|
Professors: |
Alina
Oprea |
|
Classroom: |
Richards
Hall 458 |
|
Time: |
Mondays
and Thursdays 11:45am -1:25pm |
|
Office
Hours: |
Thursday
2-4pm (or by appointment) in 625 ISEC |
|
Teaching
Assistants: |
Lead
TA: Martin Petrauskas petrauskas.m@husky.neu.edu Simon Bruklich bruklich.s@husky.neu.edu Kate Driscoll driscoll.ka@husky.neu.edu Samir Elhelw
elhelw.s@husky.neu.edu Matthew Kline kline.ma@husky.neu.edu Byron Kress kress.b@husky.neu.edu Fiona McCrae mccrae.f@husky.neu.edu Donald Sea: sea.d@husky.neu.edu Rahul Toppur: toppur.r@husky.neu.edu |
|
TA
Office Hours: |
Posted
on Piazza |
|
Class
Forum: |
On
Piazza |
Major security breaches routinely make headline news and impact the lives of millions of people. Cybercrime is a multi-million dollar, mature business. Advanced, persistent threats posed by nation-state adversaries are beginning to impact critical infrastructure, and even democratic processes themselves. As technology becomes embedded in ever more facets of our lives, society, business, and government, the need for cybersecurity experts to protect our infrastructure grows.
This course presents an overview of basic cybersecurity principles and concepts, including systems and communications security. The high-level goal is to introduce the breadth of topics in the cybersecurity space to students, and begin training them to apply these ideas through understanding of defensive mechanisms and attacker strategies.
The course will cover essential security properties like confidentiality and integrity, as well as desirable properties like least privilege and defense in depth. Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.
Readings will introduce students to the history of hacking and cybersecurity, as well as contemporary threats. Students will learn how to develop threat models that characterize attacker capabilities, goals, and the costs of different defensive strategies.
The course will also introduce students to legal, ethical, and human factors issues associated with cybersecurity.
The official prerequisite for this course is CS 2500. I expect students to be able to implement relatively straightforward programming assignments, i.e. ones that will not require hundreds of lines of complicated code. I strive to make my programming assignments as language agnostic as possible, but I will be using Python for in-class examples.
Basic knowledge of the Unix/Linux command line is essential. You should know how to write code using emacs/vim, write a makefile, compile code using makefiles, use SSH and SCP, write very simple shell scripts, check for running processes, kill runaway processes, and create compressed archives.
Since CS 3650 (Computer Systems) and CS 3700 (Networks and Distributed Systems) are not prerequisites, you will not be expected to complete assignments that deal with assembly code, operating system internals, or low-level network protocols. If you expect to be doing binary exploitation in this class, you will be disappointed; you'll have to wait for CS 3740 (Systems Security) and CS 4740 (Network Security) for that stuff.
The class forum is on Piazza. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. To keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me/the TA an email.
In this class, you will learn about security techniques and tools that can potentially be used for offensive purposes; "hacking" in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.
This class will use a traditional, lecture-style format, punctuated with in-class examples. Slides are available in the course schedule below.
|
Dates |
Slides |
Readings |
Comments |
|
|
Jan.
6, 9 |
Intro,
History, Threat Modeling |
Chapter
1 |
||
|
Jan.
13,16 |
Linux
Basics; Cryptography; One-time pad; Perfect security |
Chapters
2.1 and 2.2 |
Project
0 due Feb
17 |
|
|
Jan. 20 |
Holiday; No class |
|
|
|
|
Jan
23 |
Cryptography
symmetric key [PDF] |
|
|
|
|
Jan.
27, 30 |
Block
ciphers and modes of operation Public
key crypto; key exchange |
Chapters
2.3, 2.4, and 2.5 |
Project
1 (Cryptography) Due
Jan 31 |
|
|
Feb.
3, 6 |
Digital
signatures; hash functions; PKI |
Chapters
2.6, 2.7, and 2.8 Chapters
8.1, 8.2, and 8.3 |
||
|
Feb
10, 13 |
Authentication
and Passwords |
Chapters
3.1-3.5 |
Project
2 (Cryptography written homework) Due
Feb. 14 |
|
|
Feb. 17 |
Holiday; no class |
|
|
|
|
Feb. 20 |
Midterm exam |
|
|
|
|
Feb.
24, 27 |
Cyberlaw
and Ethics |
Project
3 (Passwords) Due Feb. 28 |
||
|
Mar. 2-6 |
Spring Break |
Start Countdown to Zero Day |
||
|
Mar.
9, 12 |
Social
engineering Access
Control |
Chapters
5.2,5.3,5.4 |
Project
4 out on March 9 |
|
|
Mar. 16 |
Class cancelled |
|
|
|
|
Mar.
19 |
Access
Control, cont. [PDF] |
|||
|
Mar.
23, 26 |
Systems
Security |
Project
4 (Social engineering and ethics) Due
March 26 |
||
|
Mar.
30, Apr. 2 |
Exploits |
Chapter
6.3, 6.6, 9.6 Finish
Countdown to Zero Day |
Project
5 (Forensics) Due
April 4 |
|
|
Apr.
6 |
SQL
Injection; Patches
[PDF] |
Chapter
9.7 |
||
|
Apr.
9 |
Review
final exam [PDF] |
Project
6 (Exploits) Due
April 17 |
||
|
April 13 |
Final exam |
|
|
|
We will use chapters from the following textbook, available online:
§
Computer
Security and the Internet: Tools and Jewels
by Paul C. van Oorschot. 2019,
Springer.
https://people.scs.carleton.ca/~paulv/toolsjewels.html
Students will also have a required reading during this course:
You
are free to purchase paper or electronic versions of this book.
There will be several projects throughout the semester. Assignments are due at 11:59:59pm on the specified date. You will use a turn-in script to create a compressed archive of the necessary files for the assignments, timestamp them, and submit them for grading. I highly recommend that students start assignments early!
|
Assignment |
Description |
Due Date |
Piazza Tag |
% of Final Grade |
|
|
Linux
Basics |
January
17 |
#project0 |
|||
|
Cryptography |
January
31 |
#project1 |
|||
|
Project
2 |
Cryptography Conceptual |
February
14 |
#project2 |
||
|
Passwords |
February
28 |
#project3 |
|||
|
Project
4 |
Social
engineering Ethics |
March
23 |
#project4 |
||
|
Forensics |
April
3 |
#project5 |
|||
|
Exploits |
April
17 |
#project6 |
Most projects can be programmed in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Khoury College Linux machine. Notice the stress on unmodified: if you're relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the Khoury College Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.
There will be one midterm and one final. All exams will be closed book, and computers are not allowed nor is any access to the Internet via any device. Students are allowed to bring a single 8.5x11 cheat sheet to exams, with material written or printed on the front. The exams will cover material from lectures, readings, and the projects. The final will be cumulative, so review everything!
Throughout the semester, there will be five in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less. They are not meant to cause students grief, and the questions will be straightforward. The goals of the quizzes are to incentivize attendance and encourage careful study of the lecture material. If you need to miss class for any reason, please let me know ahead of time, just in case there is a quiz. Makeups will be provided on a needs-driven basis.
I do not require students to attend class and I won't be taking attendance, although as stated above, there will be in-class quizzes. That said, I prefer an interactive classroom, and I encourage everyone to attend, ask questions, and participate!
|
Projects
(7): |
50% |
|
Quizzes
(5): |
2%
each |
|
Midterm
and Final: |
20%
each |
Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score :)