This page contains an archived version of an internal cybersecurity course we ran in June 2023. It has two parts: using software and building software. Each part has about 1 hour of mandatory reading, 20 minutes of exercises, and a 2-hour live session. We also provide highly recommended further resources, that are often quite fun case studies to learn about!

## How this course came about

After I joined BlueDot Impact full-time, I wanted to quickly learn how all our systems worked. Dewi suggested a great idea: building and running my own course, just for our use internally.

We agreed I'd run an internal cybersecurity training course.<span class="add">[1]</span> BlueDot Impact was building more systems, collecting more data, and spinning out of our fiscal sponsor - so it seemed prudent to make sure we were doing so securely.

Since then, several others have asked about the course and asked for access to the materials. We used to have this up on our course hub, but have since removed it. Given that it could be useful for others, and in line with being fans of [working in public](https://bluedot.org/blog/working-in-public/), we've placed the archived materials on this page.

## Course curriculum

### Session 1: Using software securely

Ever wanted to know to perform the #1 hacking technique? This week you'll learn what it is, and how to do it (but also why you shouldn't).

Explore motivation behind cybersecurity, and cover security practices that will keep you, BlueDot Impact, and our customers safe when using existing software.

By the end of the class, students should be able to:

- Know the importance of security to our work
- Know that they are ultimately responsible for security
- Identify and appropriately report security incidents, such as attempted phishing
- Generate and store secure passwords
- Use password managers and 2-step verification to mitigate phishing attacks
- Contribute to discussions about security culture
- Configure their work and personal devices and accounts securely

**Resources**

- [Why should we worry about information security?](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/#3)  (2 mins, ICO)
    - Only read the section 'Why should we worry about information security?'
    - This discusses why information security is usually important, and some of the risks that could occur. In the session, we'll discuss risks that are likely to emerge from the work done at BlueDot Impact.
- [Reporting suspicious cyber activity](https://bluedot.org/blog/internal-cybersecurity-2023-suspicious-activity/)  (2 mins, BlueDot Impact)
    - Explains what suspicious activity might look like, and how to raise concerns.
- [Top tips for staff](https://www.ncsc.gov.uk/training/v4/Top+tips/Web+package/content/index.html#/) (30 mins, NCSC)
    - Complete this course, including the interactive parts as you go through it.
    - This resource discusses the most likely attacks on organisations like BlueDot Impact, and what steps you can take to mitigate them: phishing, password use, device security, incident reporting. In the session, we'll discuss more about why these are important, and you'll get a go at building your own phishing campaign.

**Exercises**

- Complete the [device security steps](https://bluedot.org/blog/internal-cybersecurity-2023-device-security/) for any device you use for work.

