This seems prescient for the times – and I hope it can bring a bit of upbeat energy to such a bleak period in our world.

I’m expecting that we’ll all be home for the next 100 days. If you’re reading this in early April, then that takes us all to mid-June. I hope this estimate doesn’t alarm you – but it pays to be realistic in our planning in the hopes that Mother Nature offers us a pleasant surprise.

And like the carpenter who thinks everything looks like a nail, as a lifelong college professor teaching cyber security, I think all of you resemble prospective students – albeit ones that truly need some cheering up. (And please focus on stats: The survival rate for COVID-19 is good.)

So here is what I propose: I will list below 100 learning modules on cyber security – most of them readings or videos, that you can do every day from now until mid-June. All materials come from publicly accessible sites, and most do not violate (ahem) any T’s & C’s.

Then, once we reach Chocolate Ice Cream Day (really, look it up), you can message me on LinkedIn with the hours you spent. I will happily send you a Continuing Professional Education (CPE) credit certification. (Each module should take about half an hour.)

I hope you decide to take me up on this, because at the end of the 100 days, I assure you that you’ll be smarter and more informed on cyber security. If this doesn’t happen, then what the heck – at least it will help pass some time.

Below are the learning modules. Cut-and-paste them into a file and print. Then tape the list on your computer monitor, right next to your VPN password. Good luck – and keep me posted over the next 100 days. I’ll check back in with you in June. Stay healthy and positive.

-------------------cut here -----------------------

1. Read blog on how firewalls work: https://cybersecurity.att.com/blogs/security-essentials/explain-how-firewalls-work-to-me

2. Watch video on RSA Algorithm: https://www.youtube.com/watch?v=4zahvcJ9glg

3 - 4. Read “Reflections on Trusting Trust” (two-day process) (https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)

5. Read Paper on Zero Trust: https://www.tag-cyber.com/downloads/Evolution-of-the-Zero-Trust-Model-for-Cyber-Security.pdf

6. Watch video explanation of Diffie-Hellman: https://www.youtube.com/watch?v=pa4osob1XOk

7. Watch video on surveillance detection of spies: https://www.youtube.com/watch?v=qhkJ6sY2mW0&t=76s

8. Spend 30 minutes on Brian Krebs’ site: https://krebsonsecurity.com/

9. Watch Ted Talk on Cyber: https://www.ted.com/talks/nick_espinosa_the_five_laws_of_cybersecurity?language=en

10. Watch address on State of Cyber 2018: https://www.youtube.com/watch?v=yYohsNewMqk

11 - 12. Read “The Birth and Death of the Orange Book (two day process) https://www.stevelipner.org/links/resources/The%20Birth%20and%20Death%20of%20the%20Orange%20Book.pdf

13 -14. Read Steven Levy’s article on James Ellis (two-day process): https://www.wired.com/1999/04/crypto/

15- 16. Read paper on Cyber Weapon Limits (two-day process): file:///Users/edwardamoroso/Downloads/SSRN-id2809463.pdf

17. Spend 30 minutes on Bruce Schneier’s site: https://www.schneier.com/

18. Read Kevin Mitnick Story (Chapter One): https://www.theregister.co.uk/2003/01/13/chapter_one_kevin_mitnicks_story/

19. Watch Ted Talk on cyber: https://www.ted.com/talks/mark_burnette_the_humanity_behind_cybersecurity_attacks

20. Read SANS paper on packet filtering: https://cyber-defense.sans.org/resources/papers/gsec/packet-filter-basic-network-security-tool-100197

21 - 23. Read “An Intrusion Detection Model” (three-day process): https://www.cs.colostate.edu/~cs656/reading/ieee-se-13-2.pdf

24. Watch DEFCON Spot the Fed video: https://www.youtube.com/watch?v=7GODPk-MzKE

25. Here is another video on Diffie-Hellman: https://www.youtube.com/watch?v=NmM9HA2MQGI

26 - 27. Spend two days on this Kerberos site reviewing resources: http://web.mit.edu/KERBEROS/

28. Spend another 30 minutes on Brian Krebs’ site: https://krebsonsecurity.com/

29 - 30. Read the Bitcoin paper (two-day process): https://bitcoin.org/bitcoin.pdf

31. Watch video on OT security monitoring: https://www.youtube.com/watch?v=j4Qw-cY5VcI

32. Watch Ted Talk on personal data: https://www.ted.com/talks/maria_dubovitskaya_take_back_control_of_your_personal_data

33. Read article on CIA model: https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

34. Watch video on State of Cyber 2019: https://www.tag-cyber.com/media/videos/an-address-on-the-state-of-cyber-security-2019

35. Watch this Ted Talk on Cyber Security: https://www.ted.com/talks/rob_may_your_human_firewall_the_answer_to_the_cyber_security_problem

36 - 37. Read paper on UMTS MITM attack (two-day process): https://www.cs.stevens.edu/~swetzel/publications/mim.pdf

38 - 39. Read Lamport paper that served as basis for S/Key (two-day process): https://tnlandforms.us/cns06/lamport.pdf

40. Read James Ellis’ original paper on public key cryptography: https://cryptome.org/jya/ellisdoc.htm

41 - 42. Spend two days on the NIST CSF website reviewing resources: https://www.nist.gov/cyberframework

