21s-2550: Introduction to Cybersecurity
Welcome to CY 2550 Spring 2021!
This section of the course will be delivered using the Hybrid NUflex learning modality in order to accommodate in-person, online synchronous, and online asynchronous participation. I will be teaching classes in-person, and these lectures will be live-streamed via Zoom to enable remote participation and recorded for offline viewing. If I cannot make an in-person class, prior notice will be posted on Piazza. If conditions in the community become unsafe due to COVID-19, then class may be permanently moved online.
Students planning to attend lectures in-person are expected to stagger their attendance in accordance with Northeastern’s dynamic scheduling policy. All students in class are expected to wear masks and socially distance themselves.
First steps
- You have a few actions items before class:
- Enroll in the course Piazza to get answers to your questions. Note: make sure you are in my section’s Piazza.
- Enroll in gradescope using the registration code from Canvas or the first day of class.
Course Basics
-
Instructors: abhi shelat, Christo is running another section of the same course
-
TF 9:50–11:30am, SH 305
-
We have
- TAs: Kieran Croucher, Noelle Floyd, Byron Kress, Sarah Lackey, Nathan Pedowitz, Donald Sea, Riddhi Adhiya, Martin Petrauskas
- The best way to engage the course staff is via piazza and office hours.
-
Office hours:
- Zoom links will be posted in Canvas and piazza.
Goals
This is an introductory (first-year) course that presents an overview of basic cybersecurity principles and concepts. The high-level goal is to introduce main topics in security, introduce adversarial thinking mindset, threat modelling, and design of defense mechanisms.
In my own interpretation, a large part of the field is understanding different classes of failures for critical systems. I think of four categories of failures:
- Failure in operation:
- Human model of usage
- Mistake, checking in secret keys to github
- Failures of implementation:
- improperly handling untrusted input
- time of use and time of check
- error handling leaks implementation
- linux scheduling
- Failures of design:
- MD5, SHA1 hash function
- wifi pwd protocol
- Failures of abstraction: when the assumed abstraction does not hold, which leads to catastropic flaws in security. (These are sometimes the most interesting cases to study.)
- side-channels: power, acoustical, spectre, meltdown
- adversary is stronger than expected
- Unintended consequenses: privacy loss
As we study these failures, and hopefully understand how to design better systems, the field also considers practical defenses against unforseen attacks and adversaries:
- Defense in depth
- reducing attack surface (e.g., point-to-point instead of perimeter security)
- least privilege
- advanced cryptography
The course will also introduce students to legal and ethical issues associated with cybersecurity. The course will quickly cover most of the required background, and so we encourage wide participation.
Concepts will be illustrated with practical tools, systems, and applications that exemplify them. Hands-on projects will introduce students to key security tools and libraries.
Course Schedule
| Lecture | Topic | Due | |
|---|---|---|---|
| L1 L2 | Intro, Linux | ||
| L3 L4 | Passwords, 2FA, biometrics | P0 | |
| L5 L6 | 2FA, Distributed Password Models, Access control | ||
| L7 L8 | Access control (capabilities, mandatory), Crypto | P1 | |
| L9 L10 | Crypto: PRG, Enc, MAC, PRF, PKC | ||
| L11 L12 | Signatures, Social Engineering | P2 | |
| L13 L14 | Cognitive bias, Anonymous data isnt! | ||
| L15 L16 | System security and Exploits | P3 | |
| L17 L18 | Buffer exploits lab | ||
| L19 L20 | Buffer Exploits lab, SQL | P4 | |
| L21 L22 | SQL & Web security (injection, xss, csrf) | P5 | |
| L23 L24 | IOT Security & Web security | ||
| L25 L26 | Network security & Wireless networking | P6 | |
| L27 | Wireless & Review | P7, P8 | |
| Extra | Extra topics for the curious that we couldn’t cover |
Ethics
You will learn about security techniques and tools that can potentially be used for offensive purposes; “hacking” in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.
Grading
Your final grade is computed as a weighted sum of your project scores and your quiz scores.
- Projects (8): 5%, 10%, 10%, 10%, 10%, 10%, 10%, 10%
- Quizzes (10): 2.5% each
Each assignment will include a breakdown of how it will be graded. Some projects may include extra credit components that can boost your grade above the maximum score.
We assign final letter grades on a standard curve with roughly half the grades in the A/A- category; we may take into account special factors like your class attendance and assessment participation.
Projects
There will be eight projects throughout the semester.
Projects must be submitted before 11:59:59pm on the specified date.
You can submit as many times as you like through gitlab.
Your last commit timestamp on your files will be used to determine lateness.
| Assignment | Description | Due Date | Piazza Tag | % of Final Grade |
|---|---|---|---|---|
| Project 0 | Linux Basics | 1/29 | #project0 | 5% |
| Project 1 | Passwords | 2/12 | #project1 | 10% |
| Project 2 | Access controls | 2/26 | #project2 | 10% |
| Project 3 | Cryptography | 3/12 | #project3 | 10% |
| Project 4 | De-anonymization | 3/26 | #project4 | 10% |
| Project 5 | Forensics | 4/2 | #project5 | 10% |
| Project 6 | Capture The Flag | 4/16 | #project6 | 10% |
| Project 7 | Web Capture the Flag | 4/23 | #project7 | 10% |
| Project 8 | Bonus | 4/23 | #project8 | 0% |
If required, any programming needed for projects can be done in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Khoury College Linux machine. Notice the stress on unmodified: if you’re relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the Khoury College Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.
Quizzes
Throughout the semester, there will be several in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less and the questions will be straightforward. The goals of the quizzes are to encourage careful study of the lecture material.
Quizes will be posted and answered through Gradescope; you will have the day on which the quiz is announced to submit your answer. If you miss class, it is your responsibility to ensure that you submit these quizzes on time, and there are no extensions.
Late Policy
If the grading for your project is automated by script (i.e., it uses the gradescope autograder), then the deadlines have little to no flexibility. Within a few hours after the posted deadline, we will turn off the grader and post the grades, after which you will not be able to submit. We do not know exactly when we will cut off the grader, so your best strategy is to aim to finish all projects by the posted deadlines to guarantee you get credit. Extensions beyond this policy will not be given unless you have health issues that are supported by a doctor’s note. Do your best to satisfy the posted deadlines.
Cheating Policy
-
Collaborating with other students in the class on homework problems is encouraged, though we urge you to first attempt working out all of the problems by yourself. It’s ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn.
-
However, you must write up, prepare, submit your solutions, in your own words. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.
Example: If you have copied and pasted any text from someone else, you have violated this policy even if the two of you were working together on an assignment. Type your own keystrokes that lead you to a solution; do not copy commands that you do not understand or that you were given to you by someone else.
-
All students are subject to the Northeastern University’s Academic Integrity Policy. Per Khoury College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.
-
If you violate this policy, you will fail the course. There will be no leeway on enforcement of this policy.
Textbook
You do not need a textbook for this course. I am not aware of a great textbook on cybersecurity that aligns with my approach to the topic. However, there are many online resources that cover the topics of this course.
Here is a free online textbook on security that might help you; you will have to find the relevant topics that correspond to class.