CyberQuest Day 2 of 5

Day 2: Foundations and Strong Passwords

CyberQuest Summer Camp - day deck

This is your hands-on companion to the main course deck. The main deck (Interactive_Slides.html) sends you to specific Parts here and to Modules in the notebook, then back. You can also run this deck on its own, top to bottom, with the Next arrow.

Morning Kickoff: Motivation & News (09:00 AM - 09:15 AM)

  • Case Profile: The 2024 Change Healthcare Ransomware Attack. Cybercriminals exploited an unauthenticated entry portal, halting health payment infrastructure nationwide. This underscores why missing security controls present catastrophic operational risks.

Teaching Session I: Core Lecture (09:15 AM - 11:15 AM)

Cybersecurity Governance Terminology

  • Asset: Any high-value resource, hardware appliance, or data segment owned by an organization (e.g., patient health records).
  • Threat: Any potential event or entity capable of causing harm or unauthorized access to an asset (e.g., a ransomware gang).
  • Vulnerability: A flaw or operational weakness in system architecture, software code, or physical access controls that can be exploited by an attacker.
  • Risk: The mathematical probability that a specific threat will exploit a vulnerability, multiplied by the operational impact or financial loss (Risk = Probability x Impact).
  • Security Assessment: A comprehensive technical evaluation of an infrastructure's defensive posture to identify vulnerabilities before attackers do.

The Threat Actor Spectrum

  • White Hat Hackers: Security professionals who perform penetration testing with legal authorization to help defend networks.
  • Black Hat Hackers: Malicious cybercriminals who breach infrastructure unlawfully for financial gain or disruption.
  • Gray Hat Hackers: Individuals who find vulnerabilities without authorization but report them without malicious intent, operating outside strict legal boundaries.
  • Script Kiddies: Amateurs who launch pre-made exploit tools and scripts without understanding their underlying code mechanics.
  • Hacktivists: Politically or ideologically motivated actors who deface web systems or leak files to draw attention to a social cause.

Legal Frameworks and Core Governance Matrix

  • Ethical Hacking Rules: Requires explicit written permission, a clearly defined scope of testing targets, and adhering to responsible disclosure policies by reporting vulnerabilities privately to owners.
  • Computer Fraud and Abuse Act (CFAA): The primary United States federal computer crime statute. It criminalizes accessing a protected computer system without authorization or exceeding authorized access bounds.

The CIA Security Triad Core Properties

  • Confidentiality: Ensuring data is accessible only to authorized entities. Attacks include Brute-Force Password Cracking.
  • Integrity: Safeguarding data from unauthorized modification or tampering.
  • Availability: Ensuring information networks are reliably accessible to users. Attacks include Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks, which flood bandwidth to crash systems.

Teaching Session II: Labs & Interactive Tools (11:45 AM - 01:45 PM)

Practical Interactive Tools for Today

  1. Google Interland: Complete gamified interactive paths focused on evaluating threat links, phishing recognition, and risk management parameters.
  2. Security.org Password Tool: Input testing phrases to see how expanding character lengths affects brute-force cracking time metrics.

Recap & Tomorrow's Horizon (04:15 PM - 04:30 PM)

  • Summary: Today we broke down risk, mapped threat profiles, analyzed the CFAA, and explored how brute-force and DDoS attacks disrupt the CIA Triad.
  • Tomorrow Preview: We will explore defensive mechanics, covering encoding, hashing, encryption, and strategies to resist social engineering.

Your plan for today

6 parts. Press Next to move in order.

  1. Part 1. Get oriented - 4 slides
  2. Part 2. Learn the basics - 25 slides
  3. Part 3. Code along - 1 slide
  4. Part 4. Play the free tools - 3 slides
  5. Part 5. Test yourself - 4 slides
  6. Part 6. Wrap up - 1 slide

You just saw the big-picture overview. The Parts below take you from the basics to hands-on practice. When a slide says to run a notebook module or play a game, do it, then continue.

PART 1 OF 6

Get oriented

Objectives, key terms, a picture, and the news.

This part is 4 slides. Press Next to begin.

Learning objectives

  • State the three goals of security (the CIA triad).
  • Explain why password length beats complexity.
  • Use a password tester responsibly and estimate crack time.

Vocabulary (acronyms expanded and defined)

  • CIA triad = Confidentiality, Integrity, Availability: keep data secret, keep it correct, keep it reachable.
  • MFA = Multi-Factor Authentication: proving who you are with two or more things (a password plus a phone code).
  • 2FA = Two-Factor Authentication: MFA with exactly two factors.
  • PIN = Personal Identification Number: a short numeric code.
  • Phishing: a fake message that tricks you into giving up a password.
  • Keyspace: the total number of possible passwords; bigger is harder to guess.
  • Brute force: trying every possible password until one works.

Picture it

  Something you KNOW (password)
  Something you HAVE (phone, key)   ->  combine two = Multi-Factor Authentication
  Something you ARE  (fingerprint)

In the news (real and verifiable)

Every year, password managers such as NordPass publish a list of the most common passwords, and weak choices like 123456 and password appear at the top again and again. These take well under a second for a computer to guess. The lesson security pros repeat: length and unpredictability matter far more than swapping an a for an @.

PART 2 OF 6

Learn the basics

Now go deeper: the core ideas step by step, with quick knowledge checks.

This part is 25 slides. Press Next to begin.

The CIA triad

Three goals of security

  • Confidentiality: keep data secret.
  • Integrity: keep data correct.
  • Availability: keep data reachable.

CIA = Confidentiality, Integrity, Availability.

Knowledge check

The C in the CIA triad stands for...

Why length beats tricks

The math of keyspace

Possible passwords = N to the power L, where N is the character set size and L is the length.

26 ** 8  = lowercase, 8 long
95 ** 12 = all symbols, 12 long  (vastly larger)

Adding length grows the keyspace far faster than swapping a for @.

Knowledge check

Which password is stronger?

Multi-Factor Authentication

A second lock on the door

  • Something you KNOW: a password.
  • Something you HAVE: a phone or key.
  • Something you ARE: a fingerprint.

MFA = Multi-Factor Authentication. Even if a password leaks, the attacker still needs the second factor.

Knowledge check

MFA improves security because...

The CIA triad

Illustration

  Confidentiality: keep it secret    (encryption, access control)
  Integrity:       keep it correct   (hashing, signatures)
  Availability:    keep it reachable (backups, redundancy)
  SECURITY: protect all three

Every attack breaks a corner; every defense protects one.

CIA in real life

One example each

Confidentiality: a leaked customer database exposes private data.

Integrity: changing a grade or a bank balance without permission.

Availability: a denial-of-service flood takes a site offline.

How a small flaw becomes real risk

  Flaw -> Vulnerability -> Threat -> Attack -> Exploitation -> Risk

A flaw is a vulnerability; a threat launches an attack that exploits it; risk is the chance of loss.

Knowledge check

Ransomware locks a hospital's files so staff cannot open them. Which pillar breaks?

Authentication factors

Three ways to prove who you are

  Factor               Example
  Something you know   a password or PIN
  Something you have   a phone or security key
  Something you are    a fingerprint or face

MFA combines two or more of these.

Brute force versus MFA

Attack vs Defense

  ATTACK: password only  ->  attacker tries common passwords            ->  ACCESS GRANTED
  DEFENSE: add MFA       ->  has the password, also needs a phone code  ->  BLOCKED

A password is one door. MFA adds a second door the attacker does not have.

Keyspace, explained

Why size matters

The number of possible passwords is N to the power L, where N is how many characters are allowed and L is the length. Adding length raises the exponent, which grows the total far faster than adding character types.

How long to crack?

Rough times at a billion guesses per second

  Password              Time
  cat123                Instant
  P@ssw0rd              Hours to days
  kayak-piano-7         Thousands of years
  ILovePizzaOnFridays!  Effectively forever

* Assumes an offline attack against unsalted hashes at 1 billion guesses per second. Rate limiting and salted hashing vastly increase these estimates.

Encryption cuts the chance of a costly breach

  Given:
    P(breach | unencrypted) = 0.40
    P(breach | encrypted)   = 0.08
    Loss per breach         = $2,000,000

  Risk = probability x loss
    Unencrypted: 0.40 x 2,000,000 = $800,000
    Encrypted:   0.08 x 2,000,000 = $160,000

  Expected annual loss: unencrypted $800k, encrypted $160k
  Risk reduction = $640,000 saved per year

Knowledge check

Which is hardest to crack?

Password do and do not

Simple rules

Do: use long passphrases, a different password per site, and a password manager.

Do not: reuse passwords, use names or birthdays, or share them. Never type a real password into a tester.

Password managers

One strong password to rule them all

A password manager generates and stores a unique strong password for every site, locked behind one master password. You only memorize the master one, and the manager fills the rest.

Passphrases

Easy to remember, hard to crack

Four random words like correct-horse-battery-staple are long and unpredictable. Length plus randomness beats a short complicated password and is easier to type.

Why a salt matters

Illustration

A salt makes identical passwords hash to different fingerprints

  User A:                  salt9 + sunshine  ->  SHA-256  ->  a3f1c9 ... 7e (unique)
  User B (same password):  salt7 + sunshine  ->  SHA-256  ->  9b2e74 ... 1d (different)

  Attackers can no longer crack many accounts with one precomputed table.

The same password becomes two different fingerprints, so one table cannot crack many accounts.

Hashing

A one-way fingerprint

A hash like SHA-256 turns any input into a fixed-length fingerprint that cannot be reversed. Sites store the hash of your password, so a database leak does not reveal the password itself.

Salting

Random, per-user

A salt is random text added before hashing, unique to each user. It stops attackers from using precomputed tables (rainbow tables) and from cracking many identical passwords at once.
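An added example (not from the camp materials) that runs the salt illustration above in code: two users with the same password get different SHA-256 fingerprints, a precomputed table recovers the unsalted copies but not the salted ones, and a site-style record is stored with a slow salted hash (PBKDF2 from the standard library, my choice here, not something the slides prescribe) and checked in constant time. The wordlist and the user passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# --- The slide's illustration: salt + password -> SHA-256 -> fingerprint ---------

def salted_sha256(salt: bytes, password: str) -> str:
    """Fingerprint of salt followed by password. Same password, different salt,
    different fingerprint, so one precomputed table no longer fits every account."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def unsalted_table(wordlist) -> dict:
    """An attacker's precomputed table: plain SHA-256 of each common password."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def accounts_cracked(table: dict, stored_hashes) -> int:
    """How many stored hashes a single precomputed table recovers, one lookup each."""
    return sum(1 for h in stored_hashes if h in table)


# --- What a real site should store: a slow, salted password hash ----------------
# PBKDF2-HMAC-SHA256 from the standard library; every guess costs ITERATIONS hashes.
ITERATIONS = 600_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """The per-user record a site stores: random salt + slow hash, never the password."""
    salt = salt or os.urandom(16)                      # 16 random bytes, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed demo: two users both chose the weak password "sunshine".
    table = unsalted_table(["123456", "password", "sunshine", "qwerty"])
    unsalted = [salted_sha256(b"", "sunshine") for _ in range(2)]      # no salt at all
    salted = [salted_sha256(os.urandom(16), "sunshine") for _ in range(2)]
    print("cracked without salt:", accounts_cracked(table, unsalted))  # 2
    print("cracked with salt:   ", accounts_cracked(table, salted))    # 0
    rec = make_record("correct-horse-battery-staple")
    print(verify(rec, "correct-horse-battery-staple"), verify(rec, "sunshine"))  # True False
```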

Turning on MFA

The single best account upgrade

In site security settings, enable two-factor authentication, then approve it with an authenticator app or a code. After that, a stolen password alone cannot log in.

Anatomy of a phishing email

Spot the red flags

  • Urgency: act in 24 hours or lose access.
  • Generic greeting: Dear Customer.
  • Look-alike link: paypa1.com uses a 1 for the l.
  • Unexpected attachment or a request for your password.

Sample phishing email, annotated:

  From: Netflix Billing <help@netflix-verify.shop>   <- look-alike sender domain
  Subject: Your account is LOCKED
  Dear Customer,                                      <- generic greeting
  Verify NOW within 24 hours or lose access.          <- urgency
  Click here: http://paypa1-secure.shop/login         <- fake look-alike link
  Send us your password to confirm.                   <- asks for your password
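An added example (not part of the slides) that turns the four red flags above into a small checker and runs it over the sample email: it normalizes look-alike digits (1 for l, 0 for o) before comparing a domain with a short brand list, and flags generic greetings, urgency words, and requests for a password. The brand list, the keyword lists and the second, benign email are my assumptions for the demo.

```python
import re

# Constructed sample: the phishing email from the slide, as a plain header + body string.
SAMPLE = """From: Netflix Billing <help@netflix-verify.shop>
Subject: Your account is LOCKED
Dear Customer,
Verify NOW within 24 hours or lose access.
Click here: http://paypa1-secure.shop/login
Send us your password to confirm."""

# Constructed benign message for comparison (assumed content).
BENIGN = """From: Netflix <info@netflix.com>
Subject: New on Netflix this week
Hi Alex,
Here is what was added this week.
https://www.netflix.com/browse"""

BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com"}   # assumed brand -> real domain
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(now|urgent|immediately|within \d+ hours|locked|suspended)\b", re.I)
GENERIC = re.compile(r"^dear (customer|user|member|account holder)", re.I | re.M)


def registered_domain(host: str) -> str:
    """Last two labels of a host name: mail.example.com -> example.com."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_brand(host: str):
    """Brand this host imitates (after undoing digit-for-letter swaps), or None if it
    really is that brand's registered domain."""
    normalized = host.lower().translate(HOMOGLYPHS)
    for brand, real_domain in BRANDS.items():
        if brand in normalized and registered_domain(host) != real_domain:
            return brand
    return None


def red_flags(message: str) -> list:
    """One entry per red flag found; an empty list means nothing suspicious was seen."""
    flags = []
    sender = re.search(r"^From:.*@([\w.-]+)", message, re.M)
    if sender and lookalike_brand(sender.group(1)):
        flags.append(f"look-alike sender domain: {sender.group(1)}")
    if GENERIC.search(message):
        flags.append("generic greeting")
    if URGENCY.search(message):
        flags.append("urgency")
    for host in re.findall(r"https?://([\w.-]+)", message):
        brand = lookalike_brand(host)
        if brand:
            flags.append(f"fake look-alike link: {host} imitates {brand}")
    if re.search(r"\b(your|the)\s+password\b", message, re.I):
        flags.append("asks for your password")
    return flags


if __name__ == "__main__":
    print(red_flags(SAMPLE))   # five flags
    print(red_flags(BENIGN))   # []
```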

Social engineering types

Tricking people, not computers

  Trick        How it works
  Phishing     fake email or message
  Vishing      scam phone call
  Baiting      a tempting infected USB drive
  Tailgating   following someone through a locked door

Knowledge check

Your bank calls and asks you to read back the code they just texted. Safe?

Breach lessons

Why today matters

The biggest breaches often begin with a weak or reused password or a single phishing click. Strong passwords, MFA, and spotting phishing, the skills from today, prevent the most common real attacks.

The CIA vs DAD triads

Ch 1 §1.2 — foundational security principles

Two sides of the same coin

CIA (what defenders protect)
  • Confidentiality: only authorized users read data
  • Integrity: data cannot be altered undetected
  • Availability: systems work when needed

DAD (what attackers cause)
  • Disclosure: data exposed to wrong people
  • Alteration: data changed without authorization
  • Destruction: data or service made unavailable

  Real breach                                        CIA property violated
  2017 Equifax: 147 M SSNs stolen                    Confidentiality
  2016 Bangladesh Bank: $81 M fraudulent transfers   Integrity
  2021 Colonial Pipeline shutdown                    Availability

The Parkerian Hexad

Ch 1 §1.3 — extending the CIA triad

Three extra properties beyond CIA

  Property            Meaning                             Example question
  Authenticity        Is this really from who it claims?  Is this email really from your bank?
  Utility             Is the data in a usable format?     Encrypted backup with lost key = useless
  Possession/Control  Who physically holds the data?      Stolen laptop still has your data even if encrypted

Parkerian Hexad = CIA + Authenticity + Utility + Possession. Used in legal and insurance contexts where "available but uncontrolled" matters.

Knowledge check

A hacker steals a database of passwords. Which CIA property is primarily violated?

Threat actor taxonomy

Ch 1 §1.5 — who are the adversaries

Who attacks and why?

  Type                 Motivation            Typical capability          Example
  Script kiddie        Curiosity, fun        Low (uses existing tools)   Runs downloaded exploit
  Hacktivist           Political message     Medium                      Anonymous, DDoS campaigns
  Cybercriminal        Money                 Medium-High                 Ransomware gangs
  Insider threat       Revenge, greed        High (has access)           Disgruntled employee
  Nation-state (APT)   Espionage, sabotage   Very high, funded           Stuxnet, SolarWinds
APT = Advanced Persistent Threat. "Persistent" means they stay hidden for months, collecting data quietly.

Quantifying risk: the ALE formula

Turning threats into dollars

Risk = probability x loss is the simplified form. The formal version breaks it into SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) = ALE. Both express the same idea: expected annual cost.

Three terms you need:

  Formula                              Meaning
  SLE = Asset value × Exposure factor  Single Loss Expectancy: cost of one incident
  ARO = expected incidents per year    Annualized Rate of Occurrence
  ALE = SLE × ARO                      Annual expected loss from this risk

Worked example: a server worth $200,000 has a 40% exposure factor.

  SLE = $200,000 × 0.40 = $80,000
  ARO = 0.5 (one breach every 2 years)
  ALE = $80,000 × 0.5 = $40,000 per year

If a security control costs less than $40,000/yr, it is worth buying.

Password entropy: a numeric view

Ch 1 §1.8 — authentication and access control

Why longer passwords win

Entropy (bits) = length × log2(alphabet size)

  Password             Alphabet   Combinations           At 10B guesses/sec
  8 lowercase          26         26^8  ≈ 2×10^11        ~20 seconds
  8 mixed + digits     62         62^8  ≈ 2×10^14        ~6 hours
  12 mixed + symbols   95         95^12 ≈ 5×10^23        ~1.7 million years

  import math
  alphabet = 95          # all printable ASCII (including space)
  length   = 12
  combos   = alphabet ** length          # keyspace: N to the power L
  print(f"combinations: {combos:.2e}")   # 5.40e+23

A GPU cracker runs ~10 billion (10^10) SHA-256 guesses per second. Against ~5×10^23 combinations, time ≈ 5×10^13 seconds ≈ 1.7 million years.
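An added example (my code, not the notebook's) that carries the keyspace, entropy and crack-time math from the slides above and from the "How long to crack?" table through for any made-up test string: it sizes the alphabet from the character classes actually used, computes N^L and L × log2(N), and shows how each extra character multiplies the worst-case time by N. The guess rates (1 billion/s by default, 10 billion/s for the GPU figure) are the slides' numbers; the character classes are the standard four.

```python
import math

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"   # the other 33 printable ASCII characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """N: size of the smallest standard character set covering every character used.
    Lowercase only -> 26, lowercase + digits -> 36, all four classes -> 95."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))


def keyspace(n: int, length: int) -> int:
    """Number of possible passwords: N to the power L."""
    return n ** length


def entropy_bits(n: int, length: int) -> float:
    """Entropy (bits) = length x log2(alphabet size), the slide's formula."""
    return length * math.log2(n)


def crack_seconds(n: int, length: int, guesses_per_sec: float = 1e9) -> float:
    """Worst-case time to try the whole keyspace offline at a fixed guess rate.
    Default is the slides' 1 billion/s; pass 1e10 for the GPU figure."""
    return keyspace(n, length) / guesses_per_sec


def strength_report(password: str, guesses_per_sec: float = 1e9) -> dict:
    """Alphabet, length, entropy and worst-case crack time for a made-up test string."""
    n = alphabet_size(password)
    secs = crack_seconds(n, len(password), guesses_per_sec)
    return {"alphabet": n, "length": len(password),
            "bits": round(entropy_bits(n, len(password)), 1),
            "years": secs / SECONDS_PER_YEAR}


def growth_by_length(n: int, lengths, guesses_per_sec: float = 1e9) -> list:
    """Crack time in seconds for each length: every extra character multiplies it
    by N, the jump you see in the Security.org tester when you add one character."""
    return [crack_seconds(n, L, guesses_per_sec) for L in lengths]


if __name__ == "__main__":
    # Made-up test strings only, as the slides insist: never a real password.
    for pw in ("cat123", "P@ssw0rd", "kayak-piano-7", "purple-kite-river-stone"):
        r = strength_report(pw)
        print(f"{pw:25} N={r['alphabet']:3} L={r['length']:2} "
              f"{r['bits']:6.1f} bits  {r['years']:.3g} years")
    print([f"{s:.3g}" for s in growth_by_length(26, range(6, 13))])
```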

CFAA: legal vs. illegal

The Computer Fraud and Abuse Act (1986, updated 2008)

  Action                                             Legal?                 Why
  Port scan your own laptop                          ✓ Legal                You own it
  Port scan your school's network with permission    ✓ Legal                Written authorization
  Port scan a random website                         ✗ Potentially illegal  Depends on jurisdiction and authorization
  Log into someone else's account you found exposed  ✗ Illegal              "Exceeds authorized access"
  Run picoCTF or CTFLearn challenges                 ✓ Legal                Built-for-hacking sandboxes

The CFAA says accessing a computer "without authorization" is a federal crime. Always get written permission before testing any system you do not own.

Knowledge check

Using the ALE formula: asset value $100,000, exposure factor 50%, ARO 1. What is the ALE?

PART 3 OF 6

Code along

Run Modules 1 to 4 in the notebook.

This part is 1 slide. Press Next to begin.

Code along: open the notebook

Open Day2.ipynb (upload to Google Colab at colab.research.google.com, or open in Jupyter) and run Modules 1 to 4 with Shift + Enter.

The main course deck (Interactive_Slides.html) will also tell you exactly when to run each module. After the notebook, return to the main deck.

PART 4 OF 6

Play the free tools

Practice for real on two free, fun sites.

This part is 3 slides. Press Next to begin.

Play the free tools

Today you use Google Interland and Security.org tester. Follow the steps on the next slides.

Activity 1: Google Interland

Open https://beinternetawesome.withgoogle.com/en_us/interland
  • Play Tower of Treasure to practice building strong passwords.
  • Play Reality River to spot phishing and scams.

Activity 2: Security.org password tester (math you can see)

Open https://www.security.org/how-secure-is-my-password/
  • Type made-up passwords only. Never type a real password you actually use.
  • Add one character at a time and watch the estimated crack time jump. This is the keyspace growing.

PART 5 OF 6

Test yourself

Numericals, multiple choice, and the knowledge bank. Answer key included.

This part is 4 slides. Press Next to begin.

Numericals (do these in the notebook)

  1. How many 4-digit PINs are possible (digits 0 to 9)?
  2. An 8-character lowercase password: how many combinations (26 to the power 8)?
  3. If an attacker tries 1 billion guesses per second, roughly how long to try all 8-character all-symbol passwords? (The notebook computes this.)

Multiple choice (MCQ)

  1. The C in the CIA triad stands for: a) Control b) Confidentiality c) Computer
  2. Which is stronger? a) P@ss1! b) purple-kite-river-stone
  3. MFA improves security because: a) it makes passwords shorter b) an attacker needs more than just your password c) it hides your screen

Knowledge Evaluation Bank (Embedded Assessments)

Multiple-Choice Questions (MCQ)

  1. A hacker leaks corporate database documents to protest a company's environmental policy. This actor belongs to which category?

    • A) Script Kiddie
    • B) Hacktivist
    • C) White Hat Hacker
    • Answer Key: B. Hacktivists use technical exploits to drive ideological or political messages.
  2. An attacker floods an e-commerce platform with 500,000 automated requests per second, causing the web servers to crash. Which component of the CIA Triad is compromised?

    • A) Confidentiality
    • B) Integrity
    • C) Availability
    • Answer Key: C. Flooding infrastructure with requests causes a denial of service, violating system Availability.

Numerical Exercise

An executive calculates that a corporate server holding customer records has an asset value of $200,000. Risk analysts determine that a threat group has an annual rate of occurrence of 0.5 (once every two years). If an exploit occurs, the exposure factor is 40% of the total asset value. Calculate the Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) from these metrics.

Solution steps:
  • SLE = Asset Value x Exposure Factor = $200,000 x 0.40 = $80,000
  • ALE = SLE x Annual Rate of Occurrence = $80,000 x 0.5 = $40,000 loss per year

Answer key

Answer key. Numericals: 1) 10,000 PINs, 2) 208,827,064,576 (about 2.09 x 10^11), 3) see notebook (about 70 days at 1 billion guesses per second, which is why 8 chars is no longer safe). MCQ: 1-b, 2-b, 3-b.

PART 6 OF 6

Wrap up

Recap what you learned and reflect.

This part is 1 slide. Press Next to begin.

Reflection and homework

Turn on MFA on one of your own accounts with a parent or guardian. Write one sentence on why a passphrase of four random words can beat a short symbol password.