43 - 44. Read Charlie Miller’s paper on fuzzing mobiles (two-day process): https://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf

45. Read Bell Labs classic on password security: https://spqr.eecs.umich.edu/courses/cs660sp11/papers/

46. Read Gene Spafford’s paper on mutation testing: https://spaf.cerias.purdue.edu/tech-reps/s21.pdf

47. Spend another 30 minutes on Bruce Schneier’s site: https://www.schneier.com/

48. Read PDD-63 (Classic): https://fas.org/irp/offdocs/pdd/pdd-63.htm

49. Read the alert for NotPetya: https://www.us-cert.gov/ncas/alerts/TA17-181A

50. Watch this talk from ten years ago: https://www.c-span.org/video/?291445-5/edward-amoroso-global-cybersecurity-policy-conference

HALFTIME – It’s Mid-May!

51. Read paper on the Bell LaPadula Model: https://www.acsac.org/2005/papers/Bell.pdf

52. Spend today reading about cyber security in Canada: https://cyber.gc.ca/en/

53. Read classic EWD article from Dijkstra in 1975: https://www.cs.virginia.edu/~evans/cs655/readings/ewd498.html

54 -55. Read Framework for Autonomous Machines (two-day process): https://www.tag-cyber.com/analysis/white-papers/cyber-security-framework-for-autonomous-machines

56. Watch video on SSL/CA: https://www.youtube.com/watch?v=T4Df5_cojAs&t=353s

57 – 59. Take three days to read this DHS Study on Mobile Security: https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf

60. Review CMU’s incident response plan (and compare to yours): https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan1.0.pdf

61. Read this interview on SDN Security: https://sdn.cioreview.com/cxoinsight/security-advantages-of-software-defined-networking-sdn-nid-23290-cid-147.html

62. Read this article on open source versus proprietary software: https://www.techrepublic.com/article/how-to-decide-if-open-source-or-proprietary-software-solutions-are-best-for-your-business/

63. Spend another 30 minutes on Brian Krebs’ site: https://krebsonsecurity.com/

64 - 65. Spend two days with the AES standard (do the best you can): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

66. Read article on SIEM versus log management: https://www.bmc.com/blogs/siem-vs-log-management-whats-the-difference/

67. Spend day learning about Tor: https://www.torproject.org/download/

68. Read article on ISAC versus ISAO: https://www.csoonline.com/article/3406505/what-is-an-isac-or-isao-how-these-cyber-threat-information-sharing-organizations-improve-security.html

69. Spend today learning about security research at NSA: https://www.nsa.gov/what-we-do/research/cybersecurity-research/

70. Watch video on how blockchain works: http://blockchain.mit.edu/how-blockchain-works

71. Spend today on the PCI website: https://www.pcisecuritystandards.org/

72. Listen to podcast on unidirectional gateways: https://www.helpnetsecurity.com/2018/10/05/unidirectional-security-gateways/

73 -74. Read paper on Secure Mobile Voice (two-day process): https://www.tag-cyber.com/downloads/Secure-Mobile-Voice.pdf

75. Watch video on SCADA security: https://www.youtube.com/watch?v=5v9yLlivwA0

76. Watch video on getting started in Bug Bounty: https://www.youtube.com/watch?v=CU9Iafc-Igs

77 – 78. Take two days to read Bloomberg article on Supermicro: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

79. Watch video on GRC: https://www.youtube.com/watch?v=EvQmdMYeFVI

80 – 82. Read “Smashing the Stack for Fun and Profit” (three-day process) (https://github.com/rootkiter/phrack/blob/master/phrack49/14.txt)

83. Spend day reading about Apple platform security: https://support.apple.com/guide/security/welcome/web

84. Watch video on device hacking: https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked/discussion?rss&utm_c

85. Read about the Great Feynman and his lockpicking: http://www.openculture.com/2013/04/learn_how_richard_feynman_cracked_the_safes_with_atomic_secrets_at_los_alamos.html

86. Watch video on installing a reverse proxy at home: https://www.youtube.com/watch?v=QcnAqN_Ihqk

87 – 88. Take two days and watch one-hour interview with Nir Zuk: https://www.youtube.com/watch?v=6FX-TtzZapo

89. Read interview with HD Moore: https://www.darkreading.com/analytics/metasploit-creator-hd-moores-latest-hack-it-assets-/d/d-id/1335860

90. Spend day reading about AWS security: https://aws.amazon.com/security/

91. Spend another 30 minutes on Bruce Schneier’s site: https://www.schneier.com/

92 – 93. Spend two days reading UK report on Huawei security: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf

94 – 95. Take two days to read the TLS RFC: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

96 – 97. Spend two days on DHS incident response handbook: https://www.dhs.gov/sites/default/files/publications/4300A%20Handbook%20Attachment%20F%20-%20Incident%20Response%20.pdf

98. Read article on GDPR: https://medium.com/@ageitgey/understand-the-gdpr-in-10-minutes-407f4b54111f

99. Read article on Bill Gates and Trustworthy Computing: https://www.wired.com/2002/01/bill-gates-trustworthy-computing/

100. Spend your last study day having fun reading Charlie Ciso cartoons! https://www.tag-cyber.com/media/charlie-ciso