**Further resources (optional)**

- [The true story of a prank so good, even the White House fell for it](https://www.cybsafe.com/blog/the-true-story-of-a-prank-so-good-even-the-white-house-fell-for-it/) (10 mins, CybSafe)
    - The article itself is short, but allow yourself to go down the rabbit hole of reading the conversation threads. As you do this, try to tease out the techniques that he's using: consider writing down notes on what you thought was particularly clever.
    - This follows a prankster who uses social engineering techniques to trick senior staff, including: Governor of the Bank of England, CEO of Goldman Sachs, CEO of Morgan Stanley, Home Secretary Amber Rudd, and a cybersecurity professional at The White House.Reading this can give you a better appreciation for spearphishing techniques, and perhaps give you inspiration for the phishing campaign you'll plan in the session.
- [How post can enable domestic abuse](https://www.citizensadvice.org.uk/Global/CitizensAdvice/Post%20and%20Telecoms/DA%20report%20-%20final.pdf#page=24) (4 mins, Citizens Advice)
    - Read pages 24-27
    - Explains the impact of even what would seem like trivial data breaches (e.g. communicating via a non-preferred contact method, or disclosing contact details to the wrong people) in very human terms. This can help you gain an appreciation for the importance of cybersecurity at BlueDot Impact.
- [Cyber Threat Report: UK charity sector case studies](https://www.ncsc.gov.uk/files/Cyber_threat_report-UK-charity-sector.pdf) (2 mins, NCSC)
    - Read pages 11 and 12. If in a rush, just read the two 'case study' boxes on these pages.
    - Discusses recent cyber attacks on UK charities, how they responded, and what damage it did to them. While reading this resource, consider how these attacks might be mitigated by the security actions in the NCSC course.
- [Growing positive security cultures](https://www.ncsc.gov.uk/blog-post/growing-positive-security-cultures) (8 mins, NCSC)
    - Discusses how we can build an environment that supports security. I think BlueDot's cultural values highly align with this, but it's one to monitor and continue developing over time.
- [The logic behind three random words](https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words) (4 mins, NCSC)
    - Explains the reasoning behind security professionals' recommendation to use three random words for passwords.
- [Default Key Algorithm In Thomson And BT Home Hub Routers](https://www.gnucitizen.org/blog/default-key-algorithm-in-thomson-and-bt-home-hub-routers/) (3 mins, pagvac)
    - Read the 'confirmed suspicions' section.
    - This resource shows an example of people cracking the relationship between Wi-Fi names (e.g. BTHomeHub-8DF3) and default passwords. This relationship existed because people use the same 'random' data to generate the network name, wifi password, and admin password. It's a good reminder to change default passwords, especially on internet connected devices, even when they _seem_ random.This is an old article, but manufacturers don't seem to learn. A year later, the new BT Home Hub had [an even worse default password ('admin'), and then a patch to fix it didn't](https://www.alphr.com/accessories/13347/bt-home-hub-spits-out-password-to-hackers/). In 2021, Which? [studied the most popular home routers](https://www.which.co.uk/news/article/millions-of-people-in-the-uk-at-risk-of-using-unsecure-routers-afweT5A8CGNf) and found many of them had security flaws: with the #1 issue being weak default passwords. The primary hub Virgin Media still sends out today [had severe vulnerabilities in the admin console for years](https://research.nccgroup.com/2018/12/12/owning-the-virgin-media-hub-3-0-the-perfect-place-for-a-backdoor/) that they didn't fix.Many organised crime gangs that indiscriminately target people online, and aim to hack into devices for theft, fraud, or blackmail. Attackers can connect to your router remotely over the internet. Your provider should block them, but clearly they're not watertight on security. Additionally, attackers might be in your home network already (e.g. [on](https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/) [one](https://www.bleepingcomputer.com/news/security/anker-eufy-smart-home-hubs-exposed-to-rce-attacks-by-critical-flaw/) [of](https://www.bitdefender.co.uk/blog/hotforsecurity/smart-air-fryer-vulnerable-dangerous-rce-vulnerabilities-researchers-find/) [your](https://www.theverge.com/2022/11/30/23486753/anker-eufy-security-camera-cloud-private-encryption-authentication-storage) [smart](https://www.theregister.com/2023/04/07/cisa_nexx_iot_flaws/) [home](https://github.com/advisories/GHSA-8pwg-75cm-557h) [devices](https://www.zdnet.com/article/vulnerabilities-in-google-nest-cam-iq-can-be-used-to-hijack-your-camera/)). Changing the admin settings of your hub could be pretty serious alone, e.g. re-routing all your DNS traffic could take you to malicious sites.

**Live activities:** see [the session plans](https://bluedot.org/blog/internal-cybersecurity-2023-session-plans/).

### Session 2: Using software securely

Now we know how to use IT securely, this week we'll look at making our applications secure.

Learn how to perform comprehensive cybersecurity assessments on your own or other people's services, following standard threat modelling processes. We'll explore the most common vulnerabilities, and talk through examples of how they could surface in our applications.

By the end of the class, students should be able to:

- Identify when a security risk assessment may be needed in their day-to-day roles
- Perform a security risk assessment based on a threat modelling process
- Understand and be able to apply models to threat modelling including:
    - Identification: CIA triad or STRIDE; and
    - Prioritisation: DREAD or FMEA
- Identify the most likely risks in a threat modelling identification process, including:
    - Broken authentication
    - Broken authorisation
    - Injection attacks
    - Insecure design
    - Vulnerable and outdated components
    - Overly permissive RBAC
    - Security logging and monitoring failures
- Address security risks identified in risk assessments

**Resources**

- [Broken access control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/) (15 mins, OWASP)
    - This explains the vulnerability we're most likely to see in our applications, gives examples on how it occurs and how to fix it.
- [Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/) (10 mins, OWASP)
    - Given our heavy use of third party tools like Airtable, Whalesync, Bubble, Zoom, Slack, etc. it's likely that we misconfigure some of them. This article discusses the types of common misconfigurations, as well as how to prevent them.
- [Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/) (5 mins, OWASP)
    - You can skim this page. This is a fairly common type of security vulnerability we are likely to encounter.
- [Insecure Design](https://owasp.org/Top10/A04_2021-Insecure_Design/) (5 mins, OWASP)
    - You can skim this page. This is another fairly common type of security vulnerability we are likely to encounter.
- [Vulnerable and Outdated Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/) (5 mins, OWASP)
    - You can skim this page. Another reminder to keep software up to date - especially the components of our public facing systems.
- [STRIDE model](https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats#stride-model) (10 mins, Microsoft)
    - [Flip a coin](https://www.google.com/search?q=coin+flip). If it lands 'heads', read this resource. If it lands tails, see the 'CIA triad' resource instead.
    - This discusses a threat categorization approach, which is useful for brainstorming different threats to software. In the session, you'll need to explain this approach to other students.
- [What is the CIA Triad?](https://www.fortinet.com/resources/cyberglossary/cia-triad) (10 mins, Fortinet)
    - If you didn't read the STRIDE model resource (the coin landed 'tails' for you), read the 'What is the CIA Triad?' section.
    - This discusses a threat categorization approach, which is useful for brainstorming different threats to software. In the session, you'll need to explain this approach to other students.
- [The DREAD approach to threat assessment](https://learn.microsoft.com/en-us/windows-hardware/drivers/driversecurity/threat-modeling-for-drivers#the-dread-approach-to-threat-assessment) (10 mins, Microsoft)
    - Only read the 'The DREAD approach to threat assessment' section.
    - Discusses a risk assessment framework, that can be used to rank and prioritise threats once you have identified them.

**Exercises**

- Write down an example where there might be broken access control in an application we've built at BlueDot Impact (e.g. think about the course hub, our MiniExtensions forms, our Airtable extensions, the networking bot, our custom Slack workspace, etc.).
    - Example: The networking bot API might not validate the user correctly, and actually allow anyone to start off networking sessions. This could spam our users and cause us to hit rate limits with the Slack API preventing us from other things in our Slack workspace from working properly. This would be an elevation of privilege and denial of service attack (STRIDE) or an availability attack (CIA).

- Only if you studied the CIA model: Write down 3 example breaches, one of each type, for something that could happen at BlueDot Impact. You should use the new knowledge you have about common types of breaches.
    - Example: Integrity: A participant forwards an email to a friend containing their MiniExtension form editing link. That friend mistakenly changes the data in the form, thinking it's the application form: messing up the data we have on the participant.

- Only if you studied the STRIDE model: Write down 3 example breaches, each of different types, for something that could happen at BlueDot Impact. You should use the new knowledge you have about common types of breaches.
    - Example: Repudiation: Someone writes abusive messages in a shared Miro board during a facilitated session, where we don't have revision history. Someone is suspected, but they claim it wasn't them.
    - Example: Elevation of privilege + denial of service: Someone who we intended just to share read-only access to our Airtable is accidentally given write access due to a communication failure. They then try filtering a view of course resources that they thought is just for them, but it actually powers the course hub. This prevents all our participants from seeing the session resources.

- Evaluate any two of your example breaches using the DREAD risk framework (or FMEA). Did this accurately predict which one seemed more intuitively important? If not, why do you think that was?

**Further resources (optional)**

- [What is FMEA? Failure Mode & Effects Analysis](https://asq.org/quality-resources/fmea) (15 mins, American Society for Quality)
    - Discusses another risk assessment framework. This can be used as an alternative to DREAD to help evaluate threats. We won't be using this in the session, but you are welcome to use it as an alternative to DREAD if you find it easier.
- [British Airways Penalty Notice](https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf) (15 mins, ICO)
    - Read pages 17-24 for the facts of the case. Optionally 25-60 for the discussion on what the regulator thought BA did well and poorly, and what they thought BA should have done.
    - We'll go through this as a case study during the session, but you don't need to know about this beforehand. However, if you want a head start on seeing what happened, or want to review the case later, you can take a read of this account by the regulator of what they think happened.

**Live activities:** see [the session plans](https://bluedot.org/blog/internal-cybersecurity-2023-session-plans/).

## Footnotes
[1]: Yes, there are some internal cybersecurity courses you can get off the shelf – and using one of those likely would have been faster. But it wouldn’t have helped me learn about our systems, or be tailored to the kinds of risks we face at BlueDot Impact.



Our 2023 internal cybersecurity course

Adam Jones • July 15, 